Tag Archives: Intel

Security News for the Week Ending April 2, 2021

SolarWinds Hackers Got Emails of Former Acting Illegal Head of DHS

Chad Wolf, the former temporary acting head of DHS whom a federal court said was illegally appointed, has another item for his resume. When the Russians hacked DHS by way of SolarWinds, they obtained Wolf’s emails. Try to comprehend, for a moment, the intelligence value to Russia of whatever was in his email. DHS has not commented on that subject, but suffice it to say, this is not good. Credit: Cybernews

US Special Operations Command Buys Location Data

SOCOM paid $500,000 to buy data harvested from apps on your phone. The company, Anomaly 6, is pretty secretive. The WSJ picked up the contract info, so they are probably getting more attention than they had gotten in the last year. Founded by ex-military and location industry execs, it seems to have contracts with DoD and the intelligence community. SOCOM says that the $589,500 deal was an evaluation of their data for an overseas environment. SOCOM does a lot of work tracking down bad guys in the Middle East and Africa, so you can probably connect the dots. No one is saying and this is likely no more illegal than SOCOM buying pens from Staples – for better or for worse. Credit: Vice

A Potential Resume Generating Event

Strategic Command, the folks responsible for launching nuclear missiles, sent the following Tweet:

;l;;gmlxzssaw .

Is this a launch code on Twitter? No, but here is a real-world danger of Work From Home. Note to self – lock your computer before leaving.


Intel Sued Over Capturing User Keystroke data

Have you ever visited a web site, started filling out a form but didn’t submit it, and the site owner contacted you anyway? The way they do that is via software on the web site that records your keystrokes as you type. One of the companies that does that is Intel. Another is Google. There is a current class action lawsuit in Florida that accuses Intel of wiretapping. I’m not a lawyer, but that seems like a stretch. Still, if you are using keystroke monitoring software on your website, you probably should watch this lawsuit closely. Credit: Threatpost

Sierra Wireless Withdraws Financial Guidance Completely After Ransomware

Sierra Wireless, a major Internet of Things vendor, reported that they were the target of ransomware last week. As a result, they halted production at their manufacturing plants. Not only did the attack shut down many of their internal systems, but it forced the company to withdraw the financial performance numbers that they had released just a month earlier. There are a couple of potential reasons why they shut manufacturing down. One of those reasons might be that they are concerned that the attackers were able to compromise code going into those products and they did not want to be the next SolarWinds. Credit: SC Magazine

Security News for the Week Ending March 13, 2020

9 Years of AMD Processors Vulnerable to 2 New Side-Channel Attacks

AMD processors from as early as 2011 to 2019 carry previously undisclosed vulnerabilities that open them to two new side-channel attacks, according to freshly published research.

Known as “Take A Way,” the new potential attack vectors leverage the L1 data (L1D) cache way predictor in AMD’s Bulldozer micro-architecture to leak sensitive data from the processors and compromise the security by recovering the secret key used during encryption. Source: The Hacker News

And… AMD is Not Alone This Week  – Intel has Unpatchable Flaw

And the “chip wars” continue.

All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology that is otherwise designed to shield sensitive data of users even when a system gets compromised.

The flaw, if exploited (only theoretical this week), would allow hackers to extract the root encryption key in the Intel Management Engine – which is the same for all chips in a particular processor family. That potentially would nullify all DRM and all whole disk encryption, among other things. Source: The Hacker News

President Signs Bill To Help Rural Telecom Carriers Replace Chinese Equipment

The President signed the Secure and Trusted Communications Networks Act this week.  The bill mandates that US telecom carriers rip and replace any “suspect foreign network equipment”.  It requires the FCC to set up a compensation fund to help rural telecom carriers do this;  the bigger carriers are on their own – which will likely be reflected in your bill as a fee or surcharge.

Carriers have to provide a list of equipment and estimated costs to replace it by April 22.  Sometime after that, we will have a better estimate of the cost.

For some reason which is not clear to me, the bill will not cover the cost of replacing equipment purchased after August 14, 2018.  It appears that telcos do not need to replace new Chinese equipment.

The requests and status of replacement activities will be posted on the FCC’s website.

The law authorizes the FCC to spend $1 billion in this year’s budget to do this.

The bill also allows companies that won spectrum bids in the last auction to abandon their builds and get their money back for the spectrum if they determine that they can’t build out what they promised without using suspect gear.

It would also appear that if the telco buys or has bought Chinese gear without a government subsidy, they can continue to use it.  Source: Engadget

Microsoft Says: 99.9% of Compromised Accounts did NOT use Multi-Factor Authentication

Microsoft tracks 30 billion login events every day.

They say that roughly 0.5% of all accounts get compromised every month.  That translated to around 1.2 million accounts compromised in January.

They also say that around 99% of all attacks target legacy protocols, so, if those protocols can be disabled and multi-factor authentication is turned on, successful attacks go to nearly zero.

They also say that multi-factor authentication blocks 99.9% of all attacks. Source: ZDNet

Security News Bites for Week Ending August 17, 2018

Hamas Creates Fake Missile Warning App to Hack Israelis

The Times of Israel is reporting that Hamas has created and was distributing a fake Code Red rocket warning app.

The app, according to Clearsky Cyber Security, takes over the phone and is impossible to remove, even if the app is deleted.

Once infected, the app allows the hacker to track the phone, take pictures, record sound, make calls and send messages – everything a normal user would do, except the person doing it, in this case, is a terrorist.

The message here is not just to avoid Hamas, but also to be wary of apps from untrusted sources as they may have unintended side effects.  Source: The Times of Israel.

Cisco and Others Release Patches for VPN Encryption Flaws

Cisco, Huawei, Clavister and ZyXEL network products are susceptible to an attack according to a paper to be presented at the Usenix Security Symposium.  This would allow an attacker to recover the encryption nonce which then would allow an attacker to decrypt all VPN data.

Note this is NOT a flaw in the encryption algorithm, but rather a bug in the software that implements it.  This is why people regularly successfully hack and steal millions in crypto currency – because no software is perfect.

It is interesting that Cisco is the only major player affected.

Cisco has released patches for IOS and IOS XE, but users can only get them if they pay Cisco for software maintenance, the main reason I do not recommend Cisco products.  The other vendors don’t charge users for fixes of security flaws.

For Cisco users that do not have maintenance or are running old, unsupported hardware, *IF* you have the ability to turn off rsa-encr authentication mode, that will solve the problem.  It may break other things, however.  Source: Bleeping Computer.

Oracle Releases Critical Security Patch

Oracle is urging its customers to quickly patch a critical vulnerability in their database installations which can result in a complete compromise of the database and provide shell access to the underlying server.

The attack only affects Oracle versions 11.2 and 12.2, is easy to exploit, can be exploited remotely but does require the attacker to have credentials.  The vulnerability is in the Java virtual machine.

Users running 12.1 on Windows or any version of Linux or Unix should install the July patches.  Source: Helpnet Security.

Yet Another Spectre/Meltdown Style Vulnerability Found

This is a strange security week between Oracle and Cisco.  Now we have news of yet another Spectre/Meltdown style vulnerability.  How is it that for 15 years no one found any of them and this year they have found at least 6, probably more?

This new bug affects the Intel Core and Xeon families, i.e. the chip in every PC and Mac. It is called the L1 Terminal Fault. This new fault affects Intel’s SGX, which is kind of like the iPhone’s secure enclave, allowing an attacker to extract information from it – not good.

To add insult to injury, while the researchers found one attack, which Intel has confirmed, Intel itself says it found two more attacks.

Now here is the bad news. Intel says that they will have a patch which will eliminate the problem with no performance impact on end user and non-virtualized environments, but for users running in a virtualized environment, especially in the cloud, that is a different story and Intel says that you will have to take additional steps – steps that you probably cannot actually take in a shared host environment like many AWS, Azure or Google environments. Source: Computing.Co.

Bitcoin Speculator Sues AT&T for $240 Million

The speculator is suing AT&T after they allowed a social engineer to port his phone number which he used for two factor authentication for his bitcoin transactions.

A hacker had broken into his account a few months earlier and AT&T had set up an account PIN (this should be standard) and flagged his account as high risk. Nonetheless, an employee allowed a hacker to port the phone number anyway, without any of that information.

Porting phone numbers to get around two factor authentication is becoming popular;  I was interviewed for a TV piece recently where someone’s number was ported and their bank account emptied out in just a few minutes.

AT&T is fighting the suit saying that they are not required to follow their own security protocols and certainly not responsible for what happens if they do not.  The speculator lost $23+ million in bitcoin.

For those who are in a high risk situation, using text messages for two factor is not sufficient and, in fact, given his account was hacked before, the fact that HE didn’t change to a more secure second factor immediately weakens his case.

Stay tuned. Source: The Register.

Friday News Bites – June 15, 2018

Details Emerge on TicketFly Hack

More details are coming out about the TicketFly attack. First thing is that the web site was based on WordPress. While WordPress is a very popular site for individuals and small businesses, using it for something as complex as a concert ticketing site is likely a mistake. Hackers were able to get data on 27 million customers, but the good news is that no passwords or credit card data was accessed; only names, addresses, phones, emails, etc. were compromised. This is likely due to security minded design decisions made early in the development of the site. The site was down for almost a week, a disaster in the online ticketing business, and likely they are going to have to pay the venues that use them significant compensation to keep them from jumping ship. That is in addition to the megabucks spent in recovery and probably more megabucks in rebuilding the site using something other than WordPress. (Source: Variety)

FBI Arrests 74; recoups $14 Million

Business email compromise is a $5 billion industry according to the FBI. The FBI says that they disrupted a business email compromise scheme, recovered $2.4 million and halted $14 million in bogus wire transfers. This represents 0.3 percent (about one third of one percent) of the reputed losses. While any arrests are a good thing, no one should think that this problem is handled, because, if anything, it is getting worse. (Source: Ars Technica)

Apple Continues to Poke the Tiger in the Eye

Apple seems to be committed to doing battle with the feds while the rest of us enjoy popcorn. When Apple refused to unlock an iPhone after the San Bernardino shooting (in part because the FBI did not follow Apple’s instructions), the FBI paid a third party to hack it. Now Apple is saying that, in the next software release, they are going to disable data transfer from locked iPhones via the charging port after a phone has been locked for an hour. Why that should have ever been open is not clear. This will likely break some of the hacking software that the police are using. (Source: NY Times)

Another Day, Another Intel Speculative Execution Bug

I am beginning to feel sorry for Intel.   In addition to the original Spectre and Meltdown bugs, some of which will never be fixed and others of which are hard to exploit, there recently were 8 more flaws announced with differing degrees of difficulty and impact.  This week brings Lazy State, an exploit that allows a process to infer the contents of floating point arithmetic registers of another process due to a time optimization called lazy floating point state restore.  Some operating systems have already turned this optimization off (Red Hat Enterprise Linux) and any Linux variant running version 4.9 of the Kernel or newer is also safe.  Others have patched the flaw recently (OpenBSD, FreeBSD).  I am assuming that Microsoft and Apple will fix this month since turning off this optimization does not require a microcode update.  Still, collectively, all of these fixes will reduce performance.  (Source: ZDNet)

Another Crypto-currency Breach

We continue to see attacks against crypto-currencies. Why? Because hackers think it is easy to do and the odds of getting caught are low. This week it is Ethereum and they lost about $20 million. One more time, this is not an attack on the math, but rather on the implementation. Users left ports open on their client computers, which allowed the attackers to steal the users’ wallets. (Source: The Hacker News)

 

News Bites for Friday June 1

8 new Spectre-Class Vulnerabilities

Researchers have reportedly found *8* new Spectre-class vulnerabilities. Intel has classified 4 of them high risk and 4 of them medium risk, although they are not releasing any details on them – yet. The entire set is being referred to as Spectre Next Generation or Spectre-NG. At least one of them is rumored to be able to capture data, like passwords, from other virtual machines running on the same computer – as would be the case in Microsoft Azure, Google Compute or Amazon EC2.

Supposedly Intel is planning on releasing some patches this month and some more in August.  Until then and until we get more information, it is a bit of a black hole.

As we saw with the earlier Spectre vulnerabilities, some chips could be patched while others could not.  That is likely the case here.

We also saw that it was hard to exploit the old Spectre vulnerabilities. Apparently, at least one of these new vulnerabilities is relatively easy to exploit. Combine that with the suspicion that some chips may not be fixable … not good.

It is rumored that at least some of these flaws affect ARM chips as well;  it is unknown if they affect AMD chips, which have their own set of flaws not affecting Intel.

Ultimately, this should have been expected.  As chip makers pushed harder and harder to make their chips faster – faster than the previous generation and faster than their competitors, they took calculated risks.  Now those risks are coming back to haunt them  (Source: The Hacker News).

The General Data Protection Regulation (GDPR)

The GDPR went into effect in the EU on Friday and it is likely to have an effect not only on EU residents but also people around the world. It significantly increases residents’ control over their information and how it is used.

The United States has a completely different view on the subject; specifically, businesses can pretty much do whatever they want with information that they collect about you and me.  Check out Facebook or Google if you have any questions about that.

Other countries such as Japan, South Korea, Brazil, Thailand, Bermuda and others seem to be lining up with the EU’s way of thinking because doing that allows for a more seamless transfer of information between the EU and those countries and that translates to more business.

The U.S. has negotiated an agreement with the EU called Privacy Shield, which was negotiated after the last agreement, Safe  Harbor, was shot down by the EU’s High Court.  Privacy Shield is now in front of the High Court and no one knows what that outcome will be.

With Friday’s law in place, a number of U.S. media companies like the LA Times and Chicago Tribune have blocked EU users from accessing their web sites rather than become compliant.  Not sure that is a great strategy, but maybe.  That strategy is especially suspect if more countries adopt EU-like laws.  If they do then companies that are not compliant may be limited to being visible in the United States.  That also means reduced business opportunities for those companies.

Literally, as soon as the law came into effect, complaints were filed in multiple countries against large U.S. companies like Facebook.  Stay tuned for the outcome of those complaints.  Like the Chinese proverb says: may you live in interesting times.  This qualifies (Source: Reuters).

Vermont Data Broker Regulation Now In Effect

Until now data brokers like Acxiom (yes, you have never heard of them and that is not a coincidence) collect and aggregate data from hundreds of sources and generate thousands of data points per person. They know that you bought some particular medicine last week and infer what the disease is. That isn’t covered under HIPAA because they have not talked to your doctor. They create their own variant of a credit score, but since it is not actually a credit score, it isn’t regulated.

Well as of last week, Vermont has become the first state in the country to regulate data brokers.  Hardly the end of the road for brokers, but, at least, there are now some security requirements for these folks.

Now they will have to meet security requirements, control access to the data, and, report breaches.  And, using their data for fraud is now a crime on its own.  Will other states follow?  Who knows; stay tuned (Source: Tech Crunch).

Blockchain Will Solve All Known Problems – As Soon As They Perfect The Software

From the title of this item, you can probably figure out where I stand on the Blockchain mania.

Chinese hackers have discovered a flaw in the EOS (blockchain) Smart Contract software that allows them to execute arbitrary code on the EOS nodes, from there to control an EOS supernode that manages other nodes and from there control other nodes. Ultimately, potentially, completely compromising the integrity of the blockchain.

Other than that, it is perfect.

This is not a flaw in the cryptography.  Only a flaw in the software.  Kind of like forging your signature on a paper contract, only in that case, they can’t forge it from, say, China.  In this case, they can.

So as people drool in bliss over blockchain, remember that the blockchain is not loops of steel chain, but rather software and as soon as any piece of software exceeds about 2 lines of code, it is likely to have bugs in it.

It will likely be 10-20 years before there is sufficient case law to figure out who is liable for the software bugs, but you can count on one party claiming it is not them and that is the software developers. The law still, pretty much, thinks you draw up contracts with a quill pen and an ink well, so don’t count on much help from the law if you wind up in the middle of a fraudulent smart contract.

Oxnard Investigating Data Breach

The city of Oxnard is investigating a breach of credit card information used by customers to pay their water bill.  The breach was caused by multiple vulnerabilities in their vendor’s (Superion) software which allowed bad guys to steal credit cards.  The breach started on Saturday and lasted until Tuesday.  As breaches go, that is an amazingly fast detection to remediation cycle (Source: VC Star).

President’s Executive Order on Cyber Security Produces Results

One year ago, in May 2017, the President signed an Executive Order on cyber security. One year later we have the results of that EO. The Office of Management and Budget released a report that says that 71 of 96 federal agencies participating in the assessment were either at risk or at high risk due to the use of old technology and the lack of competent cyber security help. I feel more secure already (/End Sarcasm). Only 25 agencies were found to be effectively managing risk.

Obviously, it is a hard problem to fix, but generating another report really doesn’t help the problem much.

Only 40% of the agencies participating were able to see if their data was being stolen.

After a year’s worth of work and who knows how many millions of tax dollars, at least from what was released, I do not see a Plan of Action with Milestones.  That is the hard part, that is what is required and that is what is missing.  Another agency kills a few more trees and likely nothing changes.  We will see if that is true, but from this report, I don’t see anything changing (Source: Federal Computer Weekly).  Unfortunately for you and me.

Friday News

Intel will NOT be patching all of its flawed chips

After saying, for months, that it would release firmware updates to all chipsets produced in the last 5 years, Intel is now backtracking, saying that it won’t produce patches for the Bloomfield line, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, the Wolfdale line, and the Yorkfield line. There were several reasons, number one being that it was too hard (read: impossible) given the architecture of those chips. (Source: The Verge).

Microsoft Patch Tuesday Patches at Least 65 Vulnerabilities

From one perspective, given the breadth of Microsoft’s empire, releasing 65 SECURITY patches a month is not unreasonable.  On the other hand, given that they have been doing this for years, that is thousands of security flaws, which is a bit mind blowing.  This month’s patches affect Internet Explorer and Edge, Office, one more time, the Microsoft Malware Protection Engine, Visual Studio and Microsoft Azure.

A patch for the Malware Protection Engine (MPE) bug was released in an out-of-band patch last week because it affects all of Microsoft’s anti-malware products such as Windows Defender and Security Essentials. This is at least 3 emergency patches to the MPE in recent months.

Corporate IT usually has patching handled, but when it comes to home users, things are a bit more spotty, so make sure that you install these patches (Source: Krebs On Security).

Identity thieves going after CPAs

If the IRS is warning tax preparers to “step up” their cybersecurity game, it must be bad. Brian Krebs details the story of a tax preparer who allowed his system to become compromised with a not very sophisticated keystroke logger. The result was that his clients’ data was hacked and false returns filed. When the clients’ real returns were rejected by the IRS, the CPA provided form letters to his clients to file with the IRS saying that they were the victim of identity theft but not saying that it was the accountant who was responsible. No doubt the clients were left with the bill to clean up their CPA’s mess on top of it all.

If you use a tax preparer, you should be asking questions about their cybersecurity practices and if he or she says not to worry, you should start worrying.  Or looking for a more astute CPA (Source: Brian Krebs).

Atlanta, Colorado spending millions after ransomware attack

Atlanta has spent over $2 million mitigating the ransomware attack which started on March 12. The attackers asked for $50,000 which likely would have been covered by insurance. The costs are for Secureworks, Ernst and Young and others. If these costs are to upgrade infrastructure, the insurance would not cover that.

The Colorado Department of Transportation (CDOT) has spent $1.5 million since their ransomware attack in February.  CDOT is still not fully operating yet.

Stories are that Atlanta’s IT was on life support due to lack of funding prior to the attack.  Assuming some of those millions are being spent on upgrading the infrastructure, maybe the attack has a silver lining.  (Source: SC Magazine).