Security Roundup - 2018-01-15

More Intel security woes. Last year appears to have been a rough year for Intel, with security research from July disclosing how easy it is to gain remote access to machines with Intel’s Active Management Technology. While the attack does require physical access, it just involves rebooting the computer, entering the BIOS and configuring Intel’s AMT with its default password. This could then allow an attacker to bypass Trusted Platform Module protections, or even BitLocker disk encryption passwords. Mitigation is as simple as protecting the BIOS, and the AMT configuration options, with better passwords.

Lenovo fixes backdoors in network switches. After an internal firmware audit, Lenovo has fixed backdoors in two lines of switches. The backdoors were added in 2004, when these devices were managed by Nortel, and Lenovo states they were added at the request of an OEM customer.

Let’s Encrypt disables TLS-SNI validation due to shared infrastructure concerns. Security researchers have discovered a way to abuse TLS-SNI validation in Let’s Encrypt to obtain TLS certificates for sites they don’t control. This attack largely comes into play with shared infrastructure, where multiple accounts use the same IP and the hosting provider doesn’t perform any checks on the certificates its tenants install. After reviewing potentially vulnerable providers, Let’s Encrypt has opted to remove this form of validation due to the overwhelming number of them. Instead, they suggest moving to DNS- and HTTP-based verification.
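The missing control the paragraph describes is on the hosting provider’s side: nothing stops one tenant from installing a certificate for names that belong to another tenant on the same IP. The following is an added example, not code from the roundup or from Let’s Encrypt, of the check a shared host’s control panel could run before installing a customer-uploaded certificate. It assumes the panel has already extracted the certificate’s subjectAltName DNS entries into a list of strings and knows which domains the account owns; the `.acme.invalid` suffix is the reserved zone the TLS-SNI-01 challenge used for its validation names.

```python
# Added example (not the roundup's or Let's Encrypt's code): refuse to install a
# tenant-uploaded certificate unless every name it covers belongs to that tenant.
# Assumes the control panel has already pulled the SAN DNS names out of the
# certificate (e.g. with an X.509 library) and passes them in as strings.
from typing import Iterable, List, Tuple

# TLS-SNI-01 validation names live under the reserved "acme.invalid" zone; a
# shared host should never let a tenant install a certificate for one of them.
VALIDATION_ONLY_SUFFIXES = (".acme.invalid",)


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def name_is_owned(san: str, owned_domains: Iterable[str]) -> bool:
    """True if `san` equals, or is a subdomain of, a domain the account owns.

    A wildcard SAN (*.example.com) is accepted only when the account owns
    example.com itself; a wildcard never reaches up into a parent zone.
    """
    san = _normalize(san)
    if san.startswith("*."):
        san = san[2:]
        if san == "":
            return False
    for owned in owned_domains:
        owned = _normalize(owned)
        # Exact match, or a label boundary followed by the owned domain:
        # "notexample.com" must not match "example.com".
        if san == owned or san.endswith("." + owned):
            return True
    return False


def check_certificate_sans(sans: Iterable[str],
                           owned_domains: Iterable[str]) -> Tuple[bool, List[str]]:
    """Return (accepted, rejected_names); accept only if every SAN is owned."""
    owned = [_normalize(d) for d in owned_domains]
    rejected: List[str] = []
    for san in sans:
        n = _normalize(san)
        if any(n.endswith(sfx) for sfx in VALIDATION_ONLY_SUFFIXES):
            rejected.append(san)   # validation-only name, never legitimate here
        elif not name_is_owned(n, owned):
            rejected.append(san)   # belongs to another tenant, or to nobody
    return (len(rejected) == 0, rejected)


if __name__ == "__main__":
    # Constructed sample: the account owns example.com, the upload also names a
    # validation-only host and a domain from another tenant.
    ok, bad = check_certificate_sans(
        ["shop.example.com", "*.example.com",
         "abc123.def456.acme.invalid", "victim.example.net"],
        ["example.com"])
    print("accepted" if ok else "rejected: " + ", ".join(bad))
```

The suffix test uses `"." + owned` rather than a bare `endswith(owned)` so that a lookalike registered by another tenant (`notexample.com`) cannot slip past as a subdomain of `example.com`.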

India’s Aadhaar System. Recent weeks have seen criticism of India’s biometric database, specifically around its security. On Aadhaar’s side there are plenty of claims that the system is ‘hack proof’. Offended by the concept of ‘hack proof’, Troy Hunt has done a partial rundown of its public security posture, and it isn’t pretty.

EFF’s guide on vendor data security assessment. With breaches becoming more and more prevalent, we should all be concerned about how our data is stored. And maybe you are someone at an SMB which doesn’t really have a security team, but wants to think about that when vetting third parties you want to do business with. In that case, you will want to read the EFF’s guide on ‘How to Assess a Vendor’s Data Security’, covering things to think about, search for, and ask, as well as a few things to make sure you find out about problems as quickly as possible.

Local network storage takeover. Seagate has fixed a problem in a series of network storage devices. A local call to the device could trick it into running commands and enabling remote access, and since these calls can be made by the browser, there are a few attack vectors available, including phishing, malvertising, or malicious browser extensions. Unfortunately, while Seagate has fixed the problem, they have apparently not actually responded to the security researchers that contacted them about it.
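What makes this class of bug reachable through phishing or malvertising is that the device’s local web interface accepts whatever the user’s browser sends it, no matter which page triggered the request. The following is an added example, not Seagate’s firmware code, of the request guard a device’s admin interface can apply so that a foreign page cannot drive it. It assumes the device knows the hostnames and addresses it legitimately answers on (`DEVICE_HOSTS`, a constructed sample set) and issues a per-session CSRF token that its own pages echo back in an `X-CSRF-Token` header; all names and headers in the samples are constructed.

```python
# Added example (not Seagate's code): a request guard for a device's local web
# admin interface. Three checks, in order: the Host header must be one of our
# own names (defeats DNS rebinding), a state-changing request must not come
# from a foreign Origin, and it must carry the session's CSRF token.
from typing import Mapping, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample: the names this device expects to be reached by.
DEVICE_HOSTS: Set[str] = {"nas.local", "192.168.1.20"}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _host_only(value: str) -> str:
    """Strip port and brackets, normalize case; Host may carry a port."""
    host = value.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host[1:].split("]", 1)[0]
    return host.split(":", 1)[0]


def is_request_allowed(method: str, headers: Mapping[str, str],
                       expected_hosts: Set[str],
                       session_token: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request to the admin interface."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host must be one of our own names. A DNS-rebinding page reaches the
    #    device with the attacker-controlled hostname in Host, so it fails here.
    host = h.get("host")
    if host is None or _host_only(host) not in expected_hosts:
        return False, "unexpected Host header"

    if method.upper() in SAFE_METHODS:
        return True, "read-only request"

    # 2. For state-changing requests, Origin (or Referer) must be one of our
    #    names when present; a cross-site form post arrives with a foreign
    #    Origin, and a sandboxed frame sends the literal "null", which has no
    #    hostname and is rejected too.
    origin = h.get("origin") or h.get("referer")
    if origin is not None:
        parsed = urlsplit(origin)
        if parsed.hostname is None or parsed.hostname.lower() not in expected_hosts:
            return False, "cross-origin request"

    # 3. The request must also carry the session's CSRF token, which only the
    #    device's own pages can read and attach.
    if session_token is None or h.get("x-csrf-token") != session_token:
        return False, "missing or wrong CSRF token"
    return True, "same-origin request with valid token"


if __name__ == "__main__":
    # Constructed sample requests: one from the device's own UI, one from an ad
    # page in the same browser, one arriving via a rebound hostname.
    samples = [
        ("POST", {"Host": "192.168.1.20:8080", "Origin": "http://192.168.1.20:8080",
                  "X-CSRF-Token": "t0k3n"}),
        ("POST", {"Host": "nas.local", "Origin": "http://ad-network.example"}),
        ("POST", {"Host": "rebound.example", "Origin": "http://rebound.example"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs.get("Host"), "->", is_request_allowed(method, hdrs, DEVICE_HOSTS, "t0k3n"))
```

The Host check is the one that matters for the “local call” case: a page can point a hostname it controls at the device’s private address, but it cannot make the browser send the device’s own name in the Host header, so rebinding requests are refused before any command handler runs.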

Crackdown on Cybercrime celebrated with more Cybercrime. Taiwan recently celebrated a crackdown on cybercrime with a cybersecurity expo. Embarrassingly, winners of a cybersecurity knowledge quiz were awarded USB drives that had been infected with malware. Sadly, this isn’t the first time something like this has happened in the cybersecurity space, and we should keep in mind how much of a security risk USB drives are.

Written on January 15, 2018