With so much cybersecruity news flying around, it is hard to keep track of the bigger stories that emerged. Here is the GFI security round-up of the three top cybersecurity stories of January 2018.
2018 opened with a bang with the public unveiling of the now-infamous Meltdown and Spectre vulnerabilities on January 3. Between them this pair of problems affected literally billions of computers, smartphones and tablets, everywhere.
Meltdown was slightly more limited, mainly affecting “only” Intel chips, plus a few high-end ARM devices. With Intel holding more than 75% of the server and desktop markets, and the flaw present in just about every chip they’ve produced since 1995, this was a pretty big deal on its own. Coupled with Spectre, which impacted pretty much every processor out there, almost no-one escaped the effects of this double whammy.
The flaws potentially allowed attackers to snoop on privileged data from the system memory, even breaching the separation between clients and their hosts in cloud infrastructures. They had been independently uncovered by researchers from Google and Austria’s Graz University of Technology, and reported to device makers back in July 2017; the public release had been planned for January 9th, but was pushed forward as changes to the Linux kernel code were sparking suspicions that something big was coming.
Tweaks were required in Microsoft’s Windows, Apple’s MacOS and iOS, and all varieties of Linux, including those underlying Google’s Android and Chrome OS platforms. Browser changes were needed in some cases too. Patches and fixes were rolled out in a hurry, so some platforms including Ubuntu were not quite ready with protections when the flaws were unveiled. Chip makers also released lower-level fixes, with Intel’s causing further crashing headaches for Windows users.
As both flaws took advantage of features designed to add efficiency and speed, the fixes slowed things down a bit, introducing what some called “serious performance lag”. For most consumer devices at least, the effect would be hard to detect, but for anyone running high-powered systems and relying on optimum speed and power, any reduction can prove a major problem. Financial systems where every nanosecond counts were particularly hard-hit.
End users were left with little option but to to stay informed and install security patches from providers as they are released.
2. Bitcoin Heist in Japan
As 2017 came to a close, there was an unprecedented spike in headlines about cryptocurrency: the price of Bitcoin was soaring insanely high, and the concept of border-busting digital currencies was suddenly mainstream news.
The Bitcoin spike continued into 2018, but was already slipping back to more reasonable levels when another set of headlines shook confidence in the whole idea: another epic heist, with over $500m lost in what’s thought to be the biggest ever crypto theft.
Hackers hit Japanese digital exchange Coincheck in late January, making off with a huge haul of “XEM”, estimated to be the tenth largest cryptocurrency by value. 5% of the total supply was grabbed in the heist, worth $533 million at the time.
In the wake of the loss, Japan’s regulators have launched an investigation into how the exchange managed to lose the funds, Coincheck has promised to refund all customers affected, and the currency’s operator NEM Foundation has been tracking the movements of the stolen chunk of intangible wealth to see where it goes.
The value of the heist surpasses the previous record-holder, MtGox, also based in Japan, which lost $450 million worth of Bitcoin to hackers in 2014.
Investigators in the MtGox incident have suggested the funds may have been drained slowly over a period of up to three years; Coincheck claim they spotted their breach in little over 8 hours.
As it is impossible to know which exchanges will be hit by attack agents, and which will not, Bitcoin investors should avoid storing their money on the exchanges, and only upload it as and when you want to convert your Bitcoin into another currency.
3. Aadhaar data exposure:
Just as the Meltdown/Spectre debacle was filling the headlines, a story was unfolding of a potential leak in one of the world’s biggest databases of personal information.
Aadhaar, touted as the world’s largest biometric ID system with more than 1.19 billion enrolled members, claims to represent 99% of Indian adults over the age of 18. Operated by the Unique Identification Authority of India (UIDAI), the system assigns an identifying code number to each person enrolled, connected to a wealth of details on that individual including name, address, age, gender, photo, and additional biometric data – fingerprints and iris scans.
Despite the validity of Aadhaar being challenged in the courts, the central government has pushed citizens to link their Aadhaar numbers with a host of services, including bank accounts, mobile phone SIMs, pensions, unemployment benefits and other welfare services. There have been security concerns in the past, mainly with leaks from agencies which have collected rafts of Aadhaar data, or government departments whose websites leaked info they were holding.
In an article published on January 3 by India’s Tribune news service, an investigative journalist revealed how she had managed to buy a login allowing her to look up anyone’s Aadhaar number and view their personal data. The login cost her 500 rupees (less than $8 US). The journalist suspects that as many as 100,000 small regional firms had bought such logins, sold via WhatsApp groups, in order to sell “Aadhaar services” to local people.
The UIDAI denies this counted as a data breach, as it wouldn’t be possible to download all 1 billion+ records in their system, one at a time. (They also issued a police complaint against the journalist, on the grounds that she had accessed their data illegally – her right to investigate has been supported by Edward Snowden, among others). They also insist that biometric data was not accessible via this method, and emphasize that the Aadhaar is not a “secret”, requiring additional supportive information before it can be used to identify someone.
Either way, it’s likely that yet more vast amounts of data were accessible to people who really shouldn’t have had access. And, on the back of epic breaches like Experian or the US voter database, it shows that there are still many teething problems when it comes to secure universal ID systems. After all, these are the databases that hold our most sensitive data.
That’s it for January 2018. Tune in early in March for GFI Software’s February round-up.