Sophos Computer Security



Sophos
Type: Private
Industry: Computer software
Founded: 1985
Founders: Jan Hruska and Peter Lammer
Headquarters: Abingdon, England
Products: Security software
Services: Computer security
Revenue: US$640.7 million (2018)[1]
Other reported figures (2018; labels not captured): US$46.9 million, US$66.3 million[1]
Owner: Thoma Bravo
Number of employees: 3,319 (2018)[1]
Website: sophos.com

Sophos Group plc is a British security software and hardware company. Sophos develops products for communication endpoint, encryption, network security, email security, mobile security and unified threat management. Sophos is primarily focused on providing security software to 100- to 5,000-seat organizations. While not a primary focus, Sophos also protects home users through free and paid antivirus products (Sophos Home and Sophos Home Premium) intended to demonstrate product functionality. It was listed on the London Stock Exchange until its acquisition by Thoma Bravo was completed in March 2020.

History

Sophos was founded by Jan Hruska and Peter Lammer and began producing its first antivirus and encryption products in 1985.[2] During the late 1980s and into the 1990s, Sophos primarily developed and sold a range of security technologies in the UK, including encryption tools available for most users (private or business). In the late 1990s, Sophos concentrated its efforts on the development and sale of antivirus technology, and embarked on a program of international expansion.[3]

In 2003, Sophos acquired ActiveState, a North American software company that developed anti-spam software. At that time viruses were being spread primarily through email spam, and this allowed Sophos to produce a combined anti-spam and antivirus solution.[4] In 2006, Peter Gyenes and Steve Munford were named chairman and CEO of Sophos, respectively. Jan Hruska and Peter Lammer remained as members of the board of directors.[5] In 2010, a majority interest in Sophos was sold to Apax,[6] and Nick Bray, formerly Group CFO at Micro Focus International, was named CFO of Sophos.[7]

In 2011, Utimaco Safeware AG (acquired by Sophos in 2008–9) was accused of supplying data monitoring and tracking software to partners that had sold it on to governments such as Syria's. Sophos issued a statement of apology, confirmed that it had suspended its relationship with the partners in question, and launched an investigation.[8][9] In 2012, Kris Hagerman, formerly CEO at Corel Corporation, was named CEO of Sophos and joined the company's board; former CEO Steve Munford became non-executive chairman of the board.[10] In February 2014, Sophos announced that it had acquired Cyberoam Technologies, a provider of network security products.[11] In June 2015, Sophos announced plans to raise US$100 million on the London Stock Exchange,[12] and it listed there in September 2015, joining the FTSE 250.[13]

On 14 October 2019 Sophos announced that Thoma Bravo, a US-based private equity firm, made an offer to acquire Sophos for US$7.40 per share, representing an enterprise value of approximately $3.9 billion. The board of directors of Sophos stated their intention to unanimously recommend the offer to the company's shareholders.[14] On 2 March 2020 Sophos announced the completion of the acquisition.[15]

Acquisitions and partnerships

From September 2003 to February 2006, Sophos was the parent company of ActiveState, a developer of programming tools for dynamic programming languages; in February 2006, ActiveState became an independent company when it was sold to the Vancouver-based venture capital firm Pender Financial.[16] In 2007, Sophos acquired ENDFORCE, a company based in Ohio, United States, which developed and sold security policy compliance and Network Access Control (NAC) software.[17] Sophos also acquired SurfRight, a Dutch security software firm, for $31.8 million.[18] In November 2016, Sophos acquired Barricade, an Irish start-up whose behaviour-based analytics engine was built on machine learning techniques,[19] to strengthen its synchronized security, network and endpoint protection products. In February 2017, Sophos acquired Invincea, a software company that provided malware threat detection, prevention, and pre-breach forensic intelligence.[20][21][22]

In March 2020, Thoma Bravo acquired Sophos for $3.9 billion.[23]

References

  1. "Annual Report 2018" (PDF). Sophos. Retrieved 20 March 2019.
  2. "Sophos: the early years". Naked Security.
  3. "Exterminator Tools". Windows IT Pro. 15 November 1999. Retrieved 24 April 2017.
  4. "Sophos acquires anti-spam specialist ActiveState". www.sophos.com. Retrieved 3 January 2016.
  5. "Sophos Management Team | Global Leaders in IT Security". sophos.com.
  6. "Apax Partners to acquire majority stake in Sophos".
  7. "Board of Directors".
  8. "The Bureau Investigates article". Archived from the original on 4 December 2011.
  9. "Statement from Sophos on Recent Media Reports".
  10. "Sophos Board of Directors webpage".
  11. "Sophos Acquires Cyberoam to Boost Layered Defense Portfolio". Infosecurity Magazine.
  12. "Sophos Plans $100 Million London IPO".
  13. "Sophos joins the UK's top public companies in the FTSE 250".
  14. "Sophos founders exit before Thoma Bravo sale". Global Capital. 5 December 2019. Retrieved 25 February 2020.
  15. "Sophos opens new chapter with take-private acquisition".
  16. "ActiveState Acquired by Employees and Pender Financial Group; Company Renews Focus on Tools and Solutions for Dynamic Languages". Business Wire. 22 February 2006. Retrieved 24 April 2017.
  17. "Sophos buys Endforce for network access control". Network World. 11 January 2007. Retrieved 24 April 2017.
  18. Wauters, Robin. "Sophos beefs up on online security, acquires Dutch security software firm SurfRight for $31.8 million". Retrieved 2 August 2016.
  19. "Sophos acquires security analytics start-up in Ireland". Sophos press release, November 2016. https://www.sophos.com/en-us/press-office/press-releases/2016/11/sophos-acquires-security-analytics-start-up-in-ireland.aspx
  20. "Sophos Adds Advanced Machine Learning to Its Next-Generation Endpoint Protection Portfolio with Acquisition of Invincea". Sophos. 8 February 2017. Retrieved 11 February 2017.
  21. "Sophos grows anti-malware ensemble with Invincea". Sophos. 8 February 2017. Retrieved 11 February 2017. "One may ask, if you already have great next-generation technology, why do you need Invincea's technology? ... Think of Invincea as the superhero that takes our ensemble to the next level – the entity that adds neural network-based machine learning to the team."
  22. "Sophos to Acquire Invincea to Add Industry Leading Machine Learning to its Next Generation Endpoint Protection Portfolio". Invincea. 8 February 2017. Retrieved 11 February 2017.
  23. "Thoma Bravo completes $3.9B Sophos acquisition". TechCrunch. Retrieved 7 April 2020.
Retrieved from https://en.wikipedia.org/w/index.php?title=Sophos&oldid=1014829104

Remember Rowhammer?

Well, it’s back, and this time it’s called SMASH.

Rowhammering is a reliability problem that besets many computer memory chips, notably including the sort of RAM in your laptop or mobile phone.

Simply put, rowhammering means that if you read the same memory addresses over and over and over again, millions of times…

…the repeated nanoscopic electrical activity in the part of the chip where your data is actually stored may cause enough interference to affect the values in neighbouring memory cells.

Typically, each data bit in RAM is stored physically in a tiny silicon capacitor (an electronic component that can hold electrical charge), where a charged-up capacitor denotes a binary 1, and a capacitor without any charge signals 0.

The faster and more aggressively you charge and discharge the capacitors in one part of a RAM chip, the more likely it is that electrons will leak across into, or leak away from, next-door cells.

This can cause unexpected “bitflips”, where memory cells that haven’t been accessed nevertheless leak out enough electrons to flip from 1 to 0, or pick enough stray charge to flip from 0 to 1.


Bluntly put: using a rowhammer attack, you can make modifications, albeit haphazardly, to memory that has nothing to do with you, just by reading repetitively from memory that is allocated to your own program.

Illegal writes simply by performing legal reads!

Why the “row” in rowhammer?

You’d need an enormous number of internal control connections on the chip to construct RAM where you could read exactly one bit (or even one byte) at a time.

So, electrically at least, that’s not how most RAM chips work.

Instead, the cells storing the individual bits are arranged in a series of rows that can only be read out one full row at a time, like a string of fairy lights controlled by a single switch. [Diagram not reproduced: a grid of memory cells with columns A to D and numbered rows, each row driven by one row wire and each column read out on one column wire.]

To read cell C3 above, for example, you would tell the row-selection chip to apply power along row wire 3, which would discharge the capacitors A3, B3, C3 and D3 down column wires A, B, C and D, allowing their values to be determined.

Bits without any charge will read out as 0; bits that were storing a charge as 1.

You’ll therefore get the value of all four bits in the row, even if you only wanted to know one of them.

(The above diagram is enormously simplified: in real life, contemporary laptop RAM chips typically have rows from 16kbits to 256kbits long.)

Incidentally, reading a row wipes out the value of all its bits by discharging it, so immediately after any read, the row is refreshed by saving the extracted data back into it, so it’s ready to be accessed again.

In other words, reading even a single byte of your program’s memory causes a whole row of RAM to be discharged and then recharged by writing back the same data to it.

And it’s these repeated row-by-row rewrites that may occasionally trigger bitflips in adjacent rows on the physical chip.

What about caching and memory refresh?

In day-to-day use of your computer, several factors combine to make bitflips caused by rowhammering an unusual and unlikely problem.

The first mitigating factor is that modern CPUs automatically keep local copies of memory addresses that you access frequently.

Reading data out of special internal storage called a cache, located physically on the CPU itself, is much faster than reading from RAM.

In other words, reading the same memory address over and over doesn’t automatically cause the RAM circuitry to be activated over and over again, because the cached values are used for the second and subsequent accesses instead.

The second mitigating factor is that almost all computer RAM today is what’s known as DRAM, where the D stands for dynamic.

This means that the capacitors used as memory cells need recharging regularly whether they’ve been accessed or not, otherwise their charge leaks away, causing them to “go flat” and lose their value.

This cycle, called DRAM refresh, revisits every row about 16 times a second (the DRAM standards require each row to be refreshed at least once every 64 milliseconds, so the memory controller issues a refresh command every few microseconds, each one covering a slice of the rows), and involves redundantly reading every memory row, thus immediately and automatically rewriting its data to refresh its charge.

Freshly re-written memory capacitors are much less likely to bitflip, because each bit has a charge that is either close enough to full voltage or close enough to zero that its charge level can unambiguously be detected as 0 or 1.

So, the CPU cache reduces the number of times that any row is typically impinged upon by its neighbouring rows between refreshes, reducing the likelihood of bitflips caused by overzealous memory reads between each DRAM refresh.

In other words, rowhammering is not much of a problem in an ideal world.
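The mechanism described above (repeated activations of two DRAM rows, with the cache bypassed so that every read really reaches the chip) written out as a test harness. This is an added example, not the article's code; it assumes an x86 CPU (for clflush) and an 8192-byte spacing between physically adjacent rows, which is a placeholder for a value that has to be measured on the actual machine.

```c
/* Added example, not the article's code: a minimal double-sided rowhammer test
 * harness in the style of the public rowhammer test programs. It only READS the
 * two aggressor addresses; any change found afterwards in the buffer is a bitflip
 * caused by the hammering. ASSUMPTIONS: x86 (clflush available) and a row_stride
 * equal to the real DRAM row spacing, which differs per platform. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>
static void flush_line(const void *p) { _mm_clflush(p); }
#else
/* No flush: reads are served from cache and never reach DRAM, so the harness proves nothing. */
static void flush_line(const void *p) { (void)p; }
#endif

#define LINE 64
#define NO_FLIP ((size_t)-1)

/* Read two aggressor addresses over and over, evicting them from the cache after
 * every read so each read becomes a DRAM row activation. Returns reads issued. */
static uint64_t hammer(volatile uint8_t *a, volatile uint8_t *b, uint64_t iterations)
{
    uint64_t reads = 0;
    for (uint64_t i = 0; i < iterations; i++) {
        uint8_t va = *a, vb = *b;               /* volatile: the loads really happen */
        (void)va; (void)vb;
        flush_line((const void *)a);
        flush_line((const void *)b);
        reads += 2;
    }
    return reads;
}

/* Compare buf with its fill pattern. Returns the number of flipped bits; if
 * first is non-NULL it receives the offset of the first damaged byte or NO_FLIP. */
static size_t scan_bitflips(const uint8_t *buf, size_t len, uint8_t pattern, size_t *first)
{
    size_t bits = 0, at = NO_FLIP;
    for (size_t i = 0; i < len; i++) {
        uint8_t diff = buf[i] ^ pattern;
        if (!diff) continue;
        if (at == NO_FLIP) at = i;
        bits += (size_t)__builtin_popcount(diff);
    }
    if (first) *first = at;
    return bits;
}

/* The victim row needs one aggressor row on each side, inside the buffer. */
static int trial_geometry_ok(size_t len, size_t victim_off, size_t row_stride)
{
    return row_stride > 0 && victim_off >= row_stride && victim_off + row_stride < len;
}

/* One double-sided trial: fill, push everything out to DRAM, hammer the rows
 * above and below victim_off, then read back from DRAM and count the flips. */
static size_t hammer_trial(uint8_t *buf, size_t len, size_t victim_off, size_t row_stride,
                           uint8_t pattern, uint64_t iterations, size_t *first)
{
    if (!trial_geometry_ok(len, victim_off, row_stride)) { if (first) *first = NO_FLIP; return 0; }
    memset(buf, pattern, len);
    for (size_t i = 0; i < len; i += LINE) flush_line(buf + i);
    hammer(buf + victim_off - row_stride, buf + victim_off + row_stride, iterations);
    for (size_t i = 0; i < len; i += LINE) flush_line(buf + i);   /* read back from DRAM, not cache */
    return scan_bitflips(buf, len, pattern, first);
}

/* Allocate len bytes (huge page requested, best effort), run one trial with the
 * victim in the middle, release the memory and return the flipped-bit count. */
static size_t run_trial(size_t len, size_t row_stride, uint64_t iterations, size_t *first)
{
    uint8_t *buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return NO_FLIP;
#ifdef MADV_HUGEPAGE
    madvise(buf, len, MADV_HUGEPAGE);      /* one contiguous 2 MB block if THP grants it */
#endif
    size_t flips = hammer_trial(buf, len, len / 2, row_stride, 0xFF, iterations, first);
    munmap(buf, len);
    return flips;
}

/* Scanner self-check on a constructed 4 KB buffer: two damaged bytes, 3 bits in total. */
static size_t demo_scan_flips(size_t *first)
{
    static uint8_t buf[4096];
    memset(buf, 0x55, sizeof buf);
    buf[100] ^= 0x01;
    buf[3000] ^= 0x81;
    return scan_bitflips(buf, sizeof buf, 0x55, first);
}

int main(void)
{
    size_t first;
    /* 2 MB buffer, 3 million activations per aggressor; 8192 is an ASSUMED row spacing */
    size_t flips = run_trial(1u << 21, 8192, 3000000, &first);
    if (flips == NO_FLIP) { perror("mmap"); return 1; }
    printf("flipped bits: %zu", flips);
    if (flips) printf(" (first damaged byte at offset 0x%zx)", first);
    printf("\n");
    return 0;
}
```

On a vulnerable module, and with the right row spacing, the count eventually becomes non-zero even though the program never writes to the victim row; on most recent DIMMs the in-DRAM TRR logic discussed below refreshes the victim first, which is why the SMASH work needs its special access patterns rather than this plain two-row loop.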

Could this ever be exploited?

Of course, we don’t live in an ideal world, and if you provide cybercrooks with any trick that might deliberately cause your computer hardware to misbehave, you can be sure that they’ll try it out.

Nevertheless, even if attackers deliberately set out to provoke memory access patterns to cause bitflips on purpose, you might imagine that actively exploiting those bitflips to run malware or steal data would be enormously complicated.

The attackers would need not only to bypass the CPU cache in order to force fast and repetitive access to the RAM chip itself, but also to trick the operating system into allocating memory in a predictable way to ensure that the RAM assigned to their code landed up in a suitable place on the physical chip.

Additionally, modern DRAM chips include built-in hardware known as TRR, short for target row refresh, which automatically refreshes DRAM rows that are next to rows that have been accessed repeatedly.

At a small cost in inefficiency (a few extra row refreshes that aren’t strictly needed), TRR helps to prevent at-risk memory capacitors from reaching an ambiguous charge level where their data can’t be trusted.


What about browser attacks?

As for exploiting the rowhammer issue in a browser, where you have to rely on code written in JavaScript and therefore have no direct control over allocating memory at all, you might think that it would be impossible.

Browser code can’t directly control the CPU cache, and isn’t even able to measure elapsed time accurately these days, because all major browsers have deliberately and artificially reduced both the precision and the accuracy of the timing functions available to JavaScript programs.

Even the authors of the SMASH paper admit:

[Existing … rowhammer] attacks require frequent cache flushes, large physically contiguous regions, and certain access patterns to bypass in-DRAM TRR, all challenging in JavaScript.

Timing plays a part in rowhammer attacks not only because of the 64-millisecond “DRAM refresh clock” (about 16 times a second) that is always ticking in the background, but also because timing memory accesses lets you differentiate cached memory access from uncached access, which leaks information about what data lives where in RAM, helping you to organise your data layout for the attack.

Never say never

Of course, when it comes to cybersecurity, you should never say never.

If nothing else, confidently saying that a cybersecurity problem “can’t happen” – unless you have a formal mathematical proof – is an invitation both to crooks and to hackers to prove you wrong.

Indeed, having come up last year with an attack that bypassed the protection afforded by TRR, researchers at the Vrije Universiteit (VU) Amsterdam and ETH Zurich have done it again.

Last time, they called their attack TRRespass (like many hackers, they seem to enjoy puns and speaking like pirates).

This time they have dubbed their attack SMASH, short for Synchronized Many-sided Rowhammer Attacks from JavaScript.

(We’d have gone the whole nine yards and called it SMASHAFROJ, but perhaps they thought that would be OTT, even for a BWAIN.)

You can read about SMASH in an overview article on the VU website, or delve into the (note: long and jargon-rich) full academic paper, which will be presented at a Usenix conference later in 2021.


Greatly simplified, when using Firefox 81.0.1 (admittedly now six months old) on a Linux 4.15 kernel (no longer officially supported by the Linux team), they were able to:

  • Allocate suitably-aligned blocks of RAM by using specific JavaScript array functions inside the browser, thus allocating RAM in such a way that they could reliably predict where bitflips were likely to happen.
  • Bypass the mitigating effects of CPU caching by using memory access sequences that forced the CPU to keep running out of cache space, thus forcing it to reload data from RAM and thereby provoking the rowhammering effect that caching usually prevents.
  • Bypass the TRR hardware in the RAM chip by using techniques from their TRRespass research to access rows of RAM in a special pattern, thus causing the TRR hardware to lose track of which memory rows needed refreshing.
  • Modify write-protected JavaScript data via bitflipping in such a way as to provoke exploitable changes inside the browser itself, thus avoiding the need to escape from the JavaScript sandbox to identify and attack other processes in the system.

What to do?

As we said when we wrote about rowhammering in 2020:

Fortunately, rowhammering doesn’t seem to have become a practical problem in real-life attacks, even though it’s widely known and has been extensively researched.

The SMASH research is a masterpiece of hard-core hacking, but each attack would probably need to be tailored for the type of CPU you have, the vendor of the RAM chips you’re using, the browser and operating system you’re using, and then might not work reliably or even at all…

…so we’re not surprised that cybercriminals have stuck to attack vectors that they know can be exploited reliably.


However, the SMASH researchers did find a useful mitigation for their new attack.

In their research, they relied on a Linux computer configured to use what are known as Transparent Huge Pages (THP).

Linux THP means that when a program asks for memory, the operating system can choose to allocate it either in chunks of 4KB each (“small” memory pages) or of 2MB (“huge” pages).

The SMASH attack relies on a 2MB JavaScript buffer allocated all in one “huge” memory page, so that the attackers can be sure in advance that it will be assigned to one contiguous block of memory cells on the RAM chip itself, and will therefore span multiple adjacent DRAM rows.
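Why the single 2MB page matters, as an added example that is not from the SMASH paper or this article: a physical address is the physical page base plus the page offset, so with 4KB pages an attacker only knows the low 12 bits of where a buffer byte lands in RAM, while with a 2MB huge page the low 21 bits are the buffer offset itself. The row/bank function used here is a hypothetical, simplified stand-in (real mappings are vendor-specific and have to be reverse engineered per platform); the point is which offsets can be predicted under each page size.

```c
/* Added example, not from the SMASH paper or the article: why a 2 MB huge page
 * lets an attacker predict DRAM rows from offsets in a buffer. The bank/row
 * function below is a HYPOTHETICAL simplified stand-in for a real mapping. */
#include <stdint.h>
#include <stdio.h>

#define COL_BITS     13            /* 8 KB rows: bits 0..12 select the column   */
#define BANK_BITS    3             /* 8 banks                                    */
#define ROW_SHIFT    16            /* row index = address bits 16 and up         */
#define TOP_BANK_BIT 18            /* highest address bit the bank function uses */
#define UNDETERMINED UINT64_MAX

/* Hypothetical bank function: bank bit i = address bit (13+i) XOR bit (16+i). */
static unsigned hyp_bank(uint64_t paddr)
{
    unsigned b = 0;
    for (unsigned i = 0; i < BANK_BITS; i++)
        b |= (unsigned)(((paddr >> (COL_BITS + i)) ^ (paddr >> (ROW_SHIFT + i))) & 1u) << i;
    return b;
}

static uint64_t hyp_row(uint64_t paddr) { return paddr >> ROW_SHIFT; }

/* Inverse of the mapping: since bank_i = bit(13+i) ^ bit(16+i) and bits 16..18 are
 * the low bits of the row number, bit(13+i) has to be bank_i ^ row_i. */
static uint64_t hyp_compose(uint64_t row, unsigned bank, uint64_t col)
{
    unsigned low_row = (unsigned)(row & ((1u << BANK_BITS) - 1));
    uint64_t mid = (bank ^ low_row) & ((1u << BANK_BITS) - 1);
    return (row << ROW_SHIFT) | (mid << COL_BITS) | (col & ((1u << COL_BITS) - 1));
}

/* Offsets of the same-bank rows directly above and below the victim at `off`,
 * inside a buffer backed by pages of 2^page_shift bytes and aligned to them.
 * Returns 1 if both are determined; 0 if the page is too small to pin down the
 * bank and row bits, or if a neighbouring row lies in another (unknown) page. */
static int double_sided_offsets(uint64_t off, unsigned page_shift, uint64_t *above, uint64_t *below)
{
    if (page_shift <= TOP_BANK_BIT) return 0;        /* 4 KB pages: bits 12 and up are the kernel's choice */
    uint64_t page_mask = ((uint64_t)1 << page_shift) - 1;
    uint64_t in_page = off & page_mask, page_base = off & ~page_mask;
    uint64_t row = hyp_row(in_page), rows_per_page = (uint64_t)1 << (page_shift - ROW_SHIFT);
    if (row == 0 || row + 1 >= rows_per_page) return 0;
    unsigned bank = hyp_bank(in_page);
    uint64_t col = in_page & ((1u << COL_BITS) - 1);
    *above = page_base | hyp_compose(row + 1, bank, col);
    *below = page_base | hyp_compose(row - 1, bank, col);
    return 1;
}

static uint64_t above_of(uint64_t off, unsigned page_shift)
{
    uint64_t a, b;
    return double_sided_offsets(off, page_shift, &a, &b) ? a : UNDETERMINED;
}

static uint64_t below_of(uint64_t off, unsigned page_shift)
{
    uint64_t a, b;
    return double_sided_offsets(off, page_shift, &a, &b) ? b : UNDETERMINED;
}

int main(void)
{
    uint64_t victim = 0x51234;                       /* constructed offset inside a 2 MB buffer */
    unsigned shifts[2] = { 12, 21 };
    for (int i = 0; i < 2; i++) {
        uint64_t a = above_of(victim, shifts[i]), b = below_of(victim, shifts[i]);
        if (a == UNDETERMINED)
            printf("2^%u-byte pages: aggressor rows for 0x%llx cannot be predicted\n",
                   shifts[i], (unsigned long long)victim);
        else
            printf("2^%u-byte pages: victim 0x%llx is row %llu, bank %u; hammer 0x%llx and 0x%llx\n",
                   shifts[i], (unsigned long long)victim, (unsigned long long)hyp_row(victim),
                   hyp_bank(victim), (unsigned long long)a, (unsigned long long)b);
    }
    return 0;
}
```

Under 4KB pages the same victim offset yields no answer: bits 13 to 18 of the physical address, which the hypothetical bank function needs, lie above the page offset and are chosen by the kernel, not the program. Under a 2MB page those bits are the program's own offset bits, so the two aggressor offsets follow directly. The step real attacks still have to take, and which this example only stands in for, is recovering the machine's actual mapping function.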

So, if you turn off THP on your Linux laptop, you might notice or be able to measure a tiny loss in performance (we didn’t and couldn’t)…

…but you will neutralise the currently documented SMASH attacks altogether.

To turn off THP, write the word never into the THP control file, /sys/kernel/mm/transparent_hugepage/enabled, as root.

To see the current setting of THP, print out that same THP “file” from /sys.

The square brackets show you which of the three valid options is currently selected. (Most Linux distros are set to [always] or [madvise] by default.)

Always means that the feature is enabled for every app; madvise means it’s off by default but apps can opt in; and never means that all kernel memory allocation will be done in 4KB “small” pages.
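The check and the change, as an added example in C rather than the article's own command: it reads the kernel's THP control file, /sys/kernel/mm/transparent_hugepage/enabled, picks out the bracketed active mode, and can write a new mode back to it. The file path and the three mode names are the kernel's documented interface; the temporary-file round trip is constructed here so the parsing and writing can be exercised without root.

```c
/* Added example, not the article's listing: inspect and change the Linux
 * Transparent Huge Pages setting from C. The control file is the one the kernel
 * documents, /sys/kernel/mm/transparent_hugepage/enabled; reading it gives a line
 * such as "always [madvise] never", the bracketed word being the active mode, and
 * writing one of the three words to it (as root) changes the mode immediately. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define THP_PATH "/sys/kernel/mm/transparent_hugepage/enabled"

static const char *const thp_modes[] = { "always", "madvise", "never" };

/* 1 if mode is one of the three values the kernel accepts, else 0. */
static int thp_mode_valid(const char *mode)
{
    for (size_t i = 0; i < sizeof thp_modes / sizeof thp_modes[0]; i++)
        if (strcmp(mode, thp_modes[i]) == 0) return 1;
    return 0;
}

/* Pick the bracketed (active) mode out of a line like "always [madvise] never".
 * Returns a pointer to a static buffer, or NULL if there is no valid [mode]. */
static const char *thp_selected(const char *line)
{
    static char out[16];
    const char *open = strchr(line, '[');
    const char *close = open ? strchr(open, ']') : NULL;
    if (!open || !close) return NULL;
    size_t n = (size_t)(close - open - 1);
    if (n >= sizeof out) return NULL;
    memcpy(out, open + 1, n);
    out[n] = '\0';
    return thp_mode_valid(out) ? out : NULL;
}

/* Read the first line of path into buf, newline stripped. 0 on success, -1 with errno set. */
static int thp_read(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)size, f)) { fclose(f); errno = EIO; return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Write mode to path; the real /sys file needs root. 0 on success, -1 with errno set. */
static int thp_set(const char *path, const char *mode)
{
    if (!thp_mode_valid(mode)) { errno = EINVAL; return -1; }
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fprintf(f, "%s\n", mode) > 0;
    if (fclose(f) != 0) ok = 0;                 /* sysfs reports a rejected write here */
    if (!ok) { errno = errno ? errno : EIO; return -1; }
    return 0;
}

/* Round trip through a constructed temporary file (no root needed): 1 if the
 * mode written is read back unchanged, 0 otherwise. */
static int demo_roundtrip(void)
{
    char path[] = "/tmp/thp_demo_XXXXXX", buf[64];
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    int ok = thp_set(path, "never") == 0 && thp_read(path, buf, sizeof buf) == 0
             && strcmp(buf, "never") == 0;
    unlink(path);
    return ok;
}

int main(int argc, char **argv)
{
    char line[128];
    if (argc > 1 && thp_set(THP_PATH, argv[1]) != 0) {   /* e.g. ./thp never  (as root) */
        perror("thp_set");
        return 1;
    }
    if (thp_read(THP_PATH, line, sizeof line) != 0) { perror(THP_PATH); return 1; }
    const char *active = thp_selected(line);
    printf("%s -> active mode: %s\n", line, active ? active : "(unparsed)");
    if (active && strcmp(active, "never") != 0)
        printf("THP is available to at least some allocations; write never to %s to turn it off\n", THP_PATH);
    return 0;
}
```

Run it with no arguments to print the active mode, or as root with the argument never to switch THP off; that is the same write the article's command performs. The change takes effect immediately but does not survive a reboot; to make it permanent, add transparent_hugepage=never to the kernel command line.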

Don’t forget, however, that turning off THP isn’t a generic and future-proof defence against rowhammering attacks, merely a defence that seems to protect your browser against the current state of the art.


Small pages are efficient for programs that do lots of small allocations, but have a much higher memory management overhead when a program needs a big chunk of memory for a single purpose, because each 4KB block in the chunk has to be accounted for separately. Huge pages are efficient for large allocations, but waste space whenever a block less than 2MB is needed. Linux THP therefore aims to provide a “best of both worlds” approach to memory management.