Skip to content

Framework for Improving Critical Infrastructure Cybersecurity Version 1

The NIST CSF was designed with the intent that individual businesses and other organisations use an assessment of the business risks they face to guide their use of the framework in a cost-effective way.

The framework is divided into three parts: the Framework Core, Framework Implementation Tiers and Framework Profiles:

  • The Framework Core is a set of activities, outcomes and references that detail approaches to aspects of cyber security. The core comprises five functions, which are subdivided into 22 categories (groups of cyber security outcomes) and 98 subcategories (security controls).
  • Framework Implementation Tiers are used by an organisation to clarify for itself and its partners how it views cyber security risk and the degree of sophistication of its management approach.
  • Framework Profile is a list of outcomes that an organisation has chosen from the categories and subcategories, based on its business needs and individual risk assessments.

nist framework colour coded

Core functions, categories, subcategories and informative references

The five Framework Core functions are:

  • Identify – Develop the organisational understanding to manage cyber security risk to systems, assets, data and capabilities.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cyber security event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cyber security event.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired because of a cyber security event.

Each function is divided into categories – groups of cyber security outcomes that relate to particular activities. Examples include ‘Asset Management’, ‘Access Control’ and ‘Detection Processes’.

nist protect.gif

Subcategories further divide a category into specific outcomes of technical and/or management activities (security controls). Examples include ‘External information systems are catalogued’, ‘Data-at-rest is protected’ and ‘Notifications from detection systems are investigated’.

For each subcategory, the CSF provides informative resources that cite specific sections of a variety of information security standards, including ISO 27001, COBIT®, NIST SP 800-53, ISA 62443, and the Center for Internet Security’s 20 Critical Security Controls.

NIST Cybersecurity Framework version 1, 2014

https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

NIST Cybersecurity Draft Framework version 1.1, 2017

https://www.nist.gov/sites/default/files/documents/2017/12/05/draft_roadmap-version-1-1.pdf

 

Advertisements

Draft NIST Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1 December 5, 2017

This companion Roadmap to the Framework for Improving Critical Infrastructure
Cybersecurity (Cybersecurity Framework or the Framework) describes plans for
advancing the Framework development process, discusses the National Institute of
Standards and Technology’s (NIST’s) next steps with the Framework, and identifies key
areas of development, alignment, and collaboration. This plan provides a description of
anticipated future activities related to the Framework and offers stakeholders another
opportunity to participate actively in the continuing Framework development process.
While the plan is focused on the Cybersecurity Framework, the results of work described
in this roadmap are expected to be useful to a much broader audience to improve
cybersecurity risk management in much the same way that the Framework itself is useful
to many sectors and organizations that are not strictly defined as part of the critical
infrastructure. This Roadmap reflects revisions to the original planning document
released in February 20141 when Version 1.0 of the Framework was released, and
contains updates corresponding with draft Version 1.1 of the Framework.

Reference

https://www.nist.gov/sites/default/files/documents/2017/12/05/draft_roadmap-version-1-1.pdf

Intel fix reduces server performance by 2% to 25% for large volumes of data

Intel says devices are rebooting more than usual after being patched with fixes it has issued to the Spectre and Meltdown security flaws in its chips.

The company said it had reproduced the problem and was “making progress toward identifying the root cause”.

It also shared information about how the patches might affect computer performance in data centres.

One financial industry expert told the BBC he was concerned about the numbers being quoted.

Intel said its tests showed a reduction in performance ranging from 2% to 25%.

The US company said it was working with partners and customers to find ways to “address” the issue.

In an update on its website, Intel said the reboot problem had been identified in its Ivy Bridge, Sandy Bridge and Skylake processors.

It also affected Kaby Lake chips – its most recent offering.

‘Initial analysis’

Two separate security flaws, known as Meltdown and Spectre, were publicly disclosed in January.

Researchers discovered gaps in security stemming from central processing units – better known as the chip or microchip – that could allow privately stored data in computers and networks to be hacked.

Experts suggested fixing the problem could reduce the performance of Intel chips significantly.

Intel said its “initial analysis” for business cases such as running website servers showed a slowdown of 2%.

But it added that when it simulated a stock brokerage making transactions, the chips saw a 4% reduction in performance.

One industry insider suggested that figure was more significant than it might seem at first glance.

“In a company like ours, 4% would be a massive difference,” said Alasdair Haynes from the stock exchange Aquis.

“We measure the time of trades in microseconds. Firms spend an enormous amount of time and money trying to get the fastest speed out of a server.”

The most significant reduction in performance involved computer servers that store and retrieve large volumes of data. For those, the slowdown could be as severe as 25%.

Reference

http://www.bbc.com/news/technology-42733032

The reluctant cyber hero: How a 22-year-old stumbled across the worst computer chip flaw in history while reading huge Intel processor manuals with thousands of pages – INTEL FLAW

In cybersecurity circles at least, the 22-year-old German shot to fame this month when he was revealed as the man who exposed the worst computer chip flaw ever.

In uncovering the fault, which has existed for more than two decades but went completely unnoticed, he beat teams of analysts working from years of research.

Even more incredibly, he stumbled across the defect by accident while reading through thousand-page processor manuals for a completely different project.

The flaw affects most processors manufactured by Intel since 1995 but went completely undiscovered until Horn happened upon it

Horn was actually trying to work out whether processors could handle an intense piece of number-crunching code he had devised when he began picking through the doorstop-sized manuals last year, Bloomberg reports.

His research led him to a process known as speculative execution – where a chip tries to guess what it might be asked to do next and starts performing that task ahead of time in order to increase speed.

In doing so it starts fetching data from various parts of the machine and storing that information in its memory.

Horn discovered that, even if the chip guessed wrong, the data it had retrieved would still be stored and could potentially be stolen by a clever hacker.

Working from Google’s Project Zero lab in Zurich, he compared notes with other researchers before making his discovery – chips could be tricked into retrieving data of a hacker’s choosing, which could then be stolen.

 

Reference

http://www.dailymail.co.uk/news/article-5283089/German-22-year-old-worst-computer-chip-flaw-ever.html

Quit social media | Dr. Cal Newport | TEDxTysons

‘Deep work’ will make you better at what you do. You will achieve more in less time. And feel the sense of true fulfillment that comes from the mastery of a skill.

Former Facebook executive: social media is ripping society apart

Former Facebook exec: “I think we have created tools that are ripping apart the social fabric of how society works. The short-term, dopamine-driven feedback loops we’ve created are destroying how society works. No civil discourse, no cooperation; misinformation, mistruth. You are being programmed” (2017)

 

 

Nice to see some honesty from Facebook, even if only from an ex employee.

Edward Snowden’s new app turns any Android phone into a surveillance system

The app was developed by The Guardian ProjectFreedom Of The Press and Snowden to offer eyes and ears to prevent, or at least increase awareness, of whether a device has been tampered with.

So, for example, you’d set up a burner Android device in a hotel safe alongside your laptop. Haven could then be set to broadcast any audio or movement, basically if anyone opened the safe it will snap a photo, record audio and detect motion. Alerts can be sent via SMS, Signal or to a Tor-based website.

 

Writing for The Intercept, Micah Lee, a member of Freedom Of The Press who help set up and test the app, admitted that the app does have some shortcomings — such as maintaining constant internet access for notifications, preventing battery drain and false positives — but it offers something new for those who would welcome the peace of mind from additional surveillance. While beyond helping keep hardware secure, it could also have other uses.

“Haven can also be used as a cheap home or office security system to detect break-ins or vandalism while you’re away, positioning the phone to send you photographs when someone walks within range. Or you can use it to monitor for wildlife in rural areas, or to capture evidence of human rights violations and disappearances,” Lee wrote.

Or even something more festive…

Haven can be downloaded via Google Play and open source Android app store F-Droid.

Snowden, who remains exiled in Russiapreviously helped develop an iPhone case that detects when a device is transmitting data that can put users at risk of detection, and he’s been very vocal about services that he believes are problematic for privacy. He previously advised that people get rid of Dropbox and avoid using Google and Facebook and has spoken at length on why data collection is “the central problem of the future.”

Reference:

https://techcrunch.com/2017/12/24/edward-snowden-haven-app/

Randomize your WiFi MAC address on Ubuntu 16.04

Your device’s MAC address can be used to track you across the WiFi networks you connect to. That data can be shared and sold, and often identifies you as an individual. It’s possible to limit this tracking by using pseudo-random MAC addresses.

A captive portal screen for a hotel allowing you to log in with social media for an hour of free WiFi

Image courtesy of Cloudessa

Every network device like a WiFi or Ethernet card has a unique identifier called a MAC address, for example b4:b6:76:31:8c:ff. It’s how networking works: any time you connect to a WiFi network, the router uses that address to send and receive packets to your machine and distinguish it from other devices in the area.

The snag with this design is that your unique, unchanging MAC address is just perfect for tracking you. Logged into Starbucks WiFi? Noted. London Underground? Logged.

If you’ve ever put your real name into one of those Craptive Portals on a WiFi network you’ve now tied your identity to that MAC address. Didn’t read the terms and conditions? You might assume that free airport WiFi is subsidised by flogging ‘customer analytics’ (your personal information) to hotels, restaurant chains and whomever else wants to know about you.

I don’t subscribe to being tracked and sold by mega-corps, so I spent a few hours hacking a solution.

MAC addresses don’t need to stay the same

Fortunately, it’s possible to spoof your MAC address to a random one without fundamentally breaking networking.

I wanted to randomize my MAC address, but with three particular caveats:

  1. The MAC should be different across different networks. This means Starbucks WiFi sees a different MAC from London Underground, preventing linking my identity across different providers.
  2. The MAC should change regularly to prevent a network knowing that I’m the same person who walked past 75 times over the last year.
  3. The MAC stays the same throughout each working day. When the MAC address changes, most networks will kick you off, and those with Craptive Portals will usually make you sign in again – annoying.

Manipulating NetworkManager

My first attempt of using the macchanger tool was unsuccessful as NetworkManager would override the MAC address according to its own configuration.

I learned that NetworkManager 1.4.1+ can do MAC address randomization right out the box. If you’re using Ubuntu 17.04 upwards, you can get most of the way with this config file. You can’t quite achieve all three of my requirements (you must choose randomor stable but it seems you can’t do stable-for-one-day).

Since I’m sticking with Ubuntu 16.04 which ships with NetworkManager 1.2, I couldn’t make use of the new functionality. Supposedly there is some randomization support but I failed to actually make it work, so I scripted up a solution instead.

Fortunately NetworkManager 1.2 does allow for spoofing your MAC address. You can see this in the ‘Edit connections’ dialog for a given network:

Screenshot of NetworkManager's edit connection dialog, showing a text entry for a cloned mac address

NetworkManager also supports hooks – any script placed in /etc/NetworkManager/dispatcher.d/pre-up.d/ is run before a connection is brought up.

Assigning pseudo-random MAC addresses

To recap, I wanted to generate random MAC addresses based on the network and the date. We can use the NetworkManager command line, nmcli, to show a full list of networks:

> nmcli connection
NAME                 UUID                                  TYPE             DEVICE
Gladstone Guest      618545ca-d81a-11e7-a2a4-271245e11a45  802-11-wireless  wlp1s0
DoESDinky            6e47c080-d81a-11e7-9921-87bc56777256  802-11-wireless  --
PublicWiFi           79282c10-d81a-11e7-87cb-6341829c2a54  802-11-wireless  --
virgintrainswifi     7d0c57de-d81a-11e7-9bae-5be89b161d22  802-11-wireless  --

Since each network has a unique identifier, to achieve my scheme I just concatenated the UUID with today’s date and hashed the result:


# eg 618545ca-d81a-11e7-a2a4-271245e11a45-2017-12-03

> echo -n "${UUID}-$(date +%F)" | md5sum

53594de990e92f9b914a723208f22b3f  -

That produced bytes which can be substituted in for the last octets of the MAC address.

Note that the first byte 02 signifies the address is locally administered. Real, burned-in MAC addresses start with 3 bytes designing their manufacturer, for example b4:b6:76 for Intel.

It’s possible that some routers may reject locally administered MACs but I haven’t encountered that yet.

On every connection up, the script calls nmcli to set the spoofed MAC address for every connection:

A terminal window show a number of nmcli command line calls

As a final check, if I look at ifconfig I can see that the HWaddr is the spoofed one, not my real MAC address:

> ifconfig
wlp1s0    Link encap:Ethernet  HWaddr b4:b6:76:45:64:4d
          inet addr:192.168.0.86  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::648c:aff2:9a9d:764/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12107812 errors:0 dropped:2 overruns:0 frame:0
          TX packets:18332141 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11627977017 (11.6 GB)  TX bytes:20700627733 (20.7 GB)

The full script is available on Github.

**Comment
This looks interesting, as a privacy technique.

 

Reference

https://www.paulfurley.com/randomize-your-wifi-mac-address-on-ubuntu-1604-xenial/

Thank you for Two Million hits

Do you know how this blog started?  During the final year of the BSc course, our tutors wanted to ensure that our research was on course.  Therefore we were asked to create a blog to support our thesis.

Comments from here indicated that everyone was intrigued with privacy, so the blog ventured heavily into tutorials for VPN’s.  At that point, traction started to increase dramatically.

Next, the privacy part of the thesis was selected for publication, and I had to present it to a room full of barristers, whilst standing on a gold podium.

Now, today, I have to say thank you for two million hits.

It’s been a real pleasure.

Finally, did you know the Uni gave me a First – and that listening to your comments were pivotal in that.

Thank you for Two Million hits – and for your comments.

Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets

Intel today admitted its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) are vulnerable to multiple worrying security flaws, based on the findings of external security experts.

The firmware-level bugs allow logged-in administrators, and malicious or hijacked high-privilege processes, to run code beneath the operating system to spy on or meddle with the computer completely out of sight of other users and admins. The holes can also be exploited by network administrators, or people masquerading as admins, to remotely infect machines with spyware and invisible rootkits, potentially.

Meanwhile, logged-in users, or malicious or commandeered applications, can leverage the security weaknesses to extract confidential and protected information from the computer’s memory, potentially giving miscreants sensitive data – such as passwords or cryptographic keys – to kick off other attacks. This is especially bad news on servers and other shared machines.

In short, a huge amount of Intel silicon is secretly running code that is buggy and exploitable by attackers and malware to fully and silently compromise computers. The processor chipsets affected by the flaws are as follows:

  • 6th, 7th and 8th Generation Intel Core processors

  • Intel Xeon E3-1200 v5 and v6 processors

  • Intel Xeon Scalable processors

  • Intel Xeon W processors

  • Intel Atom C3000 processors

  • Apollo Lake Intel Atom E3900 series

  • Apollo Lake Intel Pentiums

  • Celeron N and J series processors

Intel’s Management Engine, at the heart of today’s disclosures, is a computer within your computer. It is Chipzilla’s much maligned coprocessor at the center of its vPro suite of features, and it is present in various chip families. It has been assailed as a “backdoor” – a term Intel emphatically rejects – and it is a mechanism targeted by researchers at UK-based Positive Technologies, who are set to reveal in detail new ways to exploit the ME next month.

The Management Engine is a barely documented black box. it has its own CPU and its own operating system – recently, an x86 Quark core and MINIX – that has complete control over the machine, and it functions below and out of sight of the installed operating system and any hypervisors or antivirus tools present.

It is designed to allow network administrators to remotely or locally log into a server or workstation, and fix up any errors, reinstall the OS, take over the desktop, and so on, which is handy if the box is so messed up it can’t even boot properly.

The ME runs closed-source remote-administration software to do this, and this code contains bugs – like all programs – except these bugs allow hackers to wield incredible power over a machine. The ME can be potentially abused by to install rootkits and other forms of spyware that silently snoop on users, steal information, or tamper with files.

SPS is based on ME, and allows you to remotely configure Intel-powered servers over the network. TXE is Intel’s hardware authenticity technology. Previously, the AMT suite of tools, again running on ME, could be bypassed with an empty credential string.

Today, Intel has gone public with more issues in its firmware. It revealed it “has identified several security vulnerabilities that could potentially place impacted platforms at risk” following an audit of its internal source code:

In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of our Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience.

The flaws, according to Intel, could allow an attacker to impersonate the ME, SPS or TXE mechanisms, thereby invalidating local security features; “load and execute arbitrary code outside the visibility of the user and operating system”; and crash affected systems. The severity of the vulnerabilities is mitigated by the fact that most of them require local access, either as an administrator or less privileged user; the rest require you to access the management features as an authenticated sysadmin.

Intel 5th Generation Core processor with vPro

Intel ME controller chip has secret kill switch

READ MORE

But as Google security researcher Matthew Garrett pointed out in the past hour or so, the aforementioned AMT flaw, if not patched, could allow remote exploitation.

In other words, if a server or other system with the AMT hole hasn’t been updated to kill off that vulnerabilities, these newly disclosed holes will allow anyone on the network to potentially log in and execute malicious code within the powerful ME coprocessor.

“The ME compromise presumably gives you everything the AMT compromise gives you, plus more,” said Garrett via Twitter. “If you compromise the ME kernel, you compromise everything on the ME. That includes AMT, but it also includes PTT.”

He explained, “PTT is Intel’s ‘Run a TPM in software on the ME’ feature. If you’re using PTT and someone compromises your ME, the TPM is no longer trustworthy. That probably means your Bitlocker keys are compromised, but it also means all your remote attestation credentials are toast.”

Garrett said if an exploit allows unsigned data to be installed and interpreted by the ME, an attacker could effectively trigger the reinfection of malware after every ME reboot. Were that to happen, the only way to fix things would be to reflash the hardware by hand. At that point, he said, it would probably be cheaper just to get new hardware.

Intel said systems using ME Firmware versions 11.0, 11.5, 11.6, 11.7, 11.10, and 11.20, SPS Firmware version 4.0, and TXE version 3.0 are affected. The cited CVE-assigned bugs are as follows:

  • Intel Manageability Engine Firmware 11.0.x.x/11.5.x.x/11.6.x.x/11.7.x.x/11.10.x.x/11.20.x.x
    • CVE-2017-5705: “Multiple buffer overflows in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code.” Logged-in superusers, or high-privilege programs, can execute code within the hidden Management Engine, below the OS and any other software.
    • CVE-2017-5708: “Multiple privilege escalations in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow unauthorized process to access privileged content via unspecified vector.” Logged-in users or running apps can slurp confidential information out of memory. This is very bad news on a shared system.
    • CVE-2017-5711: “Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.” Logged-in superusers, or high-privilege programs, can execute code within the AMT suite, below the OS and any other software.
    • CVE-2017-5712: “Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege.” People with network access to a machine, and can log in as an admin, can execute code within the AMT suite.
  • Intel Manageability Engine Firmware 8.x/9.x/10.x
    • CVE-2017-5711: “Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.” Logged-in superusers, or high-privilege programs, can execute code within the AMT suite, below the OS and any other software.
    • CVE-2017-5712: “Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege.” People with network access to a machine, and can log in as an admin, can execute code within the AMT suite.
  • Server Platform Service 4.0.x.x
    • CVE-2017-5706: “Multiple buffer overflows in kernel in Intel Server Platform Services Firmware 4.0 allow attacker with local access to the system to execute arbitrary code.” Logged-in superusers, or high-privilege programs, can execute code within the hidden Management Engine, below the OS and any other software.
    • CVE-2017-5709: “Multiple privilege escalations in kernel in Intel Server Platform Services Firmware 4.0 allows unauthorized process to access privileged content via unspecified vector.” Logged-in users or running apps can slurp confidential information out of memory. This is very bad news on a shared system.
  • Intel Trusted Execution Engine 3.0.x.x
    • CVE-2017-5707: “Multiple buffer overflows in kernel in Intel Trusted Execution Engine Firmware 3.0 allow attacker with local access to the system to execute arbitrary code.” Logged-in superusers, or high-privilege programs, can execute code within the hidden Management Engine, below the OS and any other software.
    • CVE-2017-5710: “Multiple privilege escalations in kernel in Intel Trusted Execution Engine Firmware 3.0 allows unauthorized process to access privileged content via unspecified vector.” Logged-in users or running apps can slurp confidential information out of memory. This is very bad news on a shared system.

Chipzilla thanked Mark Ermolov and Maxim Goryachy at Positive for discovering and bringing to its attention the flaw CVE-2017-5705, which sparked the aforementioned review of its source code for vulnerabilities.

Intel advises Microsoft and Linux users to download and run the Intel-SA-00086 detection tool to determine whether their systems are vulnerable to the above bugs. If you are at risk, you must obtain and install firmware updates from your computer’s manufacturer, if and when they become available. The new code was developed by Intel, but it needs to be cryptographically signed by individual hardware vendors in order for it to be accepted and installed by the engine.

Lenovo was quick off the mark with patches for its gear ready to download.

We’ll give you a roundup of fixes as soon as we can. It’s not thought Apple x86 machines are affected as they do not ship with Intel’s ME, as far as we can tell.

Today’s news will no doubt fuel demands for Intel to ship components free of its Management Engine – or provide a way to fully disable it – so people can use their PCs without worrying about security bugs on mysterious secluded coprocessors. ®

Reference:

https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/

Dell Response

http://www.dell.com/support/article/fr/fr/frbsdt1/sln308237/dell-client-statement-on-intel-me-txe-advisory–intel-sa-00086-?lang=en

%d bloggers like this: