
Security

Security: Onity, Instagram and Intel Management Engine (ME) Back Doors

Filed under
Security
  • The Epic Crime Spree Unleashed By Onity's Ambivalence To Its Easily Hacked Hotel Locks

    Back in 2012, we wrote about Onity, the company that makes a huge percentage of the keycard hotel door locks on the market, and how laughably easy it was to hack its locks with roughly $50 of equipment. Surprisingly, Onity responded to the media coverage and complaints from its hotel customers with offers of fixes that ranged from insufficient (a piece of plastic that covered the port used to hack the door locks) to cumbersome (replacing the circuit boards on the locks entirely) and asked many of these customers to pay for these fixes to its broken product. Many of these customers wanted to sue Onity for obvious reasons, but a judge ruled against allowing a class action suit to proceed. That was our last story on the subject.

  • Site sells Instagram users’ phone and e-mail details, $10 a search

    At first glance, the Instagram security bug that was exploited to obtain celebrities' phone numbers and e-mail addresses appeared to be limited, possibly to a small number of celebrity accounts. Now a database of 10,000 credentials published online Thursday night suggests the breach is much bigger.

  • Celebs’ phone numbers and e-mail addresses exposed in active Instagram hack
  • Intel kill switch code indicates connection to NSA

    Dmitry Sklyarov, Mark Ermolov and Maxim Goryachy, security researchers for Positive Technologies, based in Framingham, Mass., found the Intel kill switch that has the ability to disable the controversial Intel Management Engine (ME).

    Experts have been wary of the Intel ME because it is an embedded subsystem on every chip that essentially functions as a separate CPU with deep access to system processes and could be active even if the system were hibernating or shut off.

Security: Pacemaker Security, Female Hackers, Internet of Things 'Leaks'

Filed under
Security
  • FDA, Homeland Security Issue First Ever Recall, Warnings About Flimsy Pacemaker Security

    We've well established that the internet of things (IOT) market is a large, stinky dumpster fire when it comes to privacy and security. But the same problems that plague your easily hacked thermostat or e-mail password leaking refrigerator take on a decidedly darker tone when we're talking about your health. The health industry's outdated IT systems are a major reason for a startling rise in ransomware attacks at many hospitals, but this same level of security and privacy apathy also extends to medical and surgical equipment -- and integral medical implants like pacemakers.

    After a decade of warnings about dubious pacemaker security, researchers at Medsec earlier this year discovered that a line of pacemakers manufactured by St. Jude Medical were vulnerable to attacks that could kill the owner. The researchers claimed that St. Jude had a history of doing the bare minimum to secure their products, and did little to nothing in response to previous warnings about device security. St. Jude Medical's first response was an outright denial, followed by a lawsuit against MedSec for "trying to frighten patients and caregivers."

  • What Being a Female Hacker {sic} Is Really Like
  • Even encrypted data streams from the Internet of Things are leaking sensitive information; here’s what we can do

    As the Internet of Things (IoT) begins to enter the mainstream, concerns about the impact such “smart” devices will have on users’ privacy are growing. Many of the problems are obvious, but so far largely anecdotal. That makes a new paper from four researchers at Princeton University particularly valuable, because they analyze in detail how IoT devices leak private information to anyone with access to Internet traffic flows, and what might be done about it. Now that basic privacy protections for Internet users have been removed in the US, allowing ISPs to monitor traffic and sell data about their customers’ online habits to third parties, it’s an issue with heightened importance.

Security: Intel ME Back Door, Updates, Back Doors in Cars, Pacemaker, FCC, Hotel and GitHub Flukes

Filed under
Security
  • A Workaround To Disable Intel Management Engine 11

    Positive Technologies is now reporting on a discovery by one of their researchers to be able to disable Intel Management Engine 11 (Skylake era) after discovering an undocumented mode.

    The security researchers discovered "an undocumented PCH strap that can be used to switch on a special mode disabling the main Intel ME functionality at an early stage." Those wanting to learn more can read this blog post.

  • Security updates for Thursday
  • Quebec man fights back after dealer remotely disables car over $200 fee


    A car dealership in Sherbrooke, Que., may have broken the law when it used a GPS device to disable the car of a client who was refusing to pay an extra $200 fee, say consumer advocates consulted by CBC News.


    [...]


    "To turn off somebody's vehicle after he had already paid off the loan is clearly illegal … it's not your car anymore," Iny said.

  • 465k patients told to visit doctor to patch critical pacemaker vulnerability

    Talk about painful software updates. An estimated 465,000 people in the US are getting notices that they should update the firmware that runs their life-sustaining pacemakers or risk falling victim to potentially fatal hacks.

    Cardiac pacemakers are small devices that are implanted in a patient's upper chest to correct abnormal or irregular heart rhythms. Pacemakers are generally outfitted with small radio-frequency equipment so the devices can be maintained remotely. That way, new surgeries aren't required after they're implanted. Like many wireless devices, pacemakers from Abbott Laboratories contain critical flaws that allow hijackers within radio range to seize control while the pacemakers are running.

  • FDA alerts on pacemaker recall for cyber flaw


    The FDA issued an alert Aug. 29 regarding manufacturer Abbott's recall notice affecting six pacemaker devices. The recall is for firmware updates that will "reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities," the FDA wrote in its alert.

  • FCC “apology” shows anything can be posted to agency site using insecure API

    The Federal Communications Commission's website already gets a lot of traffic—sometimes more than it can handle. But thanks to a weakness in the interface that the FCC published for citizens to file comments on proposed rule changes, there's a lot more interesting—and potentially malicious—content now flowing onto one FCC domain. The system allows just about any file to be hosted on the FCC's site—potentially including malware.

  • Inside an Epic Hotel Room Hacking {sic} Spree


    Even after my article on Brocious’ lock hacking and his high-profile Las Vegas reveal, Onity didn’t patch the security flaw in its millions of vulnerable locks. In fact, no software patch could fix it. Like so many other hardware companies that increasingly fill every corner of modern society with tiny computers, Onity was selling a digital product without much of a plan to secure its future from hackers. It had no update mechanism for its locks. Every one of the electronic boards inside of them would need to be replaced. And long after Brocious’ revelation, Onity announced that it wouldn’t pay for those replacements, putting the onus on its hotel customers instead. Many of those customers refused to shell out for the fix—$25 or more per lock depending on the cost of labor—or seemed to remain blissfully unaware of the problem.


    [...]


    and demanded Cashatt’s entire communication history from Facebook.

  • How I lost 17,000 GitHub Auth Tokens in One Night


    Turns out that there was a bug in my logic but not necessarily my code. After all, it did run flawlessly for a few years. So if my code was fine, where was the bug?


    Looking at the update time of some of the records, I was able to place them roughly around the time of another event: A GitHub outage.

  • 7 Things to Know About Today's DDoS Attacks

    Distributed denial-of-service (DDoS) attacks continue to be a weapon of choice among threat actors seeking to extort money from victims, disrupt operations, conceal data-exfiltration activities, further hacktivist causes, or even to carry out cyberwar.

    What was once a threat mostly to ISPs and organizations in the financial services, e-commerce, and gaming industry has become a problem for businesses of all sizes. A small company is just as likely these days to become a target of a DDoS attack as a big one — and for pretty much the same reasons.

  • Security ROI isn't impossible, we suck at measuring

    As of late I've been seeing a lot of grumbling that security return on investment (ROI) is impossible. This is of course nonsense. Understanding your ROI is one of the most important things you can do as a business leader. You have to understand if what you're doing makes sense. By the very nature of business, some of the things we do have more value than other things. Some things even have negative value. If we don't know which things are the most important, we're just doing voodoo security.

Security: False Claim of Wikileaks 'Hack', Spambot Data Breach, and Intel Back Door

Filed under
Security
  • WikiLeaks 'hacked' as OurMine group answers 'hack us' challenge [Ed: not Wikileaks' fault at all]

    The group appears to have carried out an attack known as “DNS poisoning” for a short while on Thursday morning. Rather than attacking WikiLeaks’ servers directly, they have convinced one or more DNS servers, which are responsible for turning the human-readable “wikileaks.org” web address into a machine-readable string of numbers that tells a computer where to connect, to alter their records. For a brief period, those DNS servers told browsers that wikileaks.org was actually located on a server controlled by OurMine.

  • More Than 700 Million Passwords Exposed in Massive Spambot Data Breach

    In one of the largest data breaches in history, a misconfigured spambot computer program publicly leaked more than 700 million email addresses and passwords, though experts say that repeated or fake email addresses could reduce the number of real people impacted.

  • Eureka! The Intel Management Engine can finally be disabled, thanks to the NSA

    Researchers from security firm, Positive Technologies have just stumbled upon something truly phenomenal. They have found a method to disable the much hated Intel Management Engine (ME) in a way that still allows the computer to boot up. This discovery could potentially secure many businesses and state institutions from being compromised by highly sophisticated malware.

Angelfire

Filed under
Microsoft
Security

Today, August 31st 2017, WikiLeaks publishes documents from the Angelfire project of the CIA. Angelfire is an implant comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system. Like previously published CIA projects (Grasshopper and AfterMidnight) in the Vault7 series, it is a persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7).

Solartime modifies the partition boot sector so that when Windows loads boot time device drivers, it also loads and executes the Wolfcreek implant which, once executed, can load and run other Angelfire implants. According to the documents, the loading of additional implants creates memory leaks that can possibly be detected on infected machines.

Keystone is part of the Wolfcreek implant and responsible for starting malicious user applications. Loaded implants never touch the file system, so there is very little forensic evidence that the process was ever run. It always disguises itself as "C:\Windows\system32\svchost.exe" and can thus be detected in the Windows task manager if the operating system is installed on another partition or in a different path.

BadMFS is a library that implements a covert file system that is created at the end of the active partition (or in a file on disk in later versions). It is used to store all drivers and implants that Wolfcreek will start. All files are both encrypted and obfuscated to avoid string or PE header scanning. Some versions of BadMFS can be detected because the reference to the covert file system is stored in a file named "zf".

The Windows Transitory File system is the new method of installing AngelFire. Rather than lay independent components on disk, the system allows an operator to create transitory files for specific actions including installation, adding files to AngelFire, removing files from AngelFire, etc. Transitory files are added to the 'UserInstallApp'.

Read more

Security: Updates, Keys, Intel Management Engine, Paper by Martin Schallbruch

Filed under
Security

Security: Updates, Reproducible Builds, IoT Applications

Filed under
Security

Purism on Coreboot and More

Filed under
OSS
Security
  • Coreboot and Skylake, part 2: A Beautiful Game!

    While most of you are probably excited about the possibilities of the recently announced “Librem 5” phone, today I am sharing a technical progress report about our existing laptops, particularly findings about getting coreboot to be “production-ready” on the Skylake-based Librem 13 and 15, where you will see one of the primary reasons we experienced a delay in shipping last month (and how we solved the issue).

  • Purism Highlights Challenges During Coreboot Development

    Taking a brief break from their Librem 5 smartphone campaign, there's a new Purism blog post today that explains at length why this summer's Librem laptop shipments were delayed due to a pesky Coreboot bug lasting weeks and what it took to come to a workaround.

  • Linux Phone Crowdfunder Passes $100k Milestone

    Computer maker Purism‘s crowdfunding campaign for a privacy-focused phone powered by open-source software has raised over $100,000 in just 4 days.

    At the time of writing $104,300 has been pledged to the project, which aims to deliver a full-featured Linux phone powered, in part, by Matrix.org‘s communication platform.

Disabling NSA Back Door (Intel ME)

Filed under
Security
  • Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA

    Researchers from Positive Technologies — a provider of enterprise security solutions — have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs.

    Intel ME is a separate processor embedded with Intel CPUs that runs its own operating system complete with processes, threads, memory manager, hardware bus driver, file system, and many other components.

    Intel has always advertised Intel ME as a way for companies to manage computers running on their internal networks. Intel ME includes tools that allow system administrators to monitor, maintain, update, upgrade, and repair computers from a remote, central location.

  • Now you, too, can disable Intel ME 'backdoor' thanks to the NSA

    A team of researchers from Positive Technologies discovered an undocumented configuration setting, designed for use by government agencies, to disable Intel Management Engine 11. Now you too can partake in this government privilege to inactivate Intel’s proprietary CPU master controller.

  • Researchers say Intel's Management Engine feature can be switched off

    That's not an option for the general public, but researchers at Russian security firm Positive Technologies have found a way to use these government-only privileges to disable ME.

    ME is a core component of modern Intel chips that if compromised can provide an attacker with a powerful backdoor. As the researchers note, ME can't be completely disabled because of its role in initializing hardware, power management, and launching the main processor.

Security: PKI, ME, and Titan

Filed under
Security
  • PKI is needed for micro-services

    Someone would say: but we can trust the source IP!
    The short answer to this is: no.

    The long answer is: no! no! no! no! no! no! no! no! no!

    An IP address is not secure by design, the network can be manipulated quite easily with an L2 access (like one server compromised).

    Also, the IP layer is not encrypted by default, so if you have to use some kind of encryption on top in your application, what’s the point of encrypting everything with a pre-shared key when you can use an asymmetric layout?

  • Disabling Intel ME 11 via undocumented mode

    Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government's High Assurance Platform (HAP) program.

    Disclaimer: The methods described here are risky and may damage or destroy your computer. We take no responsibility for any attempts inspired by our work and do not guarantee the operability of anything. For those who are aware of the risks and decide to experiment anyway, we recommend using an SPI programmer.

    [...]

    Some users of x86 computers have asked the question: how can one disable Intel ME? The issue has been raised by many, including Positive Technologies experts. And with the recently discovered critical (9.8/10) vulnerability in Intel Active Management Technology (AMT), which is based on Intel ME, the question has taken on new urgency.

    The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards. The main method used by enthusiasts trying to disable ME is to remove everything "redundant" from the image while maintaining the computer's operability. But this is not so easy, because if built-in PCH code does not find ME modules in the flash memory or detects that they are damaged, the system will not start.

    Intel representatives have been informed about the details of our research. Their response has confirmed our hypothesis about the connection of the undocumented mode with the High Assurance Platform program.

    [...]

    We believe that this mechanism is designed to meet a typical requirement of government agencies, which want to reduce the possibility of side-channel leaks. But the main question remains: how does HAP affect Boot Guard? Due to the closed nature of this technology, it is not possible to answer this question yet, but we hope to do so soon.

  • Google opens up on Titan security: Here's how chip combats hardware backdoors

    Google has detailed how its custom Titan security chip will prevent threats that use firmware-based attacks.

    When it unveiled its tiny Titan chip, Google said it planned to use the processor to give each server in its cloud its own identity.
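The "PKI is needed for micro-services" item above argues that a source IP address is not an identity, and that services should authenticate each other with asymmetric keys and certificates instead. The following is an added example (not code from the article's author or from any project the page mentions) showing what that looks like in practice with Go's standard library: a mesh CA issues a certificate to a workload, the receiving service verifies the caller's certificate against that CA and against the expected service name, and two things a source-IP check would wave through are rejected: an impostor that sits on a "trusted" subnet but presents a certificate from its own CA, and a legitimate certificate used under the wrong name. The CA and service names (`mesh-ca`, `orders.svc.internal`, `billing.svc.internal`) are hypothetical; keys and certificates are generated in memory each run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template; ca selects CA vs. leaf constraints.
// Names used here (mesh-ca, orders.svc.internal, ...) are hypothetical.
func newTemplate(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// The workload's identity lives in the SAN, not in its source IP.
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue generates a P-256 key and signs template with parentKey; when parent is nil
// the certificate is self-signed (a root CA).
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = template
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyPeer is what a service does with a caller's certificate: chain it to the mesh
// CA and require that it names the expected workload. No IP address is consulted.
func VerifyPeer(peer, root *x509.Certificate, expected string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   expected,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario returns the verification results for three callers: a legitimate workload,
// an impostor on the same network with its own CA, and a legitimate certificate
// presented under the wrong service name. Only the first should be nil.
func Scenario() (legit, impostor, wrongName error) {
	meshCA, meshKey, err := issue(newTemplate(1, "mesh-ca", true), nil, nil)
	if err != nil {
		return err, err, err
	}
	orders, _, err := issue(newTemplate(2, "orders.svc.internal", false), meshCA, meshKey)
	if err != nil {
		return err, err, err
	}
	rogueCA, rogueKey, err := issue(newTemplate(3, "rogue-ca", true), nil, nil)
	if err != nil {
		return err, err, err
	}
	rogue, _, err := issue(newTemplate(4, "orders.svc.internal", false), rogueCA, rogueKey)
	if err != nil {
		return err, err, err
	}
	legit = VerifyPeer(orders, meshCA, "orders.svc.internal")
	impostor = VerifyPeer(rogue, meshCA, "orders.svc.internal")
	wrongName = VerifyPeer(orders, meshCA, "billing.svc.internal")
	return
}

func main() {
	legit, impostor, wrongName := Scenario()
	fmt.Println("legitimate caller:", legit)
	fmt.Println("impostor with own CA:", impostor)
	fmt.Println("wrong service name:", wrongName)
}
```

The same `VerifyPeer` logic is what a TLS server gets for free by setting `ClientAuth: tls.RequireAndVerifyClientCert` with the mesh CA in `ClientCAs`; the point of spelling it out is that the decision rests on a signature chain and a name, neither of which an attacker with L2 access can forge by spoofing an address.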
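The Positive Technologies write-up quoted above ("Disabling Intel ME 11 via undocumented mode"), like the earlier "A Workaround To Disable Intel Management Engine 11" item, describes the mechanism as an undocumented PCH strap in the flash descriptor. The following is an added example, not Positive Technologies' or me_cleaner's code, that shows where such a strap lives: it parses the Intel Flash Descriptor at the start of an SPI image (signature `0x0FF0A55A` at offset 0x10, PCH straps located through the FPSBA field of FLMAP1), reports whether the HAP strap is set, and produces a patched copy in memory. The bit position (bit 16 of PCHSTRP0) is an assumption taken from public tooling for ME 11 and is not stated on this page; confirm it for your platform before doing anything with a real image. The sample image is constructed, and the code never writes to flash; the researchers' own disclaimer about bricked machines and keeping an SPI programmer to hand applies to any attempt to go further.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	// The Intel Flash Descriptor signature sits 16 bytes into the descriptor region,
	// which is the first region of the SPI image.
	descSigOffset = 0x10
	descSignature = 0x0FF0A55A
	flmap1Offset  = 0x18
	// Assumption: the HAP strap is bit 16 of PCHSTRP0, the first dword of the PCH
	// straps section, as used by public tooling (me_cleaner) for ME 11. Not stated
	// on this page; verify for your platform.
	hapBit = uint32(1) << 16
)

// Descriptor holds the fields needed to reach PCHSTRP0.
type Descriptor struct {
	FPSBA    uint32 // byte offset of the PCH straps section
	PCHSTRP0 uint32 // first PCH strap dword
}

// ParseDescriptor validates the signature and locates PCHSTRP0 via FLMAP1.
func ParseDescriptor(img []byte) (Descriptor, error) {
	var d Descriptor
	if len(img) < flmap1Offset+4 {
		return d, errors.New("image too short for a flash descriptor")
	}
	if binary.LittleEndian.Uint32(img[descSigOffset:]) != descSignature {
		return d, errors.New("flash descriptor signature not found")
	}
	flmap1 := binary.LittleEndian.Uint32(img[flmap1Offset:])
	d.FPSBA = ((flmap1 >> 16) & 0xFF) << 4 // FPSBA field is in 16-byte units
	if int(d.FPSBA)+4 > len(img) {
		return d, errors.New("PCH straps section lies outside the image")
	}
	d.PCHSTRP0 = binary.LittleEndian.Uint32(img[d.FPSBA:])
	return d, nil
}

// HAPSet reports whether the HAP strap is already set in the image.
func HAPSet(img []byte) (bool, error) {
	d, err := ParseDescriptor(img)
	if err != nil {
		return false, err
	}
	return d.PCHSTRP0&hapBit != 0, nil
}

// SetHAP returns a copy of img with the HAP strap set. The input is left untouched
// so the two can be diffed before anyone decides to flash anything.
func SetHAP(img []byte) ([]byte, error) {
	d, err := ParseDescriptor(img)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), img...)
	binary.LittleEndian.PutUint32(out[d.FPSBA:], d.PCHSTRP0|hapBit)
	return out, nil
}

// syntheticImage builds a constructed 4 KiB descriptor for demonstration only:
// the signature, FLMAP1 pointing the PCH straps at 0x100, and PCHSTRP0 with or
// without HAP. It is not a dump of any real board.
func syntheticImage(hap bool) []byte {
	img := make([]byte, 0x1000)
	binary.LittleEndian.PutUint32(img[descSigOffset:], descSignature)
	binary.LittleEndian.PutUint32(img[flmap1Offset:], 0x00100006) // FPSBA=0x10 -> 0x100
	var strp0 uint32
	if hap {
		strp0 |= hapBit
	}
	binary.LittleEndian.PutUint32(img[0x100:], strp0)
	return img
}

func main() {
	img := syntheticImage(false)
	before, _ := HAPSet(img)
	patched, _ := SetHAP(img)
	after, _ := HAPSet(patched)
	fmt.Printf("HAP strap before: %v, after: %v\n", before, after)
}
```

On a real dump taken with an SPI programmer, the read-only `HAPSet` check is the useful part: it tells you whether a vendor shipped the strap set (as the HAP program would) without touching the image. Note the last paragraph of the quoted write-up: setting the strap leaves ME's early boot role intact and its interaction with Boot Guard was still an open question at the time.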
