New threat can exploit every device, warns expert
DUBAI, August 27, 2018
By Sreeraj Gopinathan
There is a new threat blowing up in the news, and it’s capable of exploiting most computing devices in operation today, said an industry expert, explaining how it could be prevented it from infiltrating an organization.
Consider yourself warned: There is a new threat blowing up in the news, and it’s capable of exploiting most computing devices in operation today.
The threat is named NetSpectre, and it’s critical that you take a few minutes to learn a little more about it—and how you can prevent it from infiltrating your organization.
What is NetSpectre?
Recently discovered by a team of security researchers, NetSpectre is a variant on the new Spectre family of attacks.
Spectre attacks take advantage of a chip feature called “speculative execution”. Speculative execution was originally designed to improve CPU performance. But cyber criminals have developed a way to exploit this feature. Now, cyber criminals can develop Spectre attacks that exploit this feature, and trick computers into leaking sensitive information.
First, nearly every modern computing device is vulnerable to them. The speculative execution feature that they exploit is found in Intel, AMD, and ARM chips. These chips are present in computers, mobile devices, cloud servers, and almost any other device you can think of that has been produced since 1995.
Second, while Spectre attacks can potentially be patched, they may not be able to be solved via software improvements alone. To fully mitigate this exploit, it is likely you need to change a device’s processor architecture, at the hardware level.
Earlier versions of Spectre attacks were dangerous enough. But now NetSpectre has emerged, and it carries with it a new feature that suggests Spectre attacks are about to become even more dangerous than they originally appeared.
What makes NetSpectre so dangerous?
On the surface, NetSpectre operates like many other Spectre attacks. As The Hacker News explains, with NetSpectre, a cyber criminal can, “write and execute malicious code… to extract data from a previously-secured CPU memory,” giving that attacker access to “passwords, cryptographic keys, and other sensitive information”.
Now, previously-known variants of Spectre attacks had a limitation: the attacker needed to get the victim to first download and execute malware onto their computer, or to access an insecure website that was running malicious JavaScript, before they were able to launch their Spectre attack. But NetSpectre does not share this limitation.
NetSpectre can be launched over a network, which includes LANs and between virtual machines in Google’s Cloud. As Bleeping Computer explains, NetSpectre, “can simply bombard a computer’s network ports and achieve the same results, “as previous, more involved Spectre attacks.
NetSpectre itself can only exfiltrate data at relatively low speeds, and thus requires a substantial amount of time to achieve its objectives. But it carries a frightening promise: this new threat demonstrates a potentially devastating, previously-unknown, exploit in the majority of the world’s computing devices. And you can bet that cyber criminals are hard at work developing new, faster, and even more dangerous threats to exploit this same vulnerability.
How to beat back NetSpectre, and its next evolution
The good news is: You’re not alone in your fight against NetSpectre and its variants.
Google remains hard at work, funding research to discover new Spectre exploits before they appear in the wild. And earlier this year, Intel released a series of patches that began to mitigate their speculative execution vulnerabilities. These patches appear to close the NetSpectre vulnerability. So if you have been aware of these emerging Spectre attacks—and updated your systems accordingly—than you should be protected against NetSpectre.
But if you have not updated your systems accordingly, or if you are unsure if you have patched this vulnerability, then please take some time today to do so. While it is heartening to hear that the OEMs behind these vulnerabilities are attempting to correct them, cyber security is an “all hands on deck” activity.
Whether you are a business owner, a security professional, or simply an individual user, you share some responsibility for ensuring your network’s safety. And that begins with continued awareness of what threats are emerging, and how to protect yourself against them.
About the author
Sreeraj Gopinathan is head of Threat Anticipation Services at Paladion, a leading information security service provider.