LW’s NEWS WRAP: ‘Spectre-NG’ — the latest family of chip vulnerabilities; expect more to come

By Byron V. Acohido

Last Watchdog’s News Wrap Vol. 1, No. 7 Google and Microsoft don’t team up very often. But the software rivals, to their credit, have been moving in unison to help the business community get ahead of a new class of hardware-level security flaws  that affect most of the networks now in service.

Researchers at Google’s Project Zero recently uncovered more such hardware flaws, which originate inside the central processing unit, or CPU, and first came to light when the milestone Meltdown and Spectre vulnerabilities came to light in early January.

Related article: A primer on ‘microcode’ vulnerabilities

I’ve previously unraveled how a design short cut, called ‘speculative execution,’  has finally come home to roost in the form of a vast security exposure. Speculative execution was a shortcut which Intel decided to take some 20 years ago in order to increase processing speed.

Google on Monday VERIFY formally disclosed this latest iteration of these chip flaws: eight new vulnerabilities dubbed  ‘Spectre Next Generation’ or ‘Spectre-NG.’ Then on Tuesday VERIFY Microsoft issued security patches to eliminate this specific flaw on chips companies are using to run Windows operating systems.

Get used to this pattern of disclosure and patching. These vulnerabilities won’t be eliminated until the next generation of chips arrive years from how.


“It’s safe to assume there are still quite a few flaws that have yet to be discovered,” Craig Dods, Juniper Networks chief security architect, told me. “I’m hesitant to conclude that things will only get worse with time. The barrier to entry for this type of research is quite high and generally remains possible for only the most skilled engineers.”

It will be nice if Dods’ conservative assessment holds true and we never seen anything bad come from chip flaws. However,  Russia- and China-backed cyber operatives and for-profit criminal rings certainly have deep pockets and top engineering talent – so why wouldn’t they jump into a race with white hats to find more vulnerabilites — and/or exploit known flaws in unpatched systems?  I have a feeling we’ll hear from them sooner, rather than later.

Bug bounties, big business

Google and Microsoft aren’t the only ones hunting bugs and issuing patches. Companies everywhere are scrambling to discover latent bug in their networks. The result : bug bounties have risen to unprecedented heights.

An article by IDG Connect staff writer Dan Swinhoe recounts the degree to which many organizations are paying bug bounties to ethical hackers who flush out vulnerabilities, so company can patch them before threat actors can take advantage.

Bugcrowd, Synack and HackerOne are the top bug bounty facilitators; HackerOne is the top dog having raised over $74 million in bounties and with over 160,000 hackers on its platform, Swinhoe reports.

Microsoft, Google, Intel, CloudFlare, Facebook, Chrysler, GM, Uber, GitHub, Kaspersky, the Singapore Ministry of Defence, US Air Force, Army, Department of Defense, and even the Pentagon now run bug bounty programs and competitions.

David Baker, CSO of Bugcrowd, told Swinhoe companies are starting to realize they’re more vulnerable than they were being told. Also,  there is an acute shortage of skilled security professionals available for hire. But there appear to be plenty of iconoclast hackers happy to subsist as bug bounty hunters.

VC name change

One of the leading early stage venture firm channeling cash  into promising cybersecurity start-ups has just changed its name to ForgePoint Capital.

This VC firm was previously known as Trident Capital Cybersecurity is still run by co-founder Alberto Yépez, who continues to serves as managing director. “Our early stage focus and overall mission will remain the same,” Yépez says.

The name change is intended to reflect its standing as the largest VC fund focused on cybersecurity. Since 1998, the firm has made 36 investments and has 18 cybersecurity exits.  Since 2015 alone, it has raised $300 million and invested in 11 promising security vendors.

“ForgePoint Capital is dedicated to forging success, relationships, change, and the outcomes of our portfolio companies,” Yépez says. “We understand the point at which these multiple relationships converge to forge innovation.”

(Editor’s note: LW’s NEWS WRAP is an aggregation of published articles, postings and releases supplemented by additional reporting. It usually appears on the 2nd and 4th Wednesdays of each month.)


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone