STE WILLIAMS

Mobile stock trading apps riddled with security holes

Mobile stock trading apps are riddled with security bugs.

Stock trading apps have millions of users worldwide and process billions of pounds in traded shares, but the security of the apps compares poorly with that of comparable mobile banking applications, security firm IOActive warns.

Alejandro Hernandez, senior security consultant at IOActive, found vulnerabilities that could allow a would-be hacker to sell users’ stock, steal money or snoop into the personal details of a user’s net worth and investment strategy. Hernandez put 21 of the most used and well-known mobile trading apps available on the Apple App Store and Google Play through their paces. Testing focused only on the mobile apps; desktop and web platforms were not tested.

Four of the 21 apps (19 per cent) exposed user passwords in clear text, meaning an attacker with physical access to the device could easily log in to trade the victim’s stocks or steal money. Nearly two in three of the apps (62 per cent) send sensitive data to log files, and 67 per cent store it unencrypted, allowing attackers with physical access to gain insight into a user’s net worth, investment strategy and balances.

IOActive’s score sheet from an audit of mobile stock trading apps

Two apps use unencrypted HTTP channels to transmit and receive data, and 13 of the apps that use HTTPS do not check the authenticity of the remote endpoint by verifying its SSL certificate. Both shortcomings make it possible for miscreants to run man-in-the-middle attacks to eavesdrop and tamper in cases where users are using public Wi-Fi hotspots without taking adequate precautions, such as using VPN software.

Cleartext password problems in the tested apps [source: IOActive]

The results for trading apps proved to be much worse than those for personal banking apps in 2013 and 2015.

It’s a bleak picture overall, but there is one positive development to report. The app developed by a brokerage firm that suffered a data breach many years ago was found to be the most secure of the 21 apps tested.

IOActive notified app developers of the issues it uncovered only earlier this month, following completion of its research. It is currently going through the disclosure process, hence its decision not to release the names of the apps it tested.

The security firm says regulators should encourage brokers to implement safeguards for a better trading environment.

“In addition to the generic IT best practices for secure software development, regulators should develop trading-specific guidelines to be followed by the brokerage firms and fintech companies in charge of creating trading software,” according to IOActive. “Brokerage firms should perform regular internal audits to continuously improve the security posture of their trading platforms,” it added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/26/mobile_stock_trading_app/

Equifax CEO falls on his sword weeks after credit biz admits mega-breach

Equifax’s chairman and chief exec today resigned, weeks after the consumer credit reporting agency admitted a massive security breach.

Richard Smith, who “retires” with immediate effect, has joined a growing list of senior people who have exited Equifax in the wake of the mega leak that affected in excess of 100 million consumers.

Smith will not collect his annual bonus, according to his agreement with Equifax. He will be on hand for the next 90 days to provide assistance to the organisation but will not be compensated for doing so.

Seven-year company veteran Paulino do Rego Barros Jr, who most recently served as president for Asia Pacific, was appointed as caretaker CEO while the company searches for a permanent successor.

“The cybersecurity incident has affected millions of consumers, and I have been completely dedicated to making this right,” Smith said in a canned statement. “At this critical juncture, I believe it is in the best interests of the company to have new leadership to move the company forward.”

Smith is due to appear before the House Energy and Commerce Committee on October 3 to answer questions about the hack. It’s not immediately clear whether or not do Rego Barros will take his place.

Smith is not the first senior Equifax exec to depart the firm since the breach, which actually took place months ago, was made public. The CIO and CSO are both “retiring”, the company said roughly a fortnight ago.

On September 7, Equifax admitted a massive breach had exposed the private data of over 143 million Americans. The incident, which started in mid-May but was only detected in late July, was blamed on a missed Apache Struts update.

An estimated 400,000 Brits and 100,000 Canadians were also caught up in the mess, Equifax eventually confirmed.

Equifax’s incident response when it went public about the breach was heavily criticised on various grounds: a customer response site was a hastily constructed WordPress bodge job, and victims were initially asked to agree to take any dispute to arbitration and forfeit the right to take part in any class-action lawsuit. Predictably various class-action lawsuits have begun.

Meanwhile, Equifax shares have taken a huge hit from the whole sorry affair and were trading at $104 at the time of writing, compared to $140 a month ago.

Three top Equifax executives, including its chief financial officer, sold a combined $1.8m worth of stock after the breach was detected but before it was made public. Equifax said that the executives had “no knowledge that an intrusion had occurred at the time they sold their shares”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/26/equifax_ceo_resigns/

FBI’s Freese Shares Risk Management Tips

Deputy Assistant Director Donald Freese advises enterprises to lead with a business case and not fear addressing the C-suite on risk management.

Confusion over the definitions of “threat” and “risk” exists when IT security teams talk to members of the executive suite. One strategy security professionals may consider is approaching the discussion from a business perspective, instead of leading with fear, says Don Freese, deputy assistant director with the FBI’s information technology branch.

Freese, who served as a keynote speaker Monday at the ISC(2) Security Congress convention in Austin, Texas, noted that risks are measurable, providing that companies practice good security hygiene, such as logging network activity and taking inventory of the data that the enterprise possesses.

In addition to those best practices, Freese also advises IT security leaders to consider the industry that they operate in and the type of data that would be desired by cybercriminals, or nation states. That assessment would help provide a framework for the potential intent of the attackers and the magnitude of the impact to the company’s business.

And while companies may prefer to hoard as much information as possible on customers — to use for driving sales — Freese cautioned against this practice.

“The more data you keep, the more ways an actor can come after you,” he noted.

Calling on the FBI

If a company suspects a nation-state has launched a cyberattack against its organization, it can work with the FBI in a confidential manner, Freese says. The type of information that will help the FBI in its investigation is strong data metrics, such as incident logs and data that shows activity trends for at least a three-year period, he advised.

One recent trend in nation-state activity that concerns Freese is the expanded role these entities are adopting. Although intelligence gathering is the tradecraft of nation-states, these players are taking coding, technology, and social engineering to new levels and morphing into cybercriminals as well, he added.

For example, the FBI has noticed nation-states using malware sniffers to see how the federal agency will react, depending on which industry is poked, Freese says. He added that while not much is going on beyond the sniffing, the FBI is aware that criminal intent is behind these actions.

In addition to stressing the importance of building relationships with customers, vendors, and employees, Freese also noted companies may want to take the initiative and get to know the agents at their local FBI office before a cyberattack ever hits.

“Going to the field office is one first step,” Freese says. “We are very relationship oriented.”

But it takes more than just one visit to develop a relationship and he advises consistently meeting with the agency to develop trust and respect between the parties.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/risk/fbis-freese-shares-risk-management-tips/d/d-id/1329975?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Equifax CEO Retires in Wake of Breach

After the company’s CIO and CSO resigned Sep. 14, Chairman and CEO Richard F. Smith follows them out the door.

Equifax CEO Richard F. Smith retired today, stepping down in the wake of a massive data breach that leaked Social Security Numbers, birthdates, addresses, and other personal data of 143 million people. Smith, who held the position since 2005, follows the company’s CSO and CIO, who both resigned Sep. 14.

The credit reporting firm has received sharp criticism for both its data security practices and its breach response efforts.

Attackers lifted the data by exploiting an unpatched vulnerability in the company’s website. The public was not notified until months after the incident was discovered. Services set up to inform individuals whether or not they were impacted were fraught with problems — giving users conflicting information and requiring them to waive certain legal rights (until public outcry pressured Equifax to remove the clause). An offer of one year of free credit reporting, from the very credit reporting firm that had just been breached, was also considered insufficient.

There were also questions of corruption, as three Equifax executives, including the CFO, sold their shares in the company in the days following the breach discovery. Equifax has stated that these executives were unaware of the incident at the time.

Both state and federal government bodies have launched investigations into the Equifax incident. Smith had agreed to testify before the House Energy and Commerce Committee in early October.

Read more at Reuters and the New York Times.

Article source: https://www.darkreading.com/careers-and-people/equifax-ceo-retires-in-wake-of-breach-/d/d-id/1329978?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Your Business Must Care about Privacy

It might not have something to hide, but it definitely has something to protect.

The current conversation often pits privacy against security, both in consumer and enterprise settings. This is especially true in the debate over whether mobile encryption is essential for the average user. However, not wanting to have personal information shared, acted on, or used by anyone without permission should be seen as a universal right.

Why? Because today, being proactive about privacy is no longer about trying to hide from authorities. Privacy plays into a much bigger picture; it goes hand-in-hand with security and protecting you, as well as everyone in your personal and professional life, from potentially being exposed by increasing cyberthreats.

Privacy Security Standards on Mobile? There Aren’t Any
Although consumers have a much better understanding of today’s online threats, awareness of how vulnerable and exposed mobile devices are to cyber attacks, breaches, and unwanted spying is still extremely low. This is primarily driven by the misconception that the services and applications available on mobile devices today are secure and private. However, as has been shown by several major data leaks this year (such as with Docs.com), this is not the case.

The unfortunate truth is that organizations can choose to invest in as little or as much security as they want. They also have complete control over privacy options. For example, as part of Pokémon Go’s user policy, users give an increased amount of privileges and some legal rights if they don’t “opt out” of the legal waiver in writing. The opt-out process is valid only if exercised within 30 days following the date a user first accepts the app’s terms and conditions. Users who installed the app gave Nintendo the right to access all of their contact addresses and even send emails on their behalf.

Moreover, many companies and app developers today deprioritize security over other functionality. That’s because in today’s fast-moving technology ecosystem, the ROI for security isn’t perceived to be there. Security also takes time, ongoing investment, and resources.

Why Privacy Needs to Matter to Businesses
Because of the relaxed security and privacy standards across mobile applications and services, the mobile ecosystem has slowly become a stomping ground for cybercriminals.

Today, there are many different ways cybercriminals can launch an attack to breach sensitive information and gain access to credentials, be it attacking through a vulnerable cloud service, WiFi network, malicious apps, SMS phishing, email attack, or social media network. The problem continues to grow worse. In 2016, 8.5 million mobile malware attacks were discovered, which was a threefold increase over 2015.

Although research suggests that consumers have a better understanding of the threats on mobile devices today, the landscape is rapidly evolving. Cybercriminals increasingly are opting to target human vulnerabilities over technical exploits because of the huge success rate. Combined with the bring-your-own-device trend, this makes mobile security and privacy critical for a business’s safety today. Although an organization may not have anything it needs to hide, it does have things it needs to protect, including data and employees. If steps aren’t taken to address the social and technical threats that employees face today, the risk of corporate information being exposed via an employee’s phone is near certain.

In addition, organizations must understand that a 360-degree approach is needed to address mobile security. Businesses not only need to adopt advanced technologies but also make education a critical piece of their strategy. Given that mobile phones are foremost a consumer problem, employees need education about how their personal mobile phone behaviors could lead to a major company breach.


Niko Keller is the co-founder and CTO of Opaque Communications and is responsible for implementing and otherwise directing the company’s technology innovation and product road map. With more than 20 years of global experience in business intelligence, security strategy, and …

Article source: https://www.darkreading.com/endpoint/privacy/why-your-business-must-care-about-privacy/a/d-id/1329965?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SEC Attackers Had Authentic Data Used in Business Tests: Reuters

Sources say the hackers behind last year’s SEC breach accessed financial data used by companies testing its EDGAR filing system.

Attackers who breached the US Securities and Exchange Commission took advantage of businesses using legitimate financial data while testing the SEC’s EDGAR system, Reuters reports, citing sources familiar with the matter.

EDGAR is a network that businesses use to file earnings reports and other material information. The purpose of the test process, which takes place before businesses file normal reports, is to verify formatting is correct and reports are free of submission errors, Reuters states.

Corporations are supposed to use “dummy data” during the testing phase, the source explains, but the information is supposed to be protected as though it’s authentic. However, some companies used legitimate data, and it was not properly secured. According to the source, only a small number of businesses used real data, and it is that data which is believed to have been compromised.

This SEC hack, which took place in October 2016 and was discovered that month, appears to have been routed through an Eastern European server, according to an internal government memo. The FBI and US Secret Service have launched an investigation, which Reuters’ sources discussed anonymously because it has not been made public.

Between October 2016 and April 2017, the SEC documented several cybersecurity incidents, according to one source familiar with the matter. While Reuters was not immediately able to confirm the nature of each event, several involved EDGAR, the source added. In a case unrelated to EDGAR, a server intended for SEC use was not updated to fix security flaws.

SEC Chairman Jay Clayton will confirm the investigation when he testifies before the Senate Banking Committee on Tuesday, the report states.

Read more details here.


Article source: https://www.darkreading.com/attacks-breaches/sec-attackers-had-authentic-data-used-in-business-tests-reuters/d/d-id/1329981?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Security Metrics Fail Us & How We Fail Them

BLACK HAT USA 2017 — (July 27, 2017) Joseph Carson, chief security strategist of Thycotic, visits the Dark Reading News Desk at Black Hat to discuss how poor use of metrics leads infosec professionals to buy security products they don’t need and make other bad decisions.


Article source: https://www.darkreading.com/analytics/how-security-metrics-fail-us-and-how-we-fail-them/v/d-id/1329982?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Suspected mass-spoofing of ships’ GPS in the Black Sea

Imagine alarms ringing out on more than 20 ships located near the Russian port of Novorossiysk in the Black Sea, as their GPS systems suddenly gave them false readings, placing some inland, some at airports, blinking back and forth between accurate positions and pure fiction.

This type of GPS spoofing has been done before, but the incident in the Black Sea, which happened in June, appears to be the first well-documented account of mass-spoofing happening outside the confines of a university experiment.

Four years ago, students using a blue box about the size of a briefcase showed us it was possible to fool the GPS navigation system of an $80 million super-yacht. Their spoofing device – cobbled together for about $1000 – sent counterfeit signals that slowly, subtly overpowered the authentic GPS signals until the ship ultimately came under their control.

Under the direction of University of Texas/Cockrell School of Engineering Assistant Professor Todd Humphreys, the yacht takeover and the school’s hijacking of a drone a year earlier were both designed to shed light on the perils of navigation attacks, serving as evidence that spoofing is a serious threat to marine vessels and other forms of transportation.

Now, with what looks to be real-world spoofing of ships in the Black Sea, Humphreys’ warnings seem prescient.

According to the Norwegian news outlet NRK, the spoofing attack was first reported by Maritime Executive.

Maritime Executive picked up on an unconfirmed report of GPS interference in the Black Sea, posted by the US Dept. of Transportation’s Maritime Administration (MARAD) on 22 June.

This is the report made from one of those ships to the US Coast Guard Navigation Center:

GPS equipment unable to obtain GPS signal intermittently since nearing coast of Novorossiysk, Russia. Now displays HDOP 0.8 accuracy within 100m, but given location is actually 25 nautical miles off…

In fact, the ship’s navigation system reported that it was on land, close to an airport in the Russian city of Gelendzhik. Within a few days, over 20 ships, all in the same area, had reported similar anomalies.

According to Dana Goward, the president of the Resilient Navigation and Timing (RNT) Foundation – a non-profit which, in part, monitors GPS incidents – this wasn’t an isolated incident, though it is the first well-documented account of mass GPS spoofing:

The RNT Foundation has received numerous anecdotal reports of maritime problems with the automatic identification system (AIS), a tracking system used for collision avoidance on ships, and with GPS in Russian waters, though this is the first well-documented public account.

GPS signals going awry near the Kremlin is a well-known phenomenon.

NRK Moscow correspondent Morten Jentoft has posted a short video demonstrating that when he’s near the Kremlin, his cell phone shows that his location has been spoofed to be at an airport that’s over 40 kilometers away (to see English subtitles click on Subtitles/closed captions). Others reportedly claim similar GPS glitches near President Vladimir Putin’s residence at the Black Sea.

GPS is crucial for many applications. The Global Positioning System’s 24 satellites beam down a radio signal to feed positioning information to all manner of vehicles and devices, from our phones, to our drones, to the navigation systems on ships. Those satellites fly in medium Earth orbit, more than 20,000 kilometers (12,550 miles) above the planet’s surface. That distance makes the GPS signal strength quite low by the time it reaches the Earth. Given how weak the signal is, it’s not hard to overpower it with stronger signals sent from a hacker’s rig that’s nearer the target.

Since Humphreys’ graduate students spoofed the yacht’s GPS with their $1000 homemade kit, spoofers have gotten a whole lot cheaper. You can ruin a game of Pokémon Go with a HackRF One, for example, for less than $300. It can transmit on frequencies between 1 MHz and 6 GHz, which covers most of the modern radio spectrum, including the frequency used by GPS.

In 2015, fully cognizant of the ease of GPS spoofing, the US Naval Academy opted to reinstate instruction of celestial navigation – that is, navigating by the stars – for the first time in 10 years.

Wired talked to one of the captains of a ship involved in the Black Sea mass-GPS spoofing. Fortunately, he said, his ship can survive without GPS, as it has backup navigation. When the ship’s systems went offline, Gurvan Le Meur told Wired, he relied on radar and dead reckoning.

Le Meur says that every time his ship returns to the same area, his GPS once again gets disrupted. Nowadays, his crew just turns it off on arrival so they don’t have to listen to the alarms.

But for any ships relying solely on GPS, operating on auto-pilot or in conditions that make other forms of navigation difficult, GPS-spoofing can mean they’re literally stumbling around in the dark.

Some experts have interpreted the incident as an intentional attack.

Goward:

What this case shows us is there are entities out there that are willing and eager to disrupt satellite navigation systems for whatever reason, and they can do it over a fairly large area and in a sophisticated way. They’re not just broadcasting a stronger signal and denying service; this is worse: they’re providing hazardously misleading information.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ptT4SaEBZso/

Another thug learns that SWATting Brian Krebs is a bad idea

Perhaps the message to young males looking for the thrill of “SWATting” is that investigative security blogger Brian Krebs is not your best target.

Yet another of several Krebs tormenters – Curtis Gervais, 19, of Ottawa, Canada – was recently sentenced for making almost three dozen fraudulent calls to emergency services in the US and Canada starting when he was all of 16, in 2013, and on into 2014. Two of those calls targeted Krebs.

When it came to Krebs, though, Gervais was late to the party. The blogger had been targeted enough previously that both he and the local police department were wise to it.

SWATting, which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams, is a hoax that, as Krebs put it in a blog post Monday, “spoofs a call about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.”

How much of a deterrent the sentence will be is obviously unknown, but it doesn’t add up to hard, or expensive, time. While Krebs reports that the FBI has said each SWATting incident costs emergency responders an average of $10,000, Gervais was sentenced to just nine months – six in a youth group home and the final three at his own residence with restrictions that include a ban on using a home computer. He is also banned from using Twitter or Skype during an 18-month probation. The sentence is stayed pending an appeal.

As noted, Krebs has been targeted by others – as Naked Security reported in February, Eric Taylor, 19, was sentenced to three years probation for being one of a group that, in 2013, spoofed an emergency call to make it appear that it had come from Krebs’s phone.

Taylor, who used the handle “CosmotheGod,” was among those who reported that there was a hostage situation at Krebs’s home in northern Virginia. That resulted in heavily armed police, “surrounding my home and putting me in handcuffs at gunpoint before the police realized it was all a dangerous hoax,” Krebs wrote.

Also in February, a Ukrainian man, Sergei Vovnenko, who uses aliases including “Fly” and “Flycracker,” was sentenced to 41 months in prison for trying to frame Krebs in 2014 by sending heroin to his house and alerting police about when it was going to arrive.

In that case, it was attempted retaliation – Krebs had gotten surreptitious access to a forum Vovnenko ran on the dark web where he was trying to raise money to buy heroin on the now-defunct underground market Silk Road.

Krebs foiled Vovnenko’s attempted revenge when he alerted police and the FBI – three days before it arrived – that he expected a package of heroin. And when he wrote about that, Vovnenko started issuing threats to Krebs, including one to his wife.

But in the case of Gervais, who used Twitter accounts @ProbablyOnion and @ProbablyOnion2, the motive seemed to be mainly for bragging rights. After SWATting a number of schools and residences, he solicited more targets on Twitter, and some responders apparently suggested Krebs, who said the harassment began in March 2014 with a series of “rude and annoying messages on Twitter.”

By this time, however, local police were wise to the reality that Krebs was a regular target of this kind of hoax. So a month later, on April 10 when @ProbablyOnion started bragging on Twitter about dispatching a SWAT team to Krebs’s home because of a violent hostage situation, the cops had already called Krebs on their non-emergency line, “and they were unsurprised when I told them that the Krebs manor and all of its inhabitants were just fine,” he wrote.

And when @ProbablyOnion tried again to dispatch a SWAT team to his home, on May 7, Krebs had learned his identity from a document leaked on Pastebin. In an exchange of tweets, @ProbablyOnion asked, “How’s your door.” Krebs’s reply: “Door’s fine, Curtis. But I’m guessing yours won’t be soon. Nice opsec!”

Gervais was arrested a couple of days after that exchange.

Ontario Court Justice Mitch Hoffman noted that the hoax calls, which resulted in the evacuations of schools, homes and a shopping center, caused thousands of people’s lives to be “put in turmoil and terrorized.” He also called it “a massive waste of public resources with significant cost to emergency services, and therefore to the taxpayer.”

But he imposed a relatively lenient sentence in part because of 900 hours of volunteer service Gervais had performed in recent years.

Others drawn to this kind of thrill, or attempted revenge – and there are hundreds of them every year, according to the FBI – may not be so fortunate in the future if they are caught. Two members of the US Congress – Rep. Katherine M. Clark (D-MA) and Patrick Meehan (R-PA) – filed what they called the Interstate Swatting Hoax Act of 2015, which called for fines and jail time ranging from a year to life, depending on the damage caused.

That bill went nowhere – the last and only action on it was a referral to committee in December 2015. But there is a growing awareness of the costs and strain this kind of crime puts on emergency services, and the potential for mortal danger resulting from what its practitioners call a prank.

It is at least becoming more expensive in some places. California passed a law that took effect in January 2014 that requires those convicted of SWATting to reimburse the departments of responders up to $10,000.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EIXQSzE4dQE/

Researchers promise demo of ‘God-mode’ pwnage of Intel mobos

Security researchers say they’ve found a way to exploit Intel’s accident-prone Management Engine, and will reveal the problem at Black Hat Europe in December.

Positive Technologies researchers say the exploit “allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard via Skylake+”.

Intel Management Engine (ME), a microcontroller that handles much of the communication between the processor and external devices, hit the headlines in May 2017 due to security concerns regarding the Active Management Technology (AMT) that runs on top of the engine (https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/).

It later emerged that AMT had a simple authentication error: an attacker could log in with an empty password field.

For those whose vendors haven’t pushed a firmware patch for AMT, in August Positive Technologies discovered how to switch off Management Engine.

El Reg expects a lot of users who skipped the ME “kill switch” in the last month are about to have a change of mind, once they read this abstract ahead of Black Hat Europe.

The Positive Technologies researchers say they’ll demonstrate a pwn-everything exploit for Management Engine.

What the company’s researchers Mark Ermolov and Maxim Goryachy discovered is that when Intel switched Management Engine to a modified Minix operating system, it introduced a vulnerability in an unspecified subsystem.

Because ME runs independently of the operating system, a victim has no way to know they were compromised, and the infection is “resistant” to an OS re-install and BIOS update, Ermolov and Goryachy say.

Black Hat Europe commences on December 4th, in London. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/26/intel_management_engine_exploit/