CPU level security threat. How can we protect ourselves?

@
70 Tango Charlie

hey, yea i get what you are saying but lets break it down a bit.

My history is a bit complicated but i will not go into that now but maybe later or maybe never.

So the USB thumb drive, why do i say it was the worst thing as a security flaw in human history. Why did i say this.

Well consider you have office of 1000 people or even 10 people. The size does not matter. Someone brings a thumb drive from home plug it into their work pc and introduce a virus that brings the network down, corrupts the OS and all that bad stuff.

We saw on a TV series how a simple USB drive can be picked up by anyone and plugged into a computer and if the antivirus isn't good enough things can go bad. But again it is not far from the truth as you know.

Now as a technology I agree with you it is really great, its storage, simplicity and usability is clear as day. i Do not dispute this at all.

But anything can be used the wrong way. This includes almost every technology.

From a network security perspective, anything that is plugged into the computer is a potential security risk. Now this can take many forms but it is safe to say that a USB thumb drive can be configured is the hardest to protect against.

So many times people will just find a USB and plug it into the computer to see what is on it. Not even to return it. Now that is a real vulnerability. This is fact.

Please don't misunderstand me, i know that it is a great tech when used properly but it can be used for very bad stuff. Even steeling data. It doesn't have to be a virus. If someone has the correct user rights they can easily make a copy of a data base onto a thumb drive and walk out the door without anyone even knowing what has happened.

It is for these reasons i said that it is the greatest security flaw of our time. I will stand by this as i know for a fact it is true.
 


it's neither a fact nor a convincing argument.
 
Now days most workstations that are part of an intranet domain are configured to only allow whitelisted usb devices, so when you plug in an unknown usb device into a workstation it will not work and with virtual workstations(vdi/citrix) they are making it even harder for such devices.
 
Last edited:
it's neither a fact nor a convincing argument.

Right counter it then, See it is easy to dismiss something just because the person stating now magically needs to provide proof. Well do a google on the subject. I am not gong to debate anyone on what i know is fact out of both experience and what is published online. But simply put even IF you can secure Thumb drives 100% of the time, we now have this CPU security problem, and that is what i would like information on.

So i would like to know more on the CPU topic and what type of access the intruder will need. That way one can start planning a response. Now i have learned a lot about it but would still would like to learn more. So here we are.
 
Now days most workstations that are part of an intranet domain are configured to only allow whitelisted usb devices, so when you plug in an unknown usb device into a workstation it will not work and with virtual workstations(vdi/citrix) they are making it even harder for such devices.

Yea i was told this 2 years ago that was possible. I believed their solution was build on a antivirus i am not sure if it is a fully integrated Windows based solution.
 
Yea i was told this 2 years ago that was possible. I believed their solution was build on a antivirus i am not sure if it is a fully integrated Windows based solution.
There are probably different solutions for this, depending on the solution you pick you will get better results than another solution. However it's not my area of expertise because all of the workstations in most companies are Windows and managed by a workstation management team.
 
You could use Windows' Group Policy to disable USB as far back as XP (Pro, of course). I assume it's still true.

In Linux it's even easier. You just blacklist the USB module.
 
Right counter it then, See it is easy to dismiss something just because the person stating now magically needs to provide proof. Well do a google on the subject. I am not gong to debate anyone on what i know is fact out of both experience and what is published online. But simply put even IF you can secure Thumb drives 100% of the time, we now have this CPU security problem, and that is what i would like information on.

You've already been countered by others and to be honest it's difficult to "counter" something that is barely structured as an argument.

The crux of it being where you ask us to imagine an office of 10 or 1000 people, then follow it up by telling us the number doesn't matter. In any office, a fire is far greater security concern to people than some virus on the PC. And the number does matter.

If you are so into googling, do a google on the subject of "rubber-hose cryptanalysis" or look up how various nation states deal with "security problems". Don't look up the latter too much or you might end up in a bag.

I'm pretty sure Stuxnet would've found an easier route into Iranian nuclear equipment if the Iranian's had stuck the whole thing online. And of course, the virus found it's way onto the equipment via USB, but only because the maintenance guys were ONLINE.
 
You've already been countered by others and to be honest it's difficult to "counter" something that is barely structured as an argument.

The crux of it being where you ask us to imagine an office of 10 or 1000 people, then follow it up by telling us the number doesn't matter. In any office, a fire is far greater security concern to people than some virus on the PC. And the number does matter.

If you are so into googling, do a google on the subject of "rubber-hose cryptanalysis" or look up how various nation states deal with "security problems". Don't look up the latter too much or you might end up in a bag.

I'm pretty sure Stuxnet would've found an easier route into Iranian nuclear equipment if the Iranian's had stuck the whole thing online. And of course, the virus found it's way onto the equipment via USB, but only because the maintenance guys were ONLINE.

So i guess i have to now take time out of my day to go google every example where a thumb drive infected a series of computers? Honestly is this what is expected in 2021 where basically any company that handles sensitive data outright prohibit the use of thumb drives as a company policy?

Not to mention the countless YouTube's that was made on the subject? Do i honestly have to list them all? If it was the main subject i would say it is a fair request but honestly this was about CPU vulnerabilities and to explore what can be done on OS level such as Linux, or rather that was the hope.

But let's investigate my statement.

Firstly > How many infected USB drives does it take to take down a network? Well it can range to any number but again having experienced a situation like this, normally it took only 1 infected USB drive.

Thus anyone "note the word one" can create a situation that can take a network down. Now if the network has 10 computers or a 1000 computers once it infects the network it happens very fast. Now other factors can be at play here like Security updates as example, what the firewalls look like, or something as simple as network configuration and so on.

Yes you can disable USB with the right permissions and stuff BUT it comes down to the company and what setup they have. Some companies are up to the tasks others simply do not take the time or put in the effort.

But if the goal here is to shoot me down then i will take my leave. I started these post to explore what this CPU level problem is. i simply stated the fact that USB drives was and is a problem for many networks and have been since their adoption a long time ago. BUT if you believe a USB drive hold no risk to your network then that is just fine. That said security protocol exist for a reason. Again my exposure may not be the same as yours keep that in mind also.

Yes computer security has come a long way but admit this or not the tools to attack networks and personal systems has been updated and judging by the thousands of search results a lot of those YouTube videos are days old so it is fair to say that both sides are current.

There was this one article last year i believe that 35000 computers was infected by means of USB drives. i think the story broke in April sometimes in 2020 but i am sure you can find it.

So if you are so into shooting people down i digress thank all those that did effort and took part in this exploration "not debate" and may all of you remain safe during these strange new times.
 
Good day everyone,

i have to say i rewrote this thread a few times.

each time i realized a flaw in my thinking and now realized i am heading back towards CD-Rom drives? Seriously.

Here is the truth,

If YouTube is accurate and both amd and intel CPUs have a critical security flaw then they can no longer be trusted. What about a pi computer? The latest model is very useful and i have to admit i don't really notice lag doing research and might be part of my solution.

Situation, in my off time i write a lot and consider my scripts to be my property both because i wrote it and because i believe it may have future value especially when i wish to publish my work. Thus i need to protect my property.

The question now is how do i protect what is mine from CPU level security flaw? After doing research the simple answer is i don't. See anyone with the correct tools and knowledge can do serious damage as i understand it. But i lack the technical skill to protect myself. There are millions of YouTube videos teaching anyone how to compromise Wifi networks, home networks and the like. It is sickening to know that hard work can simply be stolen or removed.

So the idea now is to move away from X86 platforms. Now apple is a contender here but lets be honest apple is not cost effective. So a cost effective solution is a Pi computer. It uses Linux and it has a ARM based CPU with good amount of ram. Mine is a old one so i will be buying a few new Pi computers and see how i can secure the network, if encryption is possible. How to manage storage encryption. How to fully isolate networks so that each Pi has its own dedicated connection that is isolated from the other.

How to get virus protection for Linux and also look into a good KVM switch.

To come back to the CD-Rom. It is the only thing i can think of that i can make that is read only and cannot be compromised. So a old laptop with CD-rom will also be tested. It will have no hard drive and will store everything on a USB and Cloud base storage. So when the system powers down there is nothing. however the laptop is still intel and i don't trust them nor do i trust amd. So am seriously considering to retire all X86 systems.

It is no longer a question of paranoia it is a question of WHY did manufactures introduce these security flaws? Should they be held liable?

So my question to you all is, do i pull out all x86 systems? Do i simply disconnect from the internet entirely? In order to protect my scripts i have invested in a old typewriter that should arrive in a few days. This is not a joke, i honestly and truly believe it is the only way forward. The idea is to type my work out and take a photo with a good camera with no Bluetooth or wifi. That way each page will have a digital backup. But i would like to continue using a computer if possible but if not then this IS my solution. A camera and a typewriter? yea... i know it sounds like i am being seriously paranoid but in end, look for yourself how many people are actively trying to get into your network "for fun" and what damage will they do because they know they are hidden?

thank you for reading
take care.

Hi! I myself am a netizen concerned with computer/internet safety so I will list some things that will help. I highly suggest you looking into these.

1. Encrypting DNS and using a VPN probably won’t protect you from many malicious attacks (besides ones requiring the attacker to know what your computer/server’s details are), but it will hide any potential giveaway or sensitive information in your internet traffic. Since I wouldn’t put my faith in a singular entity, I’d recommend you host your own VPN server and proxy chain from there.

2. Isolating processes through the use of tools like Docker or use Qubes OS. This makes anything nasty that might escape your web browser or any other program and slide into your computer helpless.

3. I see you were worried about security flaws in what I presume to be Intel’s CPU. To simply put it, either just stop using the CPU with a flaw and switch to, say, Raspberry Pi, or take extreme precautions on what goes onto your PC. The former is probably the most practical, as to make sure your PC is safe from this threat level would require immense knowledge of the back-est of backends.

4. CD ROM is a good storage solution for no hard drive, I’m just skeptical about cloud storage. If you want full control of your data and don’t want to be susceptible to network based attacks, cloud storage is a bad idea. After all, if you were willing to ditch who-knows-what for a typewriter, such a solution seems pretty ill advised. Seeing that many cloud storage entities have a bad history with users data (i.e. Google), a USB stick seems like a safe option. After all, they are portable, cost effective, and versatile.

6. No, the security flaws were not purposely put there and were just a rather devastating oversight. They should take responsibility for attacks their users could not have avoided.

Thanks for reading! I hope this helped!

P. S. Make sure the programs you are using cannot spy on you. Use privacy oriented browsers and turn off “analytics” where you can.
 
Last edited:
Hi! I myself am a netizen concerned with computer/internet safety so I will list some things that will help. I highly suggest you looking into these.

1. Encrypting DNS and using a VPN probably won’t protect you from many malicious attacks (besides ones requiring the attacker to know what your computer/server’s details are), but it will hide any potential giveaway or sensitive information in your internet traffic. Since I wouldn’t put my faith in a singular entity, I’d recommend you host your own VPN server and proxy chain from there.

2. Isolating processes through the use of tools like Docker or use Qubes OS. This makes anything nasty that might escape your web browser or any other program and slide into your computer helpless.

3. I see you were worried about security flaws in what I presume to be Intel’s CPU. To simply put it, either just stop using the CPU with a flaw and switch to, say, Raspberry Pi, or take extreme precautions on what goes onto your PC. The former is probably the most practical, as to make sure your PC is safe from this threat level would require immense knowledge of the back-est of backends.

4. CD ROM is a good storage solution for no hard drive, I’m just skeptical about cloud storage. If you want full control of your data and don’t want to be susceptible to network based attacks, cloud storage is a bad idea. After all, if you were willing to ditch who-knows-what for a typewriter, such a solution seems pretty ill advised. Seeing that many cloud storage entities have a bad history with users data (i.e. Google), a USB stick seems like a safe option. After all, they are portable, cost effective, and versatile.

6. No, the security flaws were not purposely put there and were just a rather devastating oversight. They should take responsibility for attacks their users could not have avoided.

Thanks for reading! I hope this helped!

P. S. Make sure the programs you are using cannot spy on you. Use privacy oriented browsers and turn off “analytics” where you can.

Yes i 100% agree with you.

But as i understand it, it is no longer just Intel, according this article Blog Podcast Events Resources Security Advisory: Major Flaws Found Within AMD Processors

So the very reason i went with AMD was to avoid the Intel problem. Now both share a situation that could end the use of x86 CPUs for me personally.

But as much as i want to i cannot. But i was suckered into the idea that AMD was more secure and outfitted my office with AMD systems. As you can imagine buying top end AMD hardware in our current situation where it is really expensive i will not be able to bounce back from this for a few years.

However this said even with Intel CPUs having security problems I am looking into walking back to Intel. The reality Android Studio does not support AMD based virtualization very well. You can get it to work yes, and for the most part it seems stable but all that said they really make the process harder then what it should be.

Because of this and the demand for workflow I will be going back to Intel. The cool thing is android studio works really well on Linux and is considered to be a good development platform. However it is worth noting that Android & Java is now making place for Android and Kotlin. For someone like myself that worked on and trained on Java it is a bit of kick. But i digress.

I am simply pointing out why AMD was my choice "cost / security" and why i feel this was a mistake because now it has 3 problems. "security / compatibility problems / higher cost due to popularity.

So i will be looking into Linux Ubuntu as my main OS. I will be looking into hard drive encryption as well as network encryption. But i do want an antivirus that works on Linux. It is not that it needs it but i want the option. Do you have any suggestions, those will be welcomed.

As for browsing, i simply use a VM running ISO that is basically a dedicated browser. After each session i close it down delete it. However I got my hands on a Pi 4 and am using it as a dedicated browsing computer on a isolated network. But this is only for work. The system I am using here is still my old office pc.

I will take everything you said and see how far i can push each suggestion. Thank you again for sharing. :)
 
But if the goal here is to shoot me down then i will take my leave. I started these post to explore what this CPU level problem is. i simply stated the fact that USB drives was and is a problem for many networks and have been since their adoption a long time ago. BUT if you believe a USB drive hold no risk to your network then that is just fine. That said security protocol exist for a reason. Again my exposure may not be the same as yours keep that in mind also.

Man, for someone going around telling people your opinion is "fact" and that they should "google", you seem incredibly easily butt-hurt. Maybe all that time on your high horse hasn't done you much good. I presume you are not a relative of Paul Revere given your lack of success on said horse.

You didn't simply state any of that. And you insinuate that I believe a USB drive holds NO RISK to a network. In actuality, I mentioned Stuxnet, which is far better example than anything you have provided.

Where you have given hypothetical examples about people in an office and refer to articles you read last year, I have referred to probably the greatest example of cyberwarfare.

You have not even bothered to look Stuxnet up, and responded unhelpfully to inform everyone that one USB drive can take down a network.
 
Knock it off @Linuxembourg .

At #40, you said

Agree with all your points, and you echo the correct general point of KGIII too.

If you don't agree with subsequent Posts by the OP, then vote with your feet and take no further part in this Thread.

I do not plan to repeat myself.

Thank you.

Chris Turner
wizardfromoz
 
Knock it off @Linuxembourg .

At #40, you said

If you don't agree with subsequent Posts by the OP, then vote with your feet and take no further part in this Thread.

At #40 I didn't respond to the OP, and I didn't agree with any points that stated a USB drive is no threat to a network. It's a preposterous thing to say to someone who has mentioned Stuxnet.

EDIT - I have unwatched accordingly so thanks.
 
My mistake, I live in hope.

The bottom line is the same, I am leaving for my evening, and I do not expect to see you in this Thread tomorrow, unless you can be civil.

Good night

Wizard
 
My mistake, I live in hope.

The bottom line is the same, I am leaving for my evening, and I do not expect to see you in this Thread tomorrow, unless you can be civil.

Good night

Wizard

Have a nice evening. It'd be nice if the same rules applied to the OP. I live in hope too.
 
Yes i 100% agree with you.

But as i understand it, it is no longer just Intel, according this article Blog Podcast Events Resources Security Advisory: Major Flaws Found Within AMD Processors

So the very reason i went with AMD was to avoid the Intel problem. Now both share a situation that could end the use of x86 CPUs for me personally.

But as much as i want to i cannot. But i was suckered into the idea that AMD was more secure and outfitted my office with AMD systems. As you can imagine buying top end AMD hardware in our current situation where it is really expensive i will not be able to bounce back from this for a few years.

However this said even with Intel CPUs having security problems I am looking into walking back to Intel. The reality Android Studio does not support AMD based virtualization very well. You can get it to work yes, and for the most part it seems stable but all that said they really make the process harder then what it should be.

Because of this and the demand for workflow I will be going back to Intel. The cool thing is android studio works really well on Linux and is considered to be a good development platform. However it is worth noting that Android & Java is now making place for Android and Kotlin. For someone like myself that worked on and trained on Java it is a bit of kick. But i digress.

I am simply pointing out why AMD was my choice "cost / security" and why i feel this was a mistake because now it has 3 problems. "security / compatibility problems / higher cost due to popularity.

So i will be looking into Linux Ubuntu as my main OS. I will be looking into hard drive encryption as well as network encryption. But i do want an antivirus that works on Linux. It is not that it needs it but i want the option. Do you have any suggestions, those will be welcomed.

As for browsing, i simply use a VM running ISO that is basically a dedicated browser. After each session i close it down delete it. However I got my hands on a Pi 4 and am using it as a dedicated browsing computer on a isolated network. But this is only for work. The system I am using here is still my old office pc.

I will take everything you said and see how far i can push each suggestion. Thank you again for sharing. :)

You're welcome! Also, I think a KVM switch would be a good idea to switch between computers. If they are sharing an inter/intranet, or connecting them via bridged USB's or something, make sure only the computer that you are using has the ability to communicate with other PC's as to not spread anything. Also, I highly recommend Qubes OS, even if you aren't using it as your main OS. It's based on Fedora but from an outward perspective it seems perfect for your security needs. However, the beauty of this community is freedom, so do whatever you feel is best!
 
Fire scares me. But I still use it because I like cooked food. You take precautions for the things that you can control, and you accept that there are things you cannot control. If you have a medical emergency, go to the hospital. Don't agonize over their security... you can't control it. Overall they do a pretty good job.

Consider airplane crashes... you can't control them either. You see them on the news, and hundreds die. But normal is that there are many thousands of uneventful flights every day, and millions survive them. When you see a hospital on the news with a ransomware attack, remember that normal is that every other hospital in the country is running just fine. The sky is not falling.

Back to your topic: CPU's. Again, you cannot control their manufacture. Use them, or don't... but there will never be a perfect product... ARM included. The world is not perfect, and it never will be. What you CAN control is the operating system and software that you use. You can mitigate the threats with your behavior and choices, but there will always be threats. If you haven't already, you might take a look at Qubes Linux or OpenBSD.

Probably a bit late to reply to this post, but you have a very good point. But I have some input, feel free to disregard or disagree. :)

Statistically, the odds are in your favor that you won't crash and burn. But human lives, similar to our data, are important. But will we walk 2,000 miles to our destination (encrypting every file with AES 256 bit 35 passes over and smash our routers)? No. Are we going to ride on the wing of a Messerschmitt Me-163 Komet doing the chicken dance (being careless, not taking precautions, using "iTs WiNdOwS fRoM mIcRoSoFt")? GOODNESS no. I guess my point is, we have to check ourselves when we say "It's OK!" to even things we can control (Yes @stan , I know your weren't saying that). And, @Angry Dog , I think we really should utilize the wonderful tools we have in this era to make our lives easier. We shouldn't fear them, but we should have a healthy level of "respect" for them. Have a nice day!
 
There are two sides to computer/network security and the one i wish to address is personal computer and network security.

For me, i have a dedicated computer running a few scanning tools that i pay for and keep updated. Its sol purpose is to scan my external hard drives, USB thumb drives and some of the tools allow me create a USB that i can boot with. This allow me to scan a system.

Now as a side note, For windows users especially you can set the USB drive to read only and this will actually protect it 80% of the time. See Linux is linux and will overwrite the soft read only so there is that.

But for Windows it is a good way to store data onto a USB thumb drive and protect it. But again i am clear about this, it is not perfect.

So, i personally dislike the fact that I have a CPU level security risk and have very little i can do to help the situation. So isolating my work computer was my best call in this situation. My office is a mash of old and new hardware working together to have good Lan storage that again is isolated from other networks. So only a specific computer can access it and that computer is also isolated.

I do this because my depositories is useful and a lot of my previous work goes into a lot of my future work but this is the nature of what i do. So The setup i worked on this week was really crazy. Here is what i did.

1 > Got a pi 4 8Gb loaded up and use it exclusively for the internet for my work. Meaning i don't even use it for YouTube.

2 > My old computer is now the one i use for normal web browsing and communicate here. It is also on a isolated network. It will soon be using VM browser. And it's main OS will also be isolated.

3> My old laptop is used to scan my removable storage before i use it. It gets updates from an isolated network. As stated above it uses multiple pieces of software to scan devices.

4 > Backup is done twice a day, on removable media and then scanned. After the scan is done it gets deposited in my isolated Lan storage and second external storage.

This is my setup as i have it. Is it needed ? No it is not needed. But i will use it like this because it gives me peace of mind and that is the important part.

I will soon add VPN DNS encryption along with hard drive encryption once my main computer is Linux Ubuntu. It will have 2 accounts a user account and a Admin account. As far as i understand it not having Admin rights on the User account will limit access a infection may have.

I am also looking into ways to make a USB read only on Linux this again is just to protect the data that is on it. Also looking into Antivirus for Linux. Also looking into using a old computer as a firewall. I have a few systems that has duel core CPU that is 64bits with 8Gb of ram that may do the trick time will tell.


take care and be safe.
 
But i will use it like this because it gives me peace of mind and that is the important part.
Agreed.....that IS the important part

Just out of idle curiousity, what do you use to backup?
 

Staff online

Members online


Top