Third Major Vulnerability in Intel Chips This Year

Researchers from KU Leuven, Technion – Israel Institute of Technology, University of Adelaide, and the University of Michigan collaborated to discover the third major vulnerability in Intel CPUs this year. They named it Foreshadow. Foreshadow is similar to two attacks that were discovered earlier this year — Spectre and Meltdown.

To explain briefly, Spectre, Meltdown, and Foreshadow are all vulnerabilities that result from hardware issues. Nearly every processor made by Intel after the year 1995, that utilizes out-of-order execution is vulnerable to Meltdown. Spectre is a vulnerability that is based on exploiting the side effects of speculative execution — an optimization technique which speeds up computer operations by doing tasks in advance that may or may not be necessary. Meltdown looks into memory (L1, L2, L3, RAM) and Spectre tricks programs into leaking information. Patches have been released for these vulnerabilities, but it is not a fix and may (will) decrease system performance. Example of meltdown:

Foreshadow is a new vulnerability that affects Intel chips made after 2015. It affects CPUs that have the Software Guard Extensions feature (SGE). SGE allows programs to create “Lock Boxes” in Intel chips that the operating system cannot access. This means that even if your computer is infected with malware, it cannot access information that is guarded by SGE


“But we discovered we could specifically target a lock box within Intel’s processors. It would let you leak any data you want out of these secure enclaves.”

— Prof Thomas Wenisch from the University of Michigan


Intel stated that there have been no reports of these vulnerabilities being used by hackers. There are far more obvious and easier approaches to hacking. Nevertheless, this highlights the importance to stick to safety procedures such as regularly updating and patching. There will always be errors and vulnerabilities in systems, hardware, and initial design. The longer you operate on older versions, the longer the hackers have to discover and make use of those vulnerabilities.

– Cheng Ye


Connections with the Lazarus group and North Korea

Just as of recent, Park Jin Hyok was indicted by the United States. Hyok was indicted with charges of Conspiracy and Conspiracy to Commit Wire Fraud. While his sole indictment was nothing more than identifying a person who was partly responsible in some major cyber attacks around the world since 2014, it helped to start to draw a line between the Lazarus Group and the government of North Korea. Furthermore, his capture itself can lead to exposure of other members of the Larazus Group. To give a little background in what the Lazarus Group is capable of, it takes a bit of history into the atrocities they have committed. In 2014, there was a hack on Sony because of the controversial movie “The Interview”. Next, in 2016, there was a hack on the Bangladesh bank for $81 million. In 2017, the WannaCry which affected well over 250,000 hospitals, corporations, and government agencies in 150 countries within 3 days.


But how could this one hacker from this group lead to the revelation of the sophisticated hacker group? While a huge email infrastructure is good for phishing and the perceived idea that things can be kept secret separate, it was a big reason that the US government were able to identify the vast email infrastructure. Well that and they got lucky because a purported supervisor sent a resume and sent how the “company was doing”, the company being Chosun Expo Joint Venture. Since revealing all the Gmail accounts, Eric Chien from Symantec Corp. has it on good authority that attacks from the Lazarus Group will undoubtedly come to a pause. While this is hardly anything close to being a closed case or bringing down an organization, it’s a spark that can light up the room of the shady Lazarus Group. vast_email_infrastructure

– Andres Orbe


3.5 Million Computer Security Jobs to be Left Understaffed by 2021

According to Forbes Magazine, the number of positions in the Computer Security field left unfilled may rise to 3.5 million by 2021. As the amount of more sophisticated hacking programs are making their way into the hands of more script kiddies on the Dark Web, the amount of security experts available isn’t able to keep up with the number needed. One of the biggest reasons for the shortage is the people being targeted. Due to workers getting rapidly taken by big corporation, Smaller companies with less capable security are being targeted, and being used to get to their larger business partners. According to the study conducted by Global Information Security Workforce in 2017, 2/3 of the organizations questioned stated that they lack the number of experts needed for adequate security. Numerous work is being done to recruit more people, including women, who currently only make up 14% of the workforce. Other potential resources are military veterans and recruiting people without a degree and training then for the job. More work is being done to incorporate AI to fill the gap. These AI programs are capable of detecting breaches much faster than humans, but currently aren’t capable at doing the investigation and analysis side of the job.


– Liam