New Year and New Cyber Vulnerabilities – Spectre and Meltdown

A new year and a new cyber threat. This time the vulnerabilities are baked into the design of the microprocessors delivering most of the IT services on the planet. Virtually all devices, independent of operating system or installed applications, could be affected. It is not just laptops and PCs but almost all devices, including tablets, smartphones and virtual servers, and the vulnerabilities impact all vendors, including Microsoft, Google, Amazon and Apple.

The vulnerabilities come from serious security flaws in “speculative execution”, a technique that enhances the performance of modern processors made by Intel, AMD and ARM. The vulnerabilities, with their snazzy names Meltdown and Spectre, were discovered and reported to microprocessor manufacturers in June 2017 by Google’s Project Zero team, along with two papers (Spectre and Meltdown) published by independent researchers around the same time. The difference between Spectre and Meltdown is summarised by https://meltdownattack.com/ as:

“Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

Spectre is not easy to exploit but has no fix. Meltdown is arguably the more critical of the two because it can be exploited in the Cloud Computing environment. Over the last decade, Cloud Computing services have blossomed and now deliver most of the popular applications used by online consumers, governments and industry. Multi-tenanting is the mechanism by which cloud service providers share computer resources (including processor, memory and storage) between multiple customers whilst ensuring secure segregation between them. Meltdown has the potential to undermine this fundamental principle of user segregation in a cloud-based service. Attackers in one cloud-based tenant can exploit Meltdown to access and download data (at 503 KB/s) from a neighbouring tenant that they are not authorised to access.

The flaws were due to be publicised next week, but some news agencies, including The Register, published on Monday 2nd January. The vulnerabilities are not easy to exploit and, according to the NCSC, no exploits have yet been reported, but eventually the cost of the fix will be humongous. The proposed software fixes reduce CPU performance by around 20% to 30%. Commercially, that may be too high a price to pay. At present, the ultimate fix appears to be a hardware one.

Security hole on – MacOS High Sierra. Login as Root – No password needed!

Sounds unbelievable but it is true. Use the username “root” and hit enter in the password field (i.e. no password) and you have full local admin access! So until it is fixed your physical security will be critical. Maybe a good idea not to travel with the Mac. The Apple ecosystem is supposed to be one of the most secure but... Even Android would (probably) not be that relaxed.

I upgraded to MacOS High Sierra at the weekend and tried out the “bug” today. It has been reported widely. Not only does it work on the System Preferences panel.

But it works from the login page. Select “Other User”, type in Root as the username, hit enter in the password field (may need to do this a few times) and .. you are in!

The Indian Space Programme (the book) – price discount and reviews

Price discounts until the end of November. Ebook £9.99. Book reviews of The Indian Space Programme. “A true scholarly, and authoritative history. A landmark book.” Dr Allan Chapman, Wadham College University of Oxford. “Singh has done a masterful job of pulling together unique material and photos for a popular reader.” Leonard David. “This is a monumental […]

New Book Announcement – The Indian Space Programme. Available on 4 Oct 2017

My second book is available from next week – 4th October 2017. Almost 6 years in the making, it is a detailed account of India’s Space Programme. Available on Kindle and paperback from next week. The subject is not everyone’s cup of tea. If it is yours and fancy doing a book review. Drop me […]

Udupi Ramachandra Rao (1932-2017) Humanitarian and Space Scientist

Whilst Homi Bhabha and Vikram Sarabhai are rightly honoured as visionary architects of the Indian Space Programme, building and operationalising it fell to others. Key among these was Professor UR Rao, who led the team to build India’s first satellite, Aryabhata. He did it in just over two years with a small young team of […]

Book Review: ISRO: A Personal History

Title: ISRO: A Personal History
Publisher: Harper Collins India
Author: R. Aravamudan with Gita Aravamudan

A delightful personal account of India’s space program from the very beginning. With personal memories from an era that otherwise would be lost. This is an important historical record of events that will in a few years be lost entirely […]

Manchester – This is the Place

One of the more memorable events from Manchester over the last week. A poem by Tony Walsh. I don’t listen to much poetry but this is a riveting five minutes.

Book Review : Space India 2.0

Title: Space India 2.0
Publisher: Observer Research Foundation
Author: Edited by Rajeswari Pillai Rajagopalan and Narayan Prasad
Free download from http://www.orfonline.org/research/space-india-2-0-commerce-policy-security-and-governance-perspectives/

If you are looking for a single source on the current state of play with the Indian space programme from a diverse collection of writers from in and outside India, this is it. This book is a […]

Public Event. Anglo Indian Stephen Smith – India’s forgotten Rocketeer

What: A public talk on Anglo Indian Stephen Smith. His life and achievements.
Where: The Larkhill Centre, Thorley Lane, Timperley, WA15 7AZ (about 3 miles from Manchester International Airport)
When: 19:30 – 20:15 Tuesday 21st March 2017

The event is organised by the India Study Circle for Philately. During the 1920s Stephen Smith founded the Calcutta […]

ISRO’s Chandrayaan-1 – detected in lunar orbit

Using an innovative radar technique, NASA has been able to detect two spacecraft in lunar orbit from the surface of the Earth. NASA’s Lunar Reconnaissance Orbiter was launched in 2009 and was in lunar orbit at the same time as Chandrayaan-1. Although a joint experiment was designed for both spacecraft, it did not work out. […]
