Apple Inc. (Nasdaq: AAPL) has quite forcefully denied (via Reuters; the denial was reportedly written by George Stathakopoulos - Apple’s Vice President for Information Security) the existence of surreptitious command-and-control chip insertions on system boards within devices manufactured by Super Micro Computer Inc. (NASDAQ: SMCI) under contract with, and deployed by, Apple Inc. within the latter's data centers. Interestingly, there is some evidence of security-related issues two years ago betwixt Apple Inc. and Super Micro Computer Inc.... And then there's The Grugq, whose typically clear and exacting opinions are trusted hereabouts - his view appears here (you'd do well to listen to his take). Regardless of what path you walk in discerning the truth of this particularly murky debacle, one thing is clear - human nature being what it is, there is certainly an abundance of vile perniciousness floating about this scenario that has yet to be revealed.
Via Sean Gallagher, writing at Ars Technica, comes this particularly unfortunate news for Apple Inc. (Nasdaq: AAPL) MDM (Mobile Device Management) bits - especially considering there will be a flood of new devices into many orgs. On the plus side, the flaw has been discovered, and now it's Apple's turn-at-bat to clean up their dusty-bits, as it were. Read all about it at everyone's beloved Ars Technica!
Friend of the Blog Trey Blalock of Firewall Consultants sent in a link yesterday which magically transported us to Ramtin Amin's Web Blog (in actuality, a Hardware Security blog of considerable renown) (gracias Trey!). Ramtin's work is indicative of a curious intellect and tremendous hardware investigatory chops (plus, keen eye-hand coordination!). If you are at all fascinated by hardware security (coupled with mobile telephony, femto-cells, cabling/dongles and the like), his blog will come as a refreshing changement de rythme of to-the-point discussions of same. Don't Dawdle, Chop-Chop, Enjoy!
Meanwhile, in Spectre (PDF) news, comes word from Ars Technica's Peter Bright of a newly discovered attack vector (PDF) (dubbed NetSpectre) using the pernicious speculative-execution in-built microcode from the Minds of Intel Corporation. Now - and this is truly lovely - the vector's not local, but external and free from the constraints of local environs (perhaps endpoint security, etc.) and is consequently a more pernicious network-resident information operation. Thanks Intel, You're Swell!
"That impact is now a little larger. Researchers from Graz University of Technology, including one of the original Meltdown discoverers, Daniel Gruss, have described NetSpectre: a fully remote attack based on Spectre. With NetSpectre, an attacker can remotely read the memory of a victim system without running any code on that system." - via Peter Bright, whilst writing at Ars Technica
Bad mojo written up at Ars Technica and The Wall Street Journal, in the GPS realm. It's high time for the manufacturers to step up remediation efforts targeting these pernicious position system flaws. Until the apropos remediations and mitigations are firmly ensconced within the hardware and software under scrutiny, no human should trust autonomous-navigating conveyances, unless - of course - you are actively testing those systems.
"“Our study demonstrated the initial feasibility of manipulating the road navigation system through targeted GPS spoofing,” the researchers, from Virginia Tech, China’s University of Electronic Sciences and Technology, and Microsoft Research, wrote in an 18-page paper (emphasis added). “The threat becomes more realistic as car makers are adding autopilot features so that human drivers can be less involved (or completely disengaged).”" - via Ars Technica Security Editor Extraordinaire Dan Goodin
Oleg Afonin, writing on Elcomsoft's blog, confirms Apple Inc.'s (NasdaqGS: AAPL) iOS USB Restricted Mode on the latest version release of iOS is configured by default to disallow connectivity through the device's USB port after the device is locked for one hour (as depicted in the screen shot above, the USB toggle is off). This may be troublesome for law enforcement's capability to garner data and ostensibly creates a 'golden hour' of data seizure capabilities by LE; Apple has published a support page with details of the process.
via Chris Williams, Editor in Chief of The Register, comes this surprising/yet not surprising fourth security flaw that now joins the Spectre/Meltdown Speculative Execution flaw in modern CPUs. Bad news for all.
"Variant 4 is referred to as a speculative store bypass. It is yet another "wait, why didn't I think of that?" design oversight in modern out-of-order-execution engineering. And it was found by Google Project Zero's Jann Horn, who helped uncover the earlier Spectre and Meltdown bugs, and Ken Johnson of Microsoft." - via Chris Williams, Editor in Chief of The Register targeting the fourth known Spectre/Meltdown flaw.
Via Samuel H. Moore, writing at the IEEE's Spectrum Magazine, comes word of the 'Unhackable Envelope'. The Fraunhofer team (developers of the Unhackable Envelope), comprising Vincent Immler - Fraunhofer Institute for Applied and Integrated Security (AISEC), Martin König - Fraunhofer Research Institution for Microsystems and Solid State Technologies (EMFT), Johannes Obermaier - Fraunhofer Institute for Applied and Integrated Security (AISEC), Matthias Hiller - Fraunhofer Institute for Applied and Integrated Security (AISEC) and Georg Sigl - Fraunhofer Institute for Applied and Integrated Security (AISEC) & Technical University of Munich (TUM), appeared at the IEEE International Symposium on Hardware Oriented Security and Trust in Washington, D.C. last week. Additionally, the group's paper 'B-TREPID: Batteryless Tamper-Resistant Envelope with a PUF and Integrity Detection' won the 2018 Best Paper Award at the conference (Kudos are certainly in order!).
DOD Bans On-Base Sale of Huawei, ZTE Mobile Devices
Via Graham Cluley, writing at GrahamCluley.com, comes this interesting story, originally via Stu Woo and Gordon Lubold, both at The Wall Street Journal, in which Messrs. Woo and Lubold detail the banning of Huawei and ZTE mobile products from Exchanges On-Base, worldwide.
“Huawei and ZTE devices may pose an unacceptable risk to the department’s personnel, information and mission,” said Army Maj. Dave Eastburn, a Pentagon spokesman, in a statement. “In light of this information, it was not prudent for the department’s exchanges to continue selling them.” - Dave Eastburn, MAJ US Army, a US Department of Defense spokesman - via Stu Woo and Gordon Lubold, both at The Wall Street Journal
"Gleg offers several different packs of exploits for clients: Agora covers mainstream web software; the “SCADA+ Pack” is focused on “industrial software and hardware environment” issues, and, predictably, the MedPack includes vulnerabilities for medical software. A one year subscription for MedPack costs $4,000, and for that Gleg provides 25 exploits per year, most of which are zero-days, Gurkin wrote." - via Joseph Cox, writing at Motherboard (a Vice property)
Via Zack Whittaker's timely reportage for ZDNet's Zero Day group, his work provides insight into the tangled-web-we-weave in the ICS/SCADA world. This time - the ramifications of a particularly-pesky security flaw in a Schneider product (amongst thousands of other known bugs in hundreds of other software packages), coupled with poor software management practices in the industrial control systems sector, combine to make a very poor nap at the control boards, indeed. Just ask Homer! Today's Critical Must Read Choice.
"It's the latest vulnerability that risks an attack to the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, from Russian hackers. The affected Schneider software, InduSoft Web Studio and InTouch Machine Edition, acts as middleware between industrial devices and their human operators. It's used to automate the various moving parts of a power plant or manufacturing unit, by keeping tabs on data collection sensors and control systems. " - via Zack Whittaker writing for ZDNet's Zero Day
I am sure you have all read the news of Grayshift's issues battling extortionists and their ilk. I have, however, not seen any significant commentary regarding the data theft this SNAFU could facilitate.
Here's the thought problem (looking for culpability, specifically): A Law Enforcement agency has taken custody (adhering to standards of Generally Accepted Chain of Custody guidelines) of a suspect's iPhone. Unbeknownst to the trusted Sworn Officers and Forensicators (often, one and the same) examining the device, the Grayshift appliance undergoes an unfortunate successful attack - mounted by external miscreant(s) unknown - and succumbs to the exfiltration of all data on the appliance AND the slurped data on the iPhone.
Subsequent forensication by the Sworn Officers or Forensicators (again, often one and the same - at least in smaller agencies) entrusted with reasonable and prudent Chain of Custody of the device under scrutiny discovers that the Grayshift appliance and the suspect's iPhone have both undergone the indignity of significant data leakage. How does the Agency proceed in the effort to lay charges - or not - and protect the Agency, as well?
Oh, and while they are at it, perhaps they could explain why the device is attached to a forward facing TCP/UDP connection to our beloved Interweb?