As is typical of Intel Corporation (Nasdaq: INTC) the firm is attempting to shirk responsability for this attack and transfer the blame onto the company's vendors, not to mention the glad-handing exhibited by the company's CEO at CES.
It's time to rein in Intel Corporation's significantly flawed software development practice (as evidenced by the output), as the ramifications for the company's vulnerability touch many - if not all - systems worldwide. Further, what else is flawed in the company's other products (for example, automotive chips, medical device systems where the firm's hardware and software reside)?
'But the latest vulnerability—discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post—is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer—even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords—by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel’s Management Engine BIOS Extension (MEBx).' - via Sean Gallagher - writing at Ars Technica
The European Union Agency for Network and Information Security (ENISA) - has released it's Annual Threat Landscape 2017 Report (clicking the preceding link will download the artifact in PDF format). H/T to Jart Armin - Principle at CyberDefcon; a Netherlands based (registered in the UK) intelligence and threat analysis organization .
Via the inimitable Catalin Cimpanu, comes this tale of web-based subterfuge that should enrage all legitimate users on our vaunted interwebs. In this case, the use of hidden login fields (and their parent forms) used by evil usage trackers on seemingly legit sites. Is it any wonder that the effort to block both web advertising and the evil cousin to such: Web Trackers (both nefarious and otherwise) is a growth business in the browser addon market? Read it and Weep My Friends, for the demise of both privacy and your personal authentication data.
"The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list.' - via Catalin Cimpanu writing at Bleeping Computer
From the video description: Breaking with the adversarial approach of Red vs Blue, look at how the current system and approaches may be broken in some organizations and provide recommendation not only for the mature organization with a large structure but also how small businesses can take a more purple strategy in the way they operate their teams including how they acquire pentest services. Presentation will cover an approach beyond the red and blue team and more of a organizational and strategic approach to change the paradigm of thinking and action to more symbiotic approach to security.
Carlos Perez is a Director at a Security Vendor working on reverse engineering, security research and integration projects. Carlos also works as a trainer providing training both to government and private organizations across the world in security technologies and also provides consulting in his spare time on infrastructure and security. His work and thoughts can be found on his webpage www.darkoperator.com. He has presented at several security conferences and is a co-host of the Security Weekly podcast.
In a tour dé force piece - published in The Atlantic - Ed Yong illuminates the horrifying truth of human warfare's murderous effect on animals in the wild; in this case, a study of the nearly total decimation wildlife populations within protected areas of Africa during wartime. Something to read and ponder. A revelation, and today's Must Read.