STE WILLIAMS

Net Neutrality comments “deeply corrupted” – NY Attorney General

New York Attorney General Eric Schneiderman called a press conference on Monday to demand a postponement of a 14 December 2017 vote by the Federal Communications Commission (FCC) on a proposed rollback of net neutrality regulations, declaring that the public comment process in advance of it has been “deeply corrupted.”

But Schneiderman is late – very late – to the party. Reports of fake and bot-generated comments started more than six months ago, before the official public comment period even began on 18 May 2017, after FCC Chairman Ajit Pai proposed the rollback.

ZDNet reported on 10 May 2017 that more than 128,000 identical comments had already been submitted. Some whose names were on those comments told ZDNet they had not submitted them – including one “commenter” who said that they didn’t even know what net neutrality was.

Those reports continued regularly through the year, and the flawed comments process, as Naked Security reported in October this year, was almost embarrassingly obvious.

Data analytics company Gravwell claimed at the beginning of October that only about 18% (3,863,929) of the 21.8 million comments submitted on the FCC website and via its API were unique.

The rest were likely from “automated astroturfing bots,” Gravwell founder Corey Thuen said, adding that the fakes were easy to spot.

Schneiderman, who was joined at the press conference by FCC commissioner Jessica Rosenworcel, demanded that the vote be delayed. Rosenworcel, an Obama appointee, was nominated for another term in July by President Trump, and confirmed by the Senate.

Schneiderman said his office carried out a review of the comments on the impending vote. They found that at least one million of these may have been made by impersonators, including up to 50,000 claiming to be from New York. He also accused the FCC of failing to help investigate who might be behind the fakes. Rosenworcel added that nearly 50,000 of the comments to the FCC were from Russian email addresses.

The FCC has now agreed to assist, but Schneiderman said that offer came on the morning of the press conference, after nine previous requests for FCC logs to show the origin of the comments.

It is not just fake comments at issue, either. There are also complaints from advocacy groups, including the National Hispanic Media Coalition (NHMC), saying that the docket – the collected files for and against the proposed rollback – doesn’t include the 50,000 consumer complaints filed about Internet Service Providers (ISP) since the Obama net neutrality rules took effect in 2015.

According to Ars Technica, 28 Democratic senators are also complaining about that omission. In a letter to Pai, they wrote:

50,000 consumer complaints seem to have been excluded from the public record in this proceeding… we believe that your proposed action may be based on an incomplete understanding of the public record in this proceeding.

At the press conference, Schneiderman contended:

You cannot conduct a legitimate vote on a rulemaking proceeding if you have a record that is in shambles, as this one is.

Advocates of the rollback agree that the comment process has been corrupted, but they say it has been happening on both sides. Brian Hart, an FCC spokesman, told the Washington Post that 7.5 million comments in favor of maintaining net neutrality appeared to come from 45,000 email addresses, “all generated by a single fake e-mail generator website.”

He said another 400,000 comments in favor of net neutrality appeared to come from a Russian mailing address.

And Tina Pelkey, also speaking for the FCC, declared in an emailed statement on Monday to reporters that neither Schneiderman nor Rosenworcel had identified, “a single comment relied upon in the draft order as being questionable.”

The key phrase there is, of course, “relied upon” – a tacit acknowledgement of the fake comments, but also an assertion that nobody on the FCC, including Pai, is giving them any credence.

There is no indication yet that the vote will be delayed. But opponents say they think the number of bogus comments will help them in a court battle to overturn the vote, if Congress doesn’t block it until an investigation is complete. Evan Greer, campaign director for the advocacy group Fight for the Future, told the Post:

It’s all about Congress for right now. But this (fake comments) will absolutely show up in court if we get there.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/exHdDJZatQ4/

Why Cybersecurity Must Be an International Effort

The former head of cyber for the US State Department calls for agreements across countries to improve government cybersecurity.

BLACK HAT EUROPE – London, UK – Government cybersecurity won’t improve unless nations begin working together, and with their own technical security experts, to improve their understanding of security problems and the tools used to fix them.

“How many people think we’re better off today than seventeen years ago?” Chris Painter, the former and first-appointed cyber coordinator for the US State Department asked in his keynote at Black Hat Europe, held this week in London. He didn’t seem surprised at the response.

“Okay, that’s nobody … not a single person,” he noted as everyone in the packed room kept their hands lowered.

Painter then asked how many attendees believed governments were speaking with security experts to inform their policies with technical expertise. A few raised their hands in agreement.

It wasn’t too long ago that high-level government officials didn’t want to care about, or understand, cybersecurity. “That has changed, I think, dramatically,” Painter observed, as cyber issues increasingly bear on national security, human rights, and foreign policy.

Governments have, in fact, begun to take cyber more seriously as threats carry greater consequences, he said. The Equifax breach, the Sony hack, WannaCry, and Petya/NotPetya are only a few recent attacks that have captured the attention of the international community. Many have begun to worry about attacks on their critical infrastructure, such as those on the Ukrainian power grid.

Nations view technology as a threat to their overall stability, Painter said. He divided cyber threats into two categories: technical threats, and threats to policy. There has been greater emphasis on how we counter these problems both nationally and internationally, he explained, and governments have become more organized around cybersecurity.

He emphasized the need for countries to deal collectively with the threats they have in common. Security issues are usually bigger than one country, he said, noting that conflict arises when different nations have different perceptions of how technology should be used. Some countries leverage the Internet to monitor and control citizens, and suppress their freedom of expression, he added.

As countries strengthen their cyber capabilities, Painter explained, they need a stable environment so the beneficial parts of cyber aren’t undermined by weak security. He said it’s time for nations to discuss cyber policies through the United Nations and multi-government organizations instead of going solo. International law applies in cyberspace, he said; it isn’t a “lawless space” where “anything goes.”

It sounds simple on the surface but is complex in practice. According to Painter, international agreements must focus on how to prevent cyberattacks that don’t necessarily qualify as cyber warfare; right now, policies don’t address these types of threats. States shouldn’t attack the critical infrastructure of other states, for example. They shouldn’t attack one another’s computer emergency response teams (CERTs), something Painter likened to “going after ambulances on the battlefield.”

We have not done a good job of deterrence in cyberspace, he continued. Sure, there are rules telling actors not to violate other nations. But “those rules are worthless if there’s no action taken if people violate them,” he said, adding that lack of punishment establishes a norm that [an] activity is acceptable.

As part of this, Painter also called for more efficient attribution, which is necessary to take action on cybercrime. “We have to get to attribution quicker, so we can take action quicker, so we can have a deterring effect,” he said. Attribution is “a political issue,” he pointed out, and governments can’t punish a threat actor unless they are sure he/she is responsible.

International security will only come with international acceptance of rules, Painter said: “We can’t have progress if only a few countries agree.”


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/risk/why-cybersecurity-must-be-an-international-effort/d/d-id/1330571?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Most Retailers Haven’t Fully Tested Their Breach Response Plans

More than 20% lack a breach response plan altogether, a new survey shows.

Nearly 75% of IT security professionals from the retail industry say their companies do not have a fully tested plan to address a security breach, according to a Tripwire report today.

Some 28% of survey respondents do have a fully tested breach plan, while 21% lack a plan altogether, the report notes.

Additionally, 21% of survey respondents say they don’t have the means to notify customers of a data breach within 72 hours of its occurrence. That runs counter to the General Data Protection Regulation (GDPR), which becomes enforceable in May 2018 and requires that a breach be reported to the supervisory authority within 72 hours of discovery where feasible, and that affected individuals be told without undue delay when the breach poses a high risk to them. GDPR fines can reach as high as 4% of a company’s worldwide annual turnover (or €20 million, whichever is higher).

Only 23% of survey respondents feel fully prepared to incur financial penalties, the survey says. “Considering the amount of high-profile data breaches that have occurred recently, plus the continued discussion around GDPR, it is surprising and concerning that many retailers do not have a tested plan in the event of a security breach,” says Tim Erlin, vice president of product management and strategy at Tripwire, in a statement.

Read more about the survey here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/most-retailers-havent-fully-tested-their-breach-response-plans/d/d-id/1330572?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Nearly 2/3 of Industrial Companies Lack Security Monitoring

New Honeywell survey shows more than half of industrial sector organizations have suffered cyberattacks.

A new survey by LNS Research on behalf of Honeywell shows that industrial sector networks are still playing catch-up in cybersecurity.

While more than half of the 130 decision-makers from industrial organizations in the survey say they work in a facility that has suffered a breach, just 37% of the respondents say their organizations monitor networks for suspicious activity and traffic.

Nearly half, 45%, say they don’t have an enterprise leader for cybersecurity, and one-fifth are not employing risk assessments on a regular basis.

“Decision-makers are more aware of threats and some progress has been made to address them, but this report reinforces that cybersecurity fundamentals haven’t been adopted by a significant portion of the industrial community,” Jeff Zindel, vice president and general manager of Honeywell Industrial Cyber Security said in a statement.

A copy of the report is downloadable here.


Article source: https://www.darkreading.com/risk/nearly-2-3-of-industrial-companies-lack-security-monitoring/d/d-id/1330570?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cayla doll too eavesdroppy to put under the Christmas tree, says France

My Friend Cayla’s in trouble again: the smart interactive doll is too blabby and eavesdroppy to put under the Christmas tree, the French data privacy watchdog said on Monday.

The Commission Nationale de l’Informatique et des Libertés (CNIL) announced that it has served formal notice on Genesis Industries about the Bluetooth-enabled talking/listening doll Cayla, along with her Bluetooth buddy, the i-Que robot. CNIL demands that the company cease the “serious breach of privacy” caused by the toys’ lack of security.

Both toys listen to children as they ask questions on subjects such as mathematical calculations or weather forecasts. Cayla and i-Que are equipped with microphones and speakers and use Bluetooth to communicate with a mobile app on smartphones or tablets. Off the app goes to the internet when it hears a question, back it comes to hand over the information to a child.

Information or, as the case may be, whatever a hacker programs it to say. We learned in February 2015 that Cayla was suffering from noxious cloud syndrome: the doll had a software vulnerability that allowed it to be programmed to say anything at all – from Hannibal Lecter quotes to lines from 50 Shades Of Grey.

In addition, according to security researcher Ken Munro, any nearby device could connect with the doll via Bluetooth and therefore communicate with a child.

A consumer association gave CNIL a heads-up about lack of security in both toys a year ago. CNIL decided to do its own online investigations into what was happening to data the toys sent into the cloud. It also sent a questionnaire to Genesis, a Hong Kong company, in March 2017.

CNIL found that the toys collect plenty of personal data about children, their families and their friends, including their voices, the content of their conversations with the toys (which CNIL found can reveal identifying data such as addresses and names), as well as information filled into the form in the application “My Friend Cayla App”.

It turns out that anybody located within nine meters of the toys, outside a building, can wirelessly pair a mobile phone to the toys through Bluetooth, without having to log in. It can be done without inputting a PIN code, and you don’t have to press any kind of button on the toy. After that, whoever pairs with the toys can listen and record the conversations between children and their toys, along with any conversation taking place nearby.

Not only can creeps listen to your kids with these things: they can also talk to them, the CNIL found. Creeps can either speak (or play sounds prerecorded with the “Dictaphone” app on some smartphones) via the loudspeaker, or they can use the toys with the “hands-free kit”. All a creep has to do is to call the phone connected to the toy with another one in order to talk with the child located near it, the CNIL found.

Again, we’ve known this about Cayla for a while. For its part, the CNIL has concluded that the toys’ lack of security breaches Article 1 of the French Data Protection Act. Back in February, Germany’s Bundesnetzagentur, the telecoms watchdog, called Cayla an “illegal espionage apparatus” that parents should destroy. It banned the doll on the grounds that the devices violate privacy laws by their ability to illegally transmit data collected without detection.

The CNIL was also concerned about the lack of clarity parents get about how Genesis processes the personal data the toys drink in. Nor are parents informed that the company transfers conversations to a service provider in a non-EU country.

Genesis Industries Ltd. has two months to comply with the Data Protection Act, which stipulates that technology “shall not violate human identity, human rights, privacy, or individual or public liberties”.

Meanwhile, Cayla doesn’t have any privacy advocate friends in the US, either. Several consumer complaints have been lodged with the Federal Trade Commission (FTC), including this one from the Electronic Privacy Information Center (EPIC).

From EPIC’s complaint:

The failure to employ basic security measures to protect children’s private conversations from covert eavesdropping by unauthorized parties and strangers creates a substantial risk of harm because children may be subject to predatory stalking or physical danger.

Cayla also made it into this year’s annual Trouble in Toyland report from the US Public Interest Research Group (PIRG), a federation of consumer nonprofits.

This is at least her second appearance as a PIRG Troubled Toy. She joins the ranks of lead-filled fidget spinners, balloons that kids can easily inhale and choke on, and hoverboards that have been blamed for house fires that have killed two girls and a firefighter.

Make sure Santa’s reading up on those toys he delivers: clearly, some of them are dangerous.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_Kf3WqTgX1c/

Hacker who tried to free inmate early may soon join him in jail

Class, get out your pencils: we’re having a surprise quiz. Please choose the best answer to this question: What’s the best way to ensure your friend is released early from jail?

  1. Encourage him to keep up his best behavior during his sentence so as to maximize the chances that his good behavior will be recognized and rewarded with early parole.
  2. Write a letter in support of an early release through the appropriate jurisdiction’s credit-earning programs.
  3. Hack the county jail’s network and alter his prison record.

A Michigan man opted for No. 3. Bad choice, Konrads Voits! For flunking the quiz, you’re looking at a maximum penalty under federal law of 10 years’ imprisonment and a $250,000 fine (though, of course, maximum sentences are rarely handed out).

According to the US Attorney’s Office for the Eastern District of Michigan, Voits, 27, on Friday pleaded guilty to damaging a protected computer.

The US Attorney’s Office says Voits used a classic phishing scheme laced with typosquatting. According to court records posted by The Register, in January 2017 Voits registered a phishing domain that looks just like a legitimate Washtenaw County domain name, except that Voits swapped the final “w” for a double “v”, which in many fonts is hard to tell apart from a “w” at a glance.

Then, he called and emailed employees of Washtenaw County, claiming that he was “Daniel Greene” and that he needed help with court records. Over the phone, he pretended to be “T.L.” or “A.B.”, a county IT employee. The emails tried to entice employees into clicking on a hyperlink so they’d be whisked off to his malware-poisoned site, while the object of the phone calls was to get his victims to type that phishing site domain into their browsers so as to download an executable malware file.

It was to “upgrade the county’s jail system,” Voits claimed.

Some employees fell for it. Voits also finagled remote login credentials out of one employee. That’s how he managed to install malware on the county’s network itself.

Voits got full access to the county network, including to the XJail system – which is a program used to monitor and track county prison inmates – as well as to search warrant affidavits, internal discipline records, and personal information of county employees. Through the phishing and the malware installed on the county’s network, he succeeded in stealing passwords, user names, email addresses and other personal information of more than 1,600 county employees.

In March 2017, after he’d gained full access to the county’s network, Voits got into the records of multiple inmates. He tweaked the record of at least one in an effort to get him out early.

Fortunately, jail employees do careful reviews of inmate releases. No dice, Voits: your records alteration(s) didn’t fool anybody, and no inmates were released early. Washtenaw County employees did, however, spend what the US Attorney’s Office said was “thousands of dollars and numerous extra work hours” responding to and investigating the breach.

Part of that was the expense of hiring an incident response company to determine how extensive the breach was. Many of the county’s hard drives had to be reimaged. Also, the county purchased identity theft protection for its employees. All told, the county said its losses were at least $235,488.

Voits agreed to give up his assets to try to pay it off. Goodbye, laptop. Goodbye, collection of four cell phones. Goodbye, undisclosed amount of Bitcoin.

He’s in custody after agreeing to a plea deal. He’s due to be sentenced on April 5 2018.

I wouldn’t be surprised if one repercussion of Voits’ exploits were that county employees have been subjected to refresher courses on how to spot, and avoid, both IT support scammers and phishing attempts.

It isn’t easy. Like the easy-to-miss double-V swap Voits employed, the signs of a phish can be subtle.
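The following is an added example, not code from the original article or from the county: a small lookalike-domain check of the kind a mail gateway or a security team’s triage script could run against sender domains and links. It catches three things the story illustrates: visually confusable substitutions such as “vv” for “w” (by reducing both names to a visual “skeleton”), one-keystroke typos and transpositions (by edit distance), and a trusted name smuggled in as a subdomain of something else. The county name is used only as a constructed stand-in; “washtenaw.example” is hypothetical and is not the county’s real domain.

```python
"""Lookalike-domain triage for phishing sender addresses and links.
Added example with constructed inputs; 'washtenaw.example' is hypothetical."""
import unicodedata
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Sequences that render like another character in common fonts.  A partial
# list for illustration; extend it from a confusables table (Unicode TR39)
# for production use.
CONFUSABLES: List[Tuple[str, str]] = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("|", "l"),
]


def skeleton(domain: str) -> str:
    """Reduce a hostname to a visual skeleton: lower-case, strip accents,
    collapse confusable sequences.  Two names with the same skeleton look
    alike on screen even though they are different strings."""
    s = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance where an adjacent transposition costs one edit
    (optimal string alignment), since swapped letters are a common typo."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def host_of(target: str) -> str:
    """Pull the hostname out of an e-mail address or URL; pass bare hosts through."""
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1].lower()
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.lower()


def classify(target: str, trusted: List[str], max_edits: int = 1) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_trusted_name).  Verdicts: trusted, embedded,
    lookalike, typo, unrelated."""
    host = host_of(target).rstrip(".")
    trusted = [t.lower().rstrip(".") for t in trusted]
    if host in trusted:
        return "trusted", host
    for t in trusted:
        if host.endswith("." + t):            # genuine subdomain of a trusted name
            return "trusted", t
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "embedded", t              # trusted name used as a decoy label
    sk = skeleton(host)
    for t in trusted:
        if sk == skeleton(t):
            return "lookalike", t             # e.g. the vv-for-w swap
    nearest = min(trusted, key=lambda t: edit_distance(host, t))
    if edit_distance(host, nearest) <= max_edits:
        return "typo", nearest
    return "unrelated", None


if __name__ == "__main__":
    # Constructed samples; none of these are real addresses or links.
    trusted = ["washtenaw.example"]
    for sample in ["helpdesk@washtenavv.example", "http://washtenw.example/update",
                   "it@washtenaw.example.evil.test", "mail.washtenaw.example",
                   "news@google.example"]:
        print(f"{sample:40} -> {classify(sample, trusted)}")
```

A real deployment would load the trusted list from the organisation’s own domains and those of its vendors, and would treat “lookalike”, “typo” and “embedded” verdicts as reasons to hold the message or rewrite the link, not as proof of malice on their own.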

In time for the holidays, we recently came out with some simple tips on how to avoid getting phished.

As far as the bogus calls go, you might want to check out our explanation of social engineering. After all, pretending to be the IT guy is just one of the tricks the crooks like to pull!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jKxIfSyNZhw/

Questions linger as data breach trading site LeakBase disappears

If account credentials stolen during a data breach are posted on public servers, is it ever legitimate business to make money trading access to this data?

It sounds dubious, but this is precisely what a small group of websites started doing two years ago to almost no applause.

The claim was that turning breaches into a business would aid notification because it would help advertise them quickly once the data appeared online somewhere, usually on the dark web.

The counter argument was that lower-level criminals, less savvy about dark web sources, would also be enthusiastic subscribers, which would turn the sites into databases fuelling more online crime.

Now with the news that a prominent name in the sector, LeakBase.pw, went silent last weekend, it appears breach-as-a-service might be on its last legs.

On 2 December LeakBase started redirecting to Troy Hunt’s campaigning breach site Have I Been Pwned? (HIBP), confirming an earlier message from the site’s Twitter feed that something was up:

This project has been discontinued, thank you for your support over the past year and a half.

Which, to anyone who thinks that selling credentials stolen during data breaches is not a legitimate activity in the first place, will count as a good day for security.

Earlier this year, another breach site called LeakedSource disappeared with identical suddenness, reportedly after being raided and having its servers seized by the FBI.

This should have cleared the way for LeakBase to dominate the market but now it too has succumbed to unspecified troubles. The nature of those troubles, which ironically started in April when the site was itself breached, defaced, and subsequently changed ownership, still interests a lot of people.

According to security blogger Brian Krebs, one of the site’s founders may have links to an illegal dark web drugs website, Hansa, taken over by Dutch police in July in order to covertly monitor its customers and users.

Not to mention that handling breached data was always likely to attract the attention of police, Troy Hunt of HIBP told another news site.

Is their demise a simple cause for celebration?

It might appear so if it weren’t for the knack some of these sites had of discovering unknown breaches, typically old ones nobody knew about. A good example was the Dropbox breach affecting 68 million users, which LeakBase brought to light in 2016, four years after it happened in 2012.

Recently, the site was at it again, telling a news site about a breach at Taringa affecting another 28 million users.

As LeakedSource summed it up in 2016:

For the most part, the reason all of these mega breaches are coming to light now is because we’ve gone out and found the data exists.

Clearly these sites were uncovering breaches. The problem was that they sold access to this data, telling journalists about it to attract attention to their services.

Public service sites such as HIBP and Vigilante.pw are the obvious alternatives, whose recent success in making unknown breaches public might in any case have rendered the whole idea of paid breach databases obsolete.

What remains unsettling is that something as critical as data breach discovery is being left up to small and under-resourced sites to do off their own bat. Software vulnerabilities eventually turned into a thriving area of independent research – for profit as well as public service – so why can’t the same be the case for data breaches?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/V5cWpZYi1JI/

Google and pals rush to repair Android dev tools, block backdoor risks

Security researchers have found several flaws in the developer tools and environments used by Android programmers.

The flaws, if exploited, would enable hackers to exploit the developer environments and insert malicious code (like adware or a cryptominer) into legitimate apps, without the developers of those kosher apps knowing about it.


Downloadable and cloud-based tools used by Java/Android programmers to build their companies’ business applications are vulnerable, according to security researchers at Check Point. Fortunately, prompt action by the software tool-makers has prevented a repeat of the sort of security screw-up that resulted in Avast inadvertently serving up backdoored versions of its CCleaner tool earlier this year.

More specifically, Check Point’s team found several vulnerabilities that affect the most common Android integrated development environments (IDEs) – Google’s Android Studio, JetBrains’ IntelliJ IDEA and Eclipse – as well as the major reverse engineering tools for Android applications such as APKTool, the Cuckoo-Droid service and more.

The researchers’ first find was in APKTool, where the team discovered that the configured XML parser did not disable external entity references when parsing an XML file within the program. This is an XML External Entity (XXE) flaw: a crafted XML file fed to the tool can declare a DOCTYPE entity that points at a local file, and the parser obligingly reads that file and substitutes its contents into the document. Check Point said the “vulnerability expose[d] the whole OS file system of APKTool users…”

The team went on to find multiple vulnerable implementations of the XML parser within other projects, specifically the most popular IDEs that are used for building Android applications.

Check Point reported the discovery to the APKTool developers and the IDE vendors back in May 2017. Google and JetBrains verified and acknowledged the security issues and have since deployed fixes, and the APKTool developers likewise released an updated version. The common lesson for anyone maintaining a Java tool that parses XML from untrusted sources, which is every tool that opens an APK, is to configure every XML parser instance to refuse DOCTYPEs or external entities, not just the one that happened to be reported.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/06/java_and_android_vulns/

Former US State Department cyber man: We didn’t see the Russian threat coming

Black Hat Cyber threats have evolved from being solely technical issues into core issues of government policy, according to a senior US lawyer and former cyber diplomat.

Chris Painter, former co-ordinator for cyber issues at the US State Department, told delegates at the Black Hat EU conference that cyber issues have emerged as a core topic for governments worldwide. “Cyber is now seen as a core issue for defence policy, foreign policy and more… it’s not just a technical issue.

“Cyberspace is a new domain of war and all countries are involved in it,” he added.

The US, China and Russia have agreed that the rules of international law apply in cyberspace, so the rules of war apply to cyber attacks. That means that an attack on civilian infrastructure such as a dam would be considered as warranting reprisals, but the situation is more complicated than that in practice.

“A lot of malign activity is occurring below the high threshold of what could be classified as an act of war,” Painter explained.

“We’re doing a poor job at deterrence in cyberspace. The credibility of response is OK but timeliness is a problem partly because of attribution.”

Painter argued that although you can never have absolute certainty in attribution, by using a combination of technical and political analysis it’s possible to have a high degree of confidence about who is behind particular attacks, especially if they are long term campaigns.

Launching missiles in response to a cyber attack is unlikely unless there is a loss of life involved. This means that response boils down to applying diplomatic or political pressure on governments. “We need to expand the tool set,” Painter concluded.

One thing that is already possible is greater international co-operation, achieved through diplomatic channels. Painter explained how, while at the US State Department, he struck a deal to get help from other countries in taking down nodes of a botnet that was attacking US banks, in return for a promise of co-operation from the US should those countries need assistance at some future date.

Painter also outlined efforts to promote norms – or “rules of the road” – in cyberspace. He also examined challenges that lie ahead and the need for the policy and technical communities to work together globally to meet those challenges. “We didn’t see the Russian threat coming,” Painter said. “Tech people need to tell policy people about the next coming threat.”

The former White House and US State Department official made his comments during an opening keynote presentation at the Black Hat Europe conference in London on Wednesday.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/06/black_hat_eu_cyber/

Intel Management Engine pwned by buffer overflow

On Wednesday, in a presentation at Black Hat Europe, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy plan to explain the firmware flaws they found in Intel Management Engine 11, along with a warning that vendor patches for the vulnerability may not be enough.

Two weeks ago, the pair received thanks from Intel for working with the company to disclose the bugs responsibly. At the time, Chipzilla published 10 vulnerability notices affecting its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE).

The Intel Management Engine, which resides in the Platform Controller Hub, is a coprocessor that powers the company’s vPro administrative features across a variety of chip families. It has its own OS, MINIX 3, a Unix-like operating system that runs at a level below the kernel of the device’s main operating system.

It’s a computer designed to monitor your computer. In that position, it has access to most of the processes and data on the main CPU. For admins, it can be useful for managing fleets of PCs; it’s equally appealing to hackers for what Positive Technologies has dubbed “God mode.”

The flaws cited by Intel could let an attacker run arbitrary code on affected hardware that wouldn’t be visible to the user or to the main operating system. Fears of such an attack led Chipzilla to implement an off switch, an undocumented firmware setting added to comply with the NSA-developed High Assurance Platform (HAP) program.

But having identified this switch earlier this year, Ermolov and Goryachy contend it fails to protect against the bugs identified in three of the ten disclosures: CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707.

The duo say they found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, even if the device is turned off or protected by security software.

They claim to have employed a generic technique to bypass the stack canary, a value written to memory to catch overflows via change detection, thereby allowing them to run executable code using Return Oriented Programming.

Though the vulnerabilities require local access to an affected machine or the credentials to access the machine through a remote IT management system, an Active Management Technology (AMT) flaw disclosed by Intel in May raises the possibility of a remote attack.

“Given the massive penetration of devices with Intel chips, the potential scale for attacks is big, everything from laptops to enterprise IT infrastructure is vulnerable,” the pair said in a statement emailed to The Register.

“Such a problem is very hard to resolve – requiring a manufacturer to upgrade firmware, and attackers exploiting it may be just as difficult to detect.”

Dino Dai Zovi, co-founder and CTO of security biz Capsule8, in an email to The Register, said the most troubling aspect of the research is that it may be exploited without the need to open the target system’s enclosure.

“This is not a huge impediment to an attacker with physical access, but as some laptops have case tamper switches, it is able to bypass that protection,” he said.

Ermolov and Goryachy contend patches for the flawed hardware related to CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707 don’t preclude the possibility of exploitation because an attacker with access to the ME-region firmware can overwrite it with a vulnerable version for exploitation.

“Writing an older version of the ME firmware typically requires either writing to the flash chip directly or taking advantage of weak BIOS protections, which would depend on the vendor’s particular configuration,” said Dai Zovi.

The US government’s concern about ME exploitation has made it to the private sector. Hardware vendors Dell, Purism, and System76 are now offering gear with Intel’s ME disabled. And Google has been working on NERF (Non-Extensible Reduced Firmware), an open source software system based on u-root that replaces UEFI and the Intel ME with a small Linux kernel and initramfs (which mount the root file system).

Dai Zovi observed that in addition to these vendor options, “the security community has responded to distrust of the ME by developing a number of open source projects to disable it,” such as me_cleaner and Heads.

Asked whether Intel has any plans to alter the way its Management Engine works or to offer chips without the ME, a company spokesperson suggested such requests should be directed to hardware vendors.

“The Management Engine (ME) provides important functionality our users care about, including features such as secure boot, two-factor authentication, system recovery, and enterprise device management,” the spokesperson said.

“System owners with specialized requirements should contact the equipment manufacturers for this type of request. However, since any such configuration necessarily removes functionality required in most mainstream products, Intel does not support such configurations.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/06/intel_management_engine_pwned_by_buffer_overflow/