YAIF (Yet another Intel flaw)...

ubuysa

The BSOD Doctor
This one's called PotSmash and it's an Intel hyperthreading issue that potentially allows one thread on a multithreaded core to learn information about the other thread on the same core. The good news for us home users is that the malware would have to get on our PCs first in order to exploit the flaw, but those running server farms or multi-tenant platforms should be worried. It seems the only workaround now is to disable hyperthreading, something that might not be possible on some platforms.

See https://nakedsecurity.sophos.com/2018/11/05/portsmash-attack-steals-secrets-from-intel-chips-on-the-side/?utm_source=Naked+Security+-+Sophos+List&utm_campaign=885c0e7fd9-Naked+Security+daily+news+email&utm_medium=email&utm_term=0_31623bb782-885c0e7fd9-455147793

There is also a related exploit of (I think) the same flaw called TLBleed that can extract a private key on an Intel hyperthreading system. It's not encouraging is it...?
 

Tony1044

Prolific Poster
I think it's called Portsmash, but Potsmash is better

I was going to say the same things! :)

To be fair with this one though (and I really don't like to play devil's advocate for the likes of Intel), this one sounds very difficult to implement and requires physical access.

And when it comes to security, all bets are off if someone has physical access AND the right elevated access to install the necessary software to implement a flaw like this.

I once walked out of a meeting with a pen-tester that had come in to the bank I was working at.

Day 1 - Pen-tester: "I need an account with domain admin rights, an account with SQL SA* rights and accounts with administrative privileges on the network kit"
Me: Aren't you supposed to try and get that without our help?
PT: It's just quicker...

Having been granted them, we had the meeting a week later
PT: "I could access everything on the servers, including all the local disks, I could manipulate accounts in the domain and I could change records in SQL. On top of that, I could change network configurations"
Me: "No s**t, Sherlock...you had the keys to the kingdom"
Project Manager: "So... our stuff isn't built right?"
Me: Walked out laughing, having washed my hands of the debacle it'd turned into.

*For those who don't know Microsoft SQL, the SA account is a local account that allows you to do anything and everything. It's the single most powerful account and is usually not enabled these days, but rather named accounts with just the permissions needed.

Oh yeah - just recalled, he also cried about finding build-information and configuration information in servers that were being used to develop an automated build...information that wouldn't actually exist post-development.

I was NOT impressed.
 

ubuysa

The BSOD Doctor
I think it's called Portsmash, but Potsmash is better

I am so sorry. I know I typed the 'r', but I've been having some issues with the 'r', 'w' and 'd' keys of late, apparently they're upset that I press the 'e' key a lot more than I press them. I had an email from the r, w, and d, keys this morning and it's not confidential so I'll reproduce it here...

w ar your r w and d kys and wr wll annoyd that you don't rspct us as much as your favourit ky, that on that w won't mntion that's vry clos to us and which you prss all the tim. Unlss you start using us as oftn as that othr on wll go on strik and stop working for you. So thr!

I will from now on try to avoid using that input thing that's in point but it's hard and my words might look funny, so sorry.....

:surrender:
 

mishra

Rising Star
Day 1 - Pen-tester: "I need an account with domain admin rights, an account with SQL SA* rights and accounts with administrative privileges on the network kit"
Having been granted them, we had the meeting a week later

It looks to me you have been nicely Social Engineered :p Just joking here. I know these PenTesters are a right PITA and most of them are jockeys when it comes to usual knowledge. We had a company who used Kali Linux to generate a report and re-brand it in order to ask top dollar for such work. Unbelievable.
 

Tony1044

Prolific Poster
It looks to me you have been nicely Social Engineered :p Just joking here. I know these PenTesters are a right PITA and most of them are jockeys when it comes to usual knowledge. We had a company who used Kali Linux to generate a report and re-brand it in order to ask top dollar for such work. Unbelievable.

Too many do that.

But as I run Kali myself I can usually spot when they've done it.

It wasn't social engineering as we complained bitterly to the powers that be - their response was that the pentester had threatened to walk (and still bill) if not handed everything they asked for.
 

mishra

Rising Star
It wasn't social engineering as we complained bitterly to the powers that be - their response was that the pentester had threatened to walk (and still bill) if not handed everything they asked for.

Wow, unbelievable. A PenTester's job is to find vulnerabilities in the system and ways to get into the system that the usual sysadmin failed to spot. If they start asking for domain and SQL passwords well... what sort of holes are they planning to find. Ehhh. Anyhow think we're going slightly off-topic here so will stop it there.
 

Tony1044

Prolific Poster
Wow, unbelievable. A PenTester's job is to find vulnerabilities in the system and ways to get into the system that the usual sysadmin failed to spot. If they start asking for domain and SQL passwords well... what sort of holes are they planning to find. Ehhh. Anyhow think we're going slightly off-topic here so will stop it there.

Well they couldn't have found their own holes with a torch and a map.

It's like me asking for your house keys and then saying "not very secure your place, is it? I could rifle through your drawers!"
 

ubuysa

The BSOD Doctor
Well they couldn't have found their own holes with a torch and a map.

It's like me asking for your house keys and then saying "not very secure your place, is it? I could rifle through your drawers!"

When I was in charge of system security in a large mainframe installation we'd find that people would never ask for the access they actually needed, because that took some effort to establish, they'd always ask for the highest access level that would give them the access they needed - often this was the highest user access level available. What was even scarier was that their managers would sign off on these requests without themselves taking the trouble to find out what access was actually required. I used to enjoy sending them back.... :taz:

People are basically lazy and will usually look for the easiest solution, it doesn't surprise me in the least when large corporations suffer a security breach. In my experience (which is 20 years old now) people see security as a problem for them rather than a benefit and eagerly seek to circumvent it at every opportunity - including on home PCs....
 

Tony1044

Prolific Poster
When I was in charge of system security in a large mainframe installation we'd find that people would never ask for the access they actually needed, because that took some effort to establish, they'd always ask for the highest access level that would give them the access they needed - often this was the highest user access level available. What was even scarier was that their managers would sign off on these requests without themselves taking the trouble to find out what access was actually required. I used to enjoy sending them back.... :taz:

People are basically lazy and will usually look for the easiest solution, it doesn't surprise me in the least when large corporations suffer a security breach. In my experience (which is 20 years old now) people see security as a problem for them rather than a benefit and eagerly seek to circumvent it at every opportunity - including on home PCs....

I've worked with Citrix technologies for around 25 years and I still see places where users are domain admins because "software x won't work without it".

I then sit down and show them how to use the likes of sysinternals' process monitor to determine exactly which files, folders and registry keys users actually require any kind of write access to.

It's pure laziness.
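The Process Monitor approach mentioned above produces thousands of events, and the part that matters for removing admin rights is the handful of write attempts that came back ACCESS DENIED. The script below is an added example (not the poster's own procedure or a Sysinternals tool) that reads a Procmon CSV export, keeps only denied write-type operations, and summarises them per file path or registry key so the user can be granted write access to just those locations. The column names are Procmon's default CSV export columns; the process name legacyapp.exe and the sample rows are constructed for illustration.

```powershell
# Added example: summarise ACCESS DENIED write attempts from a Procmon CSV export.
# Column headers below are Process Monitor's default export columns; the rows
# are constructed sample data standing in for a real capture.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:01:02.1","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\config.ini","ACCESS DENIED","Desired Access: Generic Write"
"09:01:02.2","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\logs\app.log","ACCESS DENIED","Desired Access: Generic Write, Read Attributes"
"09:01:02.3","legacyapp.exe","4120","RegSetValue","HKLM\SOFTWARE\LegacyApp\LastRun","ACCESS DENIED","Type: REG_SZ"
"09:01:02.4","legacyapp.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data"
"09:01:02.5","legacyapp.exe","4120","RegOpenKey","HKLM\SOFTWARE\LegacyApp","SUCCESS","Desired Access: Read"
"09:01:03.0","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\config.ini","ACCESS DENIED","Desired Access: Generic Write"
'@

function Get-RequiredWriteAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # rows from Import-Csv / ConvertFrom-Csv
        [string] $ProcessName                         # optional filter, e.g. 'legacyapp.exe'
    )
    # Operations that mean the process tried to change something on disk or in the registry.
    $writeOps = 'CreateFile', 'WriteFile', 'SetDispositionInformationFile', 'SetRenameInformationFile',
                'RegSetValue', 'RegCreateKey', 'RegDeleteValue', 'RegDeleteKey'
    $Events |
        Where-Object { $_.Result -eq 'ACCESS DENIED' -and $_.Operation -in $writeOps } |
        Where-Object { -not $ProcessName -or $_.'Process Name' -eq $ProcessName } |
        # CreateFile is also used for plain reads; keep only opens that asked for write-type access.
        Where-Object { $_.Operation -ne 'CreateFile' -or $_.Detail -match 'Write|Delete|Append' } |
        Group-Object Path |
        ForEach-Object {
            [pscustomobject]@{
                Kind = if ($_.Name -match '^HK') { 'Registry' } else { 'File' }
                Path = $_.Name
                Hits = $_.Count
                Ops  = ($_.Group.Operation | Sort-Object -Unique) -join ','
            }
        } |
        Sort-Object Kind, Path
}

# With a real capture: Procmon -> File -> Save -> CSV, then $events = Import-Csv .\Logfile.CSV
$events = $sampleCsv | ConvertFrom-Csv
Get-RequiredWriteAccess -Events $events -ProcessName 'legacyapp.exe' | Format-Table -AutoSize
```

On the sample data this yields one registry key and two files under the application's own folder, which is the whole list a standard user needs write permission on; everything else the application touched succeeded as a standard user, so granting local admin for it was never necessary.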
 

Oussebon

Multiverse Poster
People see security as a problem for them rather than a benefit and eagerly seek to circumvent it at every opportunity - including on home PCs....
The problem is... it often is a problem.

For instance, the organisation I work for a 'franchise' of has a very large central office, and multiple very small offices in the regions (and by small, ~5 people). The hardware sourced from them is so locked down we can't install our own software without phoning them for an admin password, which is valid for X minutes. Fair enough from a security point of view to make sure random stuff doesn't install on the PC, right? I totally get it.

Except that the whole system is designed around the central office, where it's one network that the IT team controls, totally uniform software and hardware. But out in the small offices (which aren't a part of the network beyond Onedrive for Business client/web browser), it kills us.

Every time the router decides to give the printer a new IP address and adjusting the IP address in the printer software doesn't work, the quickest fix is usually to uninstall and reinstall the printer/scanner software suite. For which we need the resetting admin password.

Want to use Chrome / Iron etc? Phone call + password time. Different email client with different features? Small app to convert a PDF to JPG... Onedrive client/Outlook playing up (again) and wants a reinstall? 7Zip? Any updates that count as a fresh install? Every time you'd get a UAC warning on your home PC basically...

Hot desking and another user requires all the above? They get to make their phone calls too, and wait for the password to be emailed over.

I appreciate why the PCs are locked down so much, since they're intended to keep the central office network secure, but the fact that they are and that they don't cater to what we need of them destroys productivity. Of course it's very hard to predict what several hundred small, unique offices will need. We can't predict that, which is why we can't just install all the above in one go. We discover new needs weekly.

While we need to work securely, we also need to actually work.

So we have 4 PCs we bought from Dell, which we control, and we get to work efficiently.

Security as a concept isn't really the issue of course, it's the poorly thought-out implementation....

Also the centrally-provided desktops don't have SSDs, only HDDs. We bought PCs with SSDs, obviously...
 

Tony1044

Prolific Poster
The problem is... it often is a problem.

For instance, the organisation I work for a 'franchise' of has a very large central office, and multiple very small offices in the regions (and by small, ~5 people). The hardware sourced from them is so locked down we can't install our own software without phoning them for an admin password, which is valid for X minutes. Fair enough from a security point of view to make sure random stuff doesn't install on the PC, right? I totally get it.

Except that the whole system is designed around the central office, where it's one network that the IT team controls, totally uniform software and hardware. But out in the small offices (which aren't a part of the network beyond Onedrive for Business client/web browser), it kills us.

Every time the router decides to give the printer a new IP address and adjusting the IP address in the printer software doesn't work, the quickest fix is usually to uninstall and reinstall the printer/scanner software suite. For which we need the resetting admin password.

Want to use Chrome / Iron etc? Phone call + password time. Different email client with different features? Small app to convert a PDF to JPG... Onedrive client/Outlook playing up (again) and wants a reinstall? 7Zip? Any updates that count as a fresh install? Every time you'd get a UAC warning on your home PC basically...

Hot desking and another user requires all the above? They get to make their phone calls too, and wait for the password to be emailed over.

I appreciate why the PCs are locked down so much, since they're intended to keep the central office network secure, but the fact that they are and that they don't cater to what we need of them destroys productivity. Of course it's very hard to predict what several hundred small, unique offices will need. We can't predict that, which is why we can't just install all the above in one go. We discover new needs weekly.

While we need to work securely, we also need to actually work.

So we have 4 PCs we bought from Dell, which we control, and we get to work efficiently.

Security as a concept isn't really the issue of course, it's the poorly thought-out implementation....

Also the centrally-provided desktops don't have SSDs, only HDDs. We bought PCs with SSDs, obviously...

This is lazy. There's no reason they couldn't grant a user local admin rights in one of two ways - first, it's a nominated IT user in each location. This is easiest to accomplish as that one person then can log in as an administrator. It's not great from a security perspective though, as it means that one user can access every machine as an admin.

Or, and I've been battling with this here - there is a way to grant a user local admin rights to only their own machine.

It's a bit tedious to set up but once it's done, maintaining it is almost trivial.

The advantages are that a user can't abuse their admin rights on other machines and there is accountability.
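One way to get the per-machine outcome described above, as an added example rather than the poster's own setup: a script run on each machine (for instance as a startup script) that consults a machine-to-user mapping, adds only the nominated user to the local Administrators group on that one host, and removes anyone else who has been added by hand. The domain name CONTOSO, the host names and the user names are constructed placeholders, and the cmdlets are the Microsoft.PowerShell.LocalAccounts module shipped with Windows 10 and Server 2016 onward.

```powershell
# Added example: one nominated local admin per machine, enforced from a mapping.
# CONTOSO, the host names and the user names are constructed placeholders.
$mapping = @{
    'BRANCH01-PC1' = 'CONTOSO\alice'
    'BRANCH01-PC2' = 'CONTOSO\bob'
}

function Get-LocalAdminForHost {
    param([string] $ComputerName = $env:COMPUTERNAME)
    # The single user allowed to be local admin on this host, or $null if none is nominated.
    $mapping[$ComputerName.ToUpperInvariant()]
}

function Sync-LocalAdmins {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [switch] $DryRun        # report what would change without touching the group
    )
    $allowed = Get-LocalAdminForHost $ComputerName
    # Members that must stay regardless: the built-in local Administrator and Domain Admins.
    $keep = @("$ComputerName\Administrator", 'CONTOSO\Domain Admins')
    if ($allowed) { $keep += $allowed }

    $current = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name

    # Anyone not on the keep list was added outside the process; log it and remove it.
    foreach ($member in $current) {
        if ($member -notin $keep) {
            Write-Host "Removing $member from Administrators on $ComputerName (not the nominated admin)"
            if (-not $DryRun) { Remove-LocalGroupMember -Group 'Administrators' -Member $member }
        }
    }
    # Add the nominated user if they are missing.
    if ($allowed -and $allowed -notin $current) {
        Write-Host "Adding $allowed to Administrators on $ComputerName"
        if (-not $DryRun) { Add-LocalGroupMember -Group 'Administrators' -Member $allowed }
    }
}

Sync-LocalAdmins -DryRun
```

Because the mapping names one account per host, alice's admin rights stop at BRANCH01-PC1: logging on to BRANCH01-PC2 gives her a standard user session, and the Write-Host lines (or a proper event log entry in production) record every deviation from the mapping, which is where the accountability comes from.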
 

ubuysa

The BSOD Doctor
The problem is... it often is a problem.

For instance, the organisation I work for a 'franchise' of has a very large central office, and multiple very small offices in the regions (and by small, ~5 people). The hardware sourced from them is so locked down we can't install our own software without phoning them for an admin password, which is valid for X minutes. Fair enough from a security point of view to make sure random stuff doesn't install on the PC, right? I totally get it.

Except that the whole system is designed around the central office, where it's one network that the IT team controls, totally uniform software and hardware. But out in the small offices (which aren't a part of the network beyond Onedrive for Business client/web browser), it kills us.

Every time the router decides to give the printer a new IP address and adjusting the IP address in the printer software doesn't work, the quickest fix is usually to uninstall and reinstall the printer/scanner software suite. For which we need the resetting admin password.

Want to use Chrome / Iron etc? Phone call + password time. Different email client with different features? Small app to convert a PDF to JPG... Onedrive client/Outlook playing up (again) and wants a reinstall? 7Zip? Any updates that count as a fresh install? Every time you'd get a UAC warning on your home PC basically...

Hot desking and another user requires all the above? They get to make their phone calls too, and wait for the password to be emailed over.

I appreciate why the PCs are locked down so much, since they're intended to keep the central office network secure, but the fact that they are and that they don't cater to what we need of them destroys productivity. Of course it's very hard to predict what several hundred small, unique offices will need. We can't predict that, which is why we can't just install all the above in one go. We discover new needs weekly.

While we need to work securely, we also need to actually work.

So we have 4 PCs we bought from Dell, which we control, and we get to work efficiently.

Security as a concept isn't really the issue of course, it's the poorly thought-out implementation....

Also the centrally-provided desktops don't have SSDs, only HDDs. We bought PCs with SSDs, obviously...

This is a classic issue and frankly I'm surprised it's still around! We fought this battle several decades ago, but it's not a security issue per se, it's a system design issue. I've watched numerous projects ranging from simple user applications to whole production processes developed with scant input from the end users. 20 or more years ago system designers considered themselves experts and wouldn't demean themselves by asking the end users whether the processes they were developing would work. I know of no occasion when a new application or process was trialled with the eventual end users to see whether what was being designed was what the users needed.

From what you say it seems you've been hit with the same lack of care for the users. That system looks to have been designed by security techs whose principal goal is to protect the passwords - though emailing them isn't a good idea unless you're on an Intranet and I'd want to be able to verify the user who is phoning too - but they didn't consider how it would affect the way you work. I really am stunned that this lack of a joined-up design process is still around. It was excusable in the 1980s and 1990s because we didn't know any better but it's such a well-known issue that I can't believe it still happens!
 

Tony1044

Prolific Poster
This is a classic issue and frankly I'm surprised it's still around! We fought this battle several decades ago, but it's not a security issue per se, it's a system design issue. I've watched numerous projects ranging from simple user applications to whole production processes developed with scant input from the end users. 20 or more years ago system designers considered themselves experts and wouldn't demean themselves by asking the end users whether the processes they were developing would work. I know of no occasion when a new application or process was trialled with the eventual end users to see whether what was being designed was what the users needed.

From what you say it seems you've been hit with the same lack of care for the users. That system looks to have been designed by security techs whose principal goal is to protect the passwords - though emailing them isn't a good idea unless you're on an Intranet and I'd want to be able to verify the user who is phoning too - but they didn't consider how it would affect the way you work. I really am stunned that this lack of a joined-up design process is still around. It was excusable in the 1980s and 1990s because we didn't know any better but it's such a well-known issue that I can't believe it still happens!

I wish I could say I was stunned but I'm really not.
 