Archive for the ‘Security and Compliance’ category

Microsoft Ignite agenda insights to the future road map

August 14th, 2018

Microsoft recently published the session list for its annual Ignite IT Pro conference, happening at the end of September. A look at the topics gives a clue to its roadmap. There are sessions on the next version of SQL Server, Surface Hub 2 and Surface Go with LTE, Intune and Windows Autopilot, Windows Server 2019 and new Remote Desktop Services.

Last year, Microsoft used Ignite to highlight AI, intelligent edge and its futuristic quantum-computing technologies, but overall the listed sessions look more down to earth. There are two mixed-reality sessions, including “Visio Immersive.” Almost 100 listed sessions touch on AI. At Inspire, Microsoft told partners the “AI Accelerate Kit” would be coming in October and include AI use cases, best practices and “Ethical AI” guidance, so that seems likely to be included.

At Ignite Microsoft will again focus on Microsoft 365, the bundle of Windows 10, Office 365 and Intune security/management technologies.

Expect a lot of Dynamics 365 CRM and ERP content, because October is when the next feature update will arrive for the suite of Dynamics products.

There seems to be more developer content: ASP.NET, Visual Studio Code and Visual Studio 2017, Node.js, sessions on Linux and Docker containers, Progressive Web Apps, and MSIX, the new Windows 10 application-packaging technology Microsoft is rolling out.

There are 115 sessions listed for SQL Server / Azure SQL. Maybe we will get an insight into the successor to SQL Server 2017, codenamed “Aris,” which is currently in private Community Technology Preview testing.

Microsoft will also show the new Surface Hub 2 and Surface Go.

Expect Windows Server 2019, Microsoft’s next major release of Windows Server, to be a hot topic; it’s due to start rolling out before year end.

https://www.microsoft.com/en-us/ignite

https://www.microsoft.com/en-us/ignite/faq

September 24–28, 2018 | Orlando, Florida

End of life for SQL 2008 and 2008 r2 is only a year away

July 14th, 2018

On July 9, 2019, Microsoft will end Extended Support for SQL Server 2008 and 2008 R2, which means no more updates or support of any kind, potentially leaving you vulnerable to security and compliance issues.
Some considerations:
• That is only a year away, so it is time to start planning and to get it into your 2019 budget.
• What applications are affected? With what new SQL version are they compatible?
• Will you need to re-buy licenses? SQL licensing is now core-based and it might prove a lot higher than last time, so take the time to consider all options.
• Should any of your applications move to the cloud?
• Should you also look at upgrades to hardware, Windows, Office, Exchange, or business finance/ERP systems in conjunction with SQL?
• Is now the time to review your security solutions?
• Are you going to expand, or implement heavy new processes like consolidation, budgeting or BI in the next 2-3 years?
• Is your mobile network growing?

There are major enhancements in SQL 2016 SP1, so we recommend you should not consider any version lower than that. By next year SQL 2017 will also have settled down.

To discuss options call us on 0097143365589

Is your RDP access secure?

July 14th, 2018

A recently released report sponsored by IBM Security and conducted by the Ponemon Institute estimated that a data breach costs companies an average of $148 per lost or stolen record. This was based on interviews regarding mega breaches, i.e. more than 1 million records.

According to the McAfee Advanced Threat Research team, cybercriminals are compromising and selling remote desktop protocol (RDP) access on the dark web for as little as $10. Cybercriminals use RDP access to create false flags, send spam, abuse accounts, harvest credentials, extort, deploy ransomware, and cryptomine.

If you use RDP network access then you are vulnerable to such attacks, which should concern everyone from government to healthcare institutions.

Remote access systems are needed by many organizations to conduct their business. McAfee’s research team recommends:
• Use complicated passwords and two-factor authentication on your RDP, as this will make brute-force attacks more difficult to complete
• Do not conduct or allow RDP connections across the open internet
• Lock out or time out users with too many failed login attempts
• Check event logs regularly for strange login attempts
• Use an account-naming convention that doesn’t give away details about your organization
• Make a list of all systems using the network and what protocols they are connected through, including POS systems and Internet of Things (IoT) devices

The good news is that the research found that security automation tools are doing their job. Machine learning, artificial intelligence, analytics, and orchestration to identify and contain breaches are new tools in the fight back against malware. Companies that extensively use automated security technology saved over $1.5 million on the total cost of a breach, said the release.

Meanwhile

‘Hello’ – no passwords!

July 3rd, 2018

Microsoft plans to replace passwords with Windows Hello and other tools, starting from the Windows 10 April 2018 Update in S mode, which allows cloud users an end-to-end experience that does not require any passwords.

Microsoft promises to rid the world of passwords and to replace them with more convenient and secure options, the company announced in a Tuesday blog post. “Nobody likes passwords. They are inconvenient, insecure, and expensive,” … the post says end users “should never have to deal with passwords in their day-to-day lives,” and that the aim is to replace passwords with “user credentials [that] cannot be cracked, breached, or phished.”

Windows Hello, which was introduced in Windows 10, uses biometric sensors such as a fingerprint reader or a face scan to verify a user’s identity. Microsoft has since introduced the Authenticator app, which allows users to log into their Microsoft account on their desktop using their phone.

HeroRat is targeting your Android devices

July 3rd, 2018

HeroRat, a nasty new Android remote access Trojan (RAT), is capable of giving anyone GUI-based control over an infected device.

It is spreading via third-party app stores and messaging services and can take complete control of infected devices. Currently the main target region seems to be Iran. It uses offers, like free Bitcoin, to trick users into downloading it, at which point it says it will not work on the affected system before apparently “uninstalling” itself. Instead it deletes its icon and registers itself with the attacker as a newly accessible device.

HeroRat relies on traditional methods to infect Android devices. Users are advised to install apps only from official sources, to keep anti-malware software updated, and to always check app permissions.

Password ‘Spray attacks’ target ADFS

July 1st, 2018

Be aware of ‘Password Spray’ style attacks which target ADFS. Attackers no longer simply launch a ‘Brute Force Attack’ to guess someone’s password to gain access; they are adopting a stealthier approach that automates the process over a longer time frame so it doesn’t trigger any alerts.

The FBI released this Alert in late March 2018: Brute Force Attacks Conducted by Cyber Actors. This “Slow and Low” method is ever more commonplace, and one area in particular that has been targeted is externally facing ADFS. Malicious traffic can be hidden amongst genuine traffic, and when successful this yields very valuable credentials, possibly even across more than one organisation.

ADFS must be connected to the public internet to work, so it offers an attack vector. Review the informative article from Beau Bullock at Black Hills InfoSec. It explains the approach: once valid accounts have been determined, every account is tried with one password at a time, which leaves enough time between attempts on any single account for the “lockout threshold” window to expire.

If ADFS itself could be compromised to gain entry, then how can we improve the security around this authentication mechanism?

On 5 March 2018, Microsoft released an article on Azure AD and ADFS best practices, ‘Defending against password spray attacks’, which covers how multi-factor authentication (MFA) and a number of other elements can be applied to improve security. Subsequently Microsoft released an updated article, ‘Monitor your ADFS sign-in activity using Azure AD Connect Health’s risky IP reports’.

With Azure AD Connect Health’s “Risky IP Reports” you can:
- Easily detect risky external IP addresses that are generating large numbers of failed logins
- Get instant email notifications when risky IP addresses are detected
- Download detailed reports to perform offline analysis or share within your organisation
- Customise your threshold settings to match the security policy of your organisation

One simple indicator of malicious activity is “Unique Users Attempted”: a count of the unique user accounts attempted from an IP address during the detection time window. This provides a mechanism to differentiate a single-user attack pattern from a multi-user attack pattern.
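As an added illustration of the two indicators discussed in this post and in the RDP post above (failed-login counts per source IP that should trigger lockout or review, and “Unique Users Attempted” per IP, which separates a single-account brute force from a multi-account spray), here is a small analyser in Python. It is my own example, not code from the blog, McAfee or Microsoft; the log lines are constructed, the record layout (timestamp, source IP, username, result) is an assumption about what an exported sign-in log looks like, and the thresholds are illustrative defaults you would tune to your own lockout policy.

```python
"""Classify failed-login activity per source IP as single-user brute force,
multi-user password spray, or below threshold.

Added example (not from the blog post, McAfee or Microsoft); the log lines
below are constructed, not real captures.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in an assumed export layout: timestamp,source_ip,username,result
SAMPLE_LOG = """\
2018-06-30T01:00:00,203.0.113.5,alice,failure
2018-06-30T01:12:00,203.0.113.5,bob,failure
2018-06-30T01:25:00,203.0.113.5,carol,failure
2018-06-30T01:37:00,203.0.113.5,dave,failure
2018-06-30T01:50:00,203.0.113.5,erin,failure
2018-06-30T02:03:00,203.0.113.5,frank,failure
2018-06-30T01:00:00,198.51.100.9,alice,failure
2018-06-30T01:00:05,198.51.100.9,alice,failure
2018-06-30T01:00:10,198.51.100.9,alice,failure
2018-06-30T01:00:15,198.51.100.9,alice,failure
2018-06-30T01:00:20,198.51.100.9,alice,failure
2018-06-30T01:00:25,198.51.100.9,alice,success
2018-06-30T01:05:00,192.0.2.77,alice,failure
2018-06-30T01:06:00,192.0.2.77,alice,success
"""


@dataclass
class LoginEvent:
    when: datetime
    source_ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed CSV-style export into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        events.append(LoginEvent(datetime.fromisoformat(ts), ip,
                                 user.strip().lower(), result.strip() == "success"))
    return events


def analyze(events, window=timedelta(hours=24), fail_threshold=5, spray_users=5):
    """Return a per-source-IP report.

    Failures are counted inside `window` measured from that IP's first failure.
    At or above `fail_threshold` the IP is flagged; the count of distinct
    usernames ("Unique Users Attempted") then decides between brute force
    (few users, many attempts) and spray (one attempt each against many users).
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        by_ip[e.source_ip].append(e)

    report = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e.ok]
        in_window = []
        if failures:
            start = failures[0].when
            in_window = [e for e in failures if e.when - start < window]
        users = {e.user for e in in_window}
        # A success from an IP that was failing before is what a completed
        # spray or brute force looks like, so it is always surfaced.
        success_after = bool(failures) and any(
            e.ok and e.when > failures[0].when for e in evs)
        if len(in_window) < fail_threshold:
            verdict = "below threshold"
        elif len(users) >= spray_users:
            verdict = "password spray (multi-user)"
        else:
            verdict = "brute force (single user)"
        report[ip] = {
            "failures": len(in_window),
            "unique_users": len(users),
            "success_after_failures": success_after,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, r in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:15} failures={r['failures']} users={r['unique_users']} "
              f"success_after={r['success_after_failures']} -> {r['verdict']}")
```

In the constructed sample the first IP trips the spray rule (six accounts, one attempt each, spaced widely enough to stay under a per-account lockout), the second trips the brute-force rule and then succeeds, and the third stays below threshold even though it also shows a failure followed by a success. The spacing of the spray attempts is exactly why a per-account lockout counter alone does not catch it and why the per-IP unique-user count matters.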

TSB upgrade – what lessons are there to learn?

May 5th, 2018

By now most of us have heard about the catastrophic attempt by the Spanish-owned TSB to introduce a new IT platform for their UK customers.
As my first mortgage was with the TSB many years ago, and I was also in the U.K. when the story broke, I took a little more interest.

TSB (Trustee Savings Bank) merged with and was spun out of Lloyds Bank after the EU ruled that it was a monopoly, because of the state aid it had received at the time of the banking crisis. TSB used Lloyds IT at a cost of about £220 million a year, but later moved to the Proteo platform, also used by its new owner, Sabadell. The Proteo system design goes back to 2000, was specifically for mergers, and was used for the successful integration of four Spanish banks.

Proteo is based on Accenture’s Cobol-based Alnova system, is customized, installed and managed by TSB’s staff, and runs on Amazon Cloud.

At the launch of Proteo4UK, Paul Pester, CEO of TSB, boasted that they had “created a more digital, agile and flexible TSB”. Carlos Abarca, the CIO, agreed, “It’s the technology journey that we are on together with our customers!” Similar ‘digital transformation’ good news messages from cloud providers are all too familiar.

This was to be a “customer-centric by design” platform to “enable the open banking revolution”.

Well, there was a revolution alright: nearly two million banking customers were locked out of their accounts for up to ten days.

This was over a month-end, when businesses rely more heavily on access to their accounts.

TSB turned to IBM to help get the system under control and “to help identify and resolve performance issues in the platform”. The problems included customers experiencing zero balances, incorrect currencies, massively inflated mortgage amounts, and e-mails saying that there were no records of recent direct debits. Internet banking customers puzzled over on-screen messages such as: ‘BeanCreationNotAllowedException exception: Error creating bean with name ‘contextManagerPostController’: Singleton bean creation not allowed while the singletons of this factory are in destruction (Do not request a bean from a BeanFactory in a destroy method implementation!)’

Customers who tried to make transfers got errors like ‘ArrayIndexOutofBounds’ and java.lang.NullPointer, and some branches reported the systems spewing out error messages in Spanish. When I travelled back from the U.K. in early May, problems with internet banking were still being reported by customers.

Instead of saving TSB over £100 million a year, this has greatly reduced public confidence in the bank, and also in other banks and other financial services on the cloud generally. TSB is likely to be fined by the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO), which is the last thing it needs while getting things sorted; the loss in reputation alone is huge.

Supporters of Paul Pester believe he is being scapegoated for the tech disaster:
• Allies said he has been ‘betrayed’ by a ‘bunch of Spanish numpties’
• Software that caused the problems was installed by Sabadell’s technology offshoot, Sabis
• Regulators could put TSB under a Section 166 probe – a formal investigation by an independent expert

What are the lessons?
Well, the first is not to claim success until the job is done. (A damning report on the Guardian website suggests there were plenty of warning signs, up to a year before this all happened. Quoting an anonymous insider, the report explains how a mixture of poor technical and business decisions led to the eventual crisis TSB finds itself in today.)

Which leads to the second lesson: bearers of bad news may have a point to consider, and at the least their warnings are a hint that the challenge needs more attention.

It seems Sabadell, the company that bought TSB, was warned about the high risk of its migration plans, which were seen by some as having too short a deadline and not a big enough budget. But Sabadell was not to be discouraged, and it pressed ahead with its plans, confident that it could successfully transfer TSB customers to its own Proteo software, as it had done with other customers in the past.

If you are doing something big and complicated, consider the worst case and what that means for insurance, contingency plans, contractual and legal protection (so far none of the original contractors on the TSB redesign and upgrade have acknowledged any culpability) and PR mitigation:

PR Week called it the flop of the month … and a recipe for reputational disaster. Pester is well respected in the industry, but took too long to accept responsibility, was too quick to assume the problem was over, and too slow to appease customers. Easy to say from an armchair in Dubai, but why do corporate leaders fail to heed the lessons of the past, to recognise the potential for disaster, and to see that when disaster arrives the only way to avoid reputational damage is to offer maximum compensation and care and to call in reinforcements asap?
Sabis is understood to have given TSB a written assurance that the parts of the system for which it was responsible had been comprehensively tested; maybe TSB needed to be more involved in those tests.

How good is your password? Can it withstand an attack every 39 seconds?

April 27th, 2018

A Clark School study at the University of Maryland found a near-constant rate of hacker attacks on computers with Internet access, every 39 seconds on average, and non-secure usernames and passwords give attackers more chance of success.

“Brute force” hackers use simple software-aided techniques to randomly attack large numbers of computers. The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” a type of software that runs through lists of common usernames and passwords attempting to break into a computer.

Top usernames in the hackers’ scripts were “test,” “guest,” “info,” “adm,” “mysql,” “user,” “administrator” and “oracle,” so avoid using these. The most common password-guessing ploy is to re-enter or try variations of the username. Some 43 percent of all password-guessing attempts simply re-entered the username. The username followed by “123” was the second most-tried choice.

A password should never be identical or even related to its associated username.

The hackers’ most common sequence of actions is to check the accessed computer’s software configuration, change the password, check the hardware and/or software configuration again, download a file, install the downloaded program, and then run it.

http://www.eng.umd.edu/html/news/news_story.php?id=1881

Total Meltdown – patch now and revisit patches, many are bugged

April 27th, 2018

A person known as XPN, whose blog identifies them as a hacker and infosec researcher, posted details of a working exploit that takes advantage of Total Meltdown on Monday. The source code for the exploit of Total Meltdown, a vulnerability created when Microsoft tried to patch the initial Meltdown flaw, is available on GitHub.

XPN describes Total Meltdown as a “pretty awesome” vulnerability in that it allows “any process to access and modify page table entries.”

XPN also noted that the goal was to create an exploit that could “elevate privileges during an assessment,” but that it was only to help other people understand the exploitation technique, not to create a ready-to-use attack.

Total Meltdown was created by a botched patch Microsoft issued for the original Meltdown flaw, one of the Spectre/Meltdown vulnerabilities reported earlier.

Whereas the original Meltdown flaw was read-only, Total Meltdown also provides write access. This only affects 64-bit versions of Win7 and Server 2008 R2.

See the Woody on Windows column in Computerworld, https://www.computerworld.com/article/3269003/microsoft-windows/heads-up-total-meltdown-exploit-code-now-available-on-github.
There has been a series of flawed patches and it’s not pretty reading, so take time to check out the article in full.

To tell if you’re protected from Total Meltdown, you’ll have to check your patch history. If you have no patches from 2018, you should be good, according to Woody on Windows. If you do have patches and KB 4100480, 4093108, or 4093118 is installed, you should also be protected. Without those, Woody on Windows noted, you’ll need to roll back your machine, manually install KB 4093108, or use “Windows Update to install all of the checked April Windows patches.”
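The decision above is easy to get wrong by eye across a fleet, so here is the same check as a script over a `Get-HotFix` export. This is an added example, not code from the column or from Microsoft: it assumes the CSV column layout that `Get-HotFix | Export-Csv -NoTypeInformation` produces (Source, Description, HotFixID, InstalledBy, InstalledOn) and a US-style date string; the sample rows and their KB numbers are constructed placeholders, and the only real KB numbers in it are the three named in the post. The `affected_platform` flag reflects the post's note that only 64-bit Windows 7 and Server 2008 R2 are exposed.

```python
"""Triage Total Meltdown exposure from a Get-HotFix CSV export.

Added example encoding the rule quoted from Woody on Windows above; the CSV
sample is constructed and its KB999999x ids are placeholders.
"""
import csv
import io
from datetime import datetime

# The three updates the post names as carrying the Total Meltdown fix.
FIXING_KBS = {"KB4100480", "KB4093108", "KB4093118"}

# Constructed sample in the assumed Export-Csv layout; placeholder KB ids.
SAMPLE_EXPORT = """\
"Source","Description","HotFixID","InstalledBy","InstalledOn"
"HOST1","Security Update","KB9999990","NT AUTHORITY\\SYSTEM","12/13/2017 12:00:00 AM"
"HOST1","Security Update","KB9999991","NT AUTHORITY\\SYSTEM","1/9/2018 12:00:00 AM"
"""


def parse_hotfix_csv(text):
    """Return [(HotFixID, installed_on datetime or None), ...] from the export."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        installed = None
        raw = (row.get("InstalledOn") or "").strip()
        for fmt in ("%m/%d/%Y %I:%M:%S %p", "%m/%d/%Y"):  # assumed date formats
            try:
                installed = datetime.strptime(raw, fmt)
                break
            except ValueError:
                continue
        rows.append((row["HotFixID"].strip().upper(), installed))
    return rows


def total_meltdown_status(hotfixes, affected_platform=True):
    """Apply the post's rule: fixing KB present -> protected; no 2018 patches ->
    not exposed; otherwise 2018 patches without the fix -> action needed."""
    if not affected_platform:
        return "not affected: only 64-bit Windows 7 / Server 2008 R2 are exposed"
    ids = {kb for kb, _ in hotfixes}
    fixed = sorted(ids & FIXING_KBS)
    if fixed:
        return "protected: " + ", ".join(fixed) + " installed"
    if not any(d is not None and d.year >= 2018 for _, d in hotfixes):
        # Per the post this host never received the bad patch; it also still
        # lacks the original Meltdown fix, so it is not in good shape either.
        return "not exposed: no 2018 patches installed (original Meltdown fix also missing)"
    return "action needed: 2018 patches present without " + "/".join(sorted(FIXING_KBS))


if __name__ == "__main__":
    print(total_meltdown_status(parse_hotfix_csv(SAMPLE_EXPORT)))
```

Run it against a real export by reading the CSV file into `parse_hotfix_csv`; treat the "not exposed" branch as a prompt to install the fixed April updates rather than as a clean bill of health.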

However, there is a lot more cautionary advice to read.

Drupal CMS critical bug

April 2nd, 2018

The team behind the popular open-source CMS Drupal is urging admins to update their sites to ward off a nasty bug that could leave their sites “highly compromised” by attackers, according to the organization.

The affected versions of the CMS (Drupal 6, 7 and 8) power over one million websites on the internet.

Drupal has marked the security risk as “highly critical” and warns that any visitor to a site could theoretically hack it through remote code execution due to missing input validation.

“This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,”

“Meltdown” and “Spectre” and Azure

February 10th, 2018

Last month, as reported on this blog, Intel revealed two critical vulnerabilities they found in Intel chips. These vulnerabilities allow cyber-attackers to steal data from the memory of running apps. This data can include passwords, emails, photos, or documents. Intel dubbed these “Meltdown” and “Spectre.”

Microsoft released a patch for Azure the very next day. Just as well, because Microsoft Azure is a shared-computing environment by default. One server hosts applications and application development, and various Virtual Machines tap into the server to allow employees and others to access these applications. As such, the Meltdown vulnerability would allow an attacker to compromise the host and read all the data from every operating system tapping into it. Around 3-10 million physical servers host Azure, and these servers in turn host tens of millions of Virtual Machines. So, impressively, Microsoft developed and deployed a patch for these vulnerabilities in less than a week. Azure is a cloud-based platform, so Microsoft could focus its security team on the cloud servers and only the cloud servers. This way, these millions of servers and users had a patch, and all applications hosted on the Azure cloud platform were immediately protected.

A good business case for moving to Azure cloud services.

Malware developers are still out there. The German antivirus testing firm AV-Test reported 139 samples of malware trying to attack the Meltdown vulnerability in January, to exploit those who have not patched.

Microsoft patched its cloud servers, but non-Azure users (as well as all Windows users, period) still need to apply their operating system patches to ensure complete protection. This is one vulnerability you definitely don’t want cyber-attackers to exploit, whether it’s your personal computer or your business’s server.

Cyber attacks doubled in 2017 – expect 2018 to be worse.

January 27th, 2018

Cyber attacks on businesses nearly doubled in the past year. A new report, the Cyber Incident & Breach Trends Report, released by the Online Trust Alliance (OTA), found 156,700 cyber incidents last year, compared to 82,000 in 2016. The OTA is an Internet Society initiative designed to improve online trust.

The organization believes that since a majority of cybersecurity attacks are never reported, the number of cyber incidents last year could actually be closer to 350,000. “Surprising no one, 2017 marked another ‘worst year ever’ in data breaches and cyber incidents around the world,” said Jeff Wilbur, director of the OTA initiative at the Internet Society. “This year’s big increase in cyberattacks can be attributed to the skyrocketing instances of ransomware and the bold new methods of criminals using this attack.”

The OTA claimed that most of the incidents could have been prevented easily: 93 percent of breaches could have been avoided by regularly updating software, blocking fake emails, and training people to recognize phishing attacks.

• 52% of security incidents were the result of an actual attack.
• 15% resulted from a lack of security software.
• 11% were caused by credit card skimming.
• 11% resulted from companies not having controls to prevent employees’ negligent or malicious actions.
• 8% were the result of phishing scams.

Electron is a Node.js, V8 and Chromium framework created for the development of cross-platform desktop apps with JavaScript, HTML and CSS. The Electron framework is popular and widely used by a range of desktop apps; Skype, Signal, Slack, Shopify and Surf are among the users. A critical vulnerability affecting Electron desktop apps has recently been disclosed.

Regular patching has always been a best practice and neglecting it is a known cause of many breaches.

In 2017 the Equifax breach brought home that message.

In 2018 a patching strategy needs to be integral to your processes because of the Spectre and Meltdown vulnerabilities (see our earlier posts), when it was highlighted that nearly every computer chip manufactured in the last 20 years contains fundamental security flaws.

Meltdown and Spectre – why do these matter?

January 6th, 2018

One of the most basic premises of computer security is isolation: when you run somebody else’s code as an untrusted process on your machine, you restrict it to its own tightly sealed test environment. Otherwise, it might peer into other processes, or snoop around the computer as a whole. A security flaw in computers’ most deep-seated hardware puts a crack in those walls. One newly discovered vulnerability in millions of processors has done just that: it breaks some of the most fundamental protections computers promise, and sends practically the entire industry scrambling.

A bug in Intel chips allows low-privilege processes to access memory in the computer’s kernel, the machine’s most privileged inner sanctum. Theoretical attacks that exploit that bug, based on quirks in features Intel has implemented for faster processing, could allow malicious software to spy deeply into other processes and data on the target computer or smartphone. On multi-user machines, like the servers run by Google Cloud Services or Amazon Web Services, they could allow hackers to break out of one user’s process, and instead snoop on other processes running on the same shared server.

Meltdown affects Intel processors, and works by breaking through the barrier that prevents applications from accessing arbitrary locations in kernel memory. Segregating and protecting memory spaces prevents applications from accidentally interfering with one another’s data, or malicious software from being able to see and modify it at will. Meltdown makes this fundamental process fundamentally unreliable.

Spectre affects Intel, AMD, and ARM processors, broadening its reach to include mobile phones, embedded devices, and pretty much anything with a chip in it. Which, of course, is everything from thermostats to baby monitors now.

It works differently from Meltdown; Spectre essentially tricks applications into accidentally disclosing information that would normally be inaccessible, safe inside their protected memory area. This is a trickier one to pull off, but because it’s based on an established practice in multiple chip architectures, it’s going to be even trickier to fix.

It’s not a physical problem with the CPUs themselves, or a plain software bug you might find in an application like Word or Chrome. It’s in between, at the level of the processors’ “architectures,” the way all the millions of transistors and logic units work together to carry out instructions.

In modern architectures, there are inviolable spaces where data passes through in raw, unencrypted form, such as inside the kernel, the most central software unit in the architecture, or in system memory carefully set aside from other applications. This data has powerful protections to prevent it from being interfered with or even observed by other processes and applications.

Because Meltdown and Spectre are flaws at the architecture level, it doesn’t matter whether a computer or device is running Windows, OS X, Android, or something else: all software platforms are equally vulnerable. A huge variety of devices, from laptops to smartphones to servers, are therefore theoretically affected. The assumption going forward should be that any untested device is vulnerable.

Not only that, but Meltdown in particular could conceivably be applied to and across cloud platforms, where huge numbers of networked computers routinely share and transfer data among thousands or millions of users and instances.

The one crumb of comfort is that the attack is easiest to perform by code being run by the machine itself — it’s not easy to pull this off remotely. So there’s that, at least.

On Wednesday evening, a large team of researchers at Google’s Project Zero, universities including the Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security companies including Cyberus and Rambus together released the full details of two attacks based on that flaw, which they call Meltdown and Spectre.

“These hardware bugs allow programs to steal data which [is] currently processed on the computer,” reads a description of the attacks on a website the researchers created. “While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.”

Both attacks are based on the same general principle: Meltdown allows malicious programs to gain access to higher-privileged parts of a computer’s memory, while Spectre steals data from the memory of other applications running on a machine. And while the researchers say that Meltdown is limited to Intel chips, they say that they’ve verified Spectre attacks on AMD and ARM processors as well. With these glitches, if there’s any way an attacker can execute code on a machine, then it can’t be contained.

Meltdown and Spectre

https://twitter.com/brainsmoke/status/948561799875502080

When processors perform speculative execution, they don’t fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer’s kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel’s memory with speculative execution.

The processor basically runs too far ahead, executing instructions that it should not execute.

Retrieving any data from that privileged peeking isn’t simple, since once the processor stops its speculative execution and jumps back to the fork in its instructions, it throws out the results. But before it does, it stores those in its cache, a collection of temporary memory allotted to the processor to give it quick access to recent data. By carefully crafting requests to the processor and seeing how fast it responds, a hacker’s code could figure out whether the requested data is in the cache or not. And with a series of speculative execution and cache probes, he or she can start to assemble parts of the computer’s high privilege memory, including even sensitive personal information or passwords.

Many security researchers who spotted signs of developers working to fix that bug had speculated that the Intel flaw merely allowed hackers to defeat a security protection known as Kernel Address Space Layout Randomization, which makes it far more difficult for hackers to find the location of the kernel in memory before they use other tricks to attack it. But the bug is more serious: it allows malicious code not only to locate the kernel in memory, but to steal that memory’s contents, too.

Tough Fix

In a statement responding to the Meltdown and Spectre research, Intel noted that “these exploits do not have the potential to corrupt, modify, or delete data,” though they do have the ability to spy on privileged data. The statement also argued that “many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits,” mentioning ARM and AMD processors as well.

Microsoft, which relies heavily on Intel processors in its computers, says that it has updates forthcoming to address the problem. “We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers,” the company said in a statement. “We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.”

Linux developers have already released a fix, apparently based on a paper recommending deep changes to operating systems known as KAISER, released earlier this year by researchers at the Graz University of Technology.

Apple released a statement Thursday confirming that “all Mac systems and iOS devices are affected,” though the Apple Watch is not. “Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown,” the company said. “In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.”

Amazon, which offers cloud services on shared server setups, says that it will take steps to resolve the issue soon as well. “This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices,” the company said in a statement. “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours.”

Google, which offers similar cloud services, pointed WIRED to a chart of Meltdown and Spectre’s effects on its services, which states that the security issue has been resolved in all of the company’s infrastructure.

Those operating system patches that fix the Intel flaw may come at a performance cost: better isolating the kernel memory from unprivileged memory could create significant slowdowns for certain processes.

According to an analysis by the Register, which was also the first to report on the Intel flaw, those delays could be as much as 30 percent in some cases, although some processes and newer processors are likely to experience less significant slowdowns. Intel, for its part, wrote in its statement that “performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

Until the patches for Meltdown and Spectre roll out more widely, it’s not clear just what the speed cost of neutering those attacks may turn out to be. But even if the updates result in a performance hit, it is a worthwhile safeguard: Better to put the brakes on your processor, perhaps, than allow it to spill your computer’s most sensitive secrets.

Spectre is not likely to be fully fixed any time soon. The practice that makes this attack possible is so hard-wired into processors that the researchers couldn’t find any way to avoid it entirely. They list a few suggestions, but conclude:

While the stop-gap countermeasures may help limit practical exploits in the short term, there is currently no way to know whether a particular code construction is, or is not, safe across today’s processors – much less future designs.

Critical Server Patches for Meltdown and Spectre – processor bugs

January 5th, 2018

There is a set of critical bugs in our processors. There are two issues, known as Meltdown and Spectre.

If you haven’t been paying attention, a serious security flaw in nearly every processor made in the last ten years was recently discovered. Initially it was thought to be just Intel, but it appears it’s everyone. The severe design flaw in microprocessors that allows sensitive data, such as passwords and crypto-keys, to be stolen from memory is real – and its details have been revealed.
On a shared system, such as a public cloud server, it is possible, depending on the configuration, for software in a guest virtual machine to drill down into the host machine’s physical memory and steal data from other customers’ virtual machines.

This is so serious that CERT recommends throwing away your CPU and buying a non-vulnerable one to truly fix the issue.

https://www.kb.cert.org/vuls/id/584653

There are two bugs which are known as Meltdown and Spectre. The Register has a great summarized writeup here – no need for me to regurgitate. This is a hardware issue – nothing short of new chips will eradicate it. That said, pretty much everyone who has written an OS, hypervisor, or software has (or will have) patches to hopefully eliminate this flaw. This blog post covers physical, virtualized, and cloud-based deployments of Windows, Linux, and SQL Server.

The fact every vendor is dealing with this swiftly is a good thing. The problem? Performance will most likely be impacted. No one knows the extent, especially with SQL Server workloads. You’re going to have to test and reset any expectations/performance SLAs. You’ll need new baselines and benchmarks. There is some irony here that it seems virtualized workloads will most likely take the biggest hit versus ones on physical deployments. Time will tell – no one knows yet.

What do you need to do? Don’t dawdle or bury your head in the sand thinking you don’t need to do anything and you are safe. If you have deployed anything in the past 10 – 15 years, it probably needs to be patched. Period. PATCH ALL THE THINGS! However, keep in mind that besides this massive scope, there’s pretty much a guarantee – even on Linux – you will have downtime associated with patching.
Here is information you might want to review when deciding how to patch your systems.

SQL Server Versions Affected

This is a hardware issue, so every SQL Server running on x86 and x64 is affected, for these versions:

SQL Server 2008
SQL Server 2008R2
SQL Server 2012
SQL Server 2014
SQL Server 2016
SQL Server 2017
Azure SQL Database

It is likely that SQL Server 2005, SQL Server 2000, SQL Server 7, and SQL Server 6.5 are all affected too, but no SQL Server patches are coming for them.

Note: according to Microsoft, IA64 systems are not believed to be affected.

SQL Server Patches

There is a KB that discusses the attacks. Here are the patches as of this time:

SQL Server 2017 CU3
SQL Server 2017 GDR
SQL Server 2016 SP1 CU7
SQL Server 2016 SP1 GDR
OS Patches

The Windows KB for guidance is 4072698. Here are the OS patches that I’ve been able to find.

Windows Server (Server Core) v 1709 – KB4056892
Windows Server 2016 – KB4056890
Windows Server 2012 R2 – KB4056898
Windows Server 2012 – N/A
Windows Server 2008 R2 – KB4056897
Windows Server 2008 – N/A
Red Hat v.7.3 – Kernel Side-Channel Attacks CVE-2017-5754, CVE-2017-5753, CVE-2017-5715
SUSE Linux – 7022512
Ubuntu – N/A

VMWare has a security advisory (VMSA-2018-0002) and patches. They have released:

ESXi 6.5
ESXi 6.0
ESXi 5.5 (partial patch)
Workstation 12.x – Upgrade to 12.5.8
Fusion 8.x – Upgrade to 8.5.9

When to PATCH – Immediately

If you have SQL Server 2017 or SQL Server 2016 running, then patches are available.

SQL Server (Windows) VM in your data center – Patch host OS or isolate SQL Server back on physical hardware. Check Windows OS for microcode changes.

SQL Server (Windows) on bare metal or VM, not isolated from application code on the same machine, or using untrusted code – Apply OS patches, SQL Server patches, enable microcode changes.

SQL Server Linux – Apply Linux OS patches, Linux SQL Server patches, check with Linux vendor

Note that when untrusted SQL Server extensibility mechanisms are mentioned, they mean:

SQL CLR
R and Python packages running through sp_execute_external_script, or standalone R/ML Learning Studio on a machine
SQL Agent running ActiveX scripts
Non-MS OLEDB providers in linked servers
Non-MS XPs

There are mitigations in the SQL Server KB.
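As an added example (not part of the original post or the Microsoft KB), here is a T-SQL inventory of the extensibility mechanisms listed above, so you can tell which instances fall into the “patch immediately” bucket rather than guessing; the set of Microsoft provider names treated as first-party is my assumption.

```sql
-- Added example: inventory untrusted SQL Server extensibility mechanisms.
-- Run as sysadmin on each instance. Read-only: nothing is changed.

-- 1. Instance-level switches. value_in_use = 1 means the feature is on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled',               -- SQL CLR assemblies
               'external scripts enabled',  -- R / Python via sp_execute_external_script
               'Agent XPs');                -- SQL Agent subsystems (incl. ActiveX scripts)

-- 2. User-defined CLR assemblies and their permission set. UNSAFE and
--    EXTERNAL_ACCESS assemblies can run native code inside the SQL process.
--    sys.assemblies is per-database: run this in each database you care about.
SELECT DB_NAME() AS database_name, name, permission_set_desc, create_date
FROM sys.assemblies
WHERE is_user_defined = 1;

-- 3. Linked servers that use a provider other than Microsoft's own.
--    The list of first-party provider names below is an assumption; extend it
--    for the providers you have standardised on.
SELECT name, provider, product, data_source
FROM sys.servers
WHERE is_linked = 1
  AND provider NOT IN ('SQLNCLI', 'SQLNCLI10', 'SQLNCLI11', 'SQLOLEDB', 'MSOLEDBSQL');

-- 4. Extended stored procedures registered in master (sp_addextendedproc).
--    Compare dll_name against the DLLs that ship with SQL Server; anything
--    else is a non-Microsoft XP.
SELECT name, dll_name
FROM master.sys.extended_procedures;

-- 5. SQL Agent job steps that use the ActiveX scripting subsystem
--    (removed in SQL Server 2016, but still present on older instances).
SELECT j.name AS job_name, s.step_name, s.subsystem
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem = 'ActiveScripting';
```

Any instance that returns rows from queries 2 to 5, or a 1 in query 1, is running code the KB treats as untrusted and belongs in the “patch immediately” group above.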

When You Can Patch Later

If you have SQL Server 2008, 2008 R2, 2012, 2014 you’ll have to wait on SQL Server patches. They aren’t out yet. However, there are other situations that remove an immediate need for patching.

When You Don’t Need to Patch
If you are on AWS, they’ve patched their systems, except for EC2 VMs. Those need patches from you. AWS Statement

Azure is patched according to KB4073235. Guidance in ADV180002 says … This does not include VMs that don’t get automatic updates. You need to patch those manually.

Apple – If you’re running High Sierra, Sierra, or El Capitan, it looks like Apple took care of this back in December of 2017.

Browsers

Chrome – It looks like Google is going to release a patch for Chrome later in January. See this link for more information.
Firefox – Version 57 or later has the proper fixes. See this blog for more information, so patch away!
Edge and Internet Explorer – Microsoft has a blog post. It looks like the January security update (KB4056890) takes care of that. So if you’re using either of these browsers, please update your OSes as soon as possible.

Details On the Exploits

Descriptions of the exploits, if you want to dig down and understand them.

https://meltdownattack.com/

The Register
Ars Technica
cyber.wtf researcher blog

U.A.E. VAT registration time is running out…

December 17th, 2017

Companies in the UAE that have not got their tax registration number (TRN) yet will have to procure it within the next 14 days.

Companies who have not completed their VAT registration within the dates prescribed by the Federal Tax Authority (FTA) will have to pay a fine worth Dh20,000 and also stop sales until they get the TRN or tax registration certificate (TRC).