Why Facebook Was Dropped from the S&P 500® ESG Index

Jun. 11 2019 — When the S&P 500 ESG (Environmental, Social, and Governance) Index underwent its annual rebalance after markets closed on April 30, 2019, several notable companies were removed, including Wells Fargo, Oracle, and IBM. However, the largest component to be dropped was Facebook.

A day before its exclusion, Facebook held a weight of 2.5% in the S&P 500 ESG Index. At that time, Facebook was the fourth-largest company in the S&P 500, the parent index for the S&P 500 ESG Index, with a weight of 1.9%.

Why was Facebook removed? To better understand, a primer on the S&P ESG Index Series methodology[1] is helpful.

Some ESG indices, like the Dow Jones Sustainability Indices,[2] are narrow in their construction, selecting only a few leading companies in sustainability, industry by industry. Other ESG indices, such as the S&P 500 ESG Index, keep broad exposure but exclude companies lagging in ESG performance or that are involved in certain business activities, such as the production of tobacco or controversial weapons.

To keep alignment with the S&P 500 and to exclude companies underperforming in ESG, companies are ranked within their S&P 500 GICS® industry groups by their S&P DJI ESG Scores. They are then selected, highest to lowest, with the aim of getting as close as possible to a market capitalization threshold of 75% within each industry group.

In the case of Facebook, its overall S&P DJI ESG Score was 21, out of a range of 0 to 100, with 100 being best. This low score resulted in Facebook not being selected as part of the approximately 75% of the Media & Entertainment industry group’s market capitalization included in the S&P 500 ESG Index.

Drilling down further, though its environmental score was strong at 82, this sub-score only carried a 21% weight in determining its aggregate ESG score, as environmental issues tend to be less material for tech companies. More impactful were its social and governance sub-scores, which registered at 22 and 6, respectively. These scores carried weights of 27% and 52%, respectively.

The specific issues resulting in these scores had to do with various privacy concerns, including a lack of transparency as to why Facebook collects and shares certain user information. According to SAM, a unit of RobecoSAM, S&P Dow Jones Indices’ collaborator on the S&P 500 ESG Index, its “Media and Stakeholder (MSA) analysis found that Facebook had experienced many privacy issues over the past 24 months, including allowing more than 150 companies access to more users’ personal data than it had disclosed, misuse of personal information (e.g., Cambridge Analytica) and hacking of almost 50 million accounts. These events have created uncertainty about Facebook’s diligence regarding privacy protection, and the effectiveness of the company risk management processes and how the company enforces them. These issues caused the company to lag behind its peers in terms of ESG performance.”

The good news for Facebook and other members of the S&P 500 is that the composition of the S&P 500 ESG Index is reasonably fluid, rebalancing annually. However, the S&P DJI ESG Scores are relative measures.[3] As Facebook’s peers raise the bar in their ESG performance, Facebook will need to do even more to rejoin the ranks of the S&P 500 ESG Index.

Jun. 04 2019 — Do you ever wonder where environmental, social, and governance (ESG) factors—now used in more than 25%[1] of all assets under management—come from? The short answer is: Mainly from the good-practices checklists maintained by a handful of big ratings agencies.

But where did those agencies get their checklists? Mainly from the fruits of a handful of turn-of-the-millennium sources, including John Elkington’s “Triple Bottom Line,” the “100 Best Companies to Work For” list, and the United Nations Principles for Responsible Investment.

But where did these sources come from?

Sixty-five years ago, Peter Drucker wrote in his landmark book, The Practice of Management, “What is most important is that management realize that it must consider the impact of every business policy and business action upon society.”

While Drucker would have applauded the rise of ESG investing, he would have encouraged it as one piece of a broader, holistic view of “social responsibility.” For Drucker, social responsibility begins with the customer. After all, he wrote, “it is to supply the consumer that society entrusts wealth-producing resources to the business enterprise.” Drucker also held that a corporation must take care of its employees, maintaining that if “worker and work are mismanaged” it is “actually destructive of capital.” He counseled that companies must constantly pursue innovation, not merely to grow revenue but in service of their basic function as society’s “specific organ of growth, expansion and change.” In all of this, Drucker was decades ahead of his time, anticipating an age in which 80% of a company’s value[2] would take the form of intangibles not shown on a balance sheet.

Not that Drucker considered financial strength unimportant. Business’s “first responsibility,” Drucker declared, “is to operate at a profit,” so as to fulfill its role as “the wealth-creating and wealth-producing organ of our society.” Ultimately, Drucker saw that social responsibility would be the highest expression of business purpose rather than a feel-good sideshow—a harbinger of today’s concept of “shared value” and the basis of the S&P/Drucker Institute Corporate Effectiveness Index. “It is management’s…responsibility,” Drucker wrote, “to make whatever is genuinely in the public good become the enterprise’s own self-interest.”

The evidence that investors and executives are still catching up to Drucker’s foresight is, sadly, all around. Pleas to fix capitalism before it breaks beyond repair aren’t only coming from dissatisfied workers and customers or political ideologues; they’re coming from the power elite at Davos and the Milken Institute.[3]

Here again, we find ESG’s roots in Drucker’s philosophy. Sixty-five years before today’s headlines about worried billionaires, Drucker wrote, “capitalism is being attacked not because it is inefficient or misgoverned but because it is cynical. And indeed, a society based on the assertion that private vices become public benefits cannot endure, no matter how impeccable its logic, no matter how great its benefits.”

The rising concern for capitalism’s social viability comes alongside booms in both ESG investing and ESG products and services. That’s no accident. In Peter Drucker, we have the same person to thank for laying ESG’s foundation, sounding the alarm about its importance, and prescribing it as a solution.

[1] Bernow, Sara, Klempner, Bryce, and Magnin, Clarisse. “From ‘why’ to ‘why not’: Sustainable investing as the new normal.” McKinsey & Company, October 2017.

[2] EY. The Embankment Project for Inclusive Capitalism Report.

[3] Jaffe, Greg. “Capitalism in crisis: U.S. billionaires worry about the survival of the system that made them rich.” The Washington Post, April 20, 2019.


New SA crypto exchange starts rand-Bitcoin trading

South Africa’s newest crypto-currency exchange VALR today launched rand-Bitcoin trading on its platform. Customers can now buy and sell Bitcoin directly with rands, and also use Bitcoin and Ether to buy and sell over 50 other crypto-currencies.

A little over an hour after VALR started rand-Bitcoin trading, CEO Farzam Ehsani said it had already seen millions of rand worth of trades. He attributed this to the platform having the lowest fees on the market, and to the fact that, for the first time, there was now international pricing of crypto-currencies for the South African market. The plan is to also launch rand-Ether trading in future.

Ehsani told ITWeb that when VALR launched on December 6, 2018, it was very close to the bottom of the price of Bitcoin. Since then, the price has recovered somewhat, to just under $8 000.

The platform is backed by United States-based exchange Bittrex and former FNB CEO Michael Jordaan. Aside from Ehsani, there are another three partners, who also contributed to the startup costs.

Ehsani said he has a long-term view of crypto-currencies, and that it’s important to look past the day-to-day price movements. “The price will go up and down based on the whims of people, but if you understand the technology and the impact this asset class can have on the world, you take a different perspective.”

He said VALR was seeing a ‘ridiculous’ amount of sign-ups at the moment, and that someone new was joining the platform every few minutes. Its customers now number in the thousands, and while they are accepting customers from all over the world, the majority are South Africans. It doesn’t accept customers from North Korea, or from the United States, due to the latter’s ‘particularly burdensome regulatory environment’.

He’s particularly proud of VALR’s onboarding system, which he says is the fastest in the world. At the moment, exchanges in South Africa are not required to verify the identity of clients, a requirement known as KYC, or ‘know your customer’. Ehsani says, however, they’ve spent a significant amount of their R20 million startup money to build a system that automates the sign-on process.

Prospective clients are asked for their name, surname, address and a password. They then upload an image of their ID, driver’s licence, or passport, which is then analysed to see if it’s a legitimate document. VALR now needs to tie these pieces of information together with a ‘liveness’ test: the app asks you to film a short video of yourself, following instructions such as looking to the right and left and repeating a string of numerals. It then compares frames of the video to the ID document, and if this matches, you’re cleared to trade. All this happens in about five minutes, and a staff member will only get involved if the system flags a discrepancy.

Exchange controls: Relic from the past

Bittrex is providing the liquidity for crypto-to-crypto trading.
In South Africa, there are exchange controls for on-shore and off-shore assets. An individual is allowed to move R1 million a year, subject to a valid SARS tax clearance certificate. No one is allowed, however, to buy crypto with rands, which, Ehsani says, is ‘very, very limiting, and why we need some liquidity to grease our operations’.
VALR thus facilitates trade between its customers and those from Bittrex.
Ehsani is a vocal opponent of exchange controls, and says it’s stifling the South African economy.
“It’s a relic from the past. It may have had a purpose during the apartheid regime, but we’ve grown beyond that now.”


Types of backup and five backup mistakes to avoid

As humanity’s use of all kinds of technology has grown, terms like backup are no longer unfamiliar to the majority of people. Of course, the concept of a backup existed long before it came to be named as such. Whenever any important document or information was copied and stored in a place separate from the original for the purpose of ensuring the information would not be lost, the process of backing up was taking place. This way, if the original became damaged, it was possible to recover the information it contained by referring to the copy, which was kept in a different, safe location. When this notion was adopted by people and companies within a technological context, its original characteristics did not change – simply, new resources became available to make the backup process easier and faster.
In this article, we will look at the main types of backup operations, as well as at some of the most common mistakes that many of us may make while backing up our data. In short, there are three main types of backup: full, incremental, and differential.
Full backup
As the name suggests, this refers to the process of copying everything that is considered important and that must not be lost. This type of backup is the first copy and generally the most reliable copy, as it can normally be made without any need for additional tools.
Incremental backup
This process requires much more care to be taken over the different phases of the backup, as it involves making copies of the files by taking into account the changes made in them since the previous backup. For example, imagine you have done a full backup. Once you’ve finished, you decide that going forward you will do incremental backups, and you then create two new files. The incremental backup will detect that all the files in the full backup remain the same, and will only make backup copies of the two newly created files. As such, the incremental backup saves time and space, as there will always be fewer files to be backed up than if you were to do a full backup. We recommend that you do not try to employ this type of backup strategy using manual means.
Differential backup
A differential backup has the same basic structure as an incremental backup—in other words, it involves making copies only of new files or of files that underwent some kind of change. However, with this backup model, all the files created since the original full backup will always be copied again. For the same reasons as with incremental backups, we recommend that differential backups are also not carried out manually.
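As an added example (not code from the original article), the following simulation shows which files each strategy copies over two backup runs and what a restore has to read back, ending with the hash comparison that "testing the backup" amounts to. File contents, timestamps and the logical clock are constructed; deletions are ignored to keep the model short.

```python
"""Added example, not code from the original article: what each backup type copies
and what a restore needs. A 'file system' here is a dict path -> (mtime, content)
with integer logical timestamps; all sample data is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Snapshot:
    kind: str        # "full", "incremental" or "differential"
    taken_at: int    # logical time at which the backup ran
    files: Dict[str, str]   # path -> content copied by this backup


def changed_since(fs: dict, since: int) -> Dict[str, str]:
    """Files created or modified after logical time `since`."""
    return {path: content for path, (mtime, content) in fs.items() if mtime > since}


def full_backup(fs: dict, now: int, chain=None) -> Snapshot:
    """Copy everything, regardless of history."""
    return Snapshot("full", now, {path: content for path, (_, content) in fs.items()})


def incremental_backup(fs: dict, now: int, chain: List[Snapshot]) -> Snapshot:
    """Copy only what changed since the most recent backup of ANY type."""
    return Snapshot("incremental", now, changed_since(fs, chain[-1].taken_at))


def differential_backup(fs: dict, now: int, chain: List[Snapshot]) -> Snapshot:
    """Copy what changed since the most recent FULL backup, so each differential
    re-copies files already captured by earlier differentials."""
    last_full = next(s for s in reversed(chain) if s.kind == "full")
    return Snapshot("differential", now, changed_since(fs, last_full.taken_at))


def restore(chain: List[Snapshot]) -> Tuple[Dict[str, str], int]:
    """Rebuild the latest state and report how many snapshots had to be read.
    An incremental chain must be replayed in full; a differential chain needs
    only the last full backup plus the newest differential."""
    last_full_idx = max(i for i, s in enumerate(chain) if s.kind == "full")
    state = dict(chain[last_full_idx].files)
    later = chain[last_full_idx + 1:]
    if later and later[-1].kind == "differential":
        state.update(later[-1].files)
        return state, 2
    for snap in later:
        state.update(snap.files)
    return state, 1 + len(later)


def verify_restore(restored: Dict[str, str], live: dict) -> bool:
    """'Test the backup': every live file must come back byte-identical."""
    def digest(data: str) -> str:
        return hashlib.sha256(data.encode()).hexdigest()
    return all(path in restored and digest(restored[path]) == digest(content)
               for path, (_, content) in live.items())


def run_scenario(strategy) -> Tuple[List[int], int, bool]:
    """Full backup, then two backups with `strategy` while files change in between.
    Returns (files copied per backup, snapshots read on restore, restore verified)."""
    fs = {"a.txt": (1, "A"), "b.txt": (1, "B")}      # constructed starting state
    chain = [full_backup(fs, now=2)]
    fs["c.txt"] = (3, "C")            # new file
    fs["a.txt"] = (3, "A v2")         # modified file
    chain.append(strategy(fs, 4, chain))
    fs["d.txt"] = (5, "D")            # another new file
    chain.append(strategy(fs, 6, chain))
    restored, snapshots_read = restore(chain)
    return [len(s.files) for s in chain], snapshots_read, verify_restore(restored, fs)


if __name__ == "__main__":
    for strategy in (incremental_backup, differential_backup):
        copied, read, ok = run_scenario(strategy)
        print(f"{strategy.__name__:20s} copied per run={copied} "
              f"snapshots read on restore={read} restore verified={ok}")
```

The incremental run copies fewer files per backup but needs every snapshot in the chain to restore; the differential run copies more each time but restores from just two snapshots.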
Where to store the backup
Once you have decided which type of backup is best suited to your needs, it is important to consider carefully where to store it. The types of media most commonly used for storing data have changed over the years. Backups have been variously done on punch card, floppy disk, optical media like CD, DVD and Blu-Ray, tape, external hard disk, cloud-based storage services, and more. One of the questions you need to consider when deciding where to save your backup copy is: How long am I going to need to keep this backup? Knowing the answer to that will make it easier to figure out which medium to store your files on.
To answer that question properly it would be necessary to know the specific needs of each individual business or home, so instead let’s look at two fictitious scenarios which will serve as examples of ways in which a backup can be of great value.
  • For businesses

The year is 2017 and the company ‘Fictitious Corp.’ starts its business day at 8 a.m. as usual. At around 11 a.m., one of the IT managers hears a strange sound coming from a nearby area. Just after hearing the noise, his phone rings and he answers it. After finishing the call, he realizes that the workstation is totally paralyzed and reads a message on the screen saying all the data are now encrypted. The same message is displayed on some of the other machines located in this and other areas of the business. Then he discovers that the company’s file server has crashed, caused by the same problem: the WannaCryptor ransomworm.
In this example, the company, which was dependent on its file server in order to be able to operate, could have easily avoided its systems being paralyzed by the ransomware attack if it had maintained a full, offline and current backup of its file server.
  • A home-based example

Mr. Easygoing was watching TV from the comfort of his sofa at home when he suddenly felt a surge of nostalgia and got the urge to look at some photos of his wedding and his son’s birth. Just as he was opening the photos a downpour started. Once he finished looking through them, Mr. Easygoing went to the kitchen to fix something to eat, leaving the computer plugged in. Suddenly he heard the crash of a bolt of lightning, and the electricity went off. The next day, when the power was back on, he discovered that the computer’s hard disk was fried and that all the photos capturing his memories were lost.
Here, the incident occurred due to a power surge, but there are a great many other potential causes for data loss, and all of them can be protected against, at least to a great extent, by making regular backups. If you have any information you wouldn’t want to lose, a backup is an effective way to help prevent that from happening.

Common mistakes made while doing a backup
Now that we have looked at some of the issues around the importance of backups, let’s continue with some recommendations as well as some common mistakes made during the process.
  • Not doing a backup

This is without a doubt the most common mistake. Very often a backup was not done either due to not getting around to it or because of thinking the information wasn’t important—until it was lost.
  • Saving the backup copies on the same hardware as the original files

The idea of a backup is to make a copy for safekeeping. That copy must be stored in a location different from where the original files are kept. If they are stored on the same hardware and that hardware is damaged, the backup copies might be lost along with the originals.
  • Not testing the backup

Making a backup involves a series of processes. It isn’t enough to just create a copy – you also need to check the files to verify that the data you saved is actually accessible in case you need it. Indeed, testing your backups is just as important as backing up itself. Depending on the form of the backup, which is often a compressed file, it could become corrupted, in which case a new backup needs to be done.
  • Not running the backup regularly and sufficiently frequently

It is important to make backup copies regularly, especially if the information is frequently updated. Imagine, for example, that you are writing a book in a word processing document and you only make a backup copy on the first of each month. If the file is lost on the 15th of the month, you will only have a copy dating back to two weeks ago and you will have lost all the work you did in the interim.
  • Not labeling the backup files

After running your backups, keep a record of which archive is from which hardware. In case you need to recover the data, it will be essential to do so on the right equipment.
A data loss event can cost any of us dearly, and it goes without saying that backups should be part of everybody’s cyber-hygiene. In a way, backups are intended to protect the investment we make into the data, so let’s think ahead so that we don’t lose that investment.
Do you want to learn more? We have previously covered the issue of backup from several angles, including in a digestible white paper, ‘Options for backing up your computer’, which mainly dealt with the most common hardware and software resources involved in backup operations. We encourage you to give it a read.


WhatsApp discovers 'targeted' surveillance attack

Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed.

WhatsApp, which is owned by Facebook, said the attack targeted a "select number" of users and was orchestrated by "an advanced cyber-actor".

A fix was rolled out on Friday.

On Monday, WhatsApp urged all of its 1.5 billion users to update their apps as an added precaution.

The surveillance software involved was developed by Israeli firm NSO Group, according to a report in the Financial Times.

Facebook first discovered the flaw in WhatsApp earlier in May.

WhatsApp promotes itself as a "secure" communications app because messages are end-to-end encrypted, meaning they should only be displayed in a legible form on the sender or recipient's device.

However, the surveillance software would have let an attacker read the messages on the target's device.

Some users of the app have questioned why the app store notes associated with the latest update are not explicit about the fix.

"Journalists, lawyers, activists and human rights defenders" are most likely to have been targeted, said Ahmed Zidan from the non-profit Committee to Protect Journalists.


How do I update WhatsApp?


Android:
  • Open the Google Play store
  • Tap the menu at the top left of the screen
  • Tap My Apps & Games
  • If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
  • If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
  • The latest version of WhatsApp on Android is 2.19.134

iOS:
  • Open the App Store
  • At the bottom of the screen, tap Updates
  • If WhatsApp has recently been updated, it will appear in the list of apps with a button that says Open
  • If WhatsApp has not been automatically updated, the button will say Update. Tap Update to install the new version
  • The latest version of WhatsApp on iOS is 2.19.51

How was the security flaw used?

It involved attackers using WhatsApp's voice calling function to ring a target's device.

Even if the call was not picked up, the surveillance software could be installed. According to the FT report, the call would often disappear from the device's call log.

WhatsApp told the BBC its security team was the first to identify the flaw. It shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

“The attack has all the hallmarks of a private company that reportedly works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” the company said on Monday in a briefing note for journalists.

The firm also published an advisory to security specialists, in which it described the flaw as: "A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number.”

Prof Alan Woodward from the University of Surrey said it was a "pretty old-fashioned" method of attack.

"A buffer overflow is where a program runs into memory it should not have access to. It overflows the memory it should have and hence has access to memory in which malicious code can potentially be run," he explained.

"If you are able to pass some code through the app, you can run your own code in that area.

"In VOIP there is an initial process that dials up and establishes the call, and the flaw was in that bit. Consequently you did not need to answer the call for the attack to work."
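As an added illustration that is neither WhatsApp's code nor anything from the advisory, the walker below parses a compound RTCP packet (the format SRTCP protects) and validates each declared length against the bytes that actually arrived and against a fixed buffer capacity. In memory-unsafe code, the absence of exactly this comparison is what lets a copy run past its buffer, which is the bug class the advisory describes; the packet bytes and the 64-byte capacity are constructed.

```python
"""Added example (not WhatsApp's code): validating RTCP length fields before use.

RTCP packets (RFC 3550 s6.4.1) carry a 16-bit 'length' field counting 32-bit
words minus one. Sizing a copy from that field without comparing it to the bytes
received is the classic shape of a remotely triggered buffer overflow; the
checks below are the ones that must happen first, whatever the language."""
import struct

RTCP_HEADER = struct.Struct("!BBH")   # V/P/RC byte, packet type, length (words - 1)
MAX_PAYLOAD = 64                      # constructed: capacity of the fixed buffer we copy into


class RtcpError(ValueError):
    """Raised for any packet that must be dropped before its payload is touched."""


def rtcp_length_bytes(length_field: int) -> int:
    """Convert the on-the-wire length (32-bit words minus one) to bytes."""
    return (length_field + 1) * 4


def walk_compound_rtcp(buf: bytes, max_payload: int = MAX_PAYLOAD) -> list:
    """Return [(packet_type, payload), ...] for every sub-packet, or raise RtcpError.

    Every bound is checked against what actually arrived (len(buf)) and against
    the destination capacity before a single payload byte is copied."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < RTCP_HEADER.size:
            raise RtcpError(f"truncated header at offset {off}")
        vprc, ptype, length = RTCP_HEADER.unpack_from(buf, off)
        if vprc >> 6 != 2:                      # RTP/RTCP version must be 2
            raise RtcpError(f"bad version {vprc >> 6} at offset {off}")
        total = rtcp_length_bytes(length)
        if total > len(buf) - off:              # declared size exceeds received bytes
            raise RtcpError(f"declared {total} bytes but only {len(buf) - off} remain")
        payload = buf[off + RTCP_HEADER.size: off + total]
        if len(payload) > max_payload:          # would not fit the fixed buffer
            raise RtcpError(f"payload {len(payload)} exceeds buffer capacity {max_payload}")
        out.append((ptype, payload))
        off += total
    return out


def check(buf: bytes) -> str:
    """Accept/reject verdict in a form suitable for a log line."""
    try:
        pkts = walk_compound_rtcp(buf)
    except RtcpError as err:
        return f"rejected: {err}"
    return f"accepted: {len(pkts)} sub-packet(s), types {[pt for pt, _ in pkts]}"


# Constructed samples. Well-formed compound packet: an empty Receiver Report
# (PT 201, length 1 -> 8 bytes: header + SSRC) followed by a BYE (PT 203, length 0).
BENIGN = bytes([0x80, 201, 0x00, 0x01, 0, 0, 0, 1]) + bytes([0x80, 203, 0x00, 0x00])
# Header claims 0xFFFF words (262144 bytes) while only 8 bytes arrived.
CRAFTED_LENGTH = bytes([0x80, 201, 0xFF, 0xFF, 0, 0, 0, 1])
# Internally consistent 72-byte packet whose 68-byte payload exceeds the buffer.
OVERSIZED = bytes([0x80, 200, 0x00, 17]) + bytes(68)

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("crafted_length", CRAFTED_LENGTH),
                      ("oversized", OVERSIZED), ("truncated", BENIGN[:-2])]:
        print(f"{name:15s} {check(pkt)}")
```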

Who is behind the software?

The NSO Group is an Israeli company that has been referred to in the past as a "cyber-arms dealer".

While some cyber-security companies report the flaws they find so that they can be fixed, others keep problems to themselves so they can be exploited or sold to law enforcement.

The NSO Group is part-owned by the London-based private equity firm Novalpina Capital, which acquired a stake in February.

NSO's flagship software, Pegasus, has the ability to collect intimate data from a target device, including capturing data through the microphone and camera, and gathering location data.

In a statement, the group said: "NSO's technology is licensed to authorised government agencies for the sole purpose of fighting crime and terror.
"The company does not operate the system, and after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.

"Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies. NSO would not or could not use its technology in its own right to target any person or organisation."

Who has been targeted?

WhatsApp said it was too early to know how many users had been affected by the vulnerability, although it added that suspected attacks were highly targeted.

According to the New York Times, one of the people targeted was a London-based lawyer involved in a lawsuit against the NSO Group.

Amnesty International, which said it had been targeted by tools created by the NSO Group in the past, said this attack was one human rights groups had long feared was possible.

"They're able to infect your phone without you actually taking an action," said Danna Ingleton, deputy programme director for Amnesty Tech. She said there was mounting evidence that the tools were being used by regimes to keep prominent activists and journalists under surveillance.

"There needs to be some accountability for this, it can't just continue to be a wild west, secretive industry."

On Tuesday, a Tel Aviv court will hear a petition led by Amnesty International that calls for Israel's Ministry of Defence to revoke the NSO Group's licence to export its products.

What are the unanswered questions?

"Using an app as an attack route is limited on iOS as they run apps in very tightly controlled sandboxes," said Prof Woodward. "We're all assuming that the attack was just a corruption of WhatsApp but analysis is still ongoing.

"The nightmare scenario would be if you could get something much more capable onto the device without the user having to do anything," he said.

The BBC has asked WhatsApp for clarification.


The Cisco 1001-X series router doesn't look much like the one you have in your home. It's bigger and much more expensive, responsible for reliable connectivity at stock exchanges, corporate offices, your local mall, and so on. The devices play a pivotal role at institutions, in other words, including some that deal with hypersensitive information. Now, researchers are disclosing a remote attack that would potentially allow a hacker to take over any 1001-X router and compromise all the data and commands that flow through it.

And it only gets worse from there.

To compromise the routers, researchers from the security firm Red Balloon exploited two vulnerabilities. The first is a bug in Cisco’s IOS operating system—not to be confused with Apple's iOS—which would allow a hacker to remotely obtain root access to the devices. This is a bad vulnerability, but not unusual, especially for routers. It can also be fixed relatively easily through a software patch.


The second vulnerability, though, is much more sinister. Once the researchers gain root access, they can bypass the router's most fundamental security protection. Known as the Trust Anchor, this Cisco security feature has been implemented in almost all of the company’s enterprise devices since 2013. The fact that the researchers have demonstrated a way to bypass it in one device indicates that it may be possible, with device-specific modifications, to defeat the Trust Anchor on hundreds of millions of Cisco units around the world. That includes everything from enterprise routers to network switches to firewalls.

In practice, this means an attacker could use these techniques to fully compromise the networks these devices are on. Given Cisco's ubiquity, the potential fallout would be enormous.

“We’ve shown that we can quietly and persistently disable the Trust Anchor,” says Ang Cui, the founder and CEO of Red Balloon, who has a history of revealing major Cisco vulnerabilities. “That means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything.”

Dropping Anchor

In recent years, security-minded companies have increasingly added "secure enclaves" to motherboards. Different solutions go by different names: Intel has SGX, Arm has the TrustZone, Apple has the secure enclave. And Cisco has the Trust Anchor.

They variously comprise either a secure part of a computer’s regular memory, or a discrete chip—a safe, secluded oasis away from the bedlam of the computer’s main processor. No user or administrator can modify the secure enclave, no matter how much control they have over the system. Because of its immutable nature, the secure enclave can watch over and verify the integrity of everything else.

Secure-computing engineers generally view these schemes as sound in theory and productive to deploy. But in practice, it can be dangerous to rely on a sole element to act as the check on the whole system. Undermining that safeguard—which has proven possible in many companies’ implementations—strips a device of critical protections. Worse still, manipulating the enclave can make it appear that everything is fine, even when it's very much not.

That's the case with the Cisco 1001-X. The Red Balloon team showed specifically that they could compromise the device's secure boot process, a function implemented by the Trust Anchor that protects the fundamental code coordinating hardware and software as a device turns on, and checks that it's genuine and unmodified. It's a crucial way to ensure that an attacker hasn’t gained total control of a device.

On Monday, Cisco is announcing a patch for the IOS remote-control vulnerability the Red Balloon researchers discovered. And the company says it will also provide fixes for all product families that are potentially vulnerable to secure-enclave attacks like the one the researchers demonstrated. Cisco declined to characterize the nature or timing of these fixes ahead of the public disclosure. It also disputed that the secure boot vulnerability directly impacts the Trust Anchor. According to its security bulletin, all fixes are still months away from release, and there are currently no workarounds. When the patches do arrive, Cisco says, they will "require an on-premise reprogramming," meaning the fixes can't be pushed remotely, because they are so fundamental.

“As a point of clarification, Cisco advertises several related and complementary platform security capabilities,” a spokesperson told WIRED in a written statement. “One of which that is relevant to this discussion is Cisco Secure Boot which provides a root of trust for system software integrity and authenticity. Another capability offered within certain Cisco platforms is the Trust Anchor module, which helps provide hardware authenticity, platform identity, and other security services to the system. The Trust Anchor module is not directly involved in the work demonstrated by Red Balloon.”

Cisco seems to make a distinction between its "Trust Anchor Technologies," "Trustworthy Systems," and "Trust Anchor module," that may explain why it only considers secure boot to be implicated in the research.

The Red Balloon researchers disagree, though. They note that Cisco’s patent and other documentation show that the Trust Anchor implements secure boot. If secure boot is undermined, the Trust Anchor is necessarily also defeated, because all of the tools are in a chain of trust together. You can see it visualized in this Cisco diagram.

“That’s why they call it an anchor! It’s not a trust buoy,” Cui says.


The researcher group, which also includes Jatin Kataria, Red Balloon’s principal scientist, and Rick Housley, an independent security researcher, was able to bypass Cisco’s secure boot protections by manipulating a hardware component at the core of the Trust Anchor called a “field programmable gate array.” Computer engineers often refer to FPGAs as “magic,” because they can act like microcontrollers—the processors often used in embedded devices—but can also be reprogrammed in the field. That means unlike traditional processors, which can't be physically altered by a manufacturer once they're out in the world, an FPGA's circuits can be changed after deployment.

FPGAs pull their programming from a file called the bitstream, which is usually custom-written by hardware makers like Cisco. To keep FPGAs from being reprogrammed by mischievous passersby, FPGA bitstreams are extremely difficult to interpret from the outside. They contain a series of complex configuration commands that physically dictate whether logic gates in a circuit will be open or closed, and security researchers evaluating FPGAs have found that the computational power required to map an FPGA’s bitstream logic is prohibitively high.

But the Red Balloon researchers found that, given the way the FPGA was implemented for Cisco’s Trust Anchor, they didn’t need to map the whole bitstream. They discovered that when Cisco’s secure boot detected a breach of trust in a system, it would wait 100 seconds—a pause programmed by Cisco engineers, perhaps to buy enough time to deploy a repair update in case of a malfunction—and then physically kill the power on the device. The researchers realized that by modifying the part of the bitstream that controlled this kill switch, they could override it. The device would then boot normally, even though secure boot had accurately detected a breach.

“That was the big insight,” Red Balloon’s Kataria says. “The Trust Anchor has to tell the world that something bad has happened through a physical pin of some sort. So we started reverse engineering where each pin appeared in the physical layout of the board. We would disable all the pins in one area and try to boot up the router; if it was still working, we knew that all of those pins were not the one. Eventually we found the reset pin and worked backward to just that part of the bitstream.”

The researchers did this trial-and-error work on the motherboards of six 1001-X series routers. They cost up to about $10,000 each, making the investigation almost prohibitively expensive to carry out. They also broke two of their routers during the process of physically manipulating and soldering on the boards to look for the reset pin.

An attacker would do all of this work in advance as Red Balloon did, developing the remote exploit sequence on test devices before deploying it. To launch the attack, hackers would first use a remote root-access vulnerability to get their foothold, then deploy the second stage to defeat secure boot and potentially bore deeper into the Trust Anchor. At that point, victims would have no reason to suspect anything was wrong, because their devices would be booting normally.

“The exposure from this research will hopefully remind the companies out there beyond just Cisco that these design principles will no longer stand as secure,” says Josh Thomas, cofounder and chief operating officer of the embedded device and industrial control security company Atredis. “This is proof that you can’t just rely on the FPGA to do magic for you. And it’s at such a low level that it’s extremely difficult to detect. At the point where you’ve overridden secure boot, all of that trust in the device is gone at that point.”

Even Bigger Problems

Thomas and the Red Balloon researchers say they are eager to see what types of fixes Cisco will release. They worry that it may not be possible to fully mitigate the vulnerability without physical changes to the architecture of Cisco’s hardware anchor. That could involve implementing an FPGA in future generations of products that has an encrypted bitstream. Those are financially and computationally more daunting to deploy, but would not be vulnerable to this attack.
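As an added illustration (not Cisco's, Red Balloon's, or WIRED's code), here are the two enforcement designs at issue in the paragraphs above, modelled in Python: a verifier whose only effect is to trigger a separate kill path, the pattern whose override the article describes, beside a fail-closed design in which the next boot stage is sealed under a key derived from the measurement itself. The firmware image, digests and stage marker are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data (not from the article): a firmware image, its
# golden digest, and the marker a valid second boot stage starts with.
GOOD_IMAGE = b"router-os v1 (constructed sample image)"
GOLDEN_DIGEST = hashlib.sha256(GOOD_IMAGE).digest()
NEXT_STAGE = b"STAGE2:constructed second-stage payload"

def image_is_trusted(image: bytes) -> bool:
    """Measurement step: compare the loaded image against the golden digest."""
    return hmac.compare_digest(hashlib.sha256(image).digest(), GOLDEN_DIGEST)

def boot_detect_then_kill(image: bytes, kill_switch_wired: bool = True) -> str:
    """Design A, the pattern the article describes: the verifier only reports
    a failure; a separate component (here a flag standing in for the
    FPGA-driven reset pin) is what actually halts the device."""
    if image_is_trusted(image):
        return "booted"
    if kill_switch_wired:
        return "halted"
    # Detection fired, but with the enforcement path disabled the outcome
    # is indistinguishable from a clean boot.
    return "booted-despite-detection"

def _keystream(key: bytes, length: int) -> bytes:
    """Hash-based keystream for the demo; a real design would use an AEAD."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def stage_key(image: bytes) -> bytes:
    """Key derived from the *measured* image, as in measured-boot sealing:
    a tampered image yields a different key, with no flag left to patch."""
    return hashlib.sha256(b"stage-key|" + hashlib.sha256(image).digest()).digest()

def seal_next_stage(stage: bytes) -> bytes:
    """Done once at manufacturing time, under the key of the genuine image."""
    ks = _keystream(stage_key(GOOD_IMAGE), len(stage))
    return bytes(a ^ b for a, b in zip(stage, ks))

def boot_fail_closed(image: bytes, sealed_stage: bytes) -> str:
    """Design B: no kill path exists to disable; the next stage can only be
    recovered with the key derived from the correct measurement."""
    ks = _keystream(stage_key(image), len(sealed_stage))
    plain = bytes(a ^ b for a, b in zip(sealed_stage, ks))
    return "booted" if plain.startswith(b"STAGE2:") else "halted"
```

The contrast is the point: in design A the security outcome depends on a signal that lives outside the verifier, while in design B a failed measurement leaves the device with nothing bootable rather than a decision to enforce.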

And the implications of this research don't end with Cisco. Thomas, along with his Atredis cofounder Nathan Keltner, emphasizes that the bigger impact will likely be the novel concepts it introduces, which could spawn new methods of manipulating FPGA bitstreams in countless products worldwide, including devices in high-stakes or sensitive environments.

For now, though, Red Balloon’s Cui is just worried about all of the Cisco devices in the world that are vulnerable to this type of attack. Cisco told WIRED that it does not currently have plans to release an audit tool for customers to assess whether their devices have already been hit, and the company says it has no evidence that the technique is being used in the wild.

But as Cui points out, “Tens of thousands of dollars and three years of doing this on the side was a lot for us. But a motivated organization with lots of money that could focus on this full-time would develop it much faster. And it would be worth it to them. Very, very worth it.”
