What Hackers Know About Vulnerability Disclosures

Let the “good” make noise, otherwise the “bad” definitely will! In line with this adage, it is important to do all that is within your means to secure your data and your systems.
app testing
And you have a choice here: whether or not to indulge in a detailed vulnerability disclosure to the public at large.
What is a Vulnerability Disclosure Policy?
A Vulnerability Disclosure Policy (VDP) is a document that reports flaws in security that will adversely affect the working of your computer hardware and software.
Security researchers are ordained to disclose vulnerabilities to the parties concerned, mentioning the areas in the system that are flawed.
At times, in-house developers and vendors who work with vulnerable systems announce such security imperfections once the change in code takes place.
Once this patch is made available, security experts will be in a position to make the vulnerability public.
However, such an announcement will defeat the actual purpose of data security measures.
So, you may ask as to what is the best form of disclosure.
Here comes the response.
If you wish to tread the path of responsible disclosure, you should not make a public announcement of the vulnerabilities since you are in principle making a noise of the adverse effects.
When such claims reach the ears of hackers, they will look out for ways and means to breach the security barriers erected by you.
So the solution is to act without breathing a word about vulnerabilities and silently fix them.
Anything that is against to this basic principle will actually work in favor of hackers to steal and exploit your systems and data.
The Argument in Favor of a Vulnerability Disclosure Policy
Given the situation when an outsider identifies a potential issue with your hardware, software or website, you should be the informed of the same.
But when your vulnerability is known to others but remains unknown to you, it poses a huge risk.
If you have a VDP in place, you can ensure that the outsider or finder of the vulnerability will ring the bell to alert you.
It is then that you can ensure the safety and security of your products.
The Ideological Difference
The above introduction is much against the collective opinion of security experts who feel that it is important to inform the public of vulnerabilities.
This information, according to them is the most promising means to fix a security issue.
However, in line with what has been explained above, you will begin to understand that vulnerability disclosures actually put the public in a risky spot.

When you operate through a Vulnerability Disclosure Policy, you will be actually empowering hackers to trespass your security barriers even without your knowledge.
The Elements of a VDP
A VDP consists of five important elements. They are:

  1. Promise: An undertaking or assurance given to customers and stakeholders that they will be notified in clear terms about any security vulnerability
  2. Scope: The span of control, encompassing all the products and properties that come under the purview of a VDP. Additionally, a VDP should also cover all the types of vulnerabilities
  3. “Safe Harbor”: Shield the reporters of a vulnerability from being unduly penalized
  4. Process: There is a process in place which allows process finders to disclose vulnerabilities
  5. Preferences: A continuing document that explicitly sets the expectations for priorities and preferences that will be given to vulnerability reports

With a well-chalked out VDP in place, you can handle all the incoming alerts that are either technical or legal.
You can then initiate a communication with finders and work around a process which will permit internal teams to validate and lessen the risk while also disclosing the security vulnerability.
Lastly, a VDP finds its place to summarize and report all the activities that were initiated to combat security breaches to decision-makers and stakeholders.
How do Hackers Exploit VDPs and Their After-Effects on Your Business
When a VDP falls in the hands of a hacker, you are heading in the direction of a risky proposition in the following ways.

  1. Hackers Monetize With Sales to Law Enforcement and Intelligence Agencies

Imagine a situation when a cyber-attack occurs on the same day a flaw is detected in your software. This paves the way for a zero-day exploit when your data is exploited even before it the flaw is fixed and disclosed to you.
Leaving no scope for detection, it is during such times that a hacker makes the most of the publicly known vulnerabilities which aren’t patched yet.
Hackers are the bad guys who will then resort to selling this flawed information to good guys like the law enforcement internet security software companies.
They will rake in profits by initiating a legal sale which can involve anti-social activities like cyber warfare or child pornography as part of cybercrime activities.

  1. Inaction Towards Known Vulnerabilities

Most of the intelligence agencies feel that the less number of people who are informed of the vulnerabilities the better it is.
Since fewer people have knowledge about vulnerabilities, it become difficult for them to acknowledge their presence as well.

In such cases only the hackers who are adept at vulnerability research and quality exploit development can make good with a known vulnerability.
If you look at the statistics, a whopping 99% of all breaches stem from the exploitation of known vulnerabilities for which a patch already exists.

  1. What If You Notify the Vendor and Resort to Silent Patching

A responsible VDP calls for a great deal of prudence. You should, with the support of your VDP inform the vendor about the flaw you identified and handhold him to fix it.
That means, you should abstain from publicizing your inferences regarding the vulnerabilities.
The vendor will use that information to create and release a silent patch. This way, you will be safeguarding your system from hackers who can gain strength from your VDP.
On the flipside, there were many instances of initiating legal action against all those who conduct security breach and come out in the open about vulnerabilities by vendors.
This fear of facing legal action has prompted security researchers to make public all the vulnerabilities with a guarantee that they will not be taken to task.
Such an act will only jeopardize the goodwill of your company and hence you can steer clear of all such public disclosures.

  1. Publish Vulnerabilities Upon the Release of a Patch

Certain researchers may adopt a process to publicly release the information that they have identified, only after a patch is available. However, you all are aware of the slow speed of patching which will make this sort of an arrangement undependable.
It is highly impossible for every system to be patched in an instance, soon after the patch is released.
Once patching is in progress, you may experience downtime along with the shutdown of certain critical systems and non-functioning of software applications.
When dealing with critical infrastructure, you just cannot afford to have any sort of interruption.
This is the primary cause for major companies to take long periods before patching vulnerabilities that have been published ages ago.

  1. Short-Term Gains of Hackers

A hacker with malice in his mind will go the entire nine yards to exploit a zero-day vulnerability.
Driven by an exclusive motive to rake in profits, hackers focus on high-volume security compromises that are conducted on a large scale.
They work with a high level of confidence that once they exploit a vulnerability they are sure that a patch will soon be released.
Hence, they focus on gaining through short-term moves with a confidence that their trespassing will not be detected.

  1. The Public Becomes the Target Audience

Announcing your VDP is the riskiest proposition in contrast to the most common belief that the public will prompt vendors to act fast and come up with a damage control mechanism.
According to the notion, the general public upon getting notified of the vulnerabilities will act faster than the hacker who is waiting to exploit their systems.
The public will thus be able to secure their systems. Notwithstanding the fact that you are disclosing your vulnerabilities in good faith, you are actually working against the well-being of your organization.
You may ask, how? When you disclose your VDP to the public, you are getting exposed to an increased risk of hackers trespassing your security barriers.
Conclusion
Hackers are so well accustomed to the way in which organizations function. They know with certainty that businesses do not fix a vulnerability the moment it is detected.
They need not wait for a zero-day exploit to rake in profits. All that they need is the vulnerability disclosure that is made public.
They will work around this document and exploit your systems. Hence the solution to this ongoing issue of data and system security is to have a strong patching procedure in place.

Meltdown and Spectre: 2 CPU Security Bugs You Need to Know About

Being a cyber security term, vulnerability refers to the flaws seen in a system which further make ways for hackers and malware. At the beginning of 2018, the IT industry is already scrambling to patch up with the major security vulnerabilities that have affected almost all computers in the world.
app testing
The two flaws naming- Spectre & Meltdown was found by the security researchers at the Project Zero at Google. The vulnerabilities could allow leaking of information from mis-speculated execution which further leads to arbitrary virtual memory across various local security boundaries. Vulnerabilities in this particular issue are affecting numerous modern processors including AMD, ARM, Intel, and Apple.

Meltdown and Spectre- Security Bugs

According to the researchers Meltdown (CVE-2017-5754) is considered to be one of the worst CPU bug found till date. This bug is primarily thought to affect Intel processors manufactures since 1995. Meltdown allows the hacker to get through the hardware barrier seen between the users and the core memory of the PC.

Features:

  • Discovered by Jann Horn, a security analyst at the Google Project Zero
  • Allows low privileged processes to gain access to high privileged kernal processes to steal system memory
  • In modern processors, it used the side channel informations
  • Till now, has only affected the Intel processors
  • Makes fundamental processes fundamentally unreliable

In the case of Spectre, the vulnerability is more widespread and seen affecting modern processors from AMD, Intel and even the ARM chips on mobile devices. This is considered to be more likely a much serious issue as it requires redesign of the processors to fix the problem in future hardware generations.

Features:

  • Discovered by Mr. Horn and Mr. Kocher, in coordination with Mike Hamburg, Mr. Lipp and Yuval Yarom at Google
  • Hardware vulnerability with speculative execution that affect modern processors
  • Much deeper and is hard to patch
  • Consist of 2 common ID’s- CVE-2017-5753, CVE-2017-5715
  • It centres on Brand prediction which is a part of speculative execution
  • It is more generalized as it does not rely on a single processors memory management

Both these vulnerabilities can be used by attackers to steal and spy on secure data like encryption keys, passwords etc. which are seen on the cache memory and also can access the recently processed data in the system.

Part of Computer That is at Risk

The issues related to Meltdown and Spectre exist within the CPU of Windows, Android, Linux, iOS, macOS, Chromebooks and several other operating systems. A computer generally consist of huge amount of data and the core part of a computer’s operating system known as the kernel, handles the data synchronising process.
When data is in the cache, it is managed by the processor and, it is at this point that new vulnerabilities come into effect. Meltdown grabs information by simply snooping to the memory used by the kernel. And in the case of Spectre, it makes programs to perform unwanted operations which in-turn leaks data, that needs to stay confidential.
Both attacks exploit “speculative execution”, which prepares the results of a set of instructions to a chip. These results are then placed in one of the fastest bits of memory on the PC chip. Unfortunately, this can further manipulate the system bit by bit, therefore allowing the hacker to retrieve confidential data from a computer’s memory.
How is a Computer Targeted?
A hacker tries some kind of codes on a user’s computer in order to try exploit using Meltdown  & Spectre. This can be avoided by the following steps:

  • Blocking ads, browser scripts and page trackers
  • Use Chrome’s ‘site isolation feature

Steps Issued Against the Major CPU Flaw:

Practically every computing devices including laptops, smart phones and even cloud computing systems are affected by these two CPU bugs. Every major technology companies have started working against Meltdown and Spectre to protect themselves and their customers.
testbytes-mobile-app-testing-banner

  • Apple points out that it is already affected by these two CPU bugs and the company advised customers to update their device’s operating system and to only download apps from the App Store
  • Microsoft has released updates and installing the new patches can protect devices from the vulnerabilities
  • Intel has rolled out security patches and firmware updates to protect against Meltdown and Spectre. ARM is working with AMD AND
  • Microsoft, Mozilla and Google have issued patches for these browsers as the first step to defence
  • Google says that it will roll out a patch for Chrome 64
  • Chrome OS devices are patched with Kernel Page Table Isolation in Chrome OS 63 and above
  • The service provider Amazon is working to patch the servers used in their data centres

On the whole, companies and individuals should apply available security updates before the problem gets worse.
Conclusion
There is not much that can be done to resolve this issue but it can be avoided in future by redesigning processors so that attacks becomes impossible. Processors, devices, drives, operating system and numerous other have evolved optimizations for security security risks. As the security problems rise in IT industry, the choices needs to be reconsidered and in many cases new implementations are necessary.