Monthly Archives: September 2017

T-Mobile to offer free Netflix, Roku launches free movie channel

Researchers discovered an Intel kill switch hiding in one of the chipmaker’s software products, along with references to an NSA program focused on secure computing.

Security researchers studying the Intel Management Engine discovered an undocumented kill switch in the code, as well as references to a National Security Agency program.

Dmitry Sklyarov, Mark Ermolov and Maxim Goryachy, security researchers for Positive Technologies, based in Framingham, Mass., found the Intel kill switch that has the ability to disable the controversial Intel Management Engine (ME).

Experts have been wary of the Intel ME because it is an embedded subsystem on every chip that essentially functions as a separate CPU, with deep access to system processes, and it could be active even if the system were hibernating or shut off.

Lamar Bailey, director of security research and development at Tripwire Inc., based in Portland, Ore., said the Intel ME is “an out-of-band remote management interface” that is not uncommon in hardware.

“The problem happens when there are vulnerabilities in these interfaces or weak authentication issues. The remote management interface has the ability to take over and modify a system. So, to many, they are seen as security risks, and they are often the target of research and hackers,” Bailey told SearchSecurity. “Many organizations, both commercial and federal, disable these features due to security concerns.”

Finding the Intel kill switch

It was previously thought that the Intel ME was impossible to access or disable because, as the Positive Technologies researchers noted in their analysis, “the executable modules are compressed by Huffman codes with unknown tables.” But the researchers found a way around this.

When inspecting the Intel ME code, the researchers found a field labeled “High Assurance Platform (HAP) enable,” which is a reference to “a multiyear NSA program with the vision to define a framework for the development of the ‘next generation’ of secure computing platforms,” according to the Trusted Computing Group.

The researchers said this was essentially an Intel kill switch for the Management Engine, because once that feature was enabled, “quick checks showed that ME did not respond to commands or react to requests from the operating system.” And because the HAP feature disabled Intel ME at such an early stage of system boot, it won’t cause the ME to crash. However, the researchers couldn’t find a way to disable the Intel kill switch.

Intel did not respond to SearchSecurity’s requests for comment on this story. However, a company representative did confirm the Intel kill switch was introduced at the request of the U.S. government and the HAP program, but noted the “modifications underwent a limited validation cycle and are not an officially supported configuration.”

Reactions to the Intel kill switch

Bailey said any customer big enough could make a vendor consider implementing a feature like the kill switch, “no matter if they are commercial or federal.”

“If I were using these in a highly classified area or even a secure data center, I would demand these features be turned just like we disable external ports like USB,” Bailey said. “It’s just another lock on the system as companies and organizations secure their data and information.”

Satya Gupta, co-founder and CTO at application security vendor Virsec in San Jose, Calif., said the Intel kill switch “at the chip level may sound nefarious, [and] it’s almost inevitable for any technology to have a reboot function if all else fails.”

“Technology backdoors are always problematic and a very slippery slope. We’ve seen this with the encryption debate — if there’s a backdoor, it will almost inevitably get in the wrong hands and become a huge liability,” Gupta told SearchSecurity. “And if the U.S. has a backdoor, should this be shared with allies? Will China demand their own backdoors to allow access to their markets?”

Philip Lieberman, president of Lieberman Software Corp. in Los Angeles, said the design of the processor “may have flaws that can be exploited by high-capability attack teams, but it is doubtful that backdoors have been implemented by design.”

“The Management Engine has been a work in process that deserves criticism for its lack of transparency, and it has not exhibited consistent quality. I attribute lack of security and potential kill switches to poor engineering quality by Intel, rather than collaboration with intelligence agencies,” Lieberman told SearchSecurity via email. “In reality, government agencies may very well be helping Intel close security holes they have inserted by mistake — the U.S. government agencies might not be evil or conniving as some might believe.”

This is beginning to remind me of the books:

INVASION USA (Book 1) – The End of Modern Civilization

The shutdown of the United States of America, and 97% of the entire world.

via:  searchsecurity

Equifax says 143 million consumers potentially hacked

Equifax Inc, a provider of consumer credit scores, said on Thursday a hack exposed the personal details of potentially 143 million U.S. consumers between mid-May and July.

The company’s shares were down 5.4 percent in after-market trading.

The company said criminals had accessed details including names, social security numbers, and, in some cases, driver’s license numbers.

In addition, credit card numbers of around 209,000 U.S. consumers and certain dispute documents with personal identifying information of around 182,000 U.S. consumers were accessed, the company said.

Equifax also said personal information of certain UK and Canadian residents was hacked.

The Atlanta-based company said it would work with UK and Canadian regulators to determine the next steps.

Equifax, which discovered the unauthorized access on July 29, said it had hired a cybersecurity firm to investigate the breach.

The company said there was no evidence of a breach into its core consumer or commercial credit reporting databases.

The breach could be one of the biggest in the United States.

Last December, Yahoo Inc said more than 1 billion user accounts were compromised in August 2013, while in 2014 e-commerce company eBay Inc had urged 145 million users to change their passwords following a cyber attack.


via:  foxbusiness

Google launches a new certification program for mobile web developers

Google has launched a new certification program for mobile web developers. As the name implies, the Mobile Web Specialist Certification is meant to help developers show off their mobile web development skills, no matter how they learned them. The program joins Google’s existing certification programs for Android developers, cloud architects and data engineers.

Taking the open book test will cost $99 (or 6500 INR in India) and consist of a number of coding challenges and a 10-minute exit interview, which allows you to explain why you chose a given solution to solve your exam questions. You’ll have four hours to complete the coding challenges and you can take three stabs at the exam if you don’t pass in your first attempt. Some of the topics covered here include basic website layout and styling, progressive web apps, performance optimization and caching, as well as testing and debugging.

Google also offers a study guide to help you prepare for the exam.

Once you pass the exam, you will get “a digital badge to display on your resume and social media profiles” (for reasons I can’t explain, Google notes that you can even use this badge on your Google+ profile…). This isn’t about some digital badge, of course. The main idea here is obviously to give developers a way to highlight their skills to potential employers. Given that this is an untested program, though, it remains to be seen how these certifications will actually influence hiring and interviewing decisions.

via:  techcrunch

Details of U.S. ‘Top Secret’ Clearance Holders Leaked Online

The personal details of thousands of individuals who submitted job applications to an international security firm were exposed online due to an unprotected storage server set up by a recruiting services provider.

Chris Vickery of cyber resilience firm UpGuard discovered on July 20 an Amazon Web Services (AWS) S3 storage bucket that could be accessed by anyone over the Internet. The server stored more than 9,400 documents, mostly representing resumes of people who had applied for a job at TigerSwan, an international security and global stability firm.

The documents included information such as names, physical addresses, email addresses, phone numbers, driver’s license numbers, passport numbers and at least partial social security numbers (SSNs). In many cases, the resumes also provided information on security clearances from U.S. government agencies, including the Department of Defense, the Secret Service, and the Department of Homeland Security. Nearly 300 of the exposed resumes listed the applicant as having a “Top Secret/Sensitive Compartmented Information” clearance.

According to UpGuard, a majority of the individuals whose information was compromised were military veterans, but hundreds of resumes belonged to law enforcement officers who had sought a job at TigerSwan, a company recently described by The Intercept as a “shadowy international mercenary and security firm.”

The list of affected people also includes a former United Nations worker, an active Secret Service agent, a parliamentary security officer from Eastern Europe, and a logistical expert from Central Africa.

UpGuard also highlighted that some of the individuals whose details have been leaked are Iraqi and Afghan nationals who worked with U.S. and Coalition forces. Experts believe the leak could pose a serious risk to these individuals if someone other than UpGuard had found the unprotected storage server.

UpGuard informed TigerSwan about the leak on July 21, but the files were left unprotected until August 24. In a statement published on its website, TigerSwan clarified that the files were exposed by TalentPen, a recruiting firm whose services it had used between 2008 and February 2017.

TigerSwan said it initially believed that UpGuard’s warnings via email and phone were part of a phishing attack, especially since the notifications came shortly after the WannaCry and NotPetya malware outbreaks and the URLs provided by the cybersecurity firm were not linked to TigerSwan. The company realized that UpGuard’s claims were legitimate only on August 31, when it was contacted by reporters, but by that time the storage server had been secured by TalentPen.

TigerSwan says it’s in the process of contacting affected individuals. The company has advised people who submitted a resume on its website between 2008 and 2017 to call a hotline (919-274-9717) to find out if they are impacted by the incident.

In order to help prevent these types of leaks, Amazon recently announced the launch of Macie, a new security service designed to help AWS users protect sensitive data.


via:  securityweek

St. Jude Medical Recalls 465,000 Pacemakers Over Security Vulnerabilities

Pacemaker Patients Must Visit Healthcare Provider for Firmware Update That Addresses Security Vulnerabilities

A firmware update to address security vulnerabilities has been approved and is now available for radio frequency (RF)-enabled St. Jude Medical (now Abbott) implantable pacemakers, the U.S. Food and Drug Administration (FDA) announced.

Vulnerabilities in St. Jude Medical’s devices were made public last year by MedSec and Muddy Waters, as part of an investment strategy to short sell shares of St. Jude’s stock. The report claimed that attackers could, among other things, crash implantable cardiac devices and drain their battery at a fast rate.

St. Jude rushed to refute the allegations and even sued the two companies, while University of Michigan researchers analyzed the MedSec/Muddy Waters report and discovered that their proof-of-concept (PoC) exploit did not actually crash the implanted cardiac device.

Muddy Waters and MedSec responded to the lawsuit in October, after contracting security consulting firm Bishop Fox to provide an expert opinion on St. Jude implantable cardiac devices. They also revealed additional attacks against those devices.

The FDA and the Department of Homeland Security (DHS) also launched an investigation into the matter. In December 2016, the FDA released guidance on the postmarket management of cybersecurity for medical devices, while St. Jude Medical pushed a security update to resolve some of the flaws in January 2017.

The newly released software update was approved on August 23 and is now available to “reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities for certain Abbott (formerly St. Jude Medical) pacemakers,” FDA announced.

The firmware is intended for St. Jude Medical’s implantable cardiac pacemakers and cardiac resynchronization therapy pacemaker (CRT-P) devices, including Accent, Anthem, Accent MRI, Accent ST, Assurity, and Allure devices. Implantable cardiac defibrillators (ICDs) or cardiac resynchronization ICDs (CRT-Ds) are not affected.

To install the update, patients must visit a healthcare provider, as the operation cannot be performed at home.

“The FDA recommends that patients and their health care providers discuss the risks and benefits of the cybersecurity vulnerabilities and the associated firmware update designed to address such vulnerabilities at their next regularly scheduled visit,” the FDA announced.

In an advisory, US CERT reveals that three different vulnerabilities are addressed with the new firmware update, all of which could be exploited via an adjacent network. However, an attacker looking to leverage the flaws needs to be in close proximity to the target pacemaker to allow RF communications, the advisory reads.

The first of the bugs, CVE-2017-12712, affects the pacemaker’s authentication algorithm, which can be compromised or bypassed to allow a nearby attacker to issue unauthorized commands to the pacemaker.

The second vulnerability, CVE-2017-12714, resides in the pacemakers not restricting or limiting the number of correctly formatted “RF wake-up” commands that can be received. Thus, a nearby attacker could drain the device’s battery by repeatedly sending commands.

Tracked as CVE-2017-12716, the third issue affects Accent and Anthem pacemakers, which transmit unencrypted patient information via RF communication, in addition to storing optional patient information without encryption. The Assurity and Allure pacemakers do not contain the vulnerability and also encrypt stored patient information.

The firmware releases meant to mitigate these issues include Accent/Anthem, Version F0B.0E.7E; Accent MRI/Accent ST, Version F10.08.6C; Assurity/Allure, Version F14.07.80; and Assurity MRI, Version F17.01.49.

“The pacemaker firmware update will implement ‘RF wake-up’ protections and limit the commands that can be issued to pacemakers via RF communications. Additionally, the updated pacemaker firmware will prevent unencrypted transmission of patient information (Accent and Anthem only),” the CERT advisory reads.
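The two mitigations the advisory describes, a cap on how many “RF wake-up” commands are honoured per time window (the CVE-2017-12714 battery-drain case) and an allowlist on which commands may be issued over RF at all, are sketched below as a defender-side model. This is an added example and not Abbott’s, St. Jude Medical’s or US-CERT’s code; the command codes, the 60-second window and the cap of three wake-ups are hypothetical values chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical RF command codes. The real device protocol is not public
 * and is not reproduced here. */
enum rf_cmd {
    RF_CMD_WAKEUP      = 0x01,
    RF_CMD_READ_STATUS = 0x02,
    RF_CMD_SET_PARAM   = 0x03   /* not on the RF allowlist in this model */
};

#define WAKEUP_WINDOW_S       60U  /* assumed sliding window, seconds      */
#define WAKEUP_MAX_PER_WINDOW 3U   /* assumed wake-ups honoured per window */

enum rf_verdict { RF_ACCEPT, RF_REJECT_RATE, RF_REJECT_CMD, RF_REJECT_AUTH };

struct rf_gate {
    uint32_t wake_times[WAKEUP_MAX_PER_WINDOW]; /* ring of accepted wake-up times */
    size_t   wake_count;                        /* valid entries in the ring       */
    size_t   wake_head;                         /* next slot to overwrite          */
    bool     session_authenticated;             /* set by the authentication step  */
    uint32_t rejected_wakeups;                  /* surfaced in clinician logs      */
};

void rf_gate_init(struct rf_gate *g) { memset(g, 0, sizeof *g); }

/* Number of accepted wake-ups that fall inside the current window. */
static size_t wakeups_in_window(const struct rf_gate *g, uint32_t now_s) {
    size_t n = 0;
    for (size_t i = 0; i < g->wake_count; i++)
        if (now_s - g->wake_times[i] < WAKEUP_WINDOW_S) n++;
    return n;
}

/* Gate one received RF command. Wake-ups beyond the cap are dropped before
 * the radio session is brought up, so a flood costs no more than this check;
 * commands not on the allowlist are dropped regardless of authentication. */
enum rf_verdict rf_gate_handle(struct rf_gate *g, uint8_t cmd, uint32_t now_s) {
    switch (cmd) {
    case RF_CMD_WAKEUP:
        if (wakeups_in_window(g, now_s) >= WAKEUP_MAX_PER_WINDOW) {
            g->rejected_wakeups++;
            return RF_REJECT_RATE;
        }
        g->wake_times[g->wake_head] = now_s;
        g->wake_head = (g->wake_head + 1) % WAKEUP_MAX_PER_WINDOW;
        if (g->wake_count < WAKEUP_MAX_PER_WINDOW) g->wake_count++;
        return RF_ACCEPT;
    case RF_CMD_READ_STATUS:
        return g->session_authenticated ? RF_ACCEPT : RF_REJECT_AUTH;
    default:
        return RF_REJECT_CMD;
    }
}

/* Replay a burst of n wake-ups arriving at the same instant (constructed
 * input modelling the drain attack) and return how many were honoured. */
size_t simulate_wakeup_burst(struct rf_gate *g, size_t n, uint32_t now_s) {
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (rf_gate_handle(g, RF_CMD_WAKEUP, now_s) == RF_ACCEPT) accepted++;
    return accepted;
}

/* Self-check: 0 on success, otherwise the number of the failing step. */
int rf_gate_selftest(void) {
    struct rf_gate g;
    rf_gate_init(&g);
    if (simulate_wakeup_burst(&g, 10, 0) != 3 || g.rejected_wakeups != 7) return 1;
    if (rf_gate_handle(&g, RF_CMD_WAKEUP, 30) != RF_REJECT_RATE)         return 2;
    if (rf_gate_handle(&g, RF_CMD_WAKEUP, 60) != RF_ACCEPT)              return 3;
    if (rf_gate_handle(&g, RF_CMD_SET_PARAM, 60) != RF_REJECT_CMD)       return 4;
    if (rf_gate_handle(&g, RF_CMD_READ_STATUS, 60) != RF_REJECT_AUTH)    return 5;
    return 0;
}

int main(void) {
    int r = rf_gate_selftest();
    printf(r == 0 ? "rf gate model: ok\n" : "rf gate model: step %d failed\n", r);
    return r;
}
```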

The firmware update can be applied to implanted pacemakers via the Merlin PCS Programmer and the operation should be performed by a healthcare provider.


via:  securityweek

Serious Vulnerabilities Disclosed in Modems Used by AT&T’s U-verse Service

Five vulnerabilities have been found in Arris-manufactured home networking equipment supplied with AT&T’s U-verse service. The vulnerabilities are considered so trivial to exploit that they have been disclosed to the public without waiting for remedial work from either Arris or AT&T.

On one of the vulnerabilities, Joseph Hutchins of Nomotion Software reported yesterday, “It is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents. Which is why this report is not passing Go, not collecting $200, and is going straight to the public domain.”

Arris has said that it is investigating the claims and cannot yet comment; but that it will take any necessary action to protect users of its devices. SecurityWeek has reached out to AT&T, and will update this article with any response.

It is worth noting that Arris is not a stranger to vulnerabilities — a talk “CableTap: Wireless Tapping Your Home Network” was recently delivered at Def Con. It is also worth noting that Nomotion is not certain whether the vulnerabilities it discusses come from Arris or AT&T; but makes the point that AT&T is responsible to its users.

Right now, U-verse users should be aware that these are serious vulnerabilities. Tod Beardsley, Research Director at Rapid7, told SecurityWeek by email, they “include three separate maintenance interfaces over SSH and two hidden HTTP-based services, all of which are reachable from the internet with hard-coded credentials and susceptible to command injection attacks. In addition, Nomotion discovered an unauthenticated firewall bypass vulnerability, which appears to be a rudimentary reverse TCP proxy, allowing unfettered access from the internet to computers on the LAN side. Any one of these vulnerabilities is disastrous for AT&T U-Verse customers, since they ultimately bypass any security controls offered by these modems.”

In the first vulnerability described by Nomotion, the latest firmware update for the NVG589 and NVG599 modems enables SSH and contains hardcoded credentials. It seems to be connected to a module whose sole purpose appears to be to inject advertisements into the user’s unencrypted web traffic. Although there is no evidence that the module is being used, “it is present, and vulnerable,” says Hutchins.

He goes on to describe one potential exploit, but adds that “one can guess that hundreds of additional vulnerabilities exist.” The Censys search engine reports that there are likely at least 14,894 vulnerable hosts.

The second vulnerability involves default credentials on the NVG599’s HTTPS server. “The username tech with an empty password field conveyed access to this highly vulnerable web server,” writes Hutchins.

The third vulnerability involves the same device, which is susceptible to a command injection attack. “There are countless ways to exploit this,” writes Hutchins, “but a few quick and dirty stacked commands using wget to download busybox with netcat (mips-BE) from an http server (no SSL support) and then spawn a reverse shell works well.” He estimates that there may be around 200,000 vulnerable hosts.

The fourth vulnerability involves a service on port 61001. This is considered the most prevalent but not the biggest threat. It requires knowledge of the device’s serial number; however, if the serial number is known, the service returns a “plethora” of information.

“The server will hang for several seconds before returning a response,” says Hutchins. “Afterwards, several pieces of invaluable information are returned about the modem’s configuration, as well as its logs. The most sensitive pieces of information are probably the WiFi credentials and the MAC addresses of the internal hosts, as they can be used for the next vulnerability.”

That fifth vulnerability is the most prevalent: a firewall bypass with no authentication. It simply requires the device’s MAC address. If not obtainable through the previous vulnerability, this can be brute-forced or sniffed over Wi-Fi. “Basically,” says Hutchins, “if your neighbor knows your public IP address, you are in immediate danger of intrusion.”

Although Nomotion’s disclosure has not waited for remedial action from either AT&T or Arris, Hutchins does offer workarounds for each of the vulnerabilities. The difficulty here is that they tend to be technical solutions on home devices.

“The firewall bypass issue is resolved by a fairly straight-forward configuration change on the modem’s normal configuration interface,” said Beardsley; “but it’s unlikely that most of AT&T customers will be comfortable with making these changes on their own.” The remaining workarounds are even more difficult, and require, said Beardsley, “some fairly advanced ‘self-hacking’ to implement… and that comes with its own risks of accidentally (and permanently) disabling the affected hardware through a misplaced typo. So, while customers who have the technical chops to implement these fixes have some hope of side-stepping disaster, the vast majority of U-Verse customers are strongly urged to make a service call to AT&T’s technical support for assistance and updates.”

In short, warns Beardsley, “These vulnerabilities present a golden opportunity for widespread, automated damage at the hands of malicious hackers, up to and including another Mirai-like mass-hijack of affected modems. AT&T U-Verse customers are urged to take this disclosure seriously, and keep a close watch on AT&T’s plans for pushing out updated firmware to resolve these issues.”


via:  securityweek

How Amazon’s Whole Foods compares to Walmart after price cuts

Amazon closed on Whole Foods in a $13.7 billion deal and began slashing the chain’s grocery prices as a result. While the deal has much larger implications for Amazon, the goal with the price cuts — including those on many of its organic items — is to bring Whole Foods more in line with rival stores. But even with Amazon willing to slim its margins on Whole Foods’ groceries, can it really expect to compete with its top competitor Walmart when it comes to affordable groceries?

Today, Walmart’s brand is associated with a focus on low prices, while people tend to joke that Whole Foods should be called “whole paycheck,” because that’s what it takes to shop there.

Amazon had announced Whole Foods price cuts on things like bananas, organic avocados, organic large brown eggs, organic responsibly farmed salmon and tilapia, organic baby kale and baby lettuce, animal-welfare-rated 85 percent lean ground beef, creamy and crunchy almond butter, organic Gala and Fuji apples, organic rotisserie chicken, 365 Everyday Value organic butter and other items. As it turned out, it had already begun discounting other grocery staples today, including milk and cheese.


To find out how the newly discounted Whole Foods groceries compared to Walmart, we shopped the same selection at two stores in the same region on the East Coast around the same time. This is by no means a definitive answer to the question at hand, of course — it’s too early for that — but rather more of a snapshot of how prices compare on Day One. It wouldn’t be surprising to see Walmart very quickly respond with price cuts of its own.

To be clear, we only looked at the same products that just received price cuts at Whole Foods today. Walmart, overall, may continue to be more affordable — especially as you fill your cart with generics that aren’t organic, responsibly farmed, gluten-free and so on.

According to the comparison shopping results, Walmart was often cheaper. But that was not always the case.

With these price cuts, Whole Foods is beating Walmart on price for things like organic milk, almond butter, organic pasta sauce and organic bananas, for example. At times, those “beats” were just pennies, other times they were a lot more.

That said, where Walmart beat, it sometimes did so by a wide margin, too. It had the cheaper organic eggs, ribeye steaks, 12-packs of water and salmon.

But it also didn’t have as full a selection of organic items to choose from, which limited the possible comparisons. (Of course, inventory will vary by store, so your mileage may vary.)

This Walmart didn’t have organic avocados, organic apples, organic baby kale salad mix, organic almond milk or organic store-brand butter or cheese. Whole Foods did, and it made those items cheaper today.

In other words, if buying organic is important to you, Whole Foods may be the better choice, even if prices are higher — that’s why people started shopping there to begin with, after all.


via:  techcrunch

Amazon slashes prices for its Music Unlimited service for students

Amazon has a gift for the back-to-school set in the form of drastically reduced prices on its subscription music service.

Amazon Music Unlimited (for students) is available in the U.S. starting today for the low-low price of $4.99 per month. That’s less than the $7.99 per month that Amazon charges its Prime subscribers or the $9.99 per month for non-Prime customers.

For students who are eligible to be Prime Student members, Amazon is offering students the option to enroll for six months for $6.

The Music Unlimited service for Students also offers Alexa voice controls. The company sent over the following use cases in an email…

  • Need music to help you study? Just ask, “Alexa, play classical music for studying,” or “Alexa, play pop music for focusing.”
  • Want music to help you wake up for class? Ask, “Alexa, play wake up music.”
  • Can’t remember the name of a song you just heard? Just ask, “Alexa, play the song that goes ‘Don’t be afraid to catch feels,’” and Alexa will play “Feels” by Calvin Harris.
  • Looking for the latest song by Justin Bieber? Ask, “Alexa, play the new song by Justin Bieber,” and Alexa will play, “Friends.”
  • In the mood for songs to get ready for the big game? Ask, “Alexa, play the Tailgate Twangfest playlist.”
  • Want to hear the early Taylor Swift catalog? Just ask, “Alexa, play Taylor Swift from the 2000s,” and Alexa will shuffle the singer’s first couple of albums.

(If you’re asking for that stuff, I might recommend that you ask for better taste in music instead… although Alexa probably won’t be able to help.)

The price wars that have hit every other corner of the music business seem to have landed in the student union now too. Apple has offered a $4.99 music deal to students since May 2016.


via:  techcrunch

Facebook to open source LogDevice for storing logs from distributed data centers

Facebook is planning to open source LogDevice, the company’s custom-built solution for storing logs collected from distributed data centers. The company made the announcement as part of its Scale conference.

Logs are used to track database events. If a server suffers an outage for any reason, companies need a way to debug, perform security audits and ensure consistency between servers. This is particularly important to Facebook, which holds immense amounts of your content across its massive data centers around the world.

LogDevice is capable of recording data regardless of hardware or network issues. If something breaks, it will simply hand off the task of collecting logs. And when everything turns back on, LogDevice can restore records at between five and 10 gigabytes per second.

If you’re Facebook, and will soon have 10 data centers, you need a system of record to ensure each center is on the same page. And things get extra complicated when you consider the complexity of backups the company needs to do with its data. LogDevice helps when you need to replicate data from these separate data centers.

If you get frustrated and regretfully throw an expensive server across the room, LogDevice will report exactly which records were lost. By separating record sequencing and storage, and randomly assigning records to different storage locations, it enhances resiliency of the entire data center.

Facebook didn’t give an exact date for when it expects to open source LogDevice, but it says it will occur later in 2017.


via:  techcrunch