STE WILLIAMS

Worries over Intel’s Management Engine grow after new flaws found

What is the world’s most widely-used operating system on new PCs?

Windows?

Guess again.

In all probability, it’s the venerable operating system Minix, running on a shadowy subsystem called the Management Engine (ME) that’s built into all recent Intel computers.

Officially, ME is there to make remote troubleshooting for support engineers easier, including – and this is not a misprint – when the PC is turned off but still plugged into the wall.

But ME’s ubiquity and startling capabilities matter to a growing body of critics worried about the security implications of running what, in effect, is an independent system-within-a-system – the Intel-inside-Intel if you like.

The latest salvo was September’s promise by Russian researchers Maxim Goryachy and Mark Ermolov of Positive Technologies to host a session at next month’s Black Hat Europe event during which they would demo an exploit capable of compromising ME to gain “god mode” control over a PC.

This week Intel put out an urgent security advisory confirming the issue, so it seems the pair weren’t simply talking up their presentation to get bums on seats.

Intel lists four ME vulnerabilities (CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712), affecting a swathe of recent processors running ME Firmware v11.x onwards as well as Server Platform Services v4.0 and TXE v3.0.

Several vulnerable processors are listed – anyone running a computer or server based on a Core, Xeon, Atom, Celeron, or Pentium from the last two years can assume they are affected.

Intel has posted a utility to check for these bugs, but ME firmware fixes will need to come from each hardware maker, which is where things get messier.

For instance, a visit to Dell’s support pages lists fixes for its servers but also shows the words “to be determined” next to 100 or more of the PC systems the company supports.

Users looking for a quick fix shouldn’t hold their breath.

What could an attacker do to an unpatched system?

Intel mentions several possibilities, but an alarming standout is the ability to “load and execute arbitrary code outside the visibility of the user and operating system.”

A lot of admins will find themselves doing a double-take reading this, particularly the idea that something inside a PC can run code without the desktop or server operating system being in charge.

Unhappiness at the way ME bends the rules has been steadily growing – and not just from the tinfoil hat brigade.

The privacy group EFF described ME as a tiny homunculus computer, complete with its own operating system, processor chip, drivers, network stack and web server.

Then, in August, Google engineer Ronald Minnich mentioned that the search giant was so unsettled by the security risks of ME running its own Minix operating system that it planned to rip out as much of ME as possible from its Linux servers.

Interestingly, Microsoft’s recent secure PC specification made no mention of ME beyond endorsing Intel’s new processor generation.

What is clear is that researchers smell blood and will continue to probe ME and equivalent low-level technologies for weaknesses.

After this week, few will bet against them finding more problems.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Cxlxc4kQyR0/

‘Data is the new oil’: F-Secure man on cartels, disinformation and IoT

Questions about cyber influence continue to cloud last year’s US presidential elections and recently similar allegations have been levelled against the Brexit vote.

Mexican armed forces are apprehensive about upcoming elections in that country but it’s not the US or the Russians they are worried about – it’s the cartels. Mikko Hypponen, chief research officer at Finnish security company F-Secure, relayed the anecdote during a discussion about geopolitics and IoT.

Election campaigning on social media should be banned, said Hypponen, pointing out that Japan does this already. As a result, Facebook doesn’t sell in the Asian country. F-Secure found this from Google ad guidelines.

Sean Sullivan, a security advisor at F-Secure, saw the same issue differently: “Disinformation exists on Twitter, it’s how it is packaged and exposed on cable news that’s the bigger problem. Bait is put out there and cable news picks it up.”

Sullivan, a political science graduate, added that combatting disinformation is more a matter of media literacy and critical thinking than rooting out trolls and Russian bots on social media.


Internet of insecure Things

Hypponen argued IoT is a bigger revolution than mobile because it will transform workforces. For example, there will be no truck drivers in 20-25 years, he said. Shorter term the job of refuse collector and the like has been affected by IoT sensors in bins that tell managers which receptacles are full. This can mean fewer collections and, in some cases, disgruntled workers have responded by sabotaging devices.

“IoT is not about users wanting internet access on appliances,” Hypponen said, “it’s about vendors wanting to connect them to the internet so that they can collect data.”

Vendors have not quite worked out how to monetise this data as yet. They do know that they’ll need a record of historic data to turn it into something useful in future hence the desire to capture it now. “Data is the new oil,” Hypponen concluded.

Meanwhile, the security of IoT devices remains lamentably poor. Mirai failed to act as a wake-up call, with a few honourable exceptions. “Ikea take IoT security seriously because they don’t want a product recall,” Hypponen said, adding that end users only take IoT security seriously once ransomware comes to devices. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/23/hypponen_interview/

Samba needs two patches, unless you’re happy for SMB servers to dance for evildoers

It’s time to patch Samba again – or turn off SMB1, which is never as easy as it sounds.

The lid came off the issue a couple of days ago, when the big Linux distributions (Red Hat, Ubuntu, Debian and so on) rolled out fixes for a use-after-free error affecting all versions of SAMBA since 4.0 (published in 2012).

The bug means a malicious SMB1 request can give the attacker control over “the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server”, the project’s advisory said.

The problem with disabling SMB1, the natural workaround if you can’t roll out the patch immediately, is that, as readers have told The Register in previous incidents, there are clients that only support SMB1.

For example, it was only in July that Android’s Samba client added SMB2 and SMB3 – and not all users will have installed an update yet.

Sysadmins should also be warned that there’s a separate bug affecting all versions from 3.6.0 onwards: “server allocated heap memory may be returned to the client without being cleared”.

Samba’s developers have not detected exploits, but warned the uncleared heap memory might contain “password hashes or other high-value data”.

Patched software has been made available here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/23/samba_needs_two_patches/

To fix Intel’s firmware fiasco, wait for Christmas Eve or 2018

The world’s top PC-makers have started to ship fixes for the multiple flaws in Intel’s CPUs, but plenty won’t land until 2018.

The flaws affect Intel’s Management Engine, Server Platform Services, and Trusted Execution Engine, and make it possible to run code that operating systems – and therefore sysadmins and users – just can’t see.

Intel acknowledged the bugs after Positive Technologies publicised attack vectors for the flaws.

PC-and-server-makers have since rushed to advise of their fixes, but not all have made them available immediately.

Lenovo’s advisory listed seven machines for which the date of fix delivery is “TBD” – to be determined.

That’s a lovely small number compared to Acer, which has given 240 models the TBD treatment.

It’s therefore making Dell look good: it has just 191 TBD PCs. The company has also picked January 7th, 2018, for nine models, January 14th, 2018, for another ten machines and February 2nd, 2018, for four models. Nine machines will get their fix on Christmas Eve, 2017.

Panasonic has advised that it’s targeting “the end of January 2018” for six machines and said it is “currently confirming” when it will deliver for another seven machines.

Even Intel itself signalled it needs time to fix its NUC, ComputeStick and ComputeCard products. The company said “Expected availability” is in December 2017.

HPE appears to have downloads ready to go, but Fujitsu has only readied them for Japanese and EMEA customers: the rest of the world has to wait an unspecified amount of time.

Other substantial PC makers have not released advice at the time of writing.

It gets worse: plenty of the affected CPUs were sold to manufacturers of network attached storage or other appliances. If the likes of SuperMicro have announced or released fixes, they’ve eluded The Register’s searches.

So keep an eye on your emails, and El Reg, sysadmins. There are plenty more notifications to come and plenty of fixing to be done. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/23/intel_firmware_fixes_slow_to_arrive/

Devs working to stop Go math error bugging crypto software

Consider this an item for the watch-list, rather than a reason to hit the panic button: a math error in the Go language could potentially affect cryptographic libraries.

Security researcher Guido Vranken (who earlier this year fuzzed up some bugs in OpenVPN) found an exponentiation error in the Go math/big package.

Big numbers – particularly big primes – are the foundation of cryptography.

Vranken posted to the oss-sec mailing list that he found the potential issue during testing of a fuzzer he wrote that “compares the results of mathematical operations (addition, subtraction, multiplication, …) across multiple bignum libraries”.

Vranken and Go developer Russ Cox agreed that the bug needs specific conditions to manifest: “it only affects the case e = 1 with m != nil and a pre-allocated non-zero receiver.”

That’s expanded in the post, by way of explanation: “For an exponent of 1, big.Int.Exp returns the correct value only for a 0 recipient, and an off-by-one result for all pre-allocated recipients.”

Readers can see the proof-of-concept in operation at the Go Playground here.

In Vranken’s GitHub post, Cox commented:

“Most crypto code uses new(big.Int).Exp(x, y, m) instead of reusing receivers. Most crypto code is also written so that a modular exponentiation with an exponent of 1 is either completely impossible or exceedingly unlikely. We examined all the uses in the standard library and believe they are unaffected, for either the first or the second reason.”

He added that x/crypto, openpgp, and ssh are fine because they only use new(big.Int).Exp, but other packages like x/crypto/otr (an implementation in Go of the Off-The-Record messaging protocol) may need closer examination.
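The condition quoted above (exponent 1, a modulus, and a reused non-zero receiver) and the safe pattern Cox describes can both be checked with a small differential test in the spirit of Vranken’s fuzzer. This is an added example, not code from the Register article, from Vranken or from the Go project; the sample operands are constructed, and on a patched Go toolchain both receiver styles agree with big.Int.Mod.

```go
package main

import (
	"fmt"
	"math/big"
)

// expChecks mirrors the differential idea behind the fuzzer the article
// describes: for an exponent of 1, x^1 mod m must equal x mod m no matter
// which receiver is used. It reports whether big.Int.Exp agrees with
// big.Int.Mod for a fresh receiver and for a pre-allocated non-zero one.
func expChecks(x, m *big.Int) (freshOK, reusedOK bool) {
	one := big.NewInt(1)
	want := new(big.Int).Mod(x, m)

	// The pattern Cox says most crypto code uses: a zero-valued receiver
	// created just for this call.
	fresh := new(big.Int).Exp(x, one, m)
	freshOK = fresh.Cmp(want) == 0

	// The pattern the bug affected: a pre-allocated, non-zero receiver that
	// is reused for the call (seeded here with an arbitrary constructed value).
	reused := big.NewInt(123456789)
	reused.Exp(x, one, m)
	reusedOK = reused.Cmp(want) == 0
	return freshOK, reusedOK
}

// safeExp is a hypothetical wrapper that always allocates a fresh receiver,
// so callers cannot hit the reused-receiver case by accident.
func safeExp(x, e, m *big.Int) *big.Int {
	return new(big.Int).Exp(x, e, m)
}

func main() {
	// Constructed operands large enough to exercise multi-word arithmetic.
	x, _ := new(big.Int).SetString("123456789012345678901234567890", 10)
	m, _ := new(big.Int).SetString("987654321987654321", 10)
	f, r := expChecks(x, m)
	fmt.Printf("fresh receiver agrees with Mod: %v\n", f)
	fmt.Printf("reused receiver agrees with Mod: %v\n", r)
	fmt.Printf("4^13 mod 497 = %s\n", safeExp(big.NewInt(4), big.NewInt(13), big.NewInt(497)))
}
```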

Vranken’s big number fuzzer is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/23/go_math_error_has_potential_to_crock_crypto_software/

3 Pillars of Cyberthreat Intelligence

Strong enterprise cybersecurity programs must be built on a framework that incorporates strategic, operational, and tactical leadership and goals.

As an enterprise, you used to worry about your competitors and your goal was to outpace them, to outservice them, and to outsmart them. Today, you can be the smartest and the fastest and have the best service and solutions, but it doesn’t matter anymore because to “them” you are just another giant with feet of clay.

“Them” are your cyber opponents. They are referred to as hackers, state-sponsored attackers, corporate spies, hacktivists… It doesn’t really matter what you call them or what their motivations are. The fact is that you — more specifically, your business assets — are their targets. Simply put, it’s about good guys vs. bad guys, both trying to make money in cyberspace. In that context, the Internet is analogous to a very bad neighborhood and, within part of it, an open war is being waged where criminal organizations are trying to seize their fair share of the profits in a very unstable terrain and time period.

What can you do to protect your assets and investments? Part of the answer is that you must know your enemy, their tactics, your strengths, your weaknesses, and the battleground. In short, you need cyber intelligence. But for most organizations, intelligence is a complex concept to grasp. It is not about spies or “infiltrating” the Darknet, which, in reality, is only a tool and a tactic to generate intelligence.

In the enterprise, the purpose of intelligence is to provide security teams with information that leads to smart decisions and avoids decision-making cognitive biases. For example, a bias such as “trusting your gut” may be natural when you negotiate one on one. But gut-trusting in the context of a nation-to-nation negotiation with an individual who represents the complex interests of a country would not bear fruit. The same logic applies to the military, because without a profound understanding of one’s own capabilities, of the enemy’s capabilities, and of the theater of operations, lives can be endangered unnecessarily.

In the private sector, intelligence serves as a similar process and tool, particularly in the current environment of massive digital transformation. Here, the role of intelligence is to collect, analyze, and produce complete, accurate, timely, and relevant threat assessments that inform decision makers as they act on the information.

Strong enterprise intelligence programs are built on three pillars: strategic, operational, and tactical. The table below summarizes the three major pillars, who bears responsibility, and the goal.

Table 1: Pillars of Intelligence

The good news is that many organizations already have much of this framework in place. By borrowing and learning from it, security leaders will be better able to successfully deliver and grow their business in today’s complex threat landscape.


Originally from Montreal, Martin has been navigating the tormented waters of cybersecurity for over 20 years. He was the founder and CTO at Above Security Canada where he worked locally and in the Caribbean. Twelve years ago, he moved to Switzerland to launch SecureIT, …

Article source: https://www.darkreading.com/threat-intelligence/3-pillars-of-cyberthreat-intelligence/a/d-id/1330473?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black Friday shopping? “A little delay goes a long way!”

Black Friday, which takes place this week as part of the US Thanksgiving long weekend, is traditionally the busiest shopping day of the season.

Indeed, it gets its name because retailers aim to sell enough to bring their businesses out of the red and into the black for the rest of the calendar year.

In recent years, Black Friday has spread not only outside the US, but also beyond Friday, and even beyond the weekend.

One UK retailer’s “Black Friday”, for example, started several days ago and will last for close to two weeks in total.

Black Friday is followed by Cyber Monday, a chance for online retailers to tempt you with yet more bargains, or to give you a second chance at the ones you missed out on over the weekend.

So, there’s plenty of fun to be had, and loads of bargains…

…but there’s one aspect to the Black Friday season that helps scammers more than anything else: EVERYONE GETS IN A GREAT BIG RUSH!

We put our heads together and came up with three simple steps to help you enjoy your Black Friday shopping trips without getting hacked by haste.

1. Take care how you connect

When you’re out and about, scampering through the mall or rushing from shopping street to shopping street, it’s handy to stay online so you can look at the map, message your friends, check prices, and plenty more.

But how much do you know about the Wi-Fi networks you’re connecting to?

A crook who wanders the crowds claiming to be your favourite coffee shop or the free Wi-Fi you used on the train into town can mess with your traffic by inviting your phone to connect to an imposter network.

Don’t be in such a hurry to get online that you make a bad choice – why not turn Wi-Fi off for the day, and stick to your 3G/4G connection instead?

If you do want to use Wi-Fi while you’re out and about – now and in the future – why not watch our recent Facebook Live video, Is Wi-Fi still safe to use?


2. Take care what you click

Time pressure is a sales tactic used by legitimate businesses as well as by crooks, and Black Friday is all about time limits – buy now or else the price will go up (or the product will sell out)!

You’re likely to get some amazing offers over the Black Friday season, so for once it won’t just be the crooks with deals that sound almost too good to be true.

Also, if you’re buying more than usual over the Black Friday weekend, you can expect to see numerous confirmation emails (and perhaps even legitimate warnings) about online transactions you’ve performed or attempted.

Don’t get so click-happy that you wander into phishing traps by mistake.

Don’t let your guard down, and don’t click on anything “just in case”.

During National Cybersecurity Awareness Month (October 2017) we advised you as follows: Stop. Think. Connect.

This advice holds just as much, if not more, in Black Friday season, so don’t be in a hurry: listen to your head and not your heart.

3. Take care where you go

Even if you type in every website name yourself, in an abundance of caution, you can land in hot water.

This is especially true on mobile phones where it’s easy to miss a character or to type a letter that’s next door to the one you really wanted, like typing exanple instead of example, or rnailserver instead of mailserver.

Crooks register these near-miss domains to catch you off your guard – the trick is called typosquatting – and, once again, haste can hurt you, so, once again: Stop. Think. Connect.
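The near-miss spellings above (an adjacent-key slip such as exanple, or a visual confusable such as rnailserver) are exactly what a defender-side checker can flag before a request is sent. This is an added example, not code from the Naked Security article or from Sophos: the brand list, the confusable table and the typed hostnames are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// confusables maps character sequences that pass for a different character
// at a glance (the article's "rnailserver" for "mailserver") onto the
// character they imitate. The table is constructed for this example.
var confusables = []struct{ look, real string }{
	{"rn", "m"}, {"vv", "w"}, {"cl", "d"}, {"1", "l"}, {"0", "o"},
}

// fold lower-cases a hostname and collapses confusable spellings, so that
// "rnailserver.com" and "mailserver.com" become the same string.
func fold(host string) string {
	s := strings.ToLower(host)
	for _, c := range confusables {
		s = strings.ReplaceAll(s, c.look, c.real)
	}
	return s
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// osaDistance is the optimal string alignment distance: the number of
// insertions, deletions, substitutions and adjacent transpositions needed to
// turn a into b. A one-keystroke slip such as "exanple" or "exmaple" has
// distance 1 from "example".
func osaDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := 0; j <= len(rb); j++ {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			d[i][j] = minInt(minInt(d[i-1][j]+1, d[i][j-1]+1), d[i-1][j-1]+cost)
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] {
				d[i][j] = minInt(d[i][j], d[i-2][j-2]+1) // transposition
			}
		}
	}
	return d[len(ra)][len(rb)]
}

// nearMissOf returns the legitimate hostname that typed is a near miss of,
// or "" when typed matches a brand exactly or resembles none of them.
// An exact match is checked first so a real brand is never flagged.
func nearMissOf(typed string, brands []string) string {
	t := strings.ToLower(typed)
	for _, b := range brands {
		if t == strings.ToLower(b) {
			return ""
		}
	}
	for _, b := range brands {
		if fold(t) == fold(b) || osaDistance(t, strings.ToLower(b)) == 1 {
			return b
		}
	}
	return ""
}

func main() {
	brands := []string{"example.com", "mailserver.com"} // constructed brand list
	for _, h := range []string{"exanple.com", "rnailserver.com", "example.com", "sophos.com"} {
		fmt.Printf("%-18s near miss of: %q\n", h, nearMissOf(h, brands))
	}
}
```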

If you’re tempted to rush into cybersecurity risks just to seal that bargain-of-a-lifetime, slow down.

When it comes to your personal information, chill it, don’t spill it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YUe4UnYmfAA/

What we know about Uber (so far, anyway) [VIDEO]

We took to Facebook Live to discuss Uber – the data breach story of the week that looks set to become the saga of the month/quarter/year/decade.

If you have any questions or comments, please let us have them, either on Facebook or below this article. (You may comment here anonymously – just leave the name and email fields blank.)



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Z8fHA4o-N-M/

Permissionless data slurping: Why Google’s latest bombshell matters

Comment According to an old Chinese proverb: “When a wise man points at the Moon, an idiot looks at his finger.” Google may have been hoping that you were examining a finger, not reading a Quartz story yesterday, which reveals how Android phones send location data to Google without you even knowing it.

Google received the data even if you didn’t have a SIM card in your phone, and everything else was turned off.

It’s such an old story, you’ll fall asleep reading it, so please don’t, urged one blue-ticked tweeter. Nobody suspected Google engaged in this practice – and Google has now vowed to stop.

But you may want to consider two questions about a story that goes to the heart of the human relationship with technology: “Who is in control, here?” Firstly, can you turn it off? If you can’t turn it off then obviously you are not in control. Secondly, do you know it’s happening? If you don’t know it’s happening, you’re not even in a position to turn it off. This entirely changes the terms of that human-machine relationship.


What Google did is also illegal here because consent is the key to data protection in the EU. This is what motivated a student, Max Schrems, to look into Facebook’s cookies in 2011. An Austrian studying law in California, Schrems was curious how Facebook could track you across the web, even though you hadn’t given it permission to do so. Europe’s data protection laws had been introduced in the mid-1990s, with memories of East Germany’s Stasi fresh in the memory. Schrems investigated, and discovered that Facebook didn’t delete the data even after you asked it to. Four years later the “safe harbour” provisions governing data flows from Europe to the USA lay in tatters.

The paparazzi in your pocket

Some of Silicon Valley’s vanguardistas are fond of a phrase “permissionless innovation”, a propaganda expression which implies that somehow progress won’t take place if it respects human boundaries. For obvious reasons, the phrase is coming back to haunt them.

This is “permissionless”, too, it just wasn’t very innovative. As Charles Arthur notes, Google’s response is similar to another piece of permissionless data collection. “Very reminiscent of the collection of Wi-Fi network data by Google Street View in 2010. That was blamed on a rogue engineer, even though the system had to be approved by a manager,” he writes.

Indeed, Google advanced the theory that it was the work of a lone gunman: one rogue slurper, acting alone. The FCC demolished the theory. Google had intercepted the data “for business purposes”, privacy group EPIC concluded.

If Google was a person, it would have had a restraining order for stalking slapped on it by now.

There’s an obsessive quality to Google’s collection of location data, and its insistence that it alone should have it. When in 2010 Motorola decided to go with Skyhook for its location data based on triangulating against a database of Wi-Fi access points – something Skyhook had invented – Larry Page went ballistic, threatening to close down Motorola’s production lines. Skyhook was “contaminating” Google’s own data collection, Page fumed.

Google went further in the dog days of the Obama administration, with the FCC being run by one of Obama’s biggest fundraisers, Tom Wheeler. Although the FTC has traditionally handled data protection, the FCC drove over its lawn and introduced a regulation attempting to stop ISPs doing what was central to Google’s business model – data collection. The regulation meant you could opt out of your network’s data collection, but never opt out of Google or Facebook. It was a brazen attempt to wrestle the issue of privacy away from a watchdog that was obliged to treat everyone equally, to Google-friendly regulators. The regulation was never implemented.

If Google was a person, it would have had a restraining order for stalking slapped on it by now. Google argues that it needs this data to bring you lovely services for free, and that users happily consent to the data collection. But the Street View and the Quartz story blow away the argument: consent didn’t come into it.

It’s worth examining exactly why Oracle brought the issue of data collection to the attention of the European Commission – and it’s not out of direct self-interest. Having promised both users and regulators that it would never combine data from its advertising silos into one giant “super profile”, Google went ahead and did it anyway. Everything is now co-mingled with everything else.

The European Commission is examining the complaint because data is key to effective behavioural advertising, and the super profile (like Facebook’s Graph) presents an insurmountable barrier to entry for competition. The super profile is like Napoleon crowning himself Emperor. It’s intended to ensure Google retains its part of a dominant advertising duopoly forever.

You can accuse Oracle of many things, but it isn’t an ad-slinger, and has no interest in becoming one either. Quartz is to be commended for… hey, look over there! A finger! ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/22/permissionless_data_slurping_google/

Intel Firmware Flaws Found

Another big firmware security issue affecting Intel processors requires OEM updates.

US-CERT yesterday issued an alert in response to newly discovered vulnerabilities in Intel’s Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) firmware that could allow an attacker to wrest control of machines running Intel processors.

According to Intel, its processors affected by the vulns are:

  • 6th, 7th and 8th Generation Intel Core Processor Family
  • Intel Xeon Processor E3-1200 v5 and v6 Product Family
  • Intel Xeon Processor Scalable Family
  • Intel Xeon Processor W Family
  • Intel Atom C3000 Processor Family
  • Apollo Lake Intel Atom Processor E3900 series
  • Apollo Lake Intel Pentium
  • Celeron N and J series Processors

Researchers with Positive Technologies Research initially found the vulnerabilities in the ME and reported them to Intel. The researchers say they will provide more details on their findings during their presentation at Black Hat Europe next month.

“Intel ME is at the heart of a vast number of devices worldwide, which is why we felt it important to assess its security status. It sits deep below the OS and has visibility of a range of data, everything from information on the hard drive to the microphone and USB,” said Maxim Goryachy, researcher at Positive Technologies. “Given this privileged level of access, a hacker with malicious intent could also use it to attack a target below the radar of traditional software-based countermeasures such as anti-virus.”

Intel, meanwhile, said the flaws could allow an attacker to “impersonate” ME, SPS or TXE, and therefore compromise the machine’s security; run code unnoticed by the user or the operating system, and to crash a system or cause “instability” to it.

The chip manufacturer advises checking with OEMs to get a firmware update, and released a downloadable tool to determine whether a machine contains the vulns. “Intel highly recommends checking with your system OEM for updated firmware,” the company wrote in its security advisory.

This is the second major firmware vulnerability issue for Intel this year. In early May, the company disclosed a critical privilege-escalation bug in its Active Management Technology (AMT) firmware used in many Intel chips that affected AMT firmware versions dating back to 2010.

That vulnerability, which was discovered by security firm Embedi, could allow an attacker to remotely delete or reinstall the operating system, control the mouse and keyboard, and execute malware on the machine. Intel patched the bug in a firmware update, but like the latest firmware finding, it was up to OEMs to issue it to users.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/intel-firmware-flaws-found/d/d-id/1330486?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple