News Posts matching "Security"

Return to Keyword Browsing

Intel Announces Root Cause of Meltdown, Spectre Patch Reboot Issue Identified

Intel has finally come around towards reporting on the state of the reboot issues that have been plaguing Intel systems ever since the company started rolling out patches to customers. These patches, which aimed to mitigate security vulnerabilities present in Intel's chips, ended up causing a whole slew of other problems for Intel CPU deployment managers. As a result of Intel's investigation, the company has ascertained that there were, in fact, problems with the patch implementation, and is now changing its guidelines: where before users were encouraged to apply any issued updates as soon as possible, the company now states that "OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior." A full transcription of the Intel press release follows.

AMD Is Served: Class Action Lawsuit Launched Over Spectre Vulnerabilities

Despite the grunt of the media's attention and overall customer rage having been thrown largely at Intel, AMD hasn't moved past the Spectre/Meltdown well, meltdown, unscathed. News has surfaced that at least two law firms have announced their intention of filing a class action lawsuit against AMD, accusing the company of not having disclosed their products' Spectre vulnerability, despite knowledge of said vulnerabilities.

AMD stated loud and clear that their processors weren't affected by the Meltdown flaw. However, regarding Spectre, AMD's terms weren't as clear cut. The company stated that its CPUs were vulnerable to the Spectre 1 flaw (patchable at a OS level), but said that vulnerability to Spectre 2's variant had "near-zero risk of exploitation". At the same time, the company also said that "GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors", adding that "While we believe that AMD's processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat.

AMD Confirms They are Affected by Spectre, too

The public disclosure on January 3rd that multiple research teams had discovered security issues related to how modern microprocessors handle speculative execution has brought to the forefront the constant vigilance needed to protect and secure data. These threats seek to circumvent the microprocessor architecture controls that preserve secure data.

At AMD, security is our top priority and we are continually working to ensure the safety of our users as new risks arise. As a part of that vigilance, I wanted to update the community on our actions to address the situation.

Intel AMT Security Issue Lets Attackers Bypass Login Credentials

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel's Active Management Technology (AMT) and potentially affects millions of laptops globally.

The security issue "is almost deceptively simple to exploit, but it has incredible destructive potential," said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."

Google, ARM, Microsoft Issue Statements Regarding Discovered Security Flaws

After Intel and AMD's differing statements on the same issue, now is the time for Google, ARM, and Microsoft to release statements regarding the recently discovered (and still in the spotlight) security flaws that impact almost all Intel CPUs from the last decade. Google is the company that originally alerted Intel to the existence of the security vulnerabilities, and mentioned some reservations regarding AMD and ARM's immunity as well. Microsoft, as the maker of the world's most recognized and widely-used OS, has also issued a statement. The ARM statement follows, with both Google and Microsoft's statements transcribed after the break.

ARM
This method requires malware running locally and could result in data being accessed from privileged memory. Our Cortex-M processors, which are pervasive in low-power, connected IoT devices, are not impacted.

GIGABYTE Outs Security Measures Against Intel ME and TXE Vulnerabilities

GIGABYTE TECHNOLOGY, a leading manufacturer of motherboards and graphics cards, has implemented safety measures aligned with Intel's response to the Intel Management Engine (ME) and Intel Trusted Execution Engine (TXE) security vulnerabilities, so customers can be reassured their motherboards are fully protected. For all customers who have purchased GIGABYTE motherboards for Intel platforms, please visit the official website to download the latest BIOS versions as well as ME and TXE drivers.

The updates for the motherboards will be released starting with the Z370, 200 series and then previous generation motherboards. For more information on the Intel ME and TXE security vulnerabilities, please visit this page. GIGABYTE is committed to ensuring the quality and service of our motherboards. Any issues that affect the user's experience with our products will be addressed with the utmost concern.

MSI Intros TXE 3.0 Security Update for Intel 100, 200, and 300-series Chipset

In order to avoid severe security vulnerabilities for the platforms, MSI motherboards now support the latest Intel Trusted Execution Engine (TXE) 3.0 for safer system protection. According to recent Intel comprehensive security review, security vulnerabilities are identified and could potentially allow attackers to gain unauthorized access to platforms features, secrets and 3rd party secrets protected by Intel TXE. Therefore, Intel has validated and released Intel TXE 3.0 updates to address the encountered security situations.

Currently all MSI 100,200 and 300 series motherboards are supporting the newest Intel TXE 3.0 by updating to the latest BIOS and installing the latest software updates. MSI always places strong emphasis on security and anti-hack issues to makes sure all MSI motherboard users are operating under the most secure circumstances. MSI will continue to provide additional updates if necessary to ensure maximum platform security protection for users.

Taking Hold of Your Signal - Critical Flaw Discovered in WPA2 Wi-Fi Security

Researchers have recently discovered a critical flaw that affects all WPA2 protected Wi-Fi devices. This can't be remedied solely by user intervention, or password changes, or even by the usage of HTTPS website; this is a flaw with the core of WPA's protection scheme, and means that an attacker could intercept every single traffic data point that your device sends over Wi-Fi, including passwords, credit card details, images - the whole treasure trove. Adding insult to injury, it's even possible for attackers using this method to inject malware into your devices. The new attack method - dubbed KRACK for Key Reinstallation Attack - basically forces your device's encryption code to default to a known, plain-text all-zero decryption key, which is trivial for hackers to reuse.

Adding to the paranoia, this is basically a device and software-agnostic attack - it's effective against devices running Android, Linux, and OpenBSD, and to a lesser extent macOS and Windows, as well as MediaTek Linksys, and other types of devices. HTTPS isn't the best solution either, simply because some website's implementation of it isn't the best, and there are scripts (such as SSLScript) that can force a website to downgrade its connection to a simple HTTP link - which can then be infiltrated by the attacker.

AMD Confirms its Platform Security Processor Code will Remain Closed-Source

Since the launch of AMD Ryzen, a small piece of hardware that handles basic memory initialization as well as many security functions has been the center of some controversy. Called the Platform Security Processor (the "PSP" for short) it is essentially an arm core with complete access to the entire system. Its actions can be considered "above root" level and are for the most part invisible to the OS. It is similar in this regard to Intel's Management Engine, but is in some ways even more powerful.

Why is this a bad thing? Well, let's play a theoretical. What happens if a bug is discovered in the PSP, and malware takes control of it? How would you remove it (Answer: you couldn't). How would you know you needed to remove it? (answer, unless it made itself obvious, you also wouldn't). This scenario is obviously not a good one, and is a concern for many who asked AMD to open-source the PSPs code for general community auditing.

Samba at Risk from Wormable Bug Similar to WannaCry: Present on Many NAS boxes

Samba, the open source implementation of the Windows CIFS file sharing protocol found on Linux and many home NAS-systems, now has its own version of a "WannaCry" grade bug ready to cause users grief. Like WannaCry, Sambas bug enables remote code execution and is totally wormable. Unlike WannaCry however, it does require write access to the SMB share, limiting it's effect unless you run an unauthenticated share on the internet.

So why is this newsworthy at all? It is of course newsworthy in its own right because of bad security practices that run rampant in our industry, I would argue, but that's not really why I posted this, I will confess. Yes, I'm trying to make a point again with that blunt instrument we call "editorial." I do apologize for the inconvenience (not really).

US House of Representatives Confirms Senate's Privacy Stance on ISPs

Only yesterday, the United States' House of Representatives carried the US Senate's joint resolution to eliminate broadband privacy rules. These rules, which are now seemingly on their way to political oblivion, would have required ISPs to get consumers' explicit consent before selling or sharing Web browsing data and other private information with advertisers and other companies. Much like last week's Senate joint resolution, the House's voting fell mainly along partisan lines (215 for, 205 against, with 15 Republican and 190 Democratic representatives voting against the repeal) to scrap the proposed FCC rules.

President Trump's desk (and the President himself) are now all that stand before the ISP's ability to collect geo-location data, financial and health information, children's information, Social Security numbers, Web browsing history, app usage history, and the content of communications - information that gives the most unthinkable leeway in understanding your daily habits. However, President Trump's administration have issued a statement whereas they "strongly support House passage of S.J.Res. 34, which would nullify the Federal Communications Commission's final rule titled "Protecting the Privacy of Customers of Broadband and Other Telecommunication Services".

Invading Subscriber Privacy - Senate Says ISPs Can Now Sell Your Data

The US Senate on Thursday passed a joint resolution to eliminate broadband privacy rules that would have required ISPs to get consumers' explicit consent before selling or sharing Web browsing data and other private information with advertisers and other companies. This win was pulled by a hair - 48 Nay against 50 Yea - and went entirely through party lines, with Republicans voting Yea, and the Democrats voting Nay. The effects won't be immediate, mind you - the measure will have to pass the House and then be signed by President Donald Trump before it can become law.

AMD's ZEN to Implement Advanced Security Features not found in Intel's solutions

Thanks to AMD's incorporation of an ARM-based "AMD Secure Processor" in their upcoming ZEN micro-architecture, the company is poised to offer something competitor Intel's microprocessors yet don't: memory encryption. This processor, and its underlying technologies, could prove to be a stepping-stone for AMD towards regaining lost server market share. Essentially, because in a market ever more steered by cloud computing considerations, it allows for the client's data to be encrypted at every moment of the work chain. Assuming all works as intended, for the first time not even cloud providers, with either hypervisor-level privileges or even physical access to the servers, will be able to carry out any malicious actions against their clients.

One only has to consider the writing on the wall: Morgan Stanley predicts that by 2018, 30% of Microsoft's revenue will stem from its cloud services; Amazon Web Services (AWS) generated $7.88B in revenue on Q4 2015, up 69% over 2014; and worldwide spending on public cloud services by itself will grow from $70B in 2015 to an estimated $141B in 2019. Cloud computing is here to stay, and with security being as important as it is for some businesses, this is an important area of investment for AMD. This "AMD Secure Processor" will work on essentially two fronts: SME (Secure Memory Encryption) and SEV (Secure Encrypted Virtualization), backed by an hardware-based SHA (Secure Hash Algorithm).

Microsoft to Release Nine Security Updates Next Week

With only a few more days until this month's Patch Tuesday Micrsosoft took to the web to announce that it plans to roll out no less than nine updates - two rated 'Critical' and seven rated 'Important'. The upcoming patches address vulnerabilities found in Windows, Office, Microsoft Server Software, SQL Server, .NET, and Internet Explorer.

The August updates are scheduled to be made available this Tuesday, August 12, at 10 AM PDT. For more info check out the advance notification published here.

Microsoft To Roll Out Six Security Updates Next Week

Microsoft Corp. has just announced its plans for this month's Patch Tuesday and they include the release of six updates - two rated 'Critical', three rated 'Important' and one rated 'Moderate'. The upcoming updates target vulnerabilities found in Windows operating systems, in Internet Explorer and in Microsoft Server Software.

The six patches will be made available this coming Tuesday, July 8, 2014, at about 10:00 am PDT. The bulletin advance notification for this month's releases can be found here.

Eurocom Ships Complete Line of Mobile Workstations with TPM Hardware Encryption

Eurocom is providing a complete line of 15.6" to 17.3" high performance, fully upgradeable Mobile Workstations equipped with NVIDIA Quadro K5100M to K1100M graphics and Trusted Platform Modules to secure the systems and their intellectual property from unauthorized access.

At Eurocom we take security very seriously, implanting several systems with three security layers, one being the Kensington Lock Slot which prevents physical theft of the computer system, one being the TPM module to protect certificate private keys and the other being the biometric finger print reader to lock down access to the computer to only authorized individuals.

Microsoft To Roll Out Seven Security Updates Next Week

The first Patch Tuesday of Summer '14 is coming up and it will see Microsoft release seven updates - two bearing a 'Critical' rating and five rated 'Important'. The incoming patches target vulnerabilities found in Windows (Vista, 7, 8/8.1, Server 2003, Server 2008 and Server 2012), Internet Explorer (6 to 11), Office (2007, 2010) and Lync (2010, 2013).

Microsoft's software updates will be made available Tuesday, June 10th at about 10:00 AM PDT. The Advance Notification for this month's patches can be found here.

Apacer Unveiling New SSD Data Security Technologies at Computex 2014

The world-leading industrial SSD manufacturer, Apacer,presents a mass of SSD data security protection technologies at COMPUTEX TAIPEI 2014, which upgrades SSD value-added technology - once again. To achieve comprehensive secure data storage, Apacer drives the evolution of the original CoreSecurity technology and launches Boot Protect security function with strengthened protection management, which can be activated immediately by the UrKey, a USB-based 2 way dongle for data protection.

Furthermore, the seamless wide-temp waterproof industrial SSDs, groundbreaking MLC-mix technology enabling combination with MLC chips and PCIe Adapters will all be unveiled at this exhibition, innovating SSD applications.

Four Microsoft Security Updates Coming Next Week

This month's Patch Tuesday (the last one for Windows XP and Office 2003) will see Microsoft roll out four fresh security updates, two rated Critical and two rated Important, targeting remote code execution vulnerabilities found in Windows, Office and Internet Explorer. One of the updates is set to resolve a Word bug that was made public last week (on March 24th) and is known to have been exploited in 'limited, targeted attacks directed at Microsoft Word 2010'.

The April patches will be made available next week on April 8th, at about 10:00 a.m. PDT. For a bit more info check out the Advance Notification published here.

Microsoft Readies Five Patches for Next Week

This coming Tuesday Redmond-based Microsoft Corp. is planning to make available five fresh security updates - two with a 'Critical' rating and three tagged 'Important'. The incoming parches are set to address bugs found in Windows, Internet Explorer and Silverlight.

One of the Critical updates will fix an Internet Explorer issue that has already been acknowledged and was exploited in a 'limited number of attacks'. Additional information about Tuesday's releases can be found in the Security Bulletin Advance Notification published here.

Microsoft to Roll Out Four Security Updates Next Week

The first Patch Tuesday of 2014 is less than a week away and it will see Microsoft deliver four updates, all rated 'Important', that tackle vulnerabilities found in Windows, Office, and Dynamics AX.

One of the updates is set to resolve a previously-acknowledged elevation of privilege vulnerability that affects Windows XP and Windows Server 2003 and has already seen limited, targeted attacks. The patches will become available this coming Tuesday, January 14, at about 10:00 AM PST.

For a bit more info check out the Advance Notification found here.

Samsung Announces 840 EVO SSD with Enhanced Security Solution

Samsung Electronics America, Inc. today announced a new advanced security solution for the 840 EVO SSD, Samsung's SSD Self-Encrypting Drive (SED), compatible with professional security software.

The new data security enhancements are now shipping on the recently announced Samsung 840 EVO mSATA drive and can be enabled through a firmware update for the 840 EVO SSD SATA drive, launched last August. The new features are designed to meet security requirements for enterprise applications and are compliant with TCG Opal and IEEE 1667 standards.

Microsoft Releasing 11 Patches Next Week

The last Patch Tuesday of 2013 is closing in fast and, as revealed today, it will see Microsoft deliver no less than eleven updates - five rated 'Critical' and six rated 'Important'. The upcoming patches target vulnerabilities found in Windows, Office, Internet Explorer, SharePoint Server, Exchange, Lync, and Developer Tools. One of the critical updates addresses the Microsoft Graphics Component bug acknowledged last month.

The December 2013 MS patches will be rolled out on December 10, at about 10:00 a.m. PST. For a bit more info check out the Microsoft Security Bulletin Advance Notification available here.

QNAP Also Introduces the Cost-Efficient VS-2100L Series VioStor NVR

QNAP Security today launched the newest Linux-based VioStor NVR VS-2100L series. The 2-bay VS-2100L series, available in a tower form factor with 4 and 8 channels, is designed micro-size with macro-functions for the home and small office users. Compact but fully loaded with advanced features, the VS-2100L series supports smart recording, multi-stream support, edge recoding, dewarping function, and more.

The VS-2100L series supports up to 8TB to accommodate high quality H.264, MPEG-4, M-JPEG, and MxPEG video recording. "The VS-2100L series provides many advanced features parallel to those available in superior models at a low total cost of ownership," said Amily Fang, product manager of QNAP Security. "We aim to offer a cost-efficient surveillance solution for home surveillance needs such as childcare, elder care, and home security."

Kingston Digital Ships Two New Secure USB Flash Drives

Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., the independent world leader in memory products, today announced the release of the DataTraveler Vault Privacy 3.0 (DTVP) secure USB Flash drive, as well as the DataTraveler Vault Privacy 3.0 Anti-Virus, which helps enterprises safeguard business data and set security policies for end-users at an affordable price point. DTVP 3.0 provides 100-percent hardware-based encryption of confidential information and is also available separately with ClevX DriveSecurity powered by ESET anti-virus protection. The anti-virus engine utilizes ESET's NOD 32 proactive award-winning technology, which protects corporate end-users wherever they work or plug in.

As the workforce becomes more mobile, businesses must take the appropriate steps to educate their employees and establish security policies so sensitive data cannot be accessed by unauthorized users or cybercriminals. Kingston's DataTraveler Vault Privacy 3.0 USB Flash drive provides affordable business-grade security with 256-bit AES hardware-based encryption using XTS block cipher mode, which offers stronger protection than CBC and ECB modes. It is the first-to-market hardware-encrypted secure USB Flash drive with USB 3.0 performance.
Return to Keyword Browsing