Security Week 52: The Greatest Hits

    Remember this post: in 10 years everyone will say that the digest got everything right. Or the opposite: that it did not get a single thing right. Predicting the future is an occupation doomed to failure, since any prediction is based on knowledge of the present and the past. The coming year, 2019, is described in Philip Dick's Blade Runner, and he really did know how to foresee things. According to the novel (and, to some extent, the film), we all live in a dysfunctional world where it rains constantly and there are flying cars and robots, but no animals at all.

    That is why the predictions of Kaspersky Lab experts are very practical: they are intended for security staff who need to identify trends for the coming year. Nevertheless, let's try to pick the events of 2018 that may become the basis of something bigger, something that will stay relevant in information security for a long time. This post was prepared using material from this blog for the entire year, so what you have before you is a unique format: a digest of digests.

    Spectre and Meltdown

    Vulnerabilities found only in Intel processors (Meltdown) and those found in almost all modern processors (Spectre) are the main news of the year. A quick word on Meltdown: it is a specific vulnerability that can be patched and forgotten (until another one like it is found). Spectre cannot be closed that way: a theoretical attack on a vulnerable system depends both on certain hardware behavior and on certain characteristics of the code of the attacked application. There are many variants of Spectre-like attacks, as several studies showed this year. Examples include a Spectre modification that allows overwriting read-only memory cells, and NetSpectre, an attack that can be carried out remotely over the network, without even executing code on the system under attack.

    All Spectre-like attacks belong to the class of side-channel attacks: the secret information is not transmitted in the clear but is extracted by analyzing response times or (in the case of traditional side-channel attacks) fluctuations in the current drawn by the device. In a sense, this is the analogue of a spy device that “eavesdrops” on the vibrations of the window glass in a room where a conversation is taking place. It is too early to talk about practical applications of these attacks. For example, NetSpectre, under ideal conditions, managed to “steal” secret data at a speed of four bits per minute. And nobody is even discussing whether this is the data an attacker needs, that is, whether it contains anything really important. Research around Spectre may “pay off” in 10 years, or it may remain a niche topic of device protection,

    Is there a similar story, in which a purely scientific study took on a practical shape, that we could use to estimate the timescale? Look at the SHA-1 cryptographic hash function. It was developed by the US National Security Agency in 1995. Ten years later, in 2005, researchers showed for the first time that finding collisions (two data sets that produce the same hash) requires less computing power than theoretically predicted (but still a great deal). In 2012, the estimate was 2 to the eleventh power server-years by 2015. But in 2015 servers turned out to be better than expected, and new calculations showed a figure of 49 days, laughable for any state intelligence service. That was enough to declare the hashing algorithm unreliable: in 2017, the makers of all major browsers stopped using it for generating SSL certificates. In the same year, researchers from Google and the CWI Institute showed a practical attack: they created two different PDFs that produce the same SHA-1 hash.

    In total: 22 years of the technology's existence, 12 years of research and, note, no benefit to cybercrime: even the experiment with two PDFs remained a purely scientific exercise. Spectre can become really dangerous if processor manufacturers keep ignoring it, and they sometimes try to: new research on the topic is at times accompanied by vendor comments to the effect that this is standard behavior, a feature and not a bug.

    Machine learning

    The study on reconstructing the image on a monitor from the noise emitted by the monitor's own power supply also looks doubtful from the point of view of real-world use. Nevertheless, the researchers, albeit with major reservations, managed to reconstruct the image on the screen by recording and analyzing only the whine of the power circuitry, using convolutional neural networks trained to match the parasitic noise to the image. In a sense, this is also a side-channel attack: data is captured through a place where nobody expected a leak.

    And this is exactly what Blade Runner (this time the film) predicted well, in the clunky eight-bit style of the time it was shot:

    There you have voice control and clever image processing (more about this episode - here), in short, Hollywood in all its glory. Although the real research is far from such technical heights, it fits well into the canon of incredible, fantastic achievements of the national economy. And this is only the beginning. What comes next? Let's fantasize: reliable identification of users on the web by the way they move the mouse, scroll the smartphone screen and hold the phone in their hand. Mood detection by voice. A threat to privacy from massively collected and processed data, which helps build a profile with traits that the person does not know about themselves. Universal face recognition on city streets. Oh wait, this is not the future, this is the present!

    Well, these technologies will not necessarily harm humanity; on the contrary, they can help. Machine learning makes it possible to extract meaning where previously only white noise was seen. This brings both new opportunities and new risks, at the very least in terms of storing the collected data. At most, technologies like the research on monitors will make it extremely difficult to keep anything secret. Even if you go and buy typewriters, the entire text can surely be reconstructed from the sound of the keystrokes.

    IoT and the devices equated with it

    One of the most popular digests of this year was devoted to vulnerabilities in Mikrotik, D-Link and TP-Link routers. Equating routers with the Internet of Things is debatable, so let's put it carefully: serious risks in the future will come from devices that operate autonomously, communicate mainly with their own kind, and do so in a way that few people know what is going on inside them. Routers are a telling victim here: for the last couple of years they have been attacked en masse, they have all the traits of autonomous devices, and their compromise sooner or later becomes noticeable.

    The obvious victims of the insecure IoT of the future are smart speakers and other devices that monitor their owner around the clock. News about them still reads like jokes: in one story a smart speaker starts giggling in the middle of the night, in another a resident of Germany who files a GDPR request receives a completely different person's voice recordings from Amazon. Anything that is connected to your home network and has its own relationship with external servers is potentially vulnerable. For now the discussion around smart devices revolves only around privacy, but it is possible that soon we will be talking about isolating IoT from everything else: why does your electricity meter have access to your file share?

    In ideas about the future we often tend to go to extremes: it will be either a beautiful utopia or cyberpunk darkness. The dear editors suppose that everything will be quite good, even without flying cars. But even so, the era of the "personal computer" as a useful but optional device, like a calculator, is ending. A time is beginning in which people are fully embedded in the network, interact with it every minute and depend on it. That means even theoretical threats to the functioning of this world should not be taken lightly. This world is different, but on the whole it is good enough to try not to break it. Will it work out? We will continue to monitor. Holiday greetings! The first digest of the new year will be released on January 14th.

    Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The dear editors generally recommend treating any opinion with healthy skepticism.
