What service? Informing of attacks and helping (!) to resolve them? Redmond? Unless they collect info from other reputable sources, that will be just crap. Or have they figured out how to index and search the Dark Web?
Fun never ends!
47 posts • joined 21 Jul 2017
What do people usually say when they find out they were pwned? Oops ... we do not believe it!
With all of China's great reputation for hacking and stealing secrets, what else is needed to stay away from them handling your major resources?
Maybe some influx of Chinese immigrants to keep Merkel happy?
I wonder about the stupidity of both guys caught by Apple security; see the article for how that happened. China is very well known for stealing secrets. So, why hire a guy with a certainly weak background (dad in China, i.e. the family is there) for the secret project when there had already been the same kind of case?
Do not tell me about EOE when we see US East Coast IT departments 100% staffed by guys from India. So, just avoid hiring guys with a questionable background. Or do we not have enough American citizens to do coding? Then why? Would it be better to educate guys here for free than exporting potential spies?
I also see a very bad security level at the Apple secret facility - the guy was able to copy from the network (!) to his personal storage (!). Why do they permit storing secret files on personal computers? Does the Apple network not work?
It seems to me that Apple fits the case of "security by obscurity". They are building a Maginot Line to defend while not-so-stupid guys can always go around it.
I'm not in London, I'm in THE US. And frankly, I do not understand people's concern, maybe with the exception of wasting tax money. All your faces are in ID/passport etc. systems. All your faces have been captured on various security cameras, recorded, saved and kept for a long time. So, what is your "privacy" concern over guys playing with a hi-tech toy with a low level of success? Liberty and overall liberals' politically motivated speculations when nothing wrong happened and will not? Anybody detained, behind bars?
As I always said as a CISSP - do not expect any privacy when you are in a public space, do not use the Internet if you are worried about your freedom rights, do not encrypt email as it is useless. Only people who have something to hide should worry about stupid hi-tech toys. Ask the guys for your picture and have fun!
BMC actually is not "baseband management controller" but Baseboard Management Controller. And alterations of the management system in BMC flash memory have a long and great history. You guys can take a look back to 2008 when a Russian guy found a hidden hypervisor in Intel motherboards. If you do not read Russian, see the site www.rubos.com for both Russian and English. The people who think it is minor stuff can possibly change their mindset. See also the articles on malicious hypervisors there. Have fun!
Another inconsistency in this article is that to change management software one needs root access. Actually not. Root is about the "ring 0" level. And root belongs to the OS. System management software is ring -2, and that is two levels down from root. It is really funny that people do not know that such embedded software CANNOT be identified from the OS level using any currently available security means. Sorry, it is ring -2.
Technically speaking, Huawei equipment installed in a country's Internet infrastructure seems to be controlled by local specialists and not by guys from China. Not entirely correct. The updates of Huawei equipment will come from China. It means the UK guys are wasting time checking the code. They are checking the "public" version. An update to a new "private" version may easily bring as many backdoors as the Chinese government wants.
People who did not read about world and particularly China history do not understand the Chinese mindset. For the last 5000 years it was the country of slaves; I would use "robots" as it is much closer. It was always the upper not even class but a group of governing people. Not the Emperor but his closest circle always ruled the country. Nothing changed. The CH government, while presenting as "modern communists", is actually the same junta as before, 5000 years back. And the current purpose is to dominate the world. They have 1,500,000,000 people, they have a lot of cash, and they sent millions of young people to study in the best Western universities. US universities of the best quality are occupied by Chinese. The idea is very simple - we have money, we have the #1 industry, we want to be the technical and thus real leader of the world. The problem still exists - by genes, Chinese guys cannot think as freely as the Western race. China still needs inventions, trade secrets - in general - ideas. Millions of slaves can do manufacturing but cannot do ideas. So, millions of youngsters in the US and other Western countries is the attempt to create a class of Western-thinking technology leaders.
Until they overcome their nature, they will need backdoors and other hacks in China Made equipment.
You are right. But people on this list have no clue about China, Russia, etc. They live by "all people united". Left or liberal, they follow the song "Imagine all the people...". Any company in China, by definition, is under government control. If the CH government wants Huawei to implant a back door, the company will.
Guys, take some time to read about the history of communist countries, the USSR and China (which was created with the USSR's direct help). China was 5000 years back an empire, and it is an empire governed by modified communists. The entire world of capitalism helped to grow it into a technically modern country. That changed nothing in the CH junta mindset. They want to be #1 and control you guys. You think about the US as if it is an "empire". Not really. Simply the US is the state trying to protect you from such things as 1,500,000,000 robots controlled by a dozen maniacs.
Fix your ignorance, read books (put down your mobile sucker for a couple of years) and you will find out that things are much, much more complex than you can imagine. And travel to CH to see things for yourself.
You write: "I would have expected Bloomberg to have produced some physical evidence - even a single demonstrably hacked motherboard"
So, do you really expect that such evidence can be found? All that was altered has been destroyed. It was not in Apple's or Amazon's or Super Micro's interest to keep any evidence for investigation.
It is really funny - has anybody tried to follow the link in the article likely pointing to a report from an independent company? It goes to the Super Micro site saying that there was a company and a report. Super Micro DOES NOT provide a link or a document or disclose the name of the company. So, what are you talking about? What did SM prove, as we cannot see it published?
Nobody mentioned in the original article really wants an INDEPENDENT PUBLIC investigation. It is all a cover-up. Too much money and reputation, i.e. money, involved.
So far Super Micro does bla-bla-bla and has no proof that Bloomberg was incorrect.
Good point but it will not help. Even if the site he probably used says "Click that you are at least 17/18", it is the person's responsibility to somehow figure out the age. Otherwise it is his/her fault. Like not knowing the law ...
Whatever he is and whatever he did, it is a really bad situation when US agencies are against you. Options are really limited.
My finding after a lot of thinking and re-thinking is: the underlying basic human instinct is not Aggression but Ignorance. How is it related to the matter in question? Ignorance in code development triggers Linus' aggression. Simple as that. No need to consult any doctor or analyst. But he definitely needs some rest. Better where there are no people but sharks. Easier to deal with.
Agree. There are A LOT OF MEANS of checking code before sending it as a patch. So, sending crap is simply ignorance and a waste of other people's valuable time. Read this humor/anecdote below:
A doctor looks at a contractor's head in the emergency room covered with blood. Doctor: What happened, man? Contractor: Well, John dropped his hammer on my head from the roof. Doctor: What did you say? Contractor: I said - You are not entirely right, John!
Do we expect Torvalds' comment on crap like that? As the center point of a HUGE development effort, how much crap does he get for each release?
Mr. Torvalds, you do not need help. You were 90% right. Maybe you've been a bit over. But I would not blame a person who gets a dozen hammers on his head daily!
There are no fanatics. Either idiots or the Redmond C-team on the payroll.
The xNIX platform proved much, much better in everything. I bet M$ will slide into a Linux based system after W10, like Mac OS is based on BSD. W10 and other server versions cannot be better because they reached the summit entropy point. After that it is simple chaos and system degradation. That is what we see in failing patches and updates. After 25 years of attempts to make such a process stable.
After 25 years of dominating the IT OS market, Redmond crap is going to die as an OS. 25 years wasted and thousands of strokes and heart attacks.
I remember the W95 presentation and advertising clip. Completely stupid and idiotic. With Bill of Redmond as the star. Behaving correspondingly. That was the label for all Windows OS versions I have used since then.
An auto patching system may fail. I've seen that. In particular funny (sorry) was that I explained to the IT director that vulnerability scanning is the standard way to check if patching works. He was not an idiot but ... So, when they hired an IT boss on top of him and we resumed scanning, we found that 30% of computers were not patched while the system reported they were. Then a virus outbreak happened on top of multiple vulnerabilities.
So, the patching we discuss here IS NOT THE GOAL. It should always be followed by Vulnerability Scanning.
Is it possible to do within a month? Very hard. Almost impossible considering complex IT systems. The only success story was when I did VM for a Navy installation of 4,000 computers ten years back. Somehow the IT guys managed to patch and I was able to do my scanning. Since then I see only sad stories.
The chaotic result we have now was created by IT giants rushing for profit no matter what.
They created the environment of an "IT jungle" where we - the food for predators, and them, aka "hackers" - will coexist forever. The only way to limit your risks is to limit your Internet connections. Pack your bag, forget your computer and go South. Bingo.
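The check the posts above describe (an independent vulnerability scan compared against what the patch system reports) as an added Python example; this is not the poster's code or any patch-management or scanner product's output. Host names, patch IDs and both exports are constructed sample data, and the CSV layouts are assumed, not those of any real tool.

```python
"""
Reconcile a patch-management report against vulnerability-scan findings.

Point of the post: the patch system's own "installed" status is a claim,
not evidence. The scanner is the check. This script flags hosts that the
patch console reports as patched but the scanner still finds vulnerable,
and separately reports hosts the scanner never reached (a coverage gap,
not a clean result).

All data below is CONSTRUCTED sample input; host names and patch IDs
(PATCH-001 etc.) are placeholders, not real identifiers.
"""
import csv
import io

# Constructed export from a patch-management console: host, patch id, status
PATCH_REPORT = """\
host,patch_id,status
ws-01,PATCH-001,installed
ws-01,PATCH-002,installed
ws-02,PATCH-001,installed
ws-02,PATCH-002,pending
ws-03,PATCH-001,installed
srv-01,PATCH-001,installed
srv-01,PATCH-002,installed
srv-02,PATCH-001,installed
"""

# Constructed scanner export: one row per host per patch the scanner
# still sees as missing (i.e. the vulnerability it fixes is present).
SCAN_FINDINGS = """\
host,missing_patch,severity
ws-01,PATCH-002,high
ws-03,PATCH-001,critical
srv-01,PATCH-001,high
ws-02,PATCH-002,high
"""

# Constructed list of hosts the scanner actually reached. A host absent
# from SCAN_FINDINGS is only "clean" if it is in this set.
SCANNED_HOSTS = {"ws-01", "ws-02", "ws-03", "srv-01"}


def parse_patch_report(text):
    """Return {host: {patch_id: status}} from the patch console export."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        report.setdefault(row["host"], {})[row["patch_id"]] = row["status"]
    return report


def parse_scan_findings(text):
    """Return {host: {missing_patch: severity}} from the scanner export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings.setdefault(row["host"], {})[row["missing_patch"]] = row["severity"]
    return findings


def reconcile(patch_text, scan_text, scanned_hosts):
    """Compare both sources.

    Returns (discrepancies, unscanned): discrepancies is a sorted list of
    (host, patch_id, severity) where the console says 'installed' but the
    scanner still finds the patch missing; unscanned is the sorted list of
    hosts in the patch report that the scanner never reached.
    """
    report = parse_patch_report(patch_text)
    findings = parse_scan_findings(scan_text)
    discrepancies = []
    for host, patches in report.items():
        if host not in scanned_hosts:
            continue  # no scan evidence either way; listed under 'unscanned'
        for patch_id, status in patches.items():
            if status == "installed" and patch_id in findings.get(host, {}):
                discrepancies.append((host, patch_id, findings[host][patch_id]))
    unscanned = sorted(set(report) - scanned_hosts)
    return sorted(discrepancies), unscanned


def false_patched_rate(discrepancies, patch_text, scanned_hosts):
    """Share of scanned hosts that are reported patched yet still vulnerable."""
    scanned = set(parse_patch_report(patch_text)) & scanned_hosts
    bad_hosts = {host for host, _, _ in discrepancies}
    return len(bad_hosts) / len(scanned) if scanned else 0.0


if __name__ == "__main__":
    disc, gaps = reconcile(PATCH_REPORT, SCAN_FINDINGS, SCANNED_HOSTS)
    for host, patch_id, sev in disc:
        print(f"{host}: console says {patch_id} installed, scanner finds it missing ({sev})")
    print("hosts never scanned:", gaps)
    rate = false_patched_rate(disc, PATCH_REPORT, SCANNED_HOSTS)
    print(f"scanned hosts reported patched but vulnerable: {rate:.0%}")
```

A pending patch that the scanner also finds missing (ws-02 above) is consistent and is not flagged; the interesting rows are the ones where the two sources disagree. The rate is computed only over hosts the scanner reached, so an unscanned host cannot make the numbers look better.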
This vector has been known publicly since 2011 when a Russian scientist published a paper (originally in Russian) that Intel motherboards' BMCs have a malicious hypervisor embedded. Plus, guys at Michigan University had research on that matter published in 2012. So, for all about that see our papers and presentations on www.rubos.com
Sorry, too much to repeat all that we published. Enjoy the NEWS of 2011 - 2012 at the Rubos, Inc. site!
Well, there was University of Michigan research around 2012 about problems with system management software, and a Russian scientist found a spyware hypervisor in Intel motherboards' BMC around 2008, and we talked about all this stuff twice at DeepSec 2014 and 2016... So, why is it NEWS? People, search the Inet for news and read what was published. Well, see all related research and presentations at www.rubos.com
Enjoy the article about the malicious hypervisor embedded in Intel motherboards, in English. Nobody knows that Intel has spyware in its management software, or at least had?
So, the guys want to be in the bad news again. They created a buzz after being caught collecting and sending user info to the Russian FSB and the following US government embargo on their use. That damaged their reputation and others are following the US government, or at least thinking about it. Instead of paying something even if not legally obligated, they want the K-name to be in discussion again. However, the IT/Security world is not Hollywood. A bad reputation is a really bad thing.
I would suggest researchers sell Kaspersky-related bugs on the open market as the K-guys are really cheap and in bad financial shape. Or their PR is as stupid as it gets.
I understand Oracle's concern. A piece of a big pie is worth trying for.
I am impressed that the Pentagon is going to trust the cloud while it has been proved that clouds are less secure than traditional local enterprise infrastructure.
However, the story's background is different from the public one. Such huge money usually appears on the play table when one of a few high-ranking generals is going to retire. Somehow it happens that they finally land in companies which were awarded contracts. After a few months of the legally required waiting period.
I've seen such a story myself when the US Navy decided to build the useless Navy and Marine Corps Intranet and a few billions went to IT companies. Participating admirals finally moved into IT companies' chairs.
The same happened with Vivek Kundra, who was Obama's federal CIO and ended up in Salesforce, which got 50 millions. After hiding in a Harvard hole for six months.
Well, two important topics are forgotten:
- Kaspersky himself had and has friends in the FSB. It means he will do what they ask for
- They did not promise to stop sending information from user computers to Kaspersky data center(s), which, wherever it/they is/are or will be, will send info to Moscow. Where it will be available to Mr. K's FSB friends. The same way they grabbed NSA info from the stupid NSA contractor facing bars. Running on government computers they will collect confidential info and send it ... I really do not care about my "personal" info. I simply know that "privacy" is good to believe in but does not exist anymore. But I think any government info should not be widely available. Mr K lovers can download and use Kaspersky company software.
As soon as the company moves its headquarters to the EU, and development as well, and Mr K steps down, the problem will dissolve. But that won't happen simply because they use the company as an FSB helper.
You people are so naive! Not actually understanding any aspect of security, business and the Russian government FSB/KGB. First of all, The Lab is not moving its headquarters from Russia nor its sw development. Kaspersky himself was educated at the KGB academy, while not in field operations but computer security. He had and has connections in the FSB. Moreover - personal friends. Do you think having a data center in Switzerland will prevent silently dumping user data to the RF FSB? Until the Putin = FSB couple exists, do not even think of using ANY computer product Made In RF. Read more about USSR and then Russian activities to spread their ideology and influence around the globe. And think about whether you can trust Lenovo notebooks with China-made firmware. Same stuff as Kaspersky.
I agree. As Dr. Freud once and a while ago mentioned, the basic human instinct is "aggression". However, my ten cents to psychology - the basic instinct is "ignorance" and its child is "aggression". We ignore almost everything and will be aggressive until the end of this civilization. The arms race will never stop while humanoids exist on this planet. So, activists against war and warfare may need to wait until the next civilization comes in ... After all, there are still 1.5 billion commies on this planet (as the result of ignorance) and such states as Russia and China will use AI in any form to get a warfare advantage. Open your eyes and see the imperfect world you live in.
It boils down to the fact that all the so-named experts know basically nothing about what they are talking about and, plus, did not try to do any estimate on any matter. For instance, the status of WOMD in 2040 when nuclear powers such as the US and Russia rush into a small-caliber arms race. What about computer power and the capability of whatever the military wants to simulate? What exactly can AI do and what can it not concerning complex scenarios? Basically, it is bla-bla-bla research with a simple outcome - something may happen in 2040. Well, why 2040 but not 2030 or 2050? The guys seem to retire in a different world in 2040, by their estimate, and thus nobody will blame them for screwed predictions.
Let the EU do its own domains and the rest of the world will stick with the US. So far only EU rulers objected to the current system on the grounds of their own regulation. So, keep your regulation for yourself (EU) and do not disturb other people who are OK with the current system.
One cannot overcome a few people who think they are smart but were not smart enough to understand how what they invented will work. I mean GDPR and the EU Commission. EU Commies are sitting on their chairs and feeling they are gods on Olympus. They expect everybody across the EU and around the world will become compliant. Did they issue any recommendations on how to do that in the form of a framework? No, they did not. But I DID. In 2012 when it was the draft. It is a very complex implementation and 99% still have no clue that it is not about security controls but mostly about privacy controls. Very different story.
So, shortly - one story is to write the regulation. A completely different story is to implement it. Guys, please come down to us from your EU Olympus and explain how to implement what you've invented.
That is a shame!!! Not AMD, because bugs are bugs and there is a process to fix them. At the company's expense. What CTS-Labs did was "good piracy" and my suggestion is to do what normal people do with ANY pirate - hang them! They are not about security, they are about money and getting it in the most dirty way. In InfoSec world terms. I would suggest NOT dealing with the company, otherwise one day your own hands will get dirty as well. Or they trade you for yet more money.
But they are not only greedy but also stupid! They expected AMD stock to react to their "news". Well, the case of Meltdown etc. shows that the reaction is minimal if at all. Investors use different criteria and judge by different information.
Frankly, I've been in InfoSec since 2003 and do not remember such misconduct in a vulnerability announcement. Maybe they need PR themselves? But that is not about Information Security. That works in Hollywood.
I commented on a few posts. Now here are my 10 cents.
There was never a time when US government agencies had good security. Maybe the CIA and NSA. But others, including DoD, are affected by internal politics. IT never wanted independent security management. However, a CIO will never be a good CSO, first of all because there is ONE budget for everything. Only at the end of 2016 did OMB get a Director of Security, who still reports to the Federal CIO. The worst case was Obama's rule. His first CIO nearly escaped jail right at the beginning of his job. But having absolutely no knowledge or experience in security, this guy Vivek Kundra initiated, with Obama's blessing, the federal "Cloud First" program. He had no clue about cloud security, NIST had no related documents and neither did anybody in the government, but they started, and started with moving NASA into the "cloud". NASA got an OIG assessment in the same way as DHS and it found a disastrous situation.
So, what should we expect from the US government concerning security when they do not have an independent leader even in perspective? A couple of years ago the US government estimated that they need 30,000 REAL security professionals. Where could they get them? Inside DC borders? There are no security pros living in DC ... Come and see.
We simply do not have complete information concerning the audit. They may have audited just a part of the entire department.
Concerning the number - the US government rule is "fix ALL new vulnerabilities within a month or less and report ALL which cannot be fixed". So, it should be "0" by US government rules. Also please consider who lives within DC and works for the government. Got it? People with adequate security experience do not exist within DC borders. The government a couple of years back estimated that it needs 30,000 security professionals.
You are right. Chaos is the security status, including in the US. I worked for a company which required HIPAA compliance. They never were, despite my best efforts. They reported to DHHS that they were compliant every year, basically giving false statements. The best compliance level was when I finally left - around 15%. The reason - I was the only one who understood what security means, and was reporting to a long line of IT management. They simply ignored whatever I said or did exactly what I recommended not to do.
Not exactly right. I worked for the US government for a total of around 7 years starting around 2003. And it was ALWAYS like that. The most devastating in security were Obama's initiatives. First - the misunderstanding that InfoSec is not IT. In general the government does not have a separate line of security management reporting to upper management. For instance, for a long time there was the Federal CIO position and there was NO position of a security manager. At the end of 2016 (!) they finally got something like a Director, but reporting to the Federal CIO. It means security does not have its own budget and does not hire by its own understanding of who they need.
Just to add my ten cents to the public opinion that the proposed law is completely stupid and the result of incompetence. As a CISSP and PhD I can say that people are right. It is a stupid law. My POV is that it will not improve security at all. The State of Georgia Cyber Security Task Force (I do not think it exists) will not be able to identify who exactly is trying to access a computer residing in this state. The FBI will not. They are not stupid enough to help this state in such a useless activity. Needless to say, the most serious penetrations that happened came from spam. Wanna try to catch spammers? You'll probably get a bot sitting in one of the G-senators' computers. Then jail this guy who actually was voting for this fake law.
After twenty years of such spam history people still click ... Most of the US population knows that the FBI either sends a letter, or calls, or knocks on the door ... Never sends emails. That is applicable to other US government agencies. I would name such "clicking" as "statistically existing ignorance". Very likely it will exist forever to feed various malicious activity.
By what I've read, AMD does not need the Meltdown patch as it has only the Spectre problem. That does not help victims of the just freshly baked hot-fix but maybe answers what the root reason for crashing computers is. M$ puts crap and honey in one barrel and guess what the result is ...
You both guys are known; at least I've read all your security-related articles posted on your site and available on the Inet as well. Highly appreciated. I use them for references. However, I neither support people who question others' knowledge and background nor "others" trying to claim their land. That is basically not polite and useless.
Concerning the concept in question, the discussion around it shows its questionable matter. Whatever is between black and white is grey. Too wide to discuss and useless as well. Everybody knows about these colors and shades. There is only one way (from my personal experience) to prove land ownership - make clear what was before you said the word and what is after. Show the difference. If possible, do that in math. At least try that. If you succeeded, you won; if not, then the matter is possibly obvious. Takes time but clarifies a lot. All my due respect. Mikhail Utin, CISSP, PhD.
Here is another part of the story concerning the US "cloudization" program Cloud First. They finally got MS Dynamics serving various US government agencies including defense. Whether this flaw in question affects the US government actually does matter. The cloud was and is and will be the resource for such flaws simply because it is a shared environment.
Another piece of info for cloud lovers - the US government requires two-factor authentication, which Dynamics does not provide, at least they do not mention that in particular. Once I found a CIA guy's post on a LinkedIn security group. The guy was proud that the agency works in the cloud now ... Errrrr... Good luck spooky boy!!
They say FREEDOM and mean the freedom of making money. They say SECURITY and mean the security of corporate income. Unfortunately, our civilization is governed by IT giants, and that will bring it to collapse. Many thanks to Stephen King for his Cell novel and detailed description of our future.
Once, working on a US government project, I found that the MS Dynamics for Government cloud service does not have two-factor authentication, which was a government requirement. The project went on anyway. Deloitte also used MS stuff and very likely was not able to secure it by two-factor as it does not exist in the MS set of cloud security. You get what you get.
How can we talk about any compliance with either UK law or GDPR IF there is no tool on the market which would discover malicious hypervisor(s) planted in your system? Does the majority of security pros still consider a rootkit hypervisor, i.e. malicious hypervisor, as a fake object thus not doing anything bad? Does not exist at all? Never saw it walking around? However, the key words are "hidden from any malware discovery tool". Not expected to be seen though ...
Intel TXT, AMD's similar stuff and now Google. However, what they promote, and even in metal, is just a promise, not a TESTED solution. Has anybody seen these big guys ever mention any testing against a rootkit hypervisor/malicious hypervisor?
Yes, correct, whatever is in their firmware is a BIG question. Russians found a hypervisor acting from Intel BMC BIOS management software, actually working as a nested hypervisor with the user's own hypervisor. That happened around 2008 ... Intel never commented on that. How many such hypervisors for silent collection of all and any information from the system management level have been installed around the globe?
System management software is always claimed by vendors (Intel, AMD, etc.) as proprietary and they are not going to release the code. But we all depend on its quality and what they EMBEDDED in it. Can we trust the guys? I do not think so. System management software should be publicly disclosed.
There is one problem across the world and in cloud centers in particular - compliance. Besides all other regulations, they are not compliant with GDPR by definition. There is the Malicious Hypervisor threat and the possibility that such software has been silently installed in an unknown number of computers. Unknown because there is NO malicious hypervisor identification software on the market yet. We simply know nothing about which computer has it.
Biting the hand that feeds IT © 1998–2019