via Chris Williams, Editor in Chief of The Register, comes this surprising/yet not surprising fourth security flaw that now joins the Spectre/Meltdown Speculative Execution flaw in modern CPUs. Bad news for all.
"Variant 4 is referred to as a speculative store bypass. It is yet another "wait, why didn't I think of that?" design oversight in modern out-of-order-execution engineering. And it was found by Google Project Zero's Jann Horn, who helped uncover the earlier Spectre and Meltdown bugs, and Ken Johnson of Microsoft." - via Chris Williams, Editor in Chief of The Register targeting the fourth known Spectre/Meltdown flaw.
via Samuel H. Moore, writing at the IEEE's Spectrum Magazine, comes word of the 'Unhackable Envelope'. The Fraunhofer team (developers of the Unhackable Envelope) comprised of Vincent Immler - Fraunhofer Institute for Applied and Integrated Security (AISEC), Martin König - Fraunhofer Research Institution for Microsystems and Solid State Technologies (EMFT), Johannes Obermaier - Fraunhofer Institute for Applied and Integrated Security (AISEC), Matthias Hiller - Fraunhofer Institute for Applied and Integrated Security (AISEC) and Georg Sigl - Fraunhofer Institute for Applied and Integrated Security (AISEC) & Technical University of Munich (TUM) appeared at the IEEE International Symposium on Hardware Oriented Security and Trust in Washington, D.C. last week. Additionally, the group's paper 'B-TREPID: Batteryless Tamper-Resistant Envelope with a PUF and Integrity Detection' won the 2018 Best Paper Award at the confrenece (Kudo's are certainly in order!).
DOD Bans On-Base Sale of Huawei, ZTE Mobile Devices
via Graham Cluley, writing at GrahamCluley.com, comes this interesting story, originaly via Stu Woo and Gordon Lubold, both at The Wall Street Journal, in which, Messrs. Woo and Lubold detail the banning of Huawei and ZTE mobile products from Exchanges On-Base , world wide.
“Huawei and ZTE devices may pose an unacceptable risk to the department’s personnel, information and mission,“ said Army Maj. Dave Eastburn, a Pentagon spokesman, in a statement. “In light of this information, it was not prudent for the department’s exchanges to continue selling them.” - Dave Eastburn, MAJ US Army, a US Department of Defense spokesman - via Stu Woo and Gordon Lubold, both at The Wall Street Journal
"Gleg offers several different packs of exploits for clients: Agora covers mainstream web software; the “SCADA+ Pack” is focused on “industrial software and hardware environment” issues, and, predictably, the MedPack includes vulnerabilities for medical software. A one year subscription for MedPack costs $4,000, and for that Gleg provides 25 exploits per year, most of which are zero-days, Gurkin wrote." - via Joseph Cox, writing at Motherboard (a Vice property)
via Zack Whittaker timely reportage for ZDNet's Zero Day group, his work provides insight to the tangled-web-we-weave in the ICS/SCADA world. This time - the ramifications of a particularly-pesky security flaw in a Schneider product (amongst thousands of other known bugs in hundreds of other software packages coupled with poor software management practices in the industrial control systems sector combine to make a very poor nap at the control boards, indeed. Just ask Homer! Today's Critical Must Read Choice.
"It's the latest vulnerability that risks an attack to the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, from Russian hackers. The affected Schneider software, InduSoft Web Studio and InTouch Machine Edition, acts as middleware between industrial devices and their human operators. It's used to automate the various moving parts of a power plant or manufacturing unit, by keeping tabs on data collection sensors and control systems. " - via Zack Whittaker writing for ZDNet's Zero Day
I am sure you have all read the news of Grayshift's issues battling extortionists and their ilk. I have, however, not seen any significant commentary regarding the data theft this SNAFU could facilitate.
Here's the thought problem (looking for culpability, specifically): A Law Enforcement agency has taken custody (adhering to standards of Generally Accepted Chain of Custody guidelines) of a suspect's iPhone. Unbeknownst to the trusted Sworn Officers and Forensicators (often, one in the same) examining the device, the Grayshift appliance undergoes an unfortunate successful attack - mounted by external miscreant(s) unknown, and succumbs to the exfiltration of all data on the applicance AND the slurped data on the iPhone.
Subsequent forensication by the Sworn Officers or Forensicators (again, often one in the same - at least in smaller agencies) entrusted with reasonable and prudent Chain of Custody of the device under scrutiny, discover that the Grayshift appliance and the suspect's iPhone have both undergone the indignity of significant data leakage. How does the Agency proceed in the effort to lay charges - or not - and protect the Agency, as well?
Oh, and while they are at it, perhaps they could explain why the device is attached to a forward facing TCP/UDP connection to our beloved Interweb?
Bad news for the Intel Corporation (Nasdaq: INTC) and AMD Corporation (Nasdaq: AMD) apologists... There is word, coming from Peter Bright, plying his trade at Ars Technica of newly discovered branch prediction attacks. Bad news, indeed.
"Researchers from the College of William and Mary, Carnegie Mellon, the University of California Riverside, and Binghamton University have described a security attack that uses the speculative execution features of modern processors to leak sensitive information and undermine the security boundaries that operating systems and software erect to protect important data." - via Peter Bright, plying his trade at Ars Technica
What does Savoir-Faire the French-Canadian Mouse have to do with hardware that 'cannot be tampered with'? Quite a bit, as a matter of fact. What follows is a tale of extreme arrogance exhibited by a hardware manufacturer, and the nearly overwhelming Savoir-Faire displayed by a fifteen year old child in possession of a blisteringly precise and keen intellect. Enjoy.
Dan Goodin, writing (as is his wont) at Ars Technica, regales us with his illustrious prose that tells the tale of hardware hubris, this time in the guise of a cryptocurrency wallet device and the CEO of the company that created the dingus, add in a feisty 15 year-old security researcher that will not give up and you'll get Today's (I don't mind saying) MustRead!
'On Tuesday, a 15-year-old from the UK proved these claims wrong. In a post published to his personal blog, Saleem Rashid demonstrated proof-of-concept code that had allowed him to backdoor the Ledger Nano S, a $100 hardware wallet that company marketers have said has sold by the millions. The stealth backdoor Rashid developed is a minuscule 300-bytes long...' - via Dan Goodin, writing at Ars Technica
(Savoir-Faire is a Francophone noun-phrase describing adaptability and adroitness (the notion of rightness), essentially, having the innate knowledge of behavior, situationally. - as paraphrased from Wkipedia. Savoir-Faire is also the name of a brilliant (and insightful) mouse from Klondike Cat cartoons of Tennessee Tuxedo fame). There, I have reminded you of two things you probably already new. You are now equipped to carry-on - quite smartly indeed - with your day.
Ian Cutress - writing at eponymous AnandTech - expertly reported AMD Ryzen security flaws yesterday, via an announcement by security research firm CTS-Labs. While this appears to be bad news, let's leave the exact fix criteria to AMD, of which, has not responded (as of the writing of this post) to the annoucement from CTS-Labs (reportedly, the time-frame was a 24-hour notice, rather than the industry standard notification of 90 Calendar Days...). Stay tuned.
"CTS-Labs’ claims revolve around AMD’s Secure Processor and Promontory Chipset, and fall into four main categories, which CTS-Labs has named for maximum effect. Each category has sub-sections within." via Ian Cutress, reporting at AnandTech.
Updated 2018/03/15 0831 - Dan Goodin at Ars Technica provides additional insightful reportage, and this from Motherboard scribe Lorenzo Franceschi-Bicchierai detailing the indicators of fraud and subterfuge within (and without) the report.
via Zaid Shoorbajee - reporting for Cyberscoop, comes a story of security entropy, this time in medical imaging device system patching and an esteemed University's research targeting those systems. In this case, a research paper from Israel's Ben-Gurion University of the Negev Malware-Lab yielded good (but not-necessarily-acted-upon-advice) to Medical Professionals: Patch Your Flawed Imaging Systems...
'“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack can be fatal,” said Tom Mahler, an author on the paper. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyber-attacks.” ' - Zaid Shoorbajee - reporting for Cyberscoop
As is typical of Intel Corporation (Nasdaq: INTC) the firm is attempting to shirk responsability for this attack and transfer the blame onto the company's vendors, not to mention the glad-handing exhibited by the company's CEO at CES.
It's time to rein in Intel Corporation's significantly flawed software development practice (as evidenced by the output), as the ramifications for the company's vulnerability touch many - if not all - systems worldwide. Further, what else is flawed in the company's other products (for example, automotive chips, medical device systems where the firm's hardware and software reside)?
'But the latest vulnerability—discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post—is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer—even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords—by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel’s Management Engine BIOS Extension (MEBx).' - via Sean Gallagher - writing at Ars Technica