https://twitter.com/pwnallthethings/status/892429696494956545
https://twitter.com/Firminat0r/status/892391239160614912
http://www.reuters.com/article/us-usa-cyber-congress-idUSKBN1AH474
What is secure erase, and is it certified on an Intel® SSD?
by Doug DeVetter | July 31, 2017
Intel SSD used with Secure Erase
I’m often asked whether the secure erase feature within Intel® SSDs is certified by NIST, U.S. DoD, or other government or industry bodies. Intel has implemented the secure erase feature consistent with the ATA and NVMe specifications. The designs and implementations have been internally reviewed and validated. A third party has tested the implementation on a subset of our products and reported that the data was unrecoverable. Intel is unaware of any industry or government body which certifies or approves the implementation of this technical capability. NIST SP 800-88 is often cited as the guideline to be followed in the United States with regard to secure erase. NIST provides guidelines; however, NIST does not certify compliance with these guidelines. In addition to being consistent with the ATA and NVMe specifications, our implementation of secure erase is in line with the NIST guidelines for data sanitization.[…]
https://itpeernetwork.intel.com/secure-erase-certified-intel-ssd/
Brian Richardson of Intel recently gave a talk about UEFI security at BSides Asheville, NC. Slides are on the below blog URL:
What you don’t know about firmware might get you 0wn3d
Following firmware developers on social media during Black Hat & Def Con can be a bit bewildering. Firmware is becoming more important in the realm of cybersecurity research. Most of the work I do is working with other firmware developers to make sure they understand current capabilities and trends, but that work may take months or years to hit the market. The people on the front lines of computer security need some understanding of what they can do today to help secure their systems. While many of my colleagues spent a very hot and crowded week in Las Vegas, I had a much cooler weekend at the BSides conference in Asheville, NC. My “What you don’t know about firmware might get you 0wn3d” presentation is designed to describe the importance of firmware in computer security, and what can be done today to mitigate and detect common attacks against firmware. There are practical methods to prevent a number of common bootkit/rootkit attacks, platform security features to consider when purchasing new systems, and responsible ways to research firmware issues.[…]
Researcher – Strategic Research Initiatives (SRI):
As the core research and development arm of the CrowdStrike Falcon product, the Strategic Research Initiatives (SRI) Team is at the forefront of cutting-edge research into security-related systems and techniques. The team strives to deliver cross-platform features for mid to long-term, visionary projects that expand the capabilities of Falcon Sensor. New EDR techniques and data sources, UEFI/Hypervisor capability, PnP and network stack visibility, containerization, scripting engine introspection, and emulation/sandboxing are just a few examples of SRI projects.[…]
https://jobs.jobvite.com/careers/crowdstrike/job/oAlo4fw7?__jvst=Job%20Board
Advisory (ICSA-17-208-01)
Continental AG Infineon S-Gold 2 (PMB 8876)
ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.
Vendor: Continental AG
Equipment: Infineon S-Gold 2 (PMB 8876)
Vulnerabilities: Stack-Based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer
AFFECTED PRODUCTS: All telematics control modules (TCUs) built by Continental AG that contain the S-Gold 2 (PMB 8876) cellular baseband chipset are affected. The S-Gold 2 (PMB 8876) is found in the following vehicles: <see full announcement for list of Nissan, Infiniti, BMW, Ford, etc. models.>
An attacker with a physical connection to the TCU may exploit a buffer overflow condition that exists in the processing of AT commands. This may allow arbitrary code execution on the baseband radio processor of the TCU. A vulnerability in the temporary mobile subscriber identity (TMSI) may allow an attacker to access and control memory. This may allow remote code execution on the baseband radio processor of the TCU.
Mickey Shkatov, Jesse Michael, and Oleksandr Bazhaniuk of the Advanced Threat Research Team at McAfee have reported the vulnerabilities.
https://ics-cert.us-cert.gov/advisories/ICSA-17-208-01
https://github.com/HackingThings/Publications/tree/master/2017
https://github.com/HackingThings/CAN-Bus-Arduino-Tool
Click on the image in the above tweet for more information. Hopefully we’ll see more information about this in the near future…
WOW! I just heard that Alex and Yuriy have left Intel Advanced Threat Research (McAfee) and have started Eclypsium, Inc.
Alex Bazhaniuk is the “Founder and VP of Technology at Eclypsium, Inc.”
Yuriy Bulygin is the “Founder and CEO at Eclypsium, Inc.”
http://www.eclypsium.com/
Twitter: @ABazhaniuk
Twitter: @c7zero
https://github.com/chipsec/chipsec/blob/master/AUTHORS
Tools for communicating with Intel Management Engine through MEI (HECI)
Zyan Disassembler Engine (Zydis)
Fast and lightweight x86/x86-64 disassembler library.
https://github.com/zyantific/zydis
s a n d s i f t e r : the x86 processor fuzzer
The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor’s instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips. With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.[…]
Intel AMT authentication bypass example: This is a Proof-of-Concept code that demonstrates the exploitation of the CVE-2017-5689 vulnerability. It is essentially a mitmproxy script that simply blanks an Authorization header “response” field. Example usage:
mitmdump -p 8080 -dd --no-http2 -s blank_auth_res
https://github.com/embedi/amt_auth_bypass_poc
Look here for presentation and white paper links:
https://www.embedi.com/news/intel-amt-some-new-stealth-vector-attacks-and-good-old-vulnerabilities
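As an added illustration (not the PoC’s code and not Intel’s implementation), a small Python model of the defect class behind a blanked Digest “response” field: a check that compares only as many characters as the client supplied accepts an empty response, while a full-length constant-time comparison rejects it. The realm, nonce, credentials and header layout are constructed, and the prefix comparison is a simplified model assumed here, not AMT’s actual code.

```python
import hashlib
import hmac
import re

# Constructed sample values (not captured from any real AMT device).
REALM = "Digest:EXAMPLE"
NONCE = "constructed-nonce"
USERNAME = "admin"
PASSWORD = "correct horse battery staple"
URI = "/index.htm"

_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')

def parse_digest(header):
    """Return a dict of Digest parameters, or None if not a Digest header."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    out = {}
    for m in _PAIR.finditer(params):
        quoted, bare = m.group(2), m.group(3)
        out[m.group(1)] = (quoted if quoted is not None else bare).strip()
    return out

def expected_response(p, password, method="GET"):
    """RFC 2617 Digest response for qop=auth (MD5 as the scheme specifies)."""
    ha1 = hashlib.md5(f"{p['username']}:{p['realm']}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{p['uri']}".encode()).hexdigest()
    data = f"{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}"
    return hashlib.md5(f"{ha1}:{data}".encode()).hexdigest()

def vulnerable_check(header, password):
    """Models the flaw: only len(supplied) chars are compared, so "" matches."""
    p = parse_digest(header)
    if p is None:
        return False
    supplied = p.get("response", "")
    return expected_response(p, password)[:len(supplied)] == supplied

def hardened_check(header, password):
    """Full-length, constant-time comparison; an empty response never matches."""
    p = parse_digest(header)
    if p is None:
        return False
    supplied = p.get("response", "")
    exp = expected_response(p, password)
    return len(supplied) == len(exp) and hmac.compare_digest(exp, supplied)

def build_header(response):
    """Constructed Authorization header with the given response value."""
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'response="%s", qop=auth, nc=00000001, cnonce="abc"'
            % (USERNAME, REALM, NONCE, URI, response))
```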
[Disclaimer: I work for PreOS Security.]
CHIPSEC is a suite of dozens of tests/tools/utilities, many of which are strictly for security researchers. Timed with SysAdmin Appreciation Day, PreOS Security has created a 1-page quick reference for CHIPSEC for sysadmins. The below message also mentions an upcoming short ebook for sysadmins:
Currently this quickref is only available by filling out a form:
https://preossec.com/free+ebook/
on the PreOS Security site, with some opt-in stuff to help the new startup.
PS: PreOS Security has joined the Twitosphere(sp), first post above. And we have a LinkedIn page. Please ‘Follow us’. Thanks!
https://twitter.com/PreOS_Security/
https://www.linkedin.com/company/preos-security
Announcing the Windows Bounty Program:
Windows 10 represents the best and newest in our strong commitment to security with world-class mitigations. One of Microsoft’s longstanding strategies toward improving software security involves investing in defensive technologies that make it difficult and costly for attackers to find, exploit and leverage vulnerabilities. We built in mitigations and defenses such as DEP, ASLR, CFG, CIG, ACG, Device Guard, and Credential Guard to harden our systems and we continue adding defenses such as Windows Defender Application Guard to significantly increase protection to harden entry points while ensuring the customer experience is seamless. In the spirit of maintaining a high security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017. This will include all features of the Windows Insider Preview in addition to focus areas in Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge. We’re also bumping up the pay-out range for the Hyper-V Bounty Program.[…]
https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-bounty-program/
I nearly missed this CHIPSEC announcement in the below Black Hat abstract. Exciting.
Blue Pill for Your Phone
By Oleksandr Bazhaniuk & Yuriy Bulygin
In this research, we’ve explored the attack surface of hypervisors and the TrustZone monitor in modern ARM based phones, using Google Nexus 5X, Nexus 6P, and Pixel as primary targets. We will explain different attack scenarios using SMC and other interfaces, as well as interaction methods between TrustZone and hypervisor privilege levels. We will explore attack vectors which could allow a malicious operating system (EL1) level to escalate privileges to hypervisor (EL2) level and potentially install a virtualization rootkit in the hypervisor. We will also explore attack vectors through SMC and other low level interfaces, interactions between TrustZone and hypervisor (EL2) privilege levels. To help with further low level ARM security research, we will release ARM support for the CHIPSEC framework and new modules to test issues in ARM based hypervisors and TrustZone implementations, including an SMC fuzzer.
https://www.blackhat.com/us-17/briefings.html#blue-pill-for-your-phone
Hastily-written news/info on the firmware security/development communities, sorry for the typos.