Tag: software

IPMI’s Inconvenient Truth: A Conversation With Dan Farmer

The work of brilliant computer security researchers often borders on a kind of madness. After all, it takes dedication and a certain amount of monomania to dig through the mush of disassembled source code or the output of application fuzzers and find the one software vulnerabilities – or chain of vulnerabilities – that might lead to a successful attack. Often, this work puts you at odds with what most of us consider “the real world.” Notably: the well-respected researcher Dragos Ruiu had many in the security community wondering about his sanity after he sounded the alarm about a super stealthy piece of BIOS malware he dubbed “BadBIOS” that seemed to be everywhere and nowhere, all at once. Dan Farmer finds himself in a similar position as he continues to sound alarms about the security threat posed by insecure implementations of the Intelligent Platform Management Interface (IPMI)– a ubiquitous protocol used to do remote […]

Continue Reading

For Smart TVs, Malware May Hide In Broadcast Content

Researchers at Columbia University have published research showing how new technology that combines broadband and broadcast content could enable a wide range of traditional and novel cyber attacks on smart televisions and other devices: forcing them to interact with malicious web pages, harvesting credentials or carrying out denial of service attacks. The paper, published in May, explores potential attacks on combined broadcast-broadband devices that use an industry specification called Hybrid Broadcast-Broadband Television (HbbTV). According to the researchers, Yossef Oren and Angelos D. Keromytis, the HbbTV specification combines broadband technologies like HTML and broadcast features in an insecure manner. The vulnerabilities affect a wide range of smart entertainment devices, including smart televisions, in Europe and the United States. “This enables a large-scale exploitation technique with a localized geographical footprint based on radio frequency (RF) injection, which requires a minimal budget and infrastructure and is remarkably difficult to detect,” the researchers write. “The technical complexity and […]

Continue Reading

IPMI Insecurity Affects 200k Systems

It has been almost a year since security researcher Dan Farmer first warned of the danger posed by Intelligent Platform Management Interface (IPMI) – a ubiquitous protocol used to do remote management of servers. According to a new report, however, that warning went unheeded. Writing last week (PDF), Farmer said that a world-wide scan for systems using the Intelligent Platform Management Interface (IPMI) protocol identified over 230,000 Baseboard Management Controllers (BMCs) exposed to the Internet. As many as 90% of the exposed systems could be compromised by exploiting what Farmer characterized as “basic configuration and protocol weaknesses.” Even more worrying, the 230,000 systems that are Internet accessible are probably just a fraction of all the vulnerable systems that might be attacked, with many deployed on (hackable) corporate and private networks. Farmer is reiterating calls for public and private sector organizations to wake up to the dangers posed by IPMI. Hackers who are able to compromise Baseboard Management […]

Continue Reading

Heart Attack? Fixes For More Critical Holes In OpenSSL

Just a month after a critical security hole in OpenSSL dubbed “Heartbleed” captured headlines around the globe, The OpenSSL Foundation has issued an other critical software update fixing six more security holes, two of them critical. The Foundation issued its update on Thursday, saying that current versions of OpenSSL contain vulnerabilities that could be used to carry out “man in the middle” (or MITM) attacks against OpenSSL clients and servers. SSL VPN (virtual private network) products are believed to be especially vulnerable. Users of OpenSSL versions 0.9.8, 1.0.0 and 1.0.1 are all advised to update immediately. According to information released by the OpenSSL Foundation, an attacker using a carefully crafted handshake can force the use of “weak keying material in OpenSSL SSL/TLS clients and servers.” That could lay the groundwork for man-in-the-middle attacks in which an attacker positions herself between a vulnerable client and server, decrypting and modifying traffic as it passes through the attacker’s […]

Continue Reading

DARPA Competition Seeks Autonomous Systems for Cyber Defense

We all know that ‘layer 8’ – humans – are the biggest attack surface in any IT environment. Companies can invest millions to harden their networks and endpoints. But all attackers have to do is convince one user to open a fake credit card bill for $20,000 or click a “You won’t believe this video!” link on Facebook and its game over. Our human failings came into the spotlight, most recently, with the breach at Target. According to news reports, the retailer had advanced threat detection software by FireEye deployed that actually alerted staff to some of the malicious activity that signaled the start of that (epic) hack.  Alas, Target’s IT staff in the U.S. dismissed the alerts, which were reported by a team working out of Bangalore, India. The result: 40 million credit card numbers were pilfered from Target’s network. That may be why the U.S. Department of Defense’s advanced […]

Continue Reading
1 86 87 88 89 90 117