On January 3rd, many of our vendors, including Microsoft began talking about issues in the core hardware inside our computers, called the CPU. The issue involves many shortcuts built into the hardware, making our computers faster. These shortcuts allow malicious software to steal any information from our computers. These shortcuts exist in any CPU built within the last 10 years by Intel, AMD, and ARM. Our mobile devices use ARM processors, while our desktop computers use Intel or AMD CPUs. 

The issues were found many months ago and due to the complexity and wide exposure, the affected hardware vendors worked with operating system organizations like Microsoft to write new operating system software (patches) to address these vulnerabilities before letting the community know of the issues. The patches are now available and come with negative performance impacts, slowing our computers down. The slowdown comes from not using the shortcuts that previously provided us faster processing.

BTS is evaluating the impact of these patches to understand the risk and apply patches as quickly as possible.

Over the past month we received a few hard hits to our security world. The reports started with a new WiFi problem called KRACK, then followed with a vendor providing a weak encryption device vulnerable to ROCA.

What do these attacks and vulnerabilities mean? Let's talk briefly about each:

KRACK allows a physically present attacker to force client computers and mobile devices to weaken and even remove their wireless encryption protection layer. This is concerning and is best handled by patching your devices. All the major vendors have patched this issue at this time (Apple, Microsoft and Android, though Android updates are reliant on your provider and so-far mobile providers have not applied the patch everywhere). 

This attack is worrisome, however has limited success since many of our communication paths are now encrypted as well (ex: HTTPS). Also the attacker must be local. 

ROCA is a hardware mistake in many security devices like Smart Cards. The City does not use any of these devices, however you may have one personally (rare). The fix for this issue is to contact your vendor and obtain a replacement.

(Smart Cards are a second way to authenticate you to a service. The City uses RSA tokens, which is a similar technology)

These Smart Cards or other security devices are supposed to give us really reliable random numbers and these chips were found to not do that well. This caused a problem where someone can break the encryption of a hard drive or communication channel with a low amount of resources. The reports say it costs approximately $70,000 for the computer time to break one of these communication channels or encrypted drives. Some say it can be done for less with cloud provider computer resources. 

Summary:

Both of these issues are mitigated for City owned solutions. Patch your personal compute devices, including phones/tablets and check your vendors if you have a Smart Card or other personal security device. 

NPR had an article this week, talking with a person who used phishing to build a false relationship and extract information from high ranking targets.

In the article James Linton explains how he used fake email accounts to seem to be inside organizations and obtain sensitive information. He did this for "fun". He set up accounts with names of real people inside the organization and pretended to be these people.

This article is an inside view of how easy it is to fake a communication and what awareness we need. 

a Quote from the article: Linton says, "Just be a little bit more aware of how in the zone you get when you're in email. Don't always take it for [granted] that the name you see there is the name that's the person you're speaking to."

The article is on the NPR website: https://www.npr.org/2017/11/13/563894789/how-one-man-easily-tricked-high-profile-people-online-using-false-identities

Stay vigilant.

The future of the internet is ever expanding, from Smart Cities and smart homes based on an Internet of Things (IoT), to enhanced technologies, including facial recognition and TV’s that connect to the internet. Knowing where your personal information is on the Web, how it’s used, and whether it is sold, are important factors in safely managing your Web presence and exposure to cyber risk.

Information Security shares best practices, skills and ideas on our resource site: https://www.portlandoregon.gov/bts/infosec

If you don’t find what you’re looking for, e-mail us a request or a question at btsinfosec@portlandoregon.gov.

Internet of things definitions: https://en.wikipedia.org/wiki/Internet_of_things

The way our technology is advancing applies to attacker’s methods and techniques. If we keep storing our important information in devices, and servers attempts to access this information for malicious intent will be ever expanding. Just like in the Newsletter spoken above, things that would be simple to infect devices and disguise itself from users will continue to be the new normal.

It is recommended to take the time to understand how to keep yourself safe. Review the past blogs, the information security website, and contact us if you have questions or want to learn more ways of keeping yourself safe. 

City of Portland is a target for hackers that want to expose systems and access sensitive information. What this means is all employees are a target to attack the City’s internal networks. This may seem a little frightening, but if we keep awareness levels high across all the City and everyone understands the importance it can lower the risk.

The Information Security team works diligently with other teams across BTS and other Bureaus to provide security for the entire City. However, we need the help of every employee to maintain complete awareness of any attempts to attack the City, and prevention from those attacks.

Understanding, identifying, and reporting phishing emails is an example of how all employees can assist in helping the City. When you understand, and identify a phishing email you can avoid it and reduce the possibility of compromise to the network. When you report it to the HelpDesk this gives us a chance to see if you were specifically targeted, or if more individuals will be emailed. This gives the City time to react with HelpDesk emails showing the trending phishing email.

It is important for all employees to be aware and diligent to keeping the security of the City’s networks. With your help, the City can stay compromise free!

For more information go to: https://staysafeonline.org/ncsam/about/