Apple fixed firmware vulnerability found by Positive Technologies

June 14, 2018 ~ hucktech ~ Leave a comment

Apple fixed firmware vulnerability found by Positive Technologies https://t.co/Bp2vg0zqU0

— Nicolas Krassas (@Dinosn) June 14, 2018

June 14, 2018
The vulnerability allowed exploiting a critical flaw in Intel Management Engine and still can be present in equipment of vendors that use Intel processors. Apple released an update for macOS High Sierra 10.13.4, which fixes the firmware vulnerability CVE-2018-4251 found by Positive Technologies experts Maxim Goryachy and Mark Ermolov. For more details, see Apple Support.[…]

http://blog.ptsecurity.com/2018/06/apple-fixed-vulnerability-founde-by-PT-experts.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4251
https://support.apple.com/en-us/HT208849

SPIDriver: Hardware Adapter for Controlling SPI Devices from Your Computer

June 14, 2018June 14, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/HacksterPro/status/1006978355634241542

https://blog.hackster.io/spidriver-is-a-hardware-adapter-for-controlling-spi-devices-from-your-computer-5b484e90163e

https://www.crowdsupply.com/excamera/spidriver

http://www.excamera.com/sphinx/index.html

OEMs charge users to enable (or disable) security features

June 14, 2018 ~ hucktech ~ Leave a comment

Does the automotive industry charge for seat belts? 🙂

Maybe someone should create an open source project for Tianocore that has boot menu option (UEFI browser form) code to enable/disable everything that Intel/ARM/AMD/etc make configurble, an these menu options should be made available to any IBV/OEM that wants to include them. Having them there reduces friction for vendors who didn’t have those features before, and provides something for customers to point to when they say “I want more control of my security configurability in my firmware.”

Interesting… HP charges you $10 to “Permanently Disables Absolute Computrace from BIOS”.

You pay not to be tracked.

Let that sink in. pic.twitter.com/VxgjCK3lq2

— Arrigo Triulzi (@cynicalsecurity) June 14, 2018

https://twitter.com/Mario_Vilas/status/1007204344696098816

In this picture there is also a “Intel SGX Permanently Disable” which I would very much like to know the implementation of.

Do they ship a non-SGX chip or is there “another trick”? https://t.co/R3F7IhuSFU

— Arrigo Triulzi (@cynicalsecurity) June 14, 2018

VW firmware was used to defeat emission tests

June 14, 2018 ~ hucktech ~ Leave a comment

Open firmware is going to be foundational for security.

— Ben Laurie (@BenLaurie) June 14, 2018

Fir years I've been telling Intel (every chance I get, which is fairly often) that closed source BSP/FSP/etc only hurts them. It's honestly like they've been told not to hear it. https://t.co/GEiLahSs62

— Farce Majeure🌹 (@vathpela) June 14, 2018

We need independently auditable firmwares for many reasons. Legislators, forcing open binaries for such systems is a good thing and imposes little cost. https://t.co/s8OULPaHiK

— Halvar Flake (@halvarflake) June 13, 2018

The above 3 tweets apply to EVERYTHING, not just the story that started it, VW firmware. It seems the forensics community still does very little with firmware:

Volkswagen, together with @iotatoken will show at #cebit18 a proof of concept how the trusted transfer of software over-the-air to vehicles can be securely documented using the #tangle. Great example how distributed ledger technology can be used in the future pic.twitter.com/4wuc7pdKfv

— Johann Jungwirth (@JohannJungwirth) June 9, 2018

VW's firmware was used to defeat emissions tests:https://t.co/H1zs3gFLcc

Their response should be independently auditable, reproducible firmware updates.

Instead, they are relying on a system with a track record of broken, homegrown crypto for critical firmware updates. https://t.co/EyghznVjPV

— Steve Weis (@sweis) June 13, 2018

Click to access diesel-sp17.pdf

YubiCo -vs- security researchers

June 14, 2018 ~ hucktech ~ 1 Comment

Sorry, these tweets are not in chronological order.

https://www.yubico.com/2018/06/webusb-and-responsible-disclosure/

Security advisory YSA-2018-02

So @Yubico releases an advisory that is:

1. based on our work
2. does not give any credit besides "the researchers"
3. apparently applies a bounty for a replication of our work on March 5 (according to the advisory)https://t.co/mKthHffymf

— Markus Vervier (@marver) June 13, 2018

Yeah, nice credit: "They used a YubiKey NEO because they were unable to access an authenticator over USB HID over WebUSB on the Linux computer they used for testing."

Hey @Yubico: maybe we also used the CCID interface because it allowed to reprogram the Yubikey NEO via WebUSB?

— Markus Vervier (@marver) June 13, 2018

_Even_ if they had reported it before what kind of dick move is it to talk to us, asking about source for the PoC, then never contacting us again and sending in bug reports behind our back. And sending us some Yubico starter set as "thank you".

— Markus Vervier (@marver) June 13, 2018

You acted unprofessionally taking credits for research and work that isn’t yours.

When @marver and me had a private chat with your CSO Jesper Johansson, he was begging us to get the source code of the exploit. We even sent demo videos because the Yubico team COULD NOT REPLICATE https://t.co/H83zie9u7K

— antisnatchor (@antisnatchor) June 14, 2018

You even got 5K USD and donated to a dubious project. And of course if people on twitter wouldn’t let us know that you published such an elite updated on your elite research on your elite devices, the post would have been published WITHOUT ANY CREDITS to us. Classic. Thanks!!!

— antisnatchor (@antisnatchor) June 14, 2018

It is remarkable how @Yubico in one simple vulnerability post has managed to ensure that even fewer people are going to follow the “responsible disclosure” route.

Burn researchers, don’t credit, wrongly analyse their work, back-pedal.#golfclap

— Arrigo Triulzi (@cynicalsecurity) June 14, 2018

It gets even better, we showed this also in our @offensivecon talk and also again in a private call with the @Yubico CISO: "For instance, Yubico was able to use it to obtain a PGP signature from a PGP enabled YubiKey over WebUSB." (from the advisory)..

— Markus Vervier (@marver) June 13, 2018

In light of recent events we are publishing the talk from OffensiveCon 2018 by @marver and @antisnatchor Oh No, Where's FIDO?
A Journey into Novel Web-Technology and U2F Exploitation.https://t.co/RMS7SPiSQ8

— offensivecon (@offensive_con) June 14, 2018

You can attack even more than just U2F with WebUSB. In the video you can see us accessing the SmartCard interface of a YubiKey with PGP via WebUSB. If we would have got a slot at @defcon or @BlackHatEvents this year there would have been a lot more. 😉 https://t.co/yUeJ1TCnVT

— Markus Vervier (@marver) June 14, 2018

I remember times when we'd consider it only as a _joke_ if someone said: "WebUSB"…

Now eagerly awaiting "WebSMM"! https://t.co/NiSHwOWgKx

— Joanna Rutkowska (@rootkovska) March 2, 2018

Multiple Security Issues in Ecos Secure Boot Stick (SBS)

June 14, 2018 ~ hucktech ~ Leave a comment

Ecos Secure Boot Stick version 5.6.5 and System Management version 5.2.68 suffers from credential disclosure and various other security vulnerabilities that can lead to information disclosure.

https://telematik.prakinf.tu-ilmenau.de/ecos-sbs/advisory.html

https://packetstormsecurity.com/files/148180/Ecos-Secure-Boot-Stick-5.6.5-Credential-Disclosure-Information-Leak.html

https://www.ecos.de/en/products/access-components/secure-boot-stick/

New Intel mobile web app to remotely control Intel AMT systems

June 13, 2018 ~ hucktech ~ Leave a comment

[[SuperMicro has a phone app to control their systems’ IPMI. Now Intel has a phone app to control Intel AMT-based systems. I hope mobile systems are secure, these would seem to make great ‘pivots’ for attackers…]]

MeshCentral2 – New Mobile Web Application
By Ylian S. (Intel), published on June 12, 2018

It’s been a while since the last announcement but I have been hard at work on MeshCentral, the web-based open source remote management software. This week we got a big new feature with release of MeshCentral v0.1.8-c on NPM, we now have a new web application for mobile devices. When you install your own MeshCentral server and access it using a mobile device (like a phone or tablet), you will see a new web page tailored for small devices. This is the first version of it, but already it offers many of the main usages that are offered on the main web site in a more compact form.[…]

https://software.intel.com/en-us/blogs/2018/06/12/meshcentral2-new-mobile-web-application

https://www.npmjs.com/package/meshcentral

http://www.meshcommander.com/meshcentral2

Intel-SA-00145: Lazy Floating Point state restore

June 13, 2018 ~ hucktech ~ Leave a comment

Here’s the source of the Intel floating point issue:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html

Re: https://firmwaresecurity.com/2018/06/13/intel-floating-point-issue/

CHIPSEC new sgx_check module

June 13, 2018 ~ hucktech ~ Leave a comment

https://github.com/chipsec/chipsec/commit/45b50782c9585f79e1f01d5262ad0022f78540a5

Module name: ‘sgx_check’

Author: Sushmith Hiremath, INTEL DCG RED team

Check SGX related configuration

Reference: SGX BWG, CDI/IBP#: 565432

I’m unclear to the meaning of the numeric Reference #…

Nvidia seeks Offensive Firmware Security Researcher

June 13, 2018 ~ hucktech ~ Leave a comment

Nice job title, …and without using “Cyber”, even!

Job description is well-written, I can guess at who wrote it. 🙂

https://nvidia.wd5.myworkdayjobs.com/en-US/NVIDIAExternalCareerSite/job/US-CA-Santa-Clara/Offensive-Firmware-Security-Researcher_JR1914876

CopperheadOS and AndroidHardening project

June 13, 2018 ~ hucktech ~ 1 Comment

Re: https://firmwaresecurity.com/2018/06/04/copperheados-company-problems/

https://twitter.com/DanielMicay/status/1006662420700499969

https://twitter.com/DanielMicay/status/1006665999184285697

https://github.com/AndroidHardening

ZeroTrace: enables building systems secure against side-channels in SGX enclaves

June 13, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/sergey_nog/status/1006582302057619456

ZeroTrace, a system which enables instantiations of Oblivious-RAMs(ORAMs) on a server-device that supports Intel-SGX.

Supports PathORAM¹ and CircuitORAM². [HT: @jnazario)https://t.co/GMU7K0ENNC
__
¹ https://t.co/cDYtHBHjXn
² https://t.co/4P1OTVpMSI

— Arrigo Triulzi (@cynicalsecurity) June 13, 2018

ZeroTrace(ZT) is the first system that enabled instantiations of Oblivious-RAMs(ORAMs) on a server-device that supports Intel-SGX. ZT is also secure against known side-channel attacks against SGX.* Oblivous RAM or ORAMs have been theoretically known for a long while now [1], with the advent of secure hardware modules like Intel SGX, we notice an opportunity to make these incredible cryptographic primitives, deployable in practical scenarios.[…]

https://github.com/sshsshy/ZeroTrace

10-Part Introduction to KiCad video series available

June 13, 2018 ~ hucktech ~ Leave a comment

A 10-part video introduction to KiCad is now available:

The whole #KiCad series is done and live! The 10th and final episode is up on YouTube: https://t.co/AMgArNJf82 Thank you to everyone who has stuck with us for the whole journey! Let's make those badges blink! @digikey @oshpark #HowTo #DIY #electronics #engineering pic.twitter.com/YAJvpY5pmD

— Shawn Hymel – @shawnhymel@masto.ai (@ShawnHymel) June 12, 2018

Expliot: IoT Exploitation Framework (pronounced – expl-aa-yo-tee)

June 13, 2018 ~ hucktech ~ 1 Comment

T-0 And… your friendly neighborhood expliot – ioT exploitation framework can be found here https://t.co/iuxs3JREiG Please download, test, suggest and RT 🙂 pic.twitter.com/1PfN9IWW8p

— Aseem Jakhar (@aseemjakhar) June 12, 2018

Expliot (Pronounced – expl-aa-yo-tee)

Internet Of Things Exploitation Framework

Expliot is a framework for security testing IoT and IoT infrastructure. It provides a set of plugins (test cases) and can be extended easily to create new plugins. The name expliot is a pun on exploit and explains the purpose of the framework i.e. IoT exploitation. It is developed in python3[…]

https://gitlab.com/expliot_framework/expliot

Intel Floating Point issue?

June 13, 2018 ~ hucktech ~ 1 Comment

According to the oss-security list, there’s an ‘Intel FP issue’, and the BSDs are doing patches against it:

https://marc.info/?l=openbsd-cvs&m=152818076013158&w=2

http://lists.dragonflybsd.org/pipermail/commits/2018-June/672324.html

https://svnweb.freebsd.org/base?view=revision&revision=335072

I don’t know more about this FP issue other than above. For the record, I prefer the old days, when kernel mode didn’t rely on floating point, so the OS didn’t have to save state for drivers. 🙂

Facebook open sources Sonar, debugging tool

June 12, 2018 ~ hucktech ~ Leave a comment

Facebook is Open-sourcing Sonar, a new extensible debugging tool https://t.co/42FaZOngKM #programming #debugging

— Steffen Bauch (@steffenbauch) June 12, 2018

Open-sourcing Sonar, a new extensible debugging tool
Emil Sjölander

One challenge that comes from having many engineers working collaboratively on larger apps is that typically no single person knows how every module works. This segmentation of knowledge and expertise can make it difficult to develop new features, investigate bugs, or optimize performance. To help engineers at Facebook manage this complexity, we built Sonar, an extensible cross-platform debugging tool. Sonar gives us a surface where framework experts and developers can convey important information to framework users. Now we are adding functionality and sharing Sonar as an open source project to help others accelerate the app development process. With Sonar, engineers have a highly flexible, intuitive way to inspect and understand the structure and behavior of their iOS and Android applications. We believe Sonar improves on current tools by providing a more visual and interactive experience that is extensible to fit engineers’ specific needs.[…]

https://github.com/facebook/Sonar/

https://code.facebook.com/posts/1461914677288302/open-sourcing-sonar-a-new-extensible-debugging-tool/

https://fbsonar.com/

NEMU: fork of QEMU by Intel

June 12, 2018 ~ hucktech ~ Leave a comment

https://t.co/RrZAQPhCWQ NEMU — stripped down QEMU fork by Intel

— Dan Kaminsky (@dakami) June 11, 2018

NEMU is an open source hypervisor specifically built and designed to run modern cloud workloads on modern 64-bit Intel and ARM CPUs.

https://github.com/intel/nemu

Windows: new feature using IOMMU to block DMA access for Thunderbolt devices when machine is locked

June 12, 2018 ~ hucktech ~ Leave a comment

The latest version of Windows apparently has new protections against PCILeech and related attacks:

#WindowsInsider How cool is this — Windows insider preview has a new security feature which uses the IOMMU to block DMA access for thunderbolt devices when your machine is locked. @int0x6 #pcileech pic.twitter.com/bj9pnF1YXb

— David Weston (DWIZZZLE) (@dwizzzleMSFT) June 12, 2018

Totally awesome – a shiny settings toggle switch to enable! Must Try 😀 But I'll miss my DMA attacks 😢

— Ulf Frisk (@UlfFrisk) June 12, 2018

Introducing graphene-ng: running arbitrary payloads in SGX enclaves

June 12, 2018 ~ hucktech ~ Leave a comment

New post: "Introducing graphene-ng: arbitrary payloads in SGX enclaves" – a project we (ITL) have been working on for/with the @golemproject. Most of the coding by ITL's @dsredford & Rafał "Omeg" Wojdyła. Demo movie included 🙂 To be open-sourced soon™https://t.co/dRXsvVjqVg

— Joanna Rutkowska (@rootkovska) June 11, 2018

After months of hard work @rootkovska has published as a guest author in our blog, her in-depth article on Graphene-ng: running arbitrary payloads in SGX enclaves. Thank you Joanna and ITL for such a great effort, and we look forward to collaborating more! https://t.co/8q963yifG4

— Golem Network (@golemproject) June 11, 2018

fig1

Jun 11, 2018 by Joanna Rutkowska

A few months ago, during my keynote at Black Hat Europe, I was discussing how we should be limiting the amount of trust when building computer systems. Recently, a new technology from Intel has been gaining popularity among both developers and researchers, a technology which promises a big step towards such trust-minimizing systems. I’m talking about Intel SGX, of course. Intel SGX caught my attention for the first time about 5 years ago, a little while before Intel has officially added information about it to the official Software Developer’s Manual. I’ve written two posts about my thoughts on this (then-upcoming) technology, which were a superposition of both positive and negative feelings. Over the last 2 years or so, together with my team at ITL, we’ve been investigating this fascinating technology a bit closer. Today I’d like to share some introductory information on this interesting project we’ve been working on together with our friends at Golem for several months now.[…]

https://blog.invisiblethings.org/2018/06/11/graphene-ng.html

An ice-cold Boot to break BitLocker

June 11, 2018 ~ hucktech ~ Leave a comment

My colleague Pasi and I will show everyone how to unlock BitLocker on modern PCs at SEC-T in September. Cold Boot attacks made practical on fully hardened Windows 10! https://t.co/xya6HcnizX

— olle@WithSecure (@olle_withsecure) June 11, 2018

First round of speakers announced. https://t.co/6QbvhHKAfM @Viss @nxsolle @Acidgen @x33fcon @stefant etc.

— SEC-T (@SEC_T_org) June 11, 2018

An ice-cold Boot to break BitLocker
By Olle Segerdahl & Pasi Saarinen

A decade ago, academic researchers demonstrated how computer memory remanence could be used to defeat popular disk encryption systems. Not much has happened since, and most seem to believe that these attacks are too impractical for real world use. Even Microsoft have even started to play down the threat of memory remanence attacks against BitLocker, using words such as “they are not possible using published techniques”. We will publish techniques that allow recovery of BitLocker encryption keys from RAM on most, if not all, currently available devices. While BitLocker is called out in the title, the same attacks are also valid against other platforms and operating systems.

Olle is a veteran of the IT-security industry, having worked with both “breaking” and “building” security solutions for almost 20 years. During that time, he has worked on securing classified systems, critical infrastructure and cryptographic products as well as building software whitelisting solutions used by industrial robots and medical equipment. He is currently the Swedish Principal Security Consultant with F-Secure’s technical security consulting practice.

Pasi is an experienced security researcher with a background in both software and network security. In previous employment he has worked on a modern framework for white-box fuzz testing of binaries and security standardization of the 5G mobile network. While he has a very Finnish name, he plays for team Sweden in F-Secure’s technical security consulting practice.

https://www.sec-t.org/talks/