A couple of weeks back I briefly covered the latest in a long line of CPU vulnerabilities that can be exploited to steal sensitive information from workstations and virtual machines. Bearing in mind that in the “New” IoT world of things there will be many moving parts, not to mention CPUs and GPUs and the various components of Firmware and the list goes on - Here’s everything you need to know…
So, what do I need to know?
On August 14, Intel released information on three variants of a new vulnerability referred to as L1 Terminal Fault (L1TF). The first variant (CVE-2018-3615) was discovered by researchers who have dubbed it "Foreshadow".
So, what is L1TF/Foreshadow, again?
L1TF is another method of exploiting modern CPUs' use of speculative execution, similar to Meltdown and Spectre. Specifically, it refers to the ability of attackers to read memory held inside the L1 cache.
This is dangerous for me how?
Successfully exploiting these vulnerabilities can help attackers bypass protective barriers and read privileged memory that otherwise wouldn't be accessible, including data stored on a physical machine or data stored on virtual machines in a multi-tenant cloud environment.
And Finally: What's the bottom line?
As was the case with Meltdown and Spectre, these flaws have potentially wide-ranging and long-lasting consequences, but for the majority of organizations are in no imminent threat and for most IT gurus, this ultimately shouldn't mean much for your day-to-day (especially if you operate in a non-virtualized environment). The immediate takeaway is don't panic, ensure your services are updated and tested and patch.
And with this in mind, enjoy our roundup of stories for this week…
Reminder a Clear Guide to Meltdown and Spectre Patches
If you have not patched by now, you may be in for a world of hurt, remembering Meltdown and Spectre — two massive CPU vulnerabilities affecting nearly every operating systems and device — hit, impacted customers are still rolling out patches and sunsetting systems where required.
To date, there is a bit of a lull as things haven't exactly gone smoothly, with several incompatibility muck ups causing a lot of finger-pointing and frustration. To help clear things up, we've put together a quick guide that walks through the major updates to operating systems and browsers, explaining how they address Meltdown and/or Spectre, what they specifically don't address, and any known compatibility or performance issues that have been reported.
The Meltdown and Spectre CPU Bugs, Explained | Jonathan Crowe
Internet of Things technology is mainstream
The Internet of Things (IoT) is transforming how companies and consumers go about their daily activities around the world. The technology that underlies this whole segment is evolving quickly, whether it's the rapid rise of virtual store that is upending the consumer space, and the growth of AI-powered analytics platforms for the logistics and enterprise market.
Here are some key takeaways from the report:
- It is projected that there will be more than 55 billion IoT devices by 2025, up from about 9 billion in 2017.
- It is forecasted that there will be approximately $15 trillion in aggregate IoT investment between 2017 and 2025, with survey data showing that companies' plans to invest in IoT solutions are accelerating.
- The report highlights the opinions and experiences of IoT decision-makers on topics that include: drivers for adoption; major challenges and pain points; deployment and maturity of IoT implementations; investment in and utilization of devices; the decision-making process; and forward- looking plans.
IoT Report | Peter Newman
The hardware industry's critical vulnerabilities impacting IoT
When it comes to secure development and patching, hardware vendors are at least a decade behind the software industry. At the turn of the millennium, software vendors were forced to rethink their approach to security and ensure that it was built into products throughout the development lifecycle.
In light of the multitude of “IoT Pwnage” we continue to see, hardware manufacturers need to up their game – and quickly. Unlike software vulnerabilities which can be addressed with a simple patch, many of today's hardware products have no easy means of patching firmware. It's therefore likely that an entire generation of hardware devices will need to be replaced when critical vulnerabilities are uncovered. Easy for a light bulb, slightly harder for planes and ships.
The four issues impacting IoT security | Chris Hodson