critical infrastructure

Update: Another IPMI Mishap? Researcher Claims Supermicro Devices Vulnerable

There’s more bad news for companies that rely on the Intelligent Platform Management Interface (IPMI) to manage servers and other hardware in their IT environments. Specifically: researcher Zachary Wikholm over at Cari.net has published evidence of what he says is a head-slapping vulnerability affecting devices that use IPMI Base Management Controllers (BMCs) made by the firm SuperMicro. According to Wikholm, servers equipped with Supermicro BMCs store a password file, PSBlock, in plain text and – making matters worse- leave it open to the world on port 49152. “You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” he wrote. Baseboard Management Controllers (BMCs) are small, embedded systems attached to a system’s motherboard that manage IPMI communications. Wikholm says that Supermicro has fixed the problem in the latest version of its IPMI firmware. However, companies are often reluctant to flash […]

Continue Reading

U.S. looks to create an ‘Internet of Postal Things’ – Computerworld

There’s an interesting article by Patrick Thibodeau over at Computerworld about how the U.S. Postal Service is soliciting ideas about leveraging Internet of Things technologies throughout its (massive) system. The Postal Service published a solicitation for a “supplier who has the expertise and critical knowledge of the Internet of Things,” as well as (big) data analytics. The goal is to harness data from throughout the Postal Service’s massive infrastructure in order to increase efficiency and lower costs. The U.S. Postal Service is one of world’s most extensive and efficient. But it has also been bleeding red ink in recent years. The Services reported a $15.9 billion net loss in fiscal year 2012 – much of it tied to mandated payments to meet future retiree health benefits. Those losses have narrowed in recent years. In May, the USPO reported a net loss of $1.9 billion in the second quarter and increased […]

Continue Reading

IPMI’s Inconvenient Truth: A Conversation With Dan Farmer

The work of brilliant computer security researchers often borders on a kind of madness. After all, it takes dedication and a certain amount of monomania to dig through the mush of disassembled source code or the output of application fuzzers and find the one software vulnerabilities – or chain of vulnerabilities – that might lead to a successful attack. Often, this work puts you at odds with what most of us consider “the real world.” Notably: the well-respected researcher Dragos Ruiu had many in the security community wondering about his sanity after he sounded the alarm about a super stealthy piece of BIOS malware he dubbed “BadBIOS” that seemed to be everywhere and nowhere, all at once. Dan Farmer finds himself in a similar position as he continues to sound alarms about the security threat posed by insecure implementations of the Intelligent Platform Management Interface (IPMI)– a ubiquitous protocol used to do remote […]

Continue Reading

Big GOV Shift To Secure Cloud?

For those of us covering the cyber security beat, there haven’t been many feel-good stories coming out of the federal government in – well – forever. Even before the advent of nation state sponsored hacking, the news was mostly of the federal government’s bloated and unwieldy IT infrastructure, byzantine procurement systems and the difficulty of attracting top talent away from private sector employers who could offer more pay, more autonomy and a better working environment.   Then came the gut wrenching display of offensive prowess by the U.S.’s main enemies – nations like China, Russia and Iran. Those stories started, in earnest, with news about operations like Titan Rain (in 2003) and continue to the present day. The problem has gotten so bad that the military’s preferred euphemism for Chinese hackers – “advanced persistent threat,” or “APT” has become part of the nomenclature of the IT security world far beyond […]

Continue Reading

Report: Hell is Unpatched Systems

One of the ‘subplots’ of the Internet of Things revolution concerns embedded devices. Specifically: the tendency of embedded devices to be either loosely managed or – in some cases – unmanageable.   The future holds the promise of more, not fewer of these. That’s the gist of a piece I wrote for InfoWorld, and that you can read here. In short: we’re already seeing the beginning of a shift on the threat landscape. While attacks against traditional endpoints (like Windows desktops, laptops and servers) are still the norm, there are more stories each day about cyber criminal groups and malicious actors who are compromising non-standard endpoints like home wifi routers.  In March, for example, the security consultancy Team Cymru identified a botnet consisting of some 300,000 compromised home routers and other in-home devices. The virus called “TheMoon” was also identified spreading between vulnerable home routers and other embedded devices. The […]

Continue Reading
1 27 28 29 30 31 35