January 2018 – Happy New Year!

Welcome back everyone! Welfare Call hopes you’ve all had a great break and a positive start to the New Year.

Over recent weeks you may have come across a lot of media coverage regarding potential security alerts with PC hardware – specifically Central Processing Units (CPUs). Welfare Call would therefore like to cover this in more detail below so that you’re fully aware of the situation…

Security Alert

As part of our ongoing security assessments Welfare Call has received notification of two new vulnerabilities. These are called Spectre and Meltdown. Spectre is also known as CVE-2017-5753 and CVE-2017-5715 and Meltdown as CVE-2017-5754.

Summary

Welfare Call have carried out work to minimise the risk to clients’ data and will continue to monitor developments relating to these vulnerabilities. Where a further update is required, the severity changes or we perceive the risk to increase we will notify you again.

If you want to know more, or want to know whether this will affect the IT services you have access to, read the details below.

More details

These flaws relate directly to the construction of many modern Central Processing Units (CPUs). The hardware providers themselves and the providers of the software that runs on them are currently working on patches and mitigations to resolve the issue.

These new bugs affect many devices, including desktop PCs, servers, mobile phones, iPads and many more. The faults are actually in the computer’s hardware, specifically in the central processing unit. They are not related to the Extranet or ePEP software produced by Welfare Call Ltd, nor can we alter our code to mitigate these issues. As they are related to the underlying hardware, they are more difficult to rectify.

The Risk

Meltdown mainly affects computers using Intel-based CPUs. It allows remote attackers to read from the CPU’s memory (which may or may not have privileged or sensitive data in it).

There are two variants of Spectre – one that can expose all memory, the other that exposes a lot less.

Although both Meltdown and Spectre are hard to exploit – and there are currently no known ways to use the exploit – it remains a risk to computers online and within businesses today, including the servers we use to provide our service to you.

What are Welfare Call doing about it?

Internally, within the Welfare Call corporate network, we tightly control the software installed on our computers. Our antivirus solutions also minimise the chance of any potentially unwanted applications (PUAs) and malware running. These procedures minimise the chance of malicious software exploiting the Meltdown and Spectre vulnerabilities and gaining unauthorised access to data. We also tightly control the websites available to our staff to minimise the chance of any new malware being run on the computers.

Any patches that are released for our internal infrastructure are reviewed and assessed for the potential impact before being deployed.

We contacted our hosting provider as soon as we were aware of these vulnerabilities. They have confirmed that all available patches have been applied. We have accessed the servers to confirm that the software is reporting correct versions that include the patch. The software running on the servers is tightly controlled and reviewed in the annual penetration tests to minimise the chance of any malicious software being used to exploit these vulnerabilities.

Is there a risk to the data held on Welfare Call systems?

We are confident that, because of the control process for software on our servers and the patches that have already been applied, the risk was low initially, and we have reduced the risk as far as is possible by installing the fixes available.

What should I (the client) do about it?

Clients should make sure their internal IT departments are aware of these issues and that they update software to protect their computers. Clients should also be aware that a number of “fake” patches for Meltdown and Spectre have been released which do not fix the issues but instead install other malicious software. A computer patched with the fake patches is at an even greater risk of data loss, security compromise or complete lock-out, including loss of access to all data both on that computer and all data accessible from that computer (e.g. your network shares). This follows a recent pattern where fake patches are released following the discovery of high-profile vulnerabilities. These are designed to exploit people’s willingness to “secure their PC” as soon as possible. Only install software patches from known trusted sources. If you are unsure, consult your local IT support service provider.

Where can I find out more?

The Internet has many articles on these vulnerabilities.

This is the first article we found: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

Just this one website has pages of information regarding these vulnerabilities.

A list can be found here: https://search.theregister.co.uk/?q=meltdown&advanced=1&author=&date=m&results_per_page=20
