July 2, 2019
Rowhammer and RAMBleed – Evolving Data Threats

In the good old days, data on hard disks and in live ("volatile") memory were the targets of bad actors. Any usable data that people would pay to get back, and any secret typed in while the computer was running, such as passwords and one-time access codes, was the golden ticket to the treasures in an organization's digital chest.

Now the bad actors have taken a step further, turning the technically sound but limited Rowhammer exploits into a way of reading data out of the DRAM chips themselves. Rowhammer has been known since 2014 as an integrity problem: rapidly and repeatedly activating one DRAM row disturbs the charge stored in physically adjacent rows and can flip bits that the attacker has no permission to write. The advance here is that those flips depend on the data stored in the neighbouring rows, so the same physical effect becomes a read primitive. Memory belonging to other processes or to the kernel, previously assumed to be fully protected by the processor's memory isolation, can be inferred without the attacker ever accessing it. DRAM is still volatile; what is lost is the assumption that a process can only see its own pages while the machine is running, not any persistence across a reboot.

This new RAMBleed methodology that is making news is both interesting and a little shocking. The concept is unusual: the attacker hammers rows it controls, then inspects which bits flipped in its own memory and uses the pattern of flips to infer the bits stored in neighbouring rows that belong to the victim. It never reads or writes the victim's memory, so neither the processor's memory protection nor an integrity check on the victim's data will catch it in the act. It is important to note that while the recent report released by the University of Michigan, Graz University of Technology, the University of Adelaide and Data61 gives important details on the process and demonstrates recovery of an RSA private key from an OpenSSH server, it did not evaluate the attack against a hardened production server. The attack needs an unprivileged process already running on the host, a long profiling phase to find susceptible memory cells and work out the physical layout of the DRAM, and hours of hammering. The amount of time and computing resources required to extract and evaluate usable, exploitable data would, at this point in time, make this type of incident non-viable for most bad actor groups. Two caveats a defender should keep in mind: the researchers also showed that ECC memory, often assumed to close the Rowhammer problem, can still leak bits through the timing of its error correction, and the attack works across process boundaries, so any untrusted code on a shared host is a potential attacker.
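To make the data dependence concrete, here is a small deterministic simulation of the inference step. It is an example written for this page, not the researchers' code, and it never touches real DRAM: it models three adjacent rows with a simplified flip rule (a susceptible cell holding 1 drains to 0 only when both vertical neighbours hold 0), uses a `weak` mask to stand in for the profiling phase that finds flippable cells on real hardware, and the function names and sample inputs are all constructed here. What it shows is the essential trick: the attacker writes and reads only its own sampling row, yet ends up knowing bits that sit in rows it cannot access.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define COLS 32  /* cells per row in this toy model */

/* Three physically adjacent DRAM rows. The attacker's sampling row sits
 * between two rows that, in the leak phase, hold the victim's data.
 * `weak` marks sampling cells that hammering can flip at all. */
typedef struct {
    uint8_t above[COLS];
    uint8_t sample[COLS];
    uint8_t below[COLS];
    uint8_t weak[COLS];
} dram_model_t;

/* Simulated double-sided Rowhammer on the rows above and below `sample`.
 * Simplified, data-dependent rule (an assumption of this model): a
 * susceptible cell holding 1 drains to 0 only when both neighbours hold 0. */
static void hammer(dram_model_t *m)
{
    for (int c = 0; c < COLS; c++)
        if (m->weak[c] && m->sample[c] == 1 && m->above[c] == 0 && m->below[c] == 0)
            m->sample[c] = 0;
}

/* Phase 1, profiling: the attacker owns all three rows, fills the neighbours
 * with 0s, hammers, and records which sampling cells flipped 1 -> 0.
 * Returns the number of usable (flippable) cells. */
int rambleed_profile(dram_model_t *m, uint8_t flippable[COLS])
{
    memset(m->above, 0, COLS);
    memset(m->below, 0, COLS);
    memset(m->sample, 1, COLS);
    hammer(m);
    int n = 0;
    for (int c = 0; c < COLS; c++) {
        flippable[c] = (m->sample[c] == 0);
        n += flippable[c];
    }
    return n;
}

/* Phase 2, leaking: the neighbouring rows now belong to the victim (both
 * hold a copy of `secret`, the layout RAMBleed arranges). The attacker refills
 * only its own sampling row with 1s, hammers, and reads back its own row.
 * inferred[c] is 0 or 1 for profiled cells and -1 where nothing is learned.
 * Returns the number of bits inferred. */
int rambleed_leak(dram_model_t *m, const uint8_t flippable[COLS],
                  const uint8_t secret[COLS], int8_t inferred[COLS])
{
    memcpy(m->above, secret, COLS);   /* victim data: never read by the attacker */
    memcpy(m->below, secret, COLS);
    memset(m->sample, 1, COLS);
    hammer(m);
    int n = 0;
    for (int c = 0; c < COLS; c++) {
        if (!flippable[c]) { inferred[c] = -1; continue; }
        /* flipped -> neighbours held 0; unchanged -> they held 1 */
        inferred[c] = (m->sample[c] == 0) ? 0 : 1;
        n++;
    }
    return n;
}

/* End to end: profile, then leak; returns how many secret bits were
 * recovered correctly (checked against `secret` only for the demonstration). */
int rambleed_simulate(const uint8_t weak[COLS], const uint8_t secret[COLS],
                      int8_t inferred[COLS])
{
    dram_model_t m;
    uint8_t flippable[COLS];
    memcpy(m.weak, weak, COLS);
    rambleed_profile(&m, flippable);
    rambleed_leak(&m, flippable, secret, inferred);
    int correct = 0;
    for (int c = 0; c < COLS; c++)
        if (inferred[c] >= 0 && inferred[c] == secret[c]) correct++;
    return correct;
}

int main(void)
{
    uint8_t weak[COLS], secret[COLS];
    int8_t inferred[COLS];
    /* Constructed inputs: every third cell is susceptible; the "secret" is an
     * arbitrary bit pattern standing in for, say, bytes of a private key. */
    for (int c = 0; c < COLS; c++) {
        weak[c] = (c % 3 == 0);
        secret[c] = (c * 7 / 3) & 1;
    }
    int got = rambleed_simulate(weak, secret, inferred);
    printf("recovered %d of %d susceptible columns\n", got, (COLS + 2) / 3);
    for (int c = 0; c < COLS; c++)
        putchar(inferred[c] < 0 ? '?' : '0' + inferred[c]);
    putchar('\n');
    return 0;
}
```

On real hardware the flip rule is probabilistic and the profiling phase is where most of the hours go: the attacker has to find enough susceptible cells, at usable physical addresses, to cover the secret, which is why the paper's end-to-end key recovery is slow even though each individual inference is cheap.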

What does this mean to you? The most important lesson from this research is that all organizations need to change the way they think about vulnerabilities. Technology is ever-changing, and exploits are now being attempted in areas of systems that were previously out of reach, down to the physical behaviour of the memory chips. Organizations need to be more vigilant about system performance degradation, memory leaks and any other unusual patterns that make your Spockian eyebrow go up. A process that is hammering DRAM produces a sustained, abnormally high rate of cache misses and memory accesses, which is visible in hardware performance counters, so unexplained spikes of that kind on a host deserve a closer look.

What can you do?

  • First, get on the wire. Subscribe to the CBI alerts, as well as several other well-respected networks, to keep up to date with the evolution of Rowhammer and its offshoots. Understanding what is new in bad actor methodologies can help you enhance your monitoring, equipment designs and overall cybersecurity posture.
  • Next, review your access management status. All of these attack vectors require access: RAMBleed needs nothing more than an unprivileged process running on the host, but it does need that. Organizations should be consistently validating their remote access points, including but not limited to Linux and Unix SSH and Windows RDP, for vulnerabilities and weak authentication, and should be deliberate about which workloads are allowed to share physical hardware with systems that hold secrets. When buying hardware, ask about DRAM with Rowhammer mitigations such as Target Row Refresh; ECC helps, but, as the researchers showed, it is not a complete answer on its own.
  • Finally, enlist some backup. Using an outside, independent cybersecurity partner like CBI to provide defensible penetration testing, cyber readiness assessments and forensic investigations could be a company's best defense in the ever-changing world of cyber incidents.
About the Author
Jeff Goreski
Jeff is a seasoned risk assessment, risk mitigation, compliance and eDiscovery professional. His qualifications encompass many different areas in both the Anti-Money Laundering (AML) and Economic Crimes Investigation marketplaces. Jeff created the world’s first global email archiving software for Exchange, Domino, GroupWise, SunOne and First Class mail systems.

As a certified AML and financial crimes specialist and a certified e-Discovery specialist, Jeff has consulted, advised and served as an expert in the collection of technological data for global clients. Forensic gathering as well as in depth discovery of relevant data has been at the heart of his eDiscovery expertise.

Jeff was appointed to the ACEDS (Association of Certified eDiscovery Specialists) advisory board in late 2011.