Hastily-written news/info on the firmware security/development communities, sorry for the typos.
There’s a talk from Kyle Rankin of Final Inc, on using Libreboot. It covers coreboot, Intel ME, Intel AMT, and covers replacing Lenovo X60 and X200 firmware with Libreboot, as well as covering use of Arduino as part of the reflashing solution.
https://twitter.com/lordbaco/status/691711050727702532
http://greenfly.org/talks/security/libreboot.html
https://github.com/bibanon/Coreboot-ThinkPads/wiki/Hardware-Flashing-with-Raspberry-Pi
QIRA describes itself as a competitor to GDB and Strace.
https://code.google.com/archive/p/qira/
https://github.com/BinaryAnalysisPlatform/qira
It has a unique debugger interface!
https://www.paragon-software.com/technologies/ufsd/ufsd-uefi.html
https://www.paragon-software.com/technologies/components/uefi-iscsi/
This gives me a big sense of “deja vu”, similar to how OSR created a FS Kit for NT file system APIs. 🙂
Chris Hoffman of PCWorld has an article on Ubuntu’s UEFI security:
http://blog.virustotal.com/2016/01/putting-spotlight-on-firmware-malware_27.html
In related news, Teddy Reed’s UEFI Firmware Parser has been recently updated:
Video of the Intel CHIPSEC team from 2015’s REcon is now online.
Business changes at EMC, impacting VMWare, multiple news sites with stories on it.
http://fortune.com/2016/01/26/vmware-charge-changes-cfo/
http://www.wsj.com/articles/vmware-names-new-cfo-will-cut-800-jobs-1453847929
http://www.theregister.co.uk/2016/01/27/vmware_fusion_and_workstation_development_team_fired/
HardwareCon3 is happening this March. It is a conference for hardware startups:
http://www.hardwarecon.com/hardwarecon-2016-the-future-of-hardware/
http://www.hardwarecon.com/schedule-2/full-schedule/
https://www.eventbrite.com/e/hardwarecon-2016-tickets-15904516838?discount=meetup15
http://www.hardwarecon.com/
[…] “As the hardware revolution has matured, startups can no longer rely on first to market and record breaking crowdfunding campaigns to help establish a business. Competition has rapidly expanded and once revolutionary new products are fast becoming commodity. But new sub-sets of markets are simultaneously arising – “enchanted objects” and new M2M devices are just starting to see mass adoption and are opening whole new markets. At the request of hardware entrepreneurs and last year’s participants, HardwareCon 2016 is expanding this year to include a Hardware University day at its start on Friday March 4th in addition to the expert advice and hard data provided to participants at HardwareCon.” […]
First to market with insecure product is no longer a reliable tactic? Nice to know! I can’t find anything on security at this conference. I am afraid this is one source of insecure IoT products, or as they like to call them, “enchanted objects”, after the book of the same name. If this conference continues, I hope the 4th/subsequent ones have a track on security.
Postmarket Management of Cybersecurity in Medical Devices
Draft Guidance for Industry and Food and Drug Administration Staff
DRAFT GUIDANCE
Document issued on: January 22, 2016
From Lexology.com:
Is Your Medical Device Cybersecure? FDA Issues Draft Guidance on Postmarket Cybersecurity in Medical Devices
Recently, the U.S. Food and Drug Administration (FDA) issued draft guidance outlining the agency’s recommendations for Postmarket Management of Cybersecurity in Medical Devices. The guidance is applicable to medical devices that contain software (including firmware) or programmable logic, as well as software that meets the definition of a medical device. The guidance does not apply to experimental or investigational medical devices. Comments on the draft guidance are due by April 21, 2016.
Full story:
http://www.lexology.com/library/detail.aspx?g=0d71435c-cfd5-4e49-8a43-198b9be8558e
Henry Newman has a new post on Enterprise Storage Forum about firmware, rootkits and security:
[…] The issue for both of these hacks was that the chain of custody of the firmware was not tracked.
[…] What I think is really meant is that, in most cases, there is a change in the firmware to allow the device to either boot something that is not what you expected or to run something that you did not expect. It could be firmware on the motherboard (which is also called BIOS) or firmware on peripheral equipment such as a storage controller, network or even the disk or SSD drives. So how would you secure a system against an attack on the basic firmware of the system, whether it be from the inside or outside, or a bit of both?
[…] I think as we move forward, it is time to start asking vendors the following questions:
   1. Who develops your firmware?
   2. Where is it developed (country)?
   3. How is the firmware inspected for malicious or bad code?
   4. Is the firmware being developed for the hardware on systems that are connected to the Internet?
   5. Is the firmware managed with secure hashes to ensure it is not perturbed from creation to loading?
[…] Firmware, I believe, is the next frontier in what is going to be attacked given how hard it is to detect bad firmware. Servers, networks, disks and SSD drives are all at risk unless vendors have a way of securing firmware. A secure firmware supply chain for your critical information – whether you are a small business, health care provider or a large multinational trying to protect your IP – is today, and will be tomorrow, a large challenge. […]
Full article:
http://www.enterprisestorageforum.com/storage-technology/rootkits-and-security.html
Charlie Osborne has an article in ZDNet about Shodan a search engine focused on non-existant security IoT:
Shodan: The IoT search engine for watching sleeping kids and bedroom antics
Shodan has made it even easier for our inner voyeur to spy upon the open webcams of homes across the world — but are the ramifications more pronounced than idle surveillance? Launched in 2013, Shodan is a search engine used to find Internet of Things (IoT) connected devices around the world. Webcams, security systems and routers are only some of the devices which, once connected to the Web, can offer a glimpse into our lives behind locked doors should poor security turn the key. Unfortunately, despite a steep rise in home Internet connectivity and the use of connected home devices — from lighting to cameras — and IoT-based vehicles, security comes up short. […]
Stefan Thom (Microsoft), Steve Hanna (Infineon), and Stacy Cannady (Cisco) have an article in Electronic Design on TPM use in embedded systems. If you are new to TPM, this is a nice introduction.
Standardizing Trust for Embedded Systems
It’s time to get more serious about the lack of security in embedded products. With recently developed standards, it’s implementation just got easier. If you haven’t been concerned about malicious players hacking into your products in the past, or haven’t found success with previous efforts, it’s time for renewed attention and action. Hacking efforts aren’t slowing and, in fact, are on the rise. These days, hackers can accomplish far more than ever before—and the repercussions are far more costly. […]
Full article:
http://electronicdesign.com/embedded/standardizing-trust-embedded-systems
The Blogger News Network has an article focused on consumers blindly buying the latest IoT gadgets without thinking about the downsides, and includes some basic tips for users to ask before buying the device, maybe you can use this advice for friends who don’t follow technology:
Pay attention to your IoT Device Security
Wow cool! A device that lets you know, via Internet, when your milk is beginning to sour! And a connected thermostat—turning the heat up remotely an hour before you get home to save money…and “smart” fitness monitors, baby monitors, watches… Slow down. Don’t buy a single smart device until you ask yourself these 10 questions. And frankly, there’s a lot of effort in some of these questions. But, security isn’t always easy. Check it out. […]
Full post:
http://www.bloggernews.net/137438
I hope there are some contrarian entrepreneurs out there, building IoT-free devices…
From FOSDEM, there’s a new laptop for those that care about about Open Source Hardware, and ‘blob’-free devices, to investigate, the Rombus Tech Libre Laptop, based on an Allwinner CPU.
[…] Luke Kenneth Casson Leighton (LKCL), did not give up on the idea, and has kept on working on EOMA68 standard with CPU cards from Allwinner and other SoC vendors. Recently, he’s been working on a Libre Laptop based on an Allwinner A20 EOMA68 CPU module, and will showcase the prototype at FOSDEM 2016 in Brussels this coming week-end. […]
http://rhombus-tech.net/community_ideas/laptop_15in/news/
http://lists.phcomp.co.uk/pipermail/arm-netbook/2016-January/thread.html
http://www.cnx-software.com/2016/01/26/rhombus-tech-15-6-libre-laptop-is-user-upgradeable-with-eoma68-cpu-cards/
Mouser is now shipping the Minowboard Turbot, the latest flavor of Minnowboard, from ADI Engineering.
Mouser Electronics, Inc. is now stocking the MinnowBoard Turbot, an enhanced open source development board. The MinnowBoard Turbot, now available from Mouser Electronics, is a powerful and expandable open-source platform that allows endless customization and integration potential. This compact embedded board is compatible with MinnowBoard MAX but adds the higher-performing dual-core Intel® Atom(TM) processor, FCC and CE certification, and designs and features that support commercial usage. With 2GBytes of DDR3L, Intel(R) HD Graphics, micro HDMI, Gigabit Ethernet, USB 3.0 and 2.0, and a Lure expansion board interface, the MinnowBoard Turbot combines robust hardware with support for several different operating systems (including Windows 10, Android 4.4, Debian GNU/Linux, Ubuntu, and Fedora) to help designers develop high-performance embedded applications. […]
http://www.mouser.com/publicrelations_adi_engineering_minnowboard_turbot_2015final/
http://www.mouser.com/new/adi-engineering/minnowboard-turbot/
https://firmware.intel.com/projects/minnowboard-uefi-firmware
http://lists.elinux.org/pipermail/elinux-minnowboard/
http://minnowboard.org/
https://twitter.com/SteveD3/status/691934387357782017
Exposed HP LaserJet printers offer Anonymous FTP to the public
Networked HP LaserJet printers, which have been made available to the public by the organizations hosting them, offer potential attackers a ready-made Anonymous FTP server. At present, there are thousands of these devices online. The exposed printers were the focus of a new blog post by Chris Vickery. Vickery has previously worked with Salted Hash on a number of stories – including database leaks that exposed class records at SNHU, 3.3 million Hello Kitty fans, 191 million voter records, and an additional 18 million voter records with targeted data. […]
Full article:
https://mackeeper.com/blog/post/185-spilling-the-beans
http://www.csoonline.com/article/3026184/security/exposed-hp-laserjet-printers-offer-anonymous-ftp-to-the-public.html
Kamil Domański has an article on Google Nest-flavored IoT reversing:
In the buzzword-powered world of IoT there doesn’t really seem to be as much innovation as some would have you think. The hundredth “smart” camera, door lock or lamp don’t really disrupt much, yet some players in this space seem to be getting far ahead of the others. A notable player in this space is Nest Labs who after their acquisition by Google rose to be one of the most prominent brand names in this space, now a subsidy of Alphabet. Here at Protonet we consider owning and having access to your own data as one of our core values – thus as much as we admire Alphabet’s tech, we’re sceptical about it’s cloud only approach to smart home products. It’s not much of a surprise then that we picked Nest products for our research efforts when looking into integration of different kinds of smart devices. […]
Full article: here (WordPress doesn’t like Tumblr.com URLs, refuses to show them.)
The Register has an article on Usenix Enigma security conference, which includes discussion on medical device firmware security:
Terrible infections, bad practices, unclean kit – welcome to hospital IT
Medicine is world’s worst industry for data security, it seems
[…] Therein lies the problem, he said, in that the lead time for medical devices is so long that they are outdated in today’s security terms. He showed off a pacemaker that had a debug routine that could interrupt a heartbeat and was open to anyone. In some cases, medical devices themselves were a point of infection. One device manufacturer shipped out a malware-infected firmware update that contained 38 Trojans, which then spread throughout hospitals. […]
Full article:
http://www.theregister.co.uk/2016/01/25/the_worst_industry_for_keeping_it_systems_clean_medicine/
Docker buys Unikernel Systems
Docker has purchased the Unikernel Systems, a Cambridge, U.K. start-up specializing in unikernel development, Docker announced Thursday. The purchase will help Docker expand the range of virtualization technologies if offers the enterprise can use, in effect turning Docker into a platform for running a wide range of workloads, not just container-based workloads. […]
Full story:
http://thenewstack.io/docker-buys-unikernel-systems-plans-bring-unikernels-data-center/
Dmytro “Cr4sh” Oleksiuk has a conversation on Twitter about using using his CHIPSEC-based exploit module against Lenovo models, noting some firmware vulnerabilities in Lenovo x220/x230 laptops.
Here are 5 tweets, let’s see how the non-deterministic WordPress.com rendering software will show them:
https://twitter.com/d_olex/status/6916255973326315
https://twitter.com/d_olex/status/69162603603585024252
It is nice to hear “The most recent ones looks not vulnerable.” Maybe the Lenovo QA team is improving? 🙂 Looking forward to more research on this, more than just a few Tweets, his research is usually very verbose! Also, he has updated the readme on his update script today:
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Discover the Desktop
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
News from coreboot world
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Just another WordPress.com site
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Firmware Security 
You must be logged in to post a comment.