Breaches involving major players in the hospitality industry continue to pile up. Today, travel industry giant Sabre Corp. disclosed what could be a significant breach of payment and customer data tied to bookings processed through a reservations system that serves more than 32,000 hotels and other lodging establishments.
According to Sabre’s marketing literature, more than 32,000 properties use Sabre’s SynXis reservations system, described as an inventory management Software-as-a-Service (SaaS) application that “enables hoteliers to support a multitude of rate, inventory and distribution strategies to achieve their business goals.”

Sabre said it has engaged security forensics firm Mandiant to support its investigation, and that it has notified law enforcement. “The unauthorized access has been shut off and there is no evidence of continued unauthorized activity,” reads a brief statement that Sabre sent to affected properties today. “There is no reason to believe that any other Sabre systems beyond SynXis Central Reservations have been affected.”

Sabre’s software, data, mobile and distribution solutions are used by hundreds of airlines and thousands of hotel properties to manage critical operations, including passenger and guest reservations, revenue management, flight, network and crew management. Sabre also operates a leading global travel marketplace, which processes more than $110 billion of estimated travel spend annually by connecting travel buyers and suppliers.

Sabre told customers that it didn’t have any additional details about the breach to share at this time, so it remains unclear what the exact cause of the breach may be or for how long it may have persisted. A breach involving traveler transactions at even a small percentage of the 32,000 properties that use Sabre’s impacted technology could expose a significant number of customer payment cards in a short amount of time.

The news comes amid revelations about a blossoming breach at Intercontinental Hotel Group (IHG), the parent company that manages some 5,000 hotels worldwide, including Holiday Inn and Holiday Inn Express.
KrebsOnSecurity first reported in December 2016 that cards used at IHG properties were being sold to fraudsters, but it took until February 2017 for IHG to announce it had found malicious software installed at front-desk systems at just a dozen of its properties. On April 18, IHG disclosed in an update on the investigation that more than 1,200 properties were affected, and that there could well be more added in the coming days.

According to Verizon’s latest annual Data Breach Investigations Report (DBIR), malware attacks on point-of-sale systems used at front desk and hotel restaurant systems “are absolutely rampant” in the hospitality sector. Accommodation was the top industry for point-of-sale intrusions in this year’s data, with 87% of breaches within that pattern. “Apparently, it is not only The Eagles that are destined for a long stay at the hotel,” Verizon mused in its report. “The hackers continue to be checked in indefinitely as well. Breach timelines continue to paint a rather dismal picture—with time-to-compromise being only seconds, time-to-exfiltration taking days, and times to discovery and containment staying firmly in the months camp.”

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt. In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside the hotel chains.

Point-of-sale malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malicious code usually is installed via hacked remote administration tools.
Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register. Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).
The post Breach at Sabre Corp.’s Hospitality Unit appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/breach-at-sabre-corp-s-hospitality-unit/
After investigating a number of issues with Symantec certificates, Mozilla joined Google in urging the antivirus vendor to temporarily hand over its certificate authority operations to another trusted organization. Last week Symantec announced a plan for sweeping changes within its certificate authority business following public criticism and warnings from Google and Mozilla. However, Mozilla this week found Symantec’s proposal to remediate its certificate authority business lacking, and posted its own remediation proposal while urging Symantec to essentially outsource its operations to another trusted certificate authority.

Mozilla’s proposal comes after weeks of scrutiny from two of the three major web browsers. Google posted its first proposal, titled “Intent to Deprecate and Remove: Trust in Existing Symantec-issued Certificates,” in March, which called for reducing the validity period for new Symantec certificates to nine months, revalidating and replacing all Symantec-issued certificates, and removing the Extended Validation (EV) status of Symantec-issued certificates for at least one year. However, after meetings in April with Google, Symantec was offered an alternative plan, under which it would work together with one or more existing CAs that could take over and replace Symantec’s problematic infrastructure and validation processes while allowing Symantec to continue its business relationships with its customers.

“Chrome’s second proposal suggested that Symantec stand up a new [public key infrastructure (PKI)], cross-signed by their existing roots. Actual issuance for this PKI would initially be contracted out by Symantec to another trusted CA or CAs, and then brought back in house later,” wrote Gervase Markham, software engineer at Mozilla, in the new proposal.
“We feel that Google’s second proposal to Symantec appropriately balances the need to minimize impact on the ecosystem with the need for Symantec to make a break with the past and re-establish trust in the future. So we would encourage Symantec to reconsider whether implementing it might be an option they could take, and are open to discussing that possibility with them,” Markham wrote.

Use of audits is not enough

Mozilla’s review of Symantec’s comments and counter-proposal mostly validated Mozilla’s concerns over Symantec certificate issues, including worries about a heavy reliance on the use of audits. Symantec’s proposal calls for extensive use of third-party auditors: to audit all active EV certificates, to audit all active certificates as well as Symantec’s remediation process, to increase the frequency of audits to every three months until Symantec achieves four consecutive “clean” audits, and more.

“While audit has a place in managing CA behavior, it is difficult to use it as a process to restore trust; there are enough gaps in the audit regime (and things audits are not designed to opine about) that while Mozilla sees clean audits as a baseline requirement for being in our root program, we don’t see them as a guarantor of appropriate conduct,” Markham wrote. “Symantec, of all organizations, should know this after the issues they had with their [registration authority] program and its audits.”

Mozilla’s revised plan at this point is less onerous than the one Google first proposed in March. While Mozilla presented its own plan for Symantec certificates, the company urged Symantec to go with Google’s proposal to avoid losing trust in its certificates. “Symantec should seriously consider Google’s proposal for simplifying and restoring trust in their public PKI,” Markham wrote.
If Symantec does not choose Google’s proposal, Mozilla’s proposal would require Symantec to “immediately come up with a plan, in short order, to cut off via intermediate revocation (which we will carry in OneCRL) all parts of their public PKI which issue certificates trusted by users of Mozilla’s root store and are not BR-compliant,” Markham wrote.
Once the plan is complete, Symantec would be required to prove it by providing “a full PKI diagram of the hierarchy under all of the roots it has in the Mozilla root program, including all sub-CAs and cross-signs, with annotations to show which are technically capable of issuing TLS certs, which are EV-enabled, and with evidence of appropriate audits for all the remaining connected pieces. This will not be a simple document — but then, an inability to produce such a thing in a reasonable timeframe would be further reinforcement of the idea that Symantec is not in control of the scope of its PKI.”

Mozilla’s plan also reduces the maximum lifetime of newly issued Symantec certificates to 13 months, with the lifetime of existing certificates being gradually reduced to 13 months as well.

Symantec Extended Validation certificates no longer an issue

The news from Mozilla was not all bad for Symantec. Mozilla noted that while issuance of Extended Validation (EV) certificates had proven problematic in the past, Symantec has already taken action to regain control over EV certificate issuance. “The loss of control of EV issuance (via sub-CAs uncontrolled by Symantec in the [Federal PKI program]) was serious,” Markham wrote. “However, the risk has now been eliminated, and no existing Symantec EV certificates are affected. Therefore, if we are basing the presence or absence of EV status solely on the quality of EV vetting (and that is not a given), the removal of EV status seems unwarranted.”

Mozilla offered its proposal for comment and discussion until May 8, 2017. The final decision on Mozilla’s response to Symantec’s certificate authority issues rests with Kathleen Wilson, program manager at Mozilla and the module owner of the CA Certificates module.

The post Mozilla: Symantec certificate remediation plan not enough appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/mozilla-symantec-certificate-remediation-plan-not-enough/

Google pushed out its monthly Android patches Monday, addressing 17 critical vulnerabilities, six of which are tied to its problematic Mediaserver component. An additional four critical vulnerabilities related to Qualcomm components in Android handsets, including Google’s own Nexus 6P, Pixel XL and Nexus 9 devices, were also patched.

“The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files,” wrote Google in its May Android Security Bulletin. That “most severe” vulnerability traces back to Android’s Mediaserver component. According to Google, an attacker could exploit the Mediaserver vulnerability by using a specially crafted file to cause memory corruption during media file and data processing and execute code remotely.

Qualcomm bootloader vulnerabilities triggered two critical patches (CVE-2016-10275 and CVE-2016-10276) issued by Google. The bugs create conditions ripe for elevation-of-privilege attacks. “An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel,” according to the bulletin. An additional critical Qualcomm vulnerability (CVE-2017-0604) in the chipmaker’s power driver could also enable a local malicious application to execute arbitrary code within the context of the kernel, Google wrote.

With this update, as with previous Android updates, Google split patches into two levels. One is the May 1 partial security patch level; the second is the May 5 complete security patch level.
Having two patch levels, Google explains, is meant to “provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices.” A device at the 2017-05-05 level carries all of the fixes associated with the earlier patch level strings as well, Google said; six of the 17 critical bugs are addressed at the 2017-05-01 partial level. Of all the critical, high and moderate vulnerabilities reported Monday, Google said there were no reports of the bugs being exploited in the wild.

It’s also worth noting that last week Google said two Nexus devices (6 and 9), released in November 2014, would no longer be “guaranteed” to receive security updates after October 2017. It also offered a similar timeline for the Pixel XL, of October 2019. The move underscores larger struggles by Google to balance device fragmentation with a timely rollout of security patches for all of its own devices and those made by third-party manufacturers.

The post Google Patches Six Critical Mediaserver Bugs in Android appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/google-patches-six-critical-mediaserver-bugs-in-android/

IDG Contributor Network: Using defense-in-depth to prevent self-inflicted cybersecurity wounds
5/2/2017

This past week, I encountered an all too common situation: a user gets a targeted phishing attempt. Despite a strong training program, the user opens the attachment and gets infected with ransomware. For many organizations, this would have resulted in a disaster. Ransomware would have encrypted files on any servers, and the organization would have been forced to either restore the files from a backup, assuming they had them, or to hold their nose and pay a ransom.

The news was better, however, for the organization I mentioned above. Fortunately, the premise of their security planning was that someone would eventually shoot them in the foot. With a security plan that assumed this, they had a depth of layered controls to help.
While their anti-virus software did not prevent the infection, it did recognize and send an alert about it, after the fact. In the meantime, their web filtering appliances and their DNS service provider, recognizing the call from the infected PC to a command and control server to get an encryption key, blocked access. Since the ransomware client never got the key, it did not encrypt any files. The blocking of command and control access provided the extra time needed to get the PC pulled out of service and repaired.

The organization referenced above had a happy ending. For every such happy ending, though, I suspect that there are hundreds that end badly. Since these often happen in small organizations, or those that attempt to keep such matters quiet, we often don’t hear about them, but they do exist. It is these sorts of attacks that resulted in an estimated $209 million ransomware payout in the first three months of 2016, according to Forbes.

There is no end in sight for these attacks, because bad actors are working hard to make the process easier. These efforts have resulted in a new class of malware — Ransomware as a Service (RaaS), a turn-key approach for those who wish to extort people, but don’t have the technical chops to pull off an attack. The hackers do the coding, and make the software available, either for a purchase price or a percentage of any ransoms paid. As such, new hackers can join the fray with little risk.

If you are placing your hopes in law enforcement to stop the trend, or to help you out when you’re hit, you probably should go ahead and buy some bitcoins. It is not that law enforcement does not want to help. Quite the contrary, they are working hard to combat the trend. But because there are so many bad actors participating, and because they are often in countries where we can’t get to them, law enforcement is almost helpless. If the above situation gives you a sense of hopelessness, don’t despair quite yet.
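The incident above is a textbook correlation case: the endpoint AV alert arrived after the fact and the DNS and web filters each blocked one outbound request, and no single layer's event is conclusive on its own. The following is an added example (not from the original column or any product it names) of the kind of rule a log consolidation layer would run: it parses constructed, simplified log lines from three sources, groups them by host, and raises a finding only when an AV detection and a blocked C2/malware egress attempt for the same host fall within a short window. The log format, field names and hostnames are assumptions made for the example.

```python
"""Cross-layer correlation: AV detection + blocked C2 egress for one host.

Added example. The log lines below are constructed and simplified; real
products emit richer records, but only timestamp, source, host, action and
category are needed for this rule.
"""
from datetime import datetime, timedelta
import re

# Constructed sample events (assumption: syslog-like "ts source key=value ..." shape).
SAMPLE_LOGS = """\
2017-05-02T09:14:03 av host=WS-041 action=detected name=Ransom.Generic file=invoice.doc.js
2017-05-02T09:14:11 dns host=WS-041 action=blocked qname=key-srv.example.net category=c2
2017-05-02T09:14:12 proxy host=WS-041 action=blocked url=http://key-srv.example.net/gen category=malware
2017-05-02T09:20:40 dns host=WS-017 action=blocked qname=ads.example.org category=adware
2017-05-02T11:02:00 av host=WS-099 action=detected name=PUA.Toolbar file=setup.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>.*)$")
C2_CATEGORIES = {"c2", "malware"}


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["source"] = m.group("source")
    return fields


def correlate(log_text, window=timedelta(minutes=10)):
    """Return {host: [sources that blocked C2 egress]} for every host that has
    both an AV detection and a blocked C2/malware connection within `window`.

    A lone AV alert (WS-099) or a lone adware block (WS-017) produces nothing;
    the pairing is what distinguishes "infected and calling home" from noise.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e and "host" in e]
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)

    findings = {}
    for host, evs in by_host.items():
        detections = [e for e in evs if e["source"] == "av" and e.get("action") == "detected"]
        blocks = [e for e in evs
                  if e.get("action") == "blocked" and e.get("category") in C2_CATEGORIES]
        for d in detections:
            hits = [b for b in blocks if abs(b["ts"] - d["ts"]) <= window]
            if hits:
                findings[host] = sorted({b["source"] for b in hits})
    return findings


if __name__ == "__main__":
    for host, sources in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {host}: AV detection plus C2 egress blocked by {', '.join(sources)}")
```

The window is deliberately generous; in the incident described the AV alert trailed the infection, so the rule must tolerate the detection arriving after the blocked beacon rather than before it.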
As with the aforementioned organization, you, too, can plan for the worst and have a layered-defense approach, which we in the industry call defense-in-depth. A defense-in-depth strategy assumes that something will go wrong with your basic security precautions. This can be the result of user error, a really smart hacker, or just Murphy’s Law in full force. To address the problem, you assume in advance that something will break, and you plan for additional controls to make up for that failure.

This approach is hard for many organizations to accept, because they hate to spend money multiple times to solve the same problem. The fallacy of this thinking is that, outside the realm of information security, we implement defense-in-depth all the time. Consider, for example, a warehouse that invests in a sprinkler system to extinguish fires. Even if they have purchased the best possible sprinkler system, they will still pay for an alarm system to notify the fire department of the emergency, just in case. If you think about it, you probably have many such precautions already in place. Why should cybersecurity be different?

When planning your defense-in-depth strategy, think about the different categories or layers of protection you need:

Perimeter

This is the front line of defense from outside attacks against your network. Using a firewall to prevent unwanted traffic from entering or leaving your network is the key to a strong perimeter defense. The good news is that many organizations have such a firewall. The bad news is that they are often mismanaged. It is critical to only allow traffic in and out of the firewall that is essential for the operation of the organization. Everything else should be blocked. All too many organizations install a firewall, turn it on, and think they are protected out of the box. This is a false sense of security.

Mid-network

This layer should include intrusion prevention, web filtering, and similar systems.
These devices monitor for, and filter out, unusual traffic that is missed at other layers. Web filtering prevents users from aiming a gun at your feet by visiting sites that are known to be infected. This layer is also a good place to employ a technique called a honeypot, which acts as bait to detect a hacker who has penetrated your perimeter defenses and is moving laterally through your network. Finally, a good log consolidation system, such as Splunk, can correlate information from various system logs and generate alerts for suspicious activities.

Endpoint

This is the layer that resides on your users’ workstations. It is the first line of protection against malware, user downloads, malicious web sites, etc. It is important to use products that can be managed centrally and will report malware back to a console so that alerts can be issued. It also helps to have an endpoint product that can communicate with other layers of your defense strategy, such as McAfee or Cisco AMP. Don’t forget your mobile devices connecting to your network, because they have many problems of their own. Include a good mobile device management system, such as VMware’s AirWatch.

Bottom line: your employees will ultimately shoot you in the foot, either accidentally or intentionally. You can’t do anything to stop that. You can and should, however, deploy defense-in-depth strategies to protect from such events.

This article is published as part of the IDG Contributor Network.

The post IDG Contributor Network: Using defense-in-depth to prevent self-inflicted cybersecurity wounds appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/idg-contributor-network-using-defense-in-depth-to-prevent-self-inflicted-cybersecurity-wounds/

Yahoo has awarded a researcher $7,000 for disclosing a Flickr security flaw which enabled attackers to hijack user accounts without limit.
The issue, patched on 10 April, permitted attackers to intercept and grab access tokens by circumventing Flickr protections. According to security researcher Michael Reizelman, who privately disclosed the bug to the Yahoo-owned photo and video-sharing website Flickr before making the details public, the problem was caused by the way Flickr handled access tokens.

When a user wants to log in to Flickr.com, they click a sign-in button which redirects them to a Yahoo account login page. After being prompted to enter their credentials and completing the form to log in, the user is directed first to a Yahoo endpoint where the credentials are verified. If valid, they are then redirected back to a Flickr URL. However, if the user is already logged into Yahoo and clicks the initial Flickr sign-in link, then only one click is needed for verification.

With this in mind, Reizelman investigated and found that the .done parameter, which controls where login tokens are sent, can be manipulated. While Flickr already has some endpoint protections in place to prevent tokens from being leaked to external servers, tweaking the URL and adding a backslash bypasses these protections through the Flickr forum. The researcher then discovered a way to leak user account tokens to his own server by posting crafted images which forced the Flickr service to relinquish the tokens on forum pages which did not have Content Security Policy protections in place.

Should a user click on a malicious link posted within the forum, the redirection code would then send the authentication token to an attacker’s server and allow the threat actor to browse the site using the victim’s account. “An attacker had complete access to the victim’s account,” Reizelman told ThreatPost. “He actually was logged in to the site with the victim’s account, so he could do any action on the victim’s behalf: uploading content, deleting it, or any other thing he wants.”

Once disclosed through Yahoo’s bug bounty program, hosted on HackerOne’s platform, on 2 April, the issue was investigated within 24 hours. It took the Flickr team a further week to resolve the issue and prepare for public disclosure. The researcher was then awarded his bounty.
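The bug class described above, a redirect-destination check that a backslash defeats, comes down to two parsers disagreeing about one URL. Browsers following the WHATWG URL standard treat a backslash after the authority the same as a forward slash, so `https://evil.example\@www.flickr.com/signin/done` navigates to `evil.example` with path `/@www.flickr.com/signin/done`. A server-side library that does not treat `\` as a path delimiter (Python's `urllib.parse` is one) instead reads `evil.example\` as userinfo and `www.flickr.com` as the host, and waves the redirect through. The block below is an added example, not Flickr's code and not a reconstruction of Reizelman's exact payload: the `.done`-style parameter handling, the allowed host and the attacker host are assumptions. It shows a hostname-only check being fooled, a strict check that rejects anything whose raw authority is not exactly the bare allowed host and that cross-checks the browser's interpretation, and a token-redirect builder that only ever appends a token to a validated destination.

```python
r"""Redirect-target validation for a login ".done" style parameter.

Added example (not Flickr's code). ALLOWED_HOST and the attacker URL are
assumptions. Browsers treat "\" after the authority like "/", so the
attacker URL below really goes to evil.example; urllib does not, so a
hostname-only check sees www.flickr.com.
"""
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

ALLOWED_HOST = "www.flickr.com"           # assumption for the example
BARE_HOST_RE = re.compile(r"^[a-z0-9.-]+$")  # no userinfo, port, or backslash allowed

# Constructed attacker-controlled destination: userinfo trick with a backslash.
ATTACKER_DONE = "https://evil.example\\@www.flickr.com/signin/done"


def browser_host(url):
    """Approximate the host a WHATWG-compliant browser would actually connect to."""
    return urlsplit(url.replace("\\", "/")).hostname


def naive_redirect_ok(done_url):
    """Hostname-only check: urllib strips the 'evil.example\\' userinfo and approves."""
    return urlsplit(done_url).hostname == ALLOWED_HOST


def strict_redirect_ok(done_url):
    """Require https, a raw authority equal to the bare allowed host, and agreement
    with the browser's view of the same URL. Anything odd fails closed."""
    parts = urlsplit(done_url)
    if parts.scheme != "https":
        return False
    if not BARE_HOST_RE.match(parts.netloc) or parts.netloc != ALLOWED_HOST:
        return False
    return browser_host(done_url) == ALLOWED_HOST


def build_token_redirect(done_url, token):
    """Append the login token only to a validated destination; otherwise fall back
    to a fixed first-party landing page so the token never leaves the site."""
    target = done_url if strict_redirect_ok(done_url) else f"https://{ALLOWED_HOST}/"
    parts = urlsplit(target)
    query = (parts.query + "&" if parts.query else "") + urlencode({"token": token})
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", query, ""))


if __name__ == "__main__":
    print("naive check  :", naive_redirect_ok(ATTACKER_DONE))   # True  (fooled)
    print("browser goes :", browser_host(ATTACKER_DONE))        # evil.example
    print("strict check :", strict_redirect_ok(ATTACKER_DONE))  # False
    print("redirect     :", build_token_redirect(ATTACKER_DONE, "t0k"))
```

The strict check still allows arbitrary paths and query strings on the first-party host; the CSP-less forum pages mentioned above are a reminder that a redirect confined to your own origin is only safe if every page on that origin keeps the token out of reach of user-supplied content.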
Bug bounties are becoming a popular way to entice skilled security researchers to ferret out security flaws in products and services before attackers do. Last week, the US Air Force invited hackers to do their worst and find security vulnerabilities in the military’s websites.

The post Flickr Account Hijack Flaw Earns Researcher $7k appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/flickr-account-hijack-flaw-earns-researcher-7k/

Fuze, an enterprise-grade voice and video collaboration platform, has patched a vulnerability that exposed recordings of private meetings. A fix was made server-side by Fuze, and a patch was pushed to its endpoint client apps within 11 days of being privately notified by researchers at Rapid7.

Rapid7 program manager Samuel Huckins said there were two glaring issues that put voice, video and text data recorded between parties at risk. The first is that recordings could be shared without requiring authentication. The second was an issue he identified where the URLs at which recordings were accessible included a seven-digit identifier that increased incrementally over time and could be brute-forced. “You couldn’t set a password; it wasn’t required at first. And you could guess other folks’ URLs,” Huckins said. “In this case, the format itself wasn’t a problem. The lack of authentication was the main issue. The URL structure just exacerbated that by just making it easier to find.”

Similar to other collaboration platforms such as WebEx and GoToMeeting, sessions can be recorded and shared via a URL. Since the fix was implemented, users are now required to set a password before sharing; it’s unknown whether other platforms have similar vulnerabilities. Huckins said that some recording files were also indexed by search engines. “That was initially how I came across these. If this isn’t behind a password, who can see it?” Huckins said. “I found a few searching that way. It wasn’t a huge number, so I really don’t know what the trigger was for some to be indexed and some not, but some were. Those may have been intentionally shared. I didn’t spot things that looked confidential. They could have been completely intentional as shared.”

Fuze applications are delivered as software-as-a-service components, in addition to endpoint clients for desktop and mobile. Recordings, Rapid7 said, are saved to the vendor’s cloud hosting service and accessed by the shared URL. “Before [the patch], you would share the meeting, get the link and you were off to the races,” Huckins said. “For what Fuze is focused on, that makes good sense. They’re all about bringing people together, enhancing collaboration, lowering that barrier to entry, so it was a good user experience for that. This additional set of controls makes it that such if there’s sensitive content in those recordings, then they are safe.”

The vulnerability was privately disclosed Feb. 27, and two days later Fuze removed public access and required a password to view recordings from the cloud or clients. Fuze released version 4.3.1 of its client applications on March 10. There’s also no evidence the issue was abused publicly, Rapid7 said. “From what we saw and know from Fuze, we don’t have any evidence of that. That would be difficult to determine without being in a position like Google,” Huckins said. “Due to the speed of remediation and knowledge we have, no indication of that.”

The post Fuze Patches Bug That Exposed Recordings of Private Business Meetings appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/fuze-patches-bug-that-exposed-recordings-of-private-business-meetings/

Intel patched a critical vulnerability that dates back nine years and impacts business desktop PCs that utilize the company’s Active Management Technology. According to an Intel security bulletin, the flaw could allow an adversary to elevate privileges on a vulnerable system.
Intel said there are two attack vectors that could be exploited. One allows a network attacker to gain system privileges to provision Intel systems running affected versions of Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). Second, a local attacker could provision manageability features and gain unprivileged network or local system privileges on affected systems running versions of AMT, ISM and Intel Small Business Technology (SBT).

Intel said a researcher disclosed the vulnerability last month, warning of critical firmware flaws in business PCs and devices that utilize AMT, ISM and SBT. “We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible,” William Moss, a spokesperson for Intel, told Threatpost. Moss said no consumer PCs are impacted and that Intel is unaware of any exploitation of this vulnerability in the wild. Mitigations for the vulnerability include a firmware update for some models or, alternatively, removing or disabling Local Manageability Services (LMS) on impacted systems, according to the Intel security advisory. Intel credited researcher Maksim Malyutin from Embedi for discovering the vulnerability and disclosing it to Intel.

“We have been warning Intel about the vulnerability tied to Active Management Technology for years. Now, finally, it’s realized there is a vulnerability here that needs to be patched,” said Charlie Demerjian, founder of Stone Arch Networking Services, in an interview with Threatpost. He maintains that every Intel platform, from Nehalem in 2008 to Kaby Lake in 2017, has a remotely exploitable security hole in the chipset’s Management Engine (ME). In an article posted to the website SemiAccurate.com Monday, before Intel issued its advisory, Demerjian asserted Intel would patch a flaw first identified in June 2016 by researcher Damien Zammit.
In an exposé of Intel’s Management Engine, Zammit claimed last year that there was a vulnerability in Intel x86 chips that created a secret backdoor allowing a third party to use undetectable rootkits against Intel PCs. In a statement in response to Zammit’s allegation, Steve Grobman, chief technology officer for Intel Security, disputed the claim, calling the feature a boon to admins who manage large installs of remote PCs.

When Threatpost asked Intel if the vulnerability that it warned of on Monday was tied to the same security issues discussed in June 2016, Moss said he was looking into it. “I don’t know if there is any relationship to prior allegations. This current update is based on a report that we received in March from a security researcher. And to my knowledge it doesn’t have anything to do with anything before that,” Moss told Threatpost.

The vulnerability patched by Intel on Monday is in Active Management Technology, which runs on the Intel Management Engine. That component is an ARC microprocessor physically located inside the Intel chipset. “The ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system,” according to Zammit.

“The problem is quite simple, the ME controls the network ports and has DMA (direct memory access) access to the system. It can arbitrarily read and write to any memory or storage on the system, can bypass disk encryption once it is unlocked (and possibly if it has not, SemiAccurate hasn’t been able to 100 percent verify this capability yet), read and write to the screen, and do all of this completely unlogged. Due to the network access abilities, it can also send whatever it finds out to wherever it wants, encrypted or not,” Demerjian wrote in his post.
Matthew Garrett, a developer at Red Hat, wrote on his blog Monday that the flaw will only impact those that have explicitly enabled Active Management Technology at some point. “Most Intel systems don’t ship with AMT. Most Intel systems with AMT don’t have it turned on,” he said. Garrett added that fixing the problem won’t be easy for Intel or admins. “Fixing this requires a system firmware update in order to provide new ME firmware (including an updated copy of the AMT code). Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix. Anyone who ever enables AMT on one of these devices will be vulnerable,” he said.

The post Intel Patches Nine-Year-Old Critical CPU Vulnerability appeared first on Gigacycle Computer Recycling News.
from https://news.gigacycle.co.uk/intel-patches-nine-year-old-critical-cpu-vulnerability/

Intel is reporting a firmware vulnerability that could let attackers take over remote management functions on computers built over nearly the past decade. The vulnerability, disclosed on Monday, affects features in Intel firmware that are designed for enterprise IT management. Enterprises using Intel Active Management Technology, Intel Small Business Technology and Intel Standard Manageability on their systems should patch them as soon as possible, the company says.

The vulnerable firmware features can be found in some current Core processors and all the way back to Intel’s first-generation Core, called Nehalem, which shipped in 2008. They’re part of versions 6.0 through 11.6 of Intel’s manageability firmware. No consumer PCs are affected, the company said. Nor are data-center servers running Intel Server Platform Services.

Intel Active Management Technology is a feature in Core processors that lets organizations remotely track, manage and secure whole fleets of connected computers.
For example, it can be used to monitor and repair retail checkout systems, digital signage and PCs at places like stores, offices and schools. Intel didn’t provide technical details of the vulnerability, but it said a hacker could use the flaw to take over the remote management functions. In an email, Intel said it learned about the vulnerability from a security researcher in March. “We are not aware of any exploitation of this vulnerability,” the company said. Intel said it has prepared a patch and is working with manufacturers to roll it out to users as soon as possible.

Intel’s security advisory also lays out steps users can take to find out if they’re affected. For example, PCs built with its vPro technology will have the vulnerable Intel Active Management feature. In addition, the advisory has tips for what to do if there’s no firmware update available from the system manufacturer. Disabling or removing a Windows service called Local Manageability Service can mitigate the vulnerability, Intel said.

The post Vulnerability hits Intel enterprise PCs going back 10 years appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/vulnerability-hits-intel-enterprise-pcs-going-back-10-years/

Vuln reported in March, now fix is coming… slowly

For the past nine years, millions of Intel desktop and server chips have harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with spyware. Specifically, the bug is in Intel’s Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6.
According to Chipzilla, the security hole allows “an unprivileged attacker to gain control of the manageability features provided by these products.” That means hackers exploiting the flaw can log into a vulnerable computer’s hardware – right under the nose of the operating system – and silently snoop on users, read and make changes to files, install virtually undetectable malware, and so on. This is potentially possible across the network, because AMT has direct access to the network hardware, as well as with local access.

These management features have been available in various Intel chipsets for nearly a decade, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. Crucially, the vulnerability lies at the very heart of a machine’s silicon, out of sight of the running operating system, applications and any antivirus. It can only be fully fixed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world.

Intel’s vulnerable AMT service is part of the vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the at-risk computer and hijack it. If AMT isn’t provisioned, a logged-in user can still potentially exploit it. Intel reckons this vulnerability basically affects business and server boxes, because they tend to have vPro and AMT present and enabled, and not systems aimed at ordinary consumers, which typically don’t. You can follow this document to check if your system has AMT switched on. Basically, if you’re using a machine with vPro features enabled, you are at risk.

According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you’ll have to pester your machine’s manufacturer for a firmware update, or try the mitigations here.
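The articles above give the one fact an asset inventory can act on: manageability firmware versions 6.0 through 11.6 are in scope, and a provisioned AMT is reachable over the network while an unprovisioned one is exploitable only locally. The following is an added example, not Intel's own tooling, that turns that into a triage check for a fleet's firmware version strings. It assumes version strings of the form "major.minor.hotfix.build" (only major.minor matter for the range check) and, on Linux, that the MEI driver exposes the firmware version under /sys/class/mei/mei0/fw_ver (an assumption; the function simply returns None if the file is absent). The sample versions are constructed.

```python
"""Triage Intel ME/AMT firmware versions against the 6.0-11.6 affected range.

Added example (not Intel's code). Assumes 'major.minor.hotfix.build'
version strings; sample values below are constructed.
"""
import os
import re

# Inclusive range quoted by Intel for CVE-2017-5689: 6.0 up to and including 11.6.
AFFECTED_MIN = (6, 0)
AFFECTED_MAX = (11, 6)   # 11.6.x is in range; 11.7 and later are not


def parse_version(text):
    """Return (major, minor) from a string such as '9.1.41.3024'.

    The sysfs attribute may carry a leading '0:' prefix (assumption), so we
    search for the first 'number.number' pair rather than parsing strictly.
    Raises ValueError when no version is present.
    """
    m = re.search(r'(\d+)\.(\d+)', text)
    if not m:
        raise ValueError(f"no major.minor version in {text!r}")
    return int(m.group(1)), int(m.group(2))


def in_affected_range(version):
    """True when major.minor lies within 6.0 .. 11.6 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(version, amt_provisioned):
    """Map a version and AMT provisioning state to the exposure described
    in the article: provisioned AMT is network-reachable, unprovisioned AMT
    is still exploitable by a local user, anything outside the range is not
    affected by this advisory."""
    if not in_affected_range(version):
        return "not in affected range"
    if amt_provisioned:
        return "affected: network-exploitable (AMT provisioned)"
    return "affected: local-only (AMT not provisioned)"


def read_sysfs_version(path="/sys/class/mei/mei0/fw_ver"):
    """Read the ME firmware version from sysfs on Linux (path is an
    assumption). Returns None when the attribute is not present."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Constructed fleet sample: (hostname, reported ME version, AMT provisioned?)
    fleet = [
        ("ws-01", "9.1.41.3024", True),
        ("ws-02", "11.6.27.3264", False),
        ("ws-03", "11.7.0.1040", True),
        ("ws-04", "5.2.10.1052", True),
    ]
    for host, ver, prov in fleet:
        print(f"{host}: ME {ver}: {assess(ver, prov)}")
    local = read_sysfs_version()
    if local:
        print(f"this host: ME {local}: {assess(local, amt_provisioned=False)}")
```

The check only tells you which boxes fall inside the advisory's range; whether AMT is actually provisioned still has to come from the platform itself, which is why `assess` takes that as a separate input rather than guessing.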
These updates are hoped to arrive within the next few weeks, and should be installed ASAP. “In March, 2017 a security researcher identified and reported to Intel a critical firmware vulnerability in business PCs and devices that utilize Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT),” an Intel spokesperson told The Register in the past few minutes. “Consumer PCs are not impacted by this vulnerability. We are not aware of any exploitation of this vulnerability. We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible.” Specifically, according to Intel:
The fixed firmware versions to look out for are, depending on the processor family affected:
“The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole,” explained chip journo Charlie Demerjian. “Even if your machine doesn’t have AMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network.”

Demerjian also pointed out that it’s now up to computer makers to distribute the digitally signed patches to people and IT admins to install. That means if your supplier is a big name like Dell, HP or Lenovo, you’ll hopefully get an update shortly. If it’s a white box, no-name hardware slinger, you’re likely screwed: things like security and cryptography and firmware distribution are too much work in this low-margin business.

What is AMT?

AMT is an out-of-band management tool: it lays bare complete control over a system to the network, allowing IT bods and other sysadmins to reboot, repair and tweak servers and workstations remotely. God help you if this service is exposed to the public internet. It is supposed to require an admin to authenticate themselves before granting access, but the above bug allows an unauthenticated person to freely waltz up to the hardware’s control panel. Even if you’ve firewalled off your systems’ AMT access from the outer world, someone or malware within your network – say on a reception desk PC – can potentially exploit this latest vulnerability to drill deep into workstations and servers, and further compromise your business.

AMT is part of Intel’s Management Engine (ME), a technology that has been embedded in its chipsets in one way or another for over a decade, since around when the Core 2 landed in 2006. This software runs at what’s called ring -2, below the operating system kernel, and below any hypervisor on the box. It is basically a second computer within your computer, and it has full access to the network, peripherals, memory, storage and processors.
Amusingly, it’s powered by an ARC CPU core, which has a 16- and 32-bit hybrid architecture and is a close relative to the Super FX chip used in Super Nintendo games such as Star Fox. Yes, the custom chip doing the 3D math in Star Fox is an ancestor to the ARC processor secretly and silently controlling your Intel x86 tin.

Details of Intel’s ME have been trickling out into the open over the past few years: Igor Skochinsky gave a great talk in 2014 about it, for instance. The ARC core runs a ThreadX RTOS from SPI flash. It has direct access to the Ethernet controller. These days it is built into the Platform Controller Hub, an Intel microchip that contains various hardware controllers and is connected to the main processors on the motherboard.

AMT is a black box that Intel doesn’t like to talk about too much – although it is partially documented on intel.com – and it freaks out privacy and security conscious people: no one quite knows what it is really doing, and if it can be truly disabled, as it runs so close to the bare metal in computers. On some chip families, you can switch off ME with extreme prejudice by strategically wiping parts of the system flash.

For years now, engineers and infosec types have been warning that, since all code has bugs, at least one remotely exploitable programming blunder must be present in Intel’s AMT software, and the ME running it, and thus there must be a way to fully opt out of it: to buy a chipset with it not present at all, rather than just disabled or disconnected by a hardware fuse. Finding such a bug is like finding a hardwired, unremovable and remotely accessible administrator account, with the username and password ‘hackme’, in Microsoft Windows or Red Hat Enterprise Linux. Except this Intel flaw is in the chipset, running out of reach of your mortal hands, and now we wait for the cure to arrive from the computer manufacturers.
The post Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008 appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/intel-patches-remote-execution-hole-thats-been-hidden-in-its-chips-since-2008/

Apple revoked a legitimate developer certificate used by hackers behind malware dubbed OSX/Dok, which was able to eavesdrop on secure HTTPS traffic of infected systems. On Sunday, Apple also rolled out an update to its XProtect built-in antimalware software to fend off existing and upcoming OSX/Dok-type attacks. OSX/Dok was reported by Check Point last week. According to researchers, an infected system allowed a malicious third party to gain “complete access to all victim communication” including those protected by SSL. Check Point said it’s unclear how many systems may have been impacted by the malware.

Attackers are able to eavesdrop on SSL-protected communication by redirecting a victim’s traffic through a malicious proxy server, explained Ofer Caspi, malware researcher with Check Point, in a blog. “When attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings,” Caspi wrote. “The user traffic is then redirected through a proxy controlled by the attacker, who carries out a man-in-the-middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.”

OSX/Dok was spread via a phishing attack, mostly targeting European users. In an email sent to targets, purportedly from the “Swiss tax office,” was a .zip file (Dokument.zip) that contained a malware bundle signed April 21, 2017 by Seven Muller, called Truesteer.AppStore, Caspi said. Any user who double-clicked the .zip file set off the infection chain, in which the malware copied itself to the /User/Shared folder and executed.
Next, a pop-up message warns that the software bundle was damaged and couldn’t be opened. “If a loginItem (Login Item) named ‘AppStore’ exists, the malware will delete it, and instead add itself as a loginItem, which will persist in the system and execute automatically every time the system reboots, until it finishes installing its payload,” Caspi said. The warning window prompts the victim to enter a password. “The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine,” according to the report.

With that access, the attackers install the package manager brew, which is used to install the further tools Tor and SOCAT. The malware will then change the target’s network settings so that traffic passes through a proxy controlled by the attacker. “The malware will then proceed to install a new root certificate in the victim’s system, which allows the attacker to intercept traffic using a man-in-the-middle (MiTM) attack. By abusing the victim’s new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser,” Caspi wrote.

What makes the malware so unique is that it impacted all versions of OSX and recorded zero detections on VirusTotal (as of last week), researchers said. “(OSX/Dok) is signed with a valid developer certificate (authenticated by Apple), and is the first major scale malware to target OSX users via a coordinated email phishing campaign,” according to the Check Point report. Because the certificates used by the malware were valid, macOS security features such as Gatekeeper recognized OSX/Dok as legitimate. The malware is then free to operate undetected. Check Point theorizes that hackers were able to hijack a valid Apple developer’s certificate.
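The proxy redirection described above leaves a visible trace on the host: an automatic proxy configuration (PAC) URL pointing at a Tor hidden service, and a PAC script that hands every request to an attacker-controlled proxy. The following is an added example, not Check Point's tooling, showing how a responder can parse that setting and flag it. It assumes the two-line output format of macOS `networksetup -getautoproxyurl <service>` ("URL: ..." followed by "Enabled: Yes|No"); the sample output, the .onion hostname and the PAC body are all constructed, and the proxy address uses a documentation range.

```python
"""Flag OSX/Dok-style proxy redirection from macOS auto-proxy settings.

Added example (not Check Point's code). Assumes the two-line
`networksetup -getautoproxyurl` output format; all samples are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed: what a compromised host's auto-proxy setting might look like.
SAMPLE_INFECTED = "URL: http://example0000000000.onion/pac.js\nEnabled: Yes\n"
# Constructed: a host with no automatic proxy configured.
SAMPLE_CLEAN = "URL: (null)\nEnabled: No\n"
# Constructed PAC body: every request goes through one proxy (documentation IP).
SAMPLE_PAC = """function FindProxyForURL(url, host) {
  return "PROXY 198.51.100.23:8080; DIRECT";
}"""

# PAC return directives that route traffic through another host.
PROXY_RE = re.compile(r'\b(?:PROXY|HTTPS|SOCKS5?)\s+([\w.\-]+):(\d+)', re.I)


def parse_autoproxy(output):
    """Return (url, enabled) from `networksetup -getautoproxyurl` output.
    A URL shown as '(null)' means none is configured."""
    url, enabled = None, False
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "url" and value and value != "(null)":
            url = value
        elif key == "enabled":
            enabled = value.lower() == "yes"
    return url, enabled


def pac_proxies(pac_text):
    """Extract every (host, port) a PAC script can route traffic through."""
    return [(host, int(port)) for host, port in PROXY_RE.findall(pac_text)]


def findings(autoproxy_output, pac_text=None, allowed_proxy_hosts=()):
    """Return human-readable findings; an empty list means nothing suspicious.

    Two signals from the article are checked: the PAC itself being fetched
    from a Tor hidden service, and the PAC directing traffic to a proxy that
    is not on the organisation's allow-list.
    """
    out = []
    url, enabled = parse_autoproxy(autoproxy_output)
    if not enabled or not url:
        return out
    host = urlparse(url).hostname or ""
    if host.endswith(".onion"):
        out.append(f"auto-proxy PAC served from a Tor hidden service: {url}")
    elif host not in allowed_proxy_hosts:
        out.append(f"auto-proxy PAC fetched from unapproved host: {host}")
    for phost, pport in pac_proxies(pac_text or ""):
        if phost not in allowed_proxy_hosts:
            out.append(f"PAC routes traffic via unapproved proxy {phost}:{pport}")
    return out


if __name__ == "__main__":
    for label, sample, pac in (("infected", SAMPLE_INFECTED, SAMPLE_PAC),
                               ("clean", SAMPLE_CLEAN, None)):
        print(label, findings(sample, pac) or "no findings")
```

On a real host, feed `findings` the output of `networksetup -getautoproxyurl` for each network service and the fetched PAC body, with the corporate proxy hosts in `allowed_proxy_hosts`; the root certificate the malware adds is a separate check against the System keychain and is not covered here.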
The post Apple Revokes Certificate Used By OSX/Dok Malware appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/apple-revokes-certificate-used-by-osxdok-malware/