Your address will show here +12 34 56 78
Business IT, Security

On April 14 Intel disclosed their architectural vulnerability to a new group of side channel attacks collectively called MDS (Microarchitectural Data Sampling). Intel have provided microcode updates to their manufacturing partners for firmware updates, as well as to Microsoft, Linux and other OS developers for integration in future software patches.

If you remember back to last January’s disclosure of Spectre, this sounds very much like the same thing all over again. Spectre was the first time we’d seen an architectural vulnerability like this, and the security industry predicted it was only the beginning. That’s proved prescient, as since then we’ve seen a number of additional architectural exploits such as Foreshadow and Spoiler, the latter of which has no software or hardware mitigation, and isn’t likely to for several years due to the tremendous memory performance impact that would result from attempting to simply mitigate these issues while retaining other current design principles.

Intel don’t classify the new MDS group of vulnerabilities as particularly critical, because of the extraordinary technical difficulty of developing a successful exploit as well as the level of access required to execute it (ie the computer itself would already need to be compromised through some other means). Some security researchers familiar with MDS disagree with Intel’s rationale, but Intel’s statements are factual – if we are to see a malicious exploit leveraging these side-channel vulnerabilities it will be extremely sophisticated and part of a much larger suite of attacks. But that doesn’t mean it won’t happen.

So where does that leave us – what is our ‘take home’ strategy? What should we as decision makers do in response the the fact that Intel hardware is potentially vulnerable to numerous forms of attack, some of which cannot be mitigated, and with more flaws likely to discovered in the future?

You can make an immediate decision about your hardware systems – replacing them with AMD Ryzen (and servers with EPYC) architectures will immediately mitigate this current slew of issues (and solve the ongoing problems posed by Intel Management Engine (ME) vulnerabilities). But replacing your entire client/server infrastructure is a very expensive scorched earth strategy, which doesn’t guarantee immunity from hardware vulnerabilities indefinitely – just the ones we already know about.

A more resilient solution involves reevaluation of your business processes and the tools and platforms you operate on, with a view to improving your security posture to minimise potential exposure as much as possible. One part of that reevaluation is hinted at in that sentence – you’ll note that I didn’t write ‘mitigate’, I wrote ‘minimise’ – that’s because it’s essential that we face up to the fact that compromise is inevitable, it’s just a matter of time – there are far to many potential attack vectors and we see time and time again that the very best organisations on the planet can be compromised, so what chance do SMBs have of remaining immune?

In about 2010 the security industry, large enterprise and governments recognised that it was unrealistic to think that networks and infrastructure could remain impenetrable – instead we needed to proactively monitor our systems and networks to detect and respond to successful compromises as rapidly as possible. That requires sophisticated tools and technology, as well as skilled security experts. It also requires enterprise-wide monitoring and logging, so we can go back and see what was accessed, stolen or damaged, and recover any data that may have been affected.

SMBs simply don’t have the budget to perform extensive network monitoring and analysis, so we need to make smart, efficient decisions. First of all, the disaster recovery strategy – if all else fails, how confident can you be that your data can be restored, how quickly, and what are the protocols for this? Secondly, how much risk are you exposed to with your current infrastructure, and can you reduce this? For example, instead of running PCs and laptops with Windows and Office, can you move to VDI and thin clients, or GSuite and PixelBooks? Can you shift your data warehouse to BigQuery and save yourself a ton of money while performing analytics and reporting at 10 orders of magnitude faster? Can you introduce new security protocols such as One-Time-Passwords (OTP) and multi-factor authentication that make credential theft impossible? (hint: the answer is yes)

But before you dismiss this as the hysterical wailing of disconnected security boffins who don’t live in the real world, where the impact on productivity and annoyance will be felt by inconvenienced staff just trying to get on with their jobs, take a minute to consider that in 2016 43% of all cyber attacks targeted small businesses, while 60% of small businesses that suffer a data breach or cyber attack are out of business within 6 months. The average cost of a malware attack is US$2.4 million. In companies with over 50,000 compromised records the average cost of a data breach is US$6.3 million. In 2017 ransomware attacks grew by 350%, while spear-phishing emails were the most widely used infection vector, employed by 71% of attackers. The Internet is saturated with malicious bots probing your networks constantly to try to find vulnerabilities while cyber-criminals will take the time to craft custom attacks against high-value targets.

When it comes to your business IT operations, you have to choose between three core competing priorities: convenience, cost and security – pick two. And remember – you only get to make a mistake about your organisation’s security once.

Could your IT security strategy do with a review?

0

Business IT, Virtualisation / Virtualization

We still get asked this question frequently. In simple terms, virtualisation is taking your existing physical computers and making a ‘software’ copy of them. This is quite easy, because all the configured, important parts of your servers are already software anyway – the operating system itself, the programs you run, and the data you’re storing. Virtualisation platforms have a standard (identical) software version of the computer ‘hardware’ for all the virtual computers to run on top of – think of it like every computer in the world having identical hardware components. The operating system, programs and data run inside this ‘virtual computer’, all contained within their own little bubble – they can’t see or interact with any of the other virtual computers running on the host machine unless you network them together.

Why would we do this? Once you virtualise a computer, there are many benefits:

1) Reliability – a virtual computer (known as a Virtual Machine or VM) doesn’t depend on the physical hardware of the host computer (the physical computer) it’s running on anymore. That means you can take a VM that’s running on one (host) computer, and move it to literally any other host computer. So if I have a VM of a Microsoft Domain Controller running on a server and a critical hardware component like the motherboard in that server fails, I can take the VM of my Domain Controller and move it to any other host (physical computer). That could be another server (if I have other physical servers in my office) or an emergency repurposed PC, or even a laptop. We can recover our virtualised environments extremely quickly, far faster than repairing the physical hardware in a server (and possibly having to repair or reinstall the operating system). With the right licensing, we can even have backup copies of VMs running on other hosts that switch on automatically if the original VM stops running for some reason (called replication).

2) Efficiency – once I virtualise my computers, I no longer need a number of physical servers to operate separate tasks like Domain Control, File Servers, Exchange (email), Accounting, Virtual Desktop Infrastructure (VDI) etc. – instead of separate machines, I can run all those VMs on the one physical host. I might be able to run them all on an existing server, or I might purchase a single high-performance server that will improve performance for all those server roles. That’s a more efficient use of my budget, both initial or capital expenditure (CAPEX), and ongoing operating costs (OPEX) for electricity and maintenance.

3) Rapid Deployment – in a virtualised environment, it takes just minutes to roll out a new virtual server for a new role – there’s no procurement of expensive physical hardware, just purchase any licenses, define the VM and install the OS and you’re ready to go. Or if you have good planning and administration in place, you might already have VM templates ready to go, in which case it’s just purchase the license, start the VM and configure it. If IT need to test things, they can do the same thing with virtual PCs, having them ready to start testing in minutes or seconds without having to move an inch from their workstation.


There are many other benefits to Virtualisation such as business continuity and disaster recovery, simplified management, the potential elimination of downtime etc. but as an introduction, in just a few short paragraphs you can already see there are tremendous benefits to Virtualisation. The important point here is if you are still running servers on physical hardware, it is time to have a discussion with your IT people about why – why you’re wasting resources, why you’re exposed to exponentially greater risk than you should be, why you’re spending money hand over fist just to keep that physical infrastructure supported and operating, why it is still so expensive and slow for your organisation to add new capabilities and tools.

0

Security
We’ve been busily auditing client environments and evaluating their readiness for Spectre mitigation. Frustratingly, of the long list of devices, computers and mainboards we have, the vast majority of products greater than two years old don’t have firmware patches available on the manufacturers’ support websites. In reaching out to Gigabyte support to determine if they did, in fact, have firmware available for a particular model, we were then provided with the file. When we asked why they have firmware available that isn’t being published on the product’s support page, they responded with this disturbing revelation:
At present, we provide bios with Intel’s Spectre microcode updated for old models by customers request.
We are, frankly, shocked at this breathtakingly short-sighted meander down frustrate-the-heck-out-of-your-supply-channel-just-for-kicks lane. The job of the entire professional IT industry to attempt to mitigate Spectre is quite colossal enough without manufacturers deliberately frustrating our efforts. We responded with this:

We very strongly recommend you review this policy. Spectre is a massive, global problem. While it might be fine for individuals with a single PC to contact support once to retrieve these files, there are going to be thousands of IT technicians and personnel patching hundreds of systems each – they don’t have time to contact manufacturers on an individual basis for every single model – that’s just a ridiculous, frustrating and extremely disrespectful waste of their time. Remember, it is IT professionals that are your biggest repeat clients and your strongest independent advocates. One of the biggest reasons we use and recommend Gigabyte products is reliability – we’ve found Gigabyte products to be well designed and highly reliable for a consumer brand. But that reliability must extend to after-sales support, or we can’t have confidence in a brand.

This kind of experience is extraordinarily frustrating – we’re in the process of auditing and evaluating the extent of patching required for all of our clients’ systems, and we shouldn’t have to contact any manufacturer to procure firmware files for every single product – you’ve taken what should be a five minute job per model and turned it into something that’s going to take days and waste many hours of our time. We stopped selling another brand of workstation and server products years ago because of the difficulty of getting support from them – compared to Intel who have always been extremely helpful, respond rapidly, turnaround firmware updates very quickly, and will airfreight completely new replacement products for in-warranty RMAs free of charge; we don’t have time or interest in brands that don’t have excellent after-sales support, it’s just too important.

So we do encourage you in the strongest terms to review this policy – the IT industry must be supported to make this job as easy as possible. It’s already a colossal job patching every PC and server in the world without manufacturers making our job even more difficult.

While we have only received official word from Gigabyte about this, we highly suspect other manufacturers are operating in a similar manner. We’re in the process of requesting files for a range of devices, so we’ll update this post once we have more details about how widespread the practice is.

In the meantime, we strongly recommend IT professionals contact manufacturers if Spectre firmware patches don’t appear on product support pages for the devices you support, not only to request those firmware files, but to demand that the manufacturers make these patches easily available on their public portals. Forcing people to jump through hoops just to get patched isn’t just ludicrous, it is dangerously disruptive.
0

Business IT, Security
Following up from our recent article on the Meltdown and Spectre vulnerabilities, we’ve had confirmation from Gigabyte that Award BIOS motherboard products cannot apply the Intel CPU microcode that patches the Spectre flaws. According to them this affects all Award BIOS products from all manufacturers. In that case, even though the CPUs may be supported by Intel, the platform itself is not, so there’s no way to apply the CPU microcode and protect that system from Spectre. There’s a possibility that Microsoft may release a future patch that includes the microcode updates at boot time, but there are a couple of problems with this:
  1. An OS microcode implementation cannot protect against a system attack that occurs prior to the OS bootloader initiating and loading the microcode tables – the microcode will protect against attacks against the OS kernel’s memory access, but a successful attack against a device that can load an attack method prior to the OS bootloader call could still exploit this flaw to some extent. That’s why the microcode firmware patch is the best path to mitigation, but for tens to hundreds of millions of systems this simply isn’t going to be possible.
  2. So far, Microsoft have released security patches that only cover the most recent architecture generations, with no word from them about when, if ever, microcode for older generations will be integrated. At this point the idea that older systems may have an OS workaround to implement Intel’s microcode is little more than wishful thinking.
Intel have been releasing rolling Linux packages with the microcode updates since January, which have been integrated into all the major distros. So there’s no technical reason why Microsoft couldn’t also include microcode for the whole gamut of affected CPUs, but they are notoriously hesitant about including patches in official Windows patches that might adversely affect people’s PCs – we’re hopeful they’re just trying to do extensive testing before they roll this out, but realistically that day may never come. Both Intel and Microsoft are recommending people apply the manufacturer’s firmware patches, but in many cases this will simply never be possible.

When we asked Gigabyte what the options were for people with Award BIOS systems, they responded with this:
We suggest you to buy new chipset motherboard and enjoy the latest technology if you encounter any issue.

So no surprises there…
0

Business IT

This probably seems like a stupid question to ask – obviously, IT is computers, and everything to do with them. Well sure, it’s that. But it’s also data, it’s where you store that data, it’s how you access that data, it’s what you do with that data. It’s what that data’s worth to you. It’s what losing that data, or having that data stolen, is worth to you.

For a long time, Information Technology has been considered an operational cost to businesses, a necessary cost that improves efficiency, increases productivity, and helps process all the paperwork; but it’s a cost, and costs present us with an opportunity to minimise, in order to improve the bottom line.

About a decade ago, that equation broke. IT wasn’t just an efficiency improvement, it was now your core means of communicating your message. It also became an uncontrollable feedback mechanism – if you were doing a poor job with that communication, you could face a customer backlash that might wipe your company’s value away overnight. As the platform you ran your entire business on, it was also your single most vulnerable point of failure – if you lost access to your IT systems, your business couldn’t operate. If you lost access to your data, if your data was stolen, that could be the end of your business. For numerous reasons, IT wasn’t just a boring cost centre to be minimised, it was now your greatest risk.

But it was also your greatest opportunity – suddenly you could reach markets and customers in a more targeted, cost efficient manner, you could generate new leads that were simply impossible previously, you could continue an ongoing dialogue with all of your customers, turning single sales into lifetime customer relationships that were more lucrative and cost substantially less to generate.

In agile businesses taking advantage of new technologies and new platforms both for communication and operating their business, IT has, in many ways, supplanted what they would have traditionally considered their core business. For example, Dominos is the world’s fastest growing pizza business, its share price growing sixty times greater between 2008 and 2016 because they evolved into a technology company that happens to sell pizzas. It’s strategic decisions around technological innovation, adoption and utilisation that will make or break a business, often in a much shorter timeframe than traditional manufacturing cycles.

However, as well as innovations and opportunities, a little over a decade ago something else changed – ‘hacking’ went from the university lab, occasional technological anarchist and ‘script kiddies’ to well orchestrated, researched and designed ‘weaponised’ cyber crime that criminal syndicates had identified as having vast potential to generate them income. We also started seeing cyber warfare agents deployed by nation states. Suddenly the Internet (and technology generally) was a vastly more dangerous place. As billions were syphoned out of national economies, criminals were doubling down on their investments, improving in ability, sophistication and manpower. The Internet is now a live battlefield, dominated by the juggernauts of nation states, multinational corporations and professional cyber criminals, with SMBs and consumers bumbling about in this hostile terrain blindfolded and earplugged, blissfully unaware of the threats surrounding, and constantly trying to attack, them.

What would the impact be to your business if your customer data was stolen and sold on the Internet? How well would you recover if you lost every bit of data on your servers? How well protected are you from these possibilities?

Large enterprises and governments have numerous security experts managing their systems around the clock, with intrusion prevention and detection systems constantly monitoring their networks for signs of compromise. Even with all that, the average detection time for an intrusion is five months – some intrusions go undetected for years, with the attackers having access to the corporate network and the data flowing over it the whole time. 81% of reported intrusions weren’t even discovered by internal teams, but in fact were alerted to the intrusion by external sources such as law enforcement. What strategies does your business have in place to mitigate and respond to cyber attacks and intrusion?

Unfortunately individuals and SMBs don’t, for the most part, have hundreds of thousands of dollars a year to throw at security professionals to secure their systems and keep them protected. Without that, businesses must make highly efficient, well targeted strategic decisions about where and how best to spend their limited resources to minimise risk and maximise protection. There are lots of potential avenues to explore here, and the correct strategy very much depends on the situation of each business.

But possibly the most effective protection you can apply to your business (well, beyond ensuring your IT systems are never deployed in a default configuration, perhaps) is actually fairly cheap – staff training. Other than unconfigured or poorly configured devices, the next most vulnerable attack surface of any business is its staff. Well trained staff are far less likely to accidentally allow an intrusion, either via technical means or just social engineering. Things like phishing scams are now far more targeted and sophisticated than ever before – some attacks even target specific individuals such as the CFO or senior accounting staff in order to trick them into sending multiple millions of dollars to a fake account in a single transaction. The majority of RansomWare attacks wouldn’t have occurred if staff had been better trained and more vigilant.

So what is IT? It’s your biggest risk, but also your greatest opportunity. For both of those reasons businesses need to be far more proactive and prepared for these new costs of doing business, but pretending we’re still living in the ‘90’s and attempting to simply minimise these costs could cost you your whole business in fairly short order.

0

Business IT, Security

You’ve probably heard of Meltdown and Spectre by now – reports have been circulating across the Internet and even in mainstream news media since the beginning of January. These pose a catastrophic risk to businesses everywhere, but the cause may turn out to be more bureaucratic than technical.

So just how bad is this? Surely it’s being blown out of all proportion?

Unfortunately, not really. If anything there’s far less attention being paid than the issue actually warrants. Some security experts have even been downplaying the risks because these vulnerabilities don’t allow remote code execution – they need to run within a privileged user session, which means an authorised user must run the malware that’s exploiting the vulnerability, and for that to happen the system must already be compromised. Meltdown and Spectre are not magic keys that unlock PCs to access and control from afar, unlike many recent Zero-Day vulnerabilities such as the ones the NSA were exploiting with their hacking toolkits. However, those traditional zero-day vulnerabilities exploited software flaws, which, as damaging as they were, are easily fixed with OS patches – hardware flaws are rare and are almost never exploited even when they are discovered, because they’re often very difficult to implement and only work in limited scenarios, which is fortunate because they’re much harder to patch.

Meltdown can be mitigated at the software/application level, and has already been addressed by Operating System (OS) vendors and browser publishers, so it has essentially been solved. But Spectre is different, even compared with most hardware vulnerabilities, because it’s a flaw of unprecedented magnitude due to the level of access it has within a CPU. While Intel and AMD have released their microcode updates, for billions of systems worldwide we’re still waiting on patches from hardware vendors before we can protect systems, and even once they’ve been released patching is going to be labour intensive and require skills that the vast majority of consumers are not going to be familiar with. Because of the simple fact that automated patching is going to be impossible for huge amounts of consumer hardware, Spectre is extremely dangerous.

But back to that earlier point about not being a remote code vulnerability. If it needs to be run locally on a PC, then it can’t penetrate your network to get on a PC in the first place, can it? To answer this, I’d like to remind readers about another type of malware – ransomware. Ransomware doesn’t take advantage of any technical vulnerability – it can’t attack your PCs or your network, and on its own it can’t even spread. It’s just a program that runs on a computer when a user executes it. And then it encrypts anything and everything it can get access to, any file the user themselves can write to, throughout your network. Ransomware has become a massive problem because people click things and run things that they didn’t check thoroughly first – Ransomware exploits human vulnerabilities, not technical ones, and it works.

Spectre exploits can be executed in a similar way to Ransomware, except instead of locking down files and trying to get you to pay a ransom, they could allow an attacker to take over the computer entirely, but by doing so in the background they then get access to network resources the user has, potentially allowing the malware to spread. It could piggyback itself on legitimate communication between people and machines and use that established trust between humans that are familiar to each other to trick other users to run it on their devices, continuing to spread through sophisticated human manipulation rather than technical penetration. Imagine if every file any of your trusted contacts emailed you could potentially install malware that could then take over your PC within minutes, without you having any ability to detect it – all you did wrong was open a legitimate attachment that actually opened and worked as expected. If a SysAdmin logs into a compromised machine using an account with elevated privileges to perform diagnostics, that could not only hand them full control of the whole network, but all connected backups, too. Most of the potential damage of Ransomware was mitigated in large organisations by their backup and disaster recovery systems, but if you’re successfully attacked by a Spectre toolkit and you don’t have cold backup archives, you could also lose every backup that’s subsequently connected to your network.

Cybercrime is a trillion dollar industry (due to hit $6 trillion by 2021) – it is a colossal business enterprise and they employ some of the finest minds on the planet (because you’ll make a lot more money writing malware than you will trying to protect against it); they will find every possible way to extract maximum value from this and they will do their level best to attack every accessible target until they control it. To say nothing of the effort state actors (foreign governments) are pumping into their CyberWarfare divisions.

What About Antivirus?

Oh, but your antivirus/Endpoint Protection suite is meant to keep you safe? Remember, these are hardware vulnerabilities, so exploiting them will require software to operate in a way that is not immediately obvious to antivirus software – it isn’t going to act like a virus at all unless it’s bundled with other tools. Sure, when software is discovered that is exploiting these vulnerabilities security vendors will be able to create signatures for them. But heuristic analysis is unlikely to detect it, so security suites are always going to play catch up. I direct your attention again to Ransomware, as the vast majority of successful attacks were performed on systems running active security suites that were unable to detect it. Quite a few security experts have warned that antivirus software may remain totally unaware of a Spectre attack while it’s going on. That may be less accurate as time passes as security companies become more familiar with Spectre and write more sophisticated software to detect it, but in that time hacking toolkits exploiting spectre will become more sophisticated too. Yes, it’s an arms race.

Ok it Sounds Bad – But the Industry is Fixing it, Right?

On the third of April 2018 Intel announced that they’d released microcode patches for most of the CPUs they’ve produced over the past ten years or so. A week later AMD also announced the release of microcode patches for their ecosystem that will be available through hardware manufacturers. Both processor manufacturers have announced a program with Microsoft to push out updates that help mitigate Spectre, but Microsoft are taking a softly-softly approach to pushing out these microcode updates within Windows – so far only CPUs from the last couple of architecture generations have been included. It is hoped that Microsoft will gradually add additional CPU models over time, but there’s no way to know at this stage how many they will eventually support. Even though the microcode patches have been released to system board/PC/Server manufactures from Intel, they need to be tested, qualified, packaged up and released in the form of firmware updates for every single PC, server, mainboard and affected device – a different, unique firmware for every single model.

So how does that affect you? If you have a PC or a laptop, it will remain vulnerable until you’ve applied a firmware patch released by the manufacturer or your CPU model has been added to Microsoft’s list, you’re running the latest version of Windows and you’ve applied all current updates. For example, if that’s a Dell machine, you’ll have to check the Dell support page for that specific device. If the patch isn’t available yet you’ll have to keep checking back. Hopefully, eventually, Dell will release a firmware patch that you can download and apply to your machine, and then you’ll be safe. You can go here to find a reporting tool that will run a check on your device and tell you if it’s still vulnerable.

If you have a business with lots of PCs and devices, yes you’ll have to check the support pages of every one of those, then download and apply the firmware patches once they become available. Yes, that’s going to take quite a lot of time and effort, but that’s not even the biggest problem.

Greatest Risk – Will Hardware Vendors Actually Patch Legacy Systems, or use this to Drive New Sales?

Unfortunately it is likely that the industry thinks it is reasonable to not provide patches for older systems, as that will help stimulate new purchasing – customers get shiny new faster equipment, the IT industry gets fat from a new wave of global panic buying, the economy is stimulated and everyone’s happy, or so the thinking goes. However, many businesses won’t be able to afford to patch large numbers of machines all at once. Some won’t trust the analysis, some will think they can roll the dice and win against the house. (And that says nothing for cost-sensitive consumers who haven’t had a pay increase in over a decade and simply can’t afford a replacement device.)

Unfortunately all those businesses, regardless of motive, will be compromised, they will lose customer data, they will lose control of their own systems, they won’t be able to afford the clean-up bill and they certainly won’t be able to afford the law suits from their customers or the suppliers they can’t afford to pay – they will go into liquidation and if it can be shown that these decisions were made knowingly, some people will go to jail.

This situation isn’t helped at all by the extraordinary apathy that has been demonstrated by many analysts and commentators – most articles on this subject have offhandedly dismissed the overwhelming difficulty to consumers and SMBs of applying firmware patches, while they haven’t even considered the possibility that device manufacturers and mainboard vendors might not bother providing firmware patches for out-of-warranty systems. Let me put it into perspective for you – if manufacturers decide to draw a line in the sand and only patch hardware manufactured in the past three years, that will leave between two and three billion PCs and laptops unpatched. Even if they go back five years, that’s still over 1.5 billion unpatched (and unprotectable) devices.

{Update 9th May: We’ve been in touch with some of the major hardware manufacturers and it appears all devices with a non-EFI Award BIOS cannot be updated with Intel’s microcode. We’re following up to see if there are technical workarounds for this, but from the information we have at hand it doesn’t look good for older systems.

As mentioned above, Microsoft are pushing out microcode updates with the most recent versions of Windows 10 (go here to view the full list), but so far it’s for a limited range of CPUs only produced in the last couple of years. Unfortunately we have no way to know where Microsoft will draw the line on older CPUs – if they discover any architectural limitations affecting stability of any devices as a result of the microcode during internal testing it is very unlikely they will continue with that series – they will do everything they can to avoid the PR disaster that would ensue from their patch causing previously operation PCs to start crashing.}

Why Wouldn’t Manufacturers Provide Patches?

Apart from the fact that manufacturers stop releasing updates for products outside their warranty period, last year we saw a kind of trial run of this situation – Intel’s AMT flaw. AMT is a component of vPro, Intel’s business class asset management hardware that’s built into all vPro devices. AMT allows remote analysis, monitoring and even remote control of the device, and a flaw was discovered that could allow anyone full control over a device by completely bypassing the password. This was a massive deal for enterprises, but most consumers didn’t even hear about it.

Like Intel’s just done with Spectre, last year they developed and released a firmware patch to fix the problem with AMT, but it was up to device manufacturers to push that out via firmware updates to PCs, laptops and motherboards. At Xion Technology we experienced varying levels of support from manufacturers of systems we support, but one particular vendor was notable. This manufacturer didn’t include motherboard models in their ‘supported products’ document, despite having a number of affected models available. For the model that affected us, it took them three months to release a firmware patch after Intel’s announcement, while some manufacturers like Dell had patches available in just two weeks. But applying the firmware didn’t patch the vulnerability – it took phone calls to a major distributor to put us in touch with the head of RA at their Australian head office before we discovered that the actual AMT firmware was a completely separate file that they didn’t publish publicly at all – the only way we were able to obtain it and patch the affected systems was via email from the head of RA. Using normal, published support channels was useless – normal support had absolutely no idea what AMT even was. Without this backchannel those systems would still be unpatched today.

As mentioned earlier, the IT Industry could easily exploit ‘opportunities’ like this to make money – manufacturers are already pushing this as an ‘upgrade opportunity’, with the major processor vendors jostling to come out of this looking good by ratcheting up the rhetoric. But the reality is that no one looks good – all the hardware vendors completely missed this for well over a decade. Trying to make a buck out of this is a cynical exercise in corporate profiteering at the expense of customers. What hardware vendors should be doing is offering discounts and credits for customers forced to upgrade due to unpatchable systems or significant performance impacts – they should be bending over backwards to make this right, even if it means a cycle of depressed profits – sell it to your shareholders as buying good will (they’ve sure as heck got a lot to make up for right now). What they may do, sadly, could be cutting their customers loose, because it makes the short-term balance sheet look better.

{Update 9th May: As mentioned in the section above, for older systems running a pre-EFI BIOS (such as Award by Phoenix Technologies) it may not be possible to write the microcode to the CPUs. In that case the reason the device or motherboard manufacturer isn’t providing a firmware patch may simply be because they can’t.}

Can We Just Replace Affected Devices?

What about simply replacing legacy systems? Unfortunately, even brand new systems are shipping without these firmware patches today, but within a month or so you’ll be able to buy computers off-the-shelf that are already fully patched. Unfortunately, patched current generation hardware isn’t natively immune to the flaw – it has the same workaround that has been implemented in older systems, and this comes with a performance penalty. The extent of that penalty will depend on what you’re doing with the device – IO intensive tasks accessing high-speed storage like SSDs or Optane suffer the largest penalties, while tasks like gaming (which depend on the graphics card more than anything) and even fairly compute-intensive applications don’t see much impact at all.

Intel’s Canon Lake CPU refresh due towards the end of the year has supposedly been redesigned to address the speculative execution flaw that gives Spectre its name, but Intel haven’t had enough time to fully redesign Canon Lake and initial reports suggested it would take until their 9th gen architecture (Ice Lake) before they had silicon that was designed from the ground up without these vulnerabilities. It will be at least 18 months before Ice Lake is released and we can start comparing apples with apples. Alternatively, AMD’s Ryzen platform may be worth investigating, as it is a compelling option to Intel’s Core architecture (and it supports ECC memory, which is a big plus).

Over the coming months you may find systems that remain unpatched by the manufacturer and it may be prudent to start replacing older systems at that point. But I wouldn’t rush out and start replacing your PCs today – you’re just replacing defective hardware with slightly newer defective hardware, at least for a while.

So What Can We Do?

To start with, you need a comprehensive list of all devices you have in use. Then use that list to find the Support page for that device and check if the manufacturer has released a firmware patch for it. If not, get in contact with the manufacturer and ask them when they expect to have a new firmware available to address this issue. Repeat these steps for every PC, Server and laptop that you own. Smartphones and tablets were vulnerable to Spectre, yes, but any device that can receive a security patch pushed out to it will have one (if they’ve haven’t already), and due to the way smartphone app stores operate it is highly unlikely a malicious app will be able to affect phones in any great number (because only those who install apps from unverified sources will even be able to get such software on their phones).

As this plays out over the next month or so, we need to watch manufacturers closely for announcements of which devices they have patched, and which they are intending to cut loose.

In the meantime you need to proactively educate staff – you need to ensure staff are well informed about the use of work computers, only using known, legitimate websites (preferably using stored Bookmarks rather than typing or clicking links redirecting from other sites). They need to think carefully about email attachments and file downloads – did it come from a legitimate source? Were they expecting it? Was the language used in the email natural and normal for that person, or did it seem unusual – could it be someone impersonating them? Does the sender’s address look correct, or is it from a different domain but hiding behind a recognised ‘reply to’ address? If in doubt, NEVER CLICK – step away from the keyboard and mouse and ask for assistance from senior or technical staff.

Finally, a Message for the Industry

We have a simple message for the whole IT hardware industry – do the right thing. For every architecture that Intel and AMD have released a patch for, make sure every PC, laptop, server and mainboard you’ve produced has supporting BIOS/UEFI firmware updates to get the speculative execution mitigation microcode into systems. It’s still going to be an uphill battle getting end users to patch their systems anyway, but at least you will have done the right thing. Over the next few years this is going to evolve into a significant problem even if the whole industry does everything we can to resolve it – the last thing we need is unscrupulous manufacturers trying to cut costs and maximise profit by not even bothering to patch older hardware.

At some point, politicians and law makers somewhere are going to get tired of all the reports of successful hacks, people losing their savings, businesses going bankrupt and private data being stolen, and when they realise there is a scapegoat, that they can score political points by attacking the IT Industry and manufacturers, they won’t just encourage law suits, they will look to regulate the industry. Once it happens somewhere, it will be copied everywhere, as businesses and citizens demand action from politicians. Because it’s now too important – this isn’t just hobbyists, or small businesses, it isn’t even small industries, it is the global economy. It doesn’t really matter if your particular company only supplies components for a small fraction of the market, if you choose to cast your customers to the wind, you’re shirking your responsibility to them and risking the security of every bit of data that flows through that hardware. Governments are more than happy to make examples out of smaller players.

Frankly if the IT Industry can’t self-regulate and ensure every partner in the supply chain does everything it can to adhere to a security-first approach, it needs to be legally regulated.

 

0

Business IT, Editorial
‘Quality’ is a word that’s so overused, it has essentially lost its meaning – consider how often you’ve heard or read that word associated with someone’s product or service. When everyone’s using the same description, it’s no longer a point of differentiation – our eyes and ears slide past it, looking for something that actually stands out. Even legally, all products are expected to be of ‘reasonably high’ quality, or they’re not even allowed to be sold – you’re not allowed to deliberately sell something you know to be of inferior quality, with no expectation of reliability.

So, everyone claims that they’re selling ‘ quality’. Which is nice. Unfortunately if you’re in the market, trying to find a good, reliable product, you can’t trust the marketing, the packaging or the claims of the salespeople, because apparently everything is ‘the highest quality’; but we know from experience that it isn’t. Some things are better than others – they’re higher quality. Some things work better, feel better, are more reliable, have more performance. Short of testing everything yourself, how do you figure out what’s the best option for your money?

Word of mouth, professional reviews, product review websites, feedback scores, even social media can be enlightening. All of those require legwork, though – you need to collect the information, compare and consider it to make an informed decision. Hopefully you have a broad enough feedback base to end up with an honest, impartial perspective.

We’re an IT Consulting company. Yes, we sell hardware, but only as part of a solution – the package is, essentially, our client’s outcome. All the design, planning, assembling, configuring and everything else that goes into delivering that solution, they’re just components; components that need to work together to deliver the final package – it’s only successful if the solution works as a whole.

So we have a vested interest in carefully choosing components that will make our solutions successful – we’re not just choosing components for our clients, we’re choosing them for ourselves, because it has to work for us, first. As the solution provider, after deployment we then have support it – if we need to provide warranty services, that immediately wipes out the meagre margin we might have had on it, as the margin in IT hardware is wafer thin.

Retailers make money selling a small amount of products to large amounts of people, and hoping that returns will be low enough that the cost of warranty service won’t eat too badly into their profit margin. Consultants make money providing services to a relatively small number of customers (clients).

To be successful, if we do our job right, our clients will be so satisfied that they will continue to employ our services long-term. That requires an excellent relationship, one that the client values highly. To build such relationships requires ongoing trust, and you develop that trust by delivering exceptional service, by building solutions that always meet or exceed the client’s needs and expectations.

We design solutions of the highest quality, based on years of experience. When we experience quality issues or product failures from a particular brand, we stop buying, supplying and using that brand – it’s far too costly for us to support, and far too costly to our reputation.

In this blog we will write about certain products that we routinely recommend, supply and support. By doing so anyone who reads this derives some value from our expertise, but don’t just take our word for it – we highly encourage any reader to use your search engine of choice to research these products for yourself. But for those short for time, or who already have enough experience with us to know you can trust our recommendations, the articles we publish here should help you understand why we recommend certain products and brands. By following our advice, you will derive much greater value from your infrastructure investments than you would with inferior alternatives.

Because quality means everything to us, and it is our intention that it is the defining idea behind everything we do.
0

Welcome to the new Xion Technology website. We’ve been in business since 2002, and in that time we’ve seen tremendous changes in the technology we use both in business and in our everyday lives. Our new blog will see regular, business-focussed content that explains common or current technology topics and its relevance to your business, in language that’s easy to understand. Feel free to use the form on the Contact page to provide us with your email address if you’d like to receive an alert when we publish new blog posts.
0