Intel VISA: Through the Rabbit Hole, an Undocumented Concern?

    At the end of last month, at Black Hat Asia 2019, Mark Ermolov and Maxim Goryachy of Positive Technologies gave a presentation titled “Intel VISA: Through the Rabbit Hole”. Slashdot characterized the talk as researchers having discovered and abused a new, undocumented feature in Intel chipsets.

    The capability is called Intel Visualization of Internal Signals Architecture (Intel VISA). It is a test and debug facility built into modern Intel chipsets to support testing and debugging during manufacturing. It ships in Platform Controller Hub (PCH) chipsets, is also part of modern Intel CPUs, and functions much like a logic analyzer: it can capture the signals travelling over internal buses and from peripherals into the PCH and CPU. In practice this means that anyone who gains unauthorized access to VISA can observe traffic inside the chipset, including data moving to and from memory, at the lowest possible level.

    The real question is whether this is a real threat. The researchers said they have several methods of enabling Intel VISA and capturing data, including going through the Intel Management Engine (ME), the largely undocumented management processor that has lived in the PCH since the Nehalem processors and 5-Series chipsets. But there are caveats. On the positive side, Intel has not publicly documented the feature; it is shared with partners only under a non-disclosure agreement, and it is disabled by default, so an attacker must first find a way to turn it on before abusing it. On the negative side, the researchers found a way to enable Intel VISA using an older Intel ME vulnerability. Intel released a firmware patch for that vulnerability in 2017 (INTEL-SA-00086), but ME firmware is fixed only by an explicit firmware update from the system vendor (it is not correctable via an OS update), so a platform that never received that update remains affected.

      It is worth noting that an attacker who has already exploited the Intel ME vulnerability is deep inside the system, and VISA adds little capability they do not already have. But, back on the negative side, if an attacker finds another way to enable VISA, it could indeed become a new attack vector.

     The researchers indicated that they know of three other ways to enable VISA, which they described in the presentation slides (linked below). The bigger question remains: what other secret or undocumented modes and features lie in Intel’s CPUs and chipsets? Intel may try to keep them secret from the public, but security through obscurity is no paradigm to follow. As the researchers showed, people will uncover those features, and some will abuse them.

Sources:

https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Goryachy-Ermolov-Intel-Visa-Through-the-Rabbit-Hole.pdf

https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocumented-feature-in-intel-chipsets/

Steganography techniques that deliver malware

    Researchers at BlackBerry Cylance have documented a malware loader that uses steganography, the practice of concealing a file or message inside another file such as an image or video, to get malware payloads onto victims’ machines.

    The Advanced Persistent Threat (APT) group OceanLotus, also tracked as APT32 and widely believed to be Vietnam-based, is using steganography to deliver backdoors to compromised systems. The loader reads an encrypted payload embedded in an image file, decrypts it and executes it, installing one of two backdoors on the machine. Both backdoors, Denes and Remy, have been associated with the group since they were first reported in 2017.

    The Cylance researchers pointed out that it would not be difficult to swap the backdoors for some other malicious payload; the essential part of the tradecraft is using steganography to hide the payload, and it would be just as effective with a different one. The threat actor encodes the image with the payload of choice before distributing it, together with a simple decoder, to the target. From a detection standpoint, the impressive part is how well the payload-loading stage is obfuscated.

    The group has so far avoided discovery by common steganography detection techniques. To accomplish this, they use a bespoke tool that encodes data into images with a least-significant-bit (LSB) approach, which both minimizes the visual difference between the encoded image and its original and helps the embedding evade detection and analysis by discovery tools.

    “The user does not interact with the image (nor is the image sent via email), rather the image is used to hide the payload from analysts/tools/monitoring software. In a way, the payload is hiding in plain sight, as an image carrying a payload will be virtually indistinguishable from an original image”, said Tom Bonner, BlackBerry Cylance director of threat research.  

    Once executed, the payload downloads Dynamic Link Libraries (DLLs) and command-and-control communication libraries that are heavily obfuscated with large quantities of useless junk code, the researchers said. The junk code significantly inflates the size of the libraries, which makes both static analysis and debugging more difficult.
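
To make the LSB technique described above concrete, here is an added illustration (my own code, not the OceanLotus tool or Cylance’s analysis): it embeds a random-looking byte string, standing in for an encrypted payload, into the least significant bit of each cover byte, recovers it, and then runs the classic pairs-of-values chi-square test against the result. The cover “image” is a constructed byte array with a deliberately uneven LSB distribution, the payload is a SHA-256 counter stream from a fixed seed, and the 32-bit length prefix is my own framing; none of these come from the article.

```python
"""LSB steganography: embed a ciphertext-like payload in cover bytes, recover it,
and run a statistical detector (pairs-of-values chi-square) against the result."""
import hashlib


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Store a 32-bit big-endian length prefix plus the payload, one bit per cover
    byte, in the least significant bit. No cover byte changes by more than 1."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("payload too large for this cover")
    out = bytearray(cover)
    for i in range(len(framed) * 8):
        bit = (framed[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Inverse of lsb_embed: read the length prefix, then that many payload bytes."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        acc = bytearray()
        for b in range(count):
            v = 0
            for k in range(8):
                v = (v << 1) | (stego[start_bit + b * 8 + k] & 1)
            acc.append(v)
        return bytes(acc)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier size")
    return read_bytes(32, length)


def pov_chi_square(data: bytes) -> float:
    """Pairs-of-values chi-square statistic. LSB embedding of random-looking data
    pushes the counts of values 2k and 2k+1 toward equality, so a large drop in
    this statistic between an original and a suspect image indicates embedding."""
    hist = [0] * 256
    for v in data:
        hist[v] += 1
    chi = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:
            expected = (a + b) / 2
            chi += (a - expected) ** 2 / expected
    return chi


def make_cover(n: int) -> bytes:
    """Constructed stand-in for image pixel data: mostly even values, with every
    third byte odd, so the LSB distribution is skewed like a natural image's."""
    return bytes((((i * 13) % 251) & 0xFE) | (1 if i % 3 == 0 else 0) for i in range(n))


def fake_ciphertext(n: int, seed: bytes = b"constructed-example-seed") -> bytes:
    """Deterministic random-looking bytes standing in for an encrypted payload."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def demo(cover_len: int = 4096, payload_len: int = 400) -> dict:
    cover = make_cover(cover_len)
    payload = fake_ciphertext(payload_len)
    stego = lsb_embed(cover, payload)
    return {
        "recovered_ok": lsb_extract(stego) == payload,
        "max_byte_change": max(abs(a - b) for a, b in zip(cover, stego)),
        "chi_square_cover": pov_chi_square(cover),
        "chi_square_stego": pov_chi_square(stego),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for defenders: the carrier changes by at most one unit per byte, so visual inspection is hopeless, but a statistical test over the pixel histogram still moves sharply once a high-entropy payload fills most of the carrier. A small payload in a large image (a low embedding rate) moves the statistic far less, which is one reason detection of this kind of loader is hard in practice.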

Source:
• https://cyware.com/news/oceanlotus-threat-actor-group-leverages-steganography-to-deliver-backdoors-781be11c

NIST Mobile Application Single Sign-On: 2nd Draft of SP 1800-13 Available for Comment

The National Cybersecurity Center of Excellence (NCCoE) at NIST is seeking comments on a revised draft of the practice guide NIST SP 1800-13, Mobile Application Single Sign-On. The guide aims to help public safety first responder personnel efficiently and securely gain access to their mission-critical data via mobile devices and applications.

The goal of this project is to illustrate a method for public safety organizations to deploy efficient and interoperable multifactor authentication and single sign-on tools to protect access to sensitive information while meeting the demands of an operational environment that relies on rapid response. This revision of the original NIST SP 1800-13 was produced at the request of the public safety community to incorporate iOS version 12. Organizations are encouraged to review the draft and provide feedback for possible incorporation into the practice guide.

This project will result in a publicly available NIST Cybersecurity Practice Guide (NIST SP 1800 series), a detailed implementation guide of the practical steps needed to implement a cybersecurity reference design that addresses a particular challenge.

The public comment period ends on June 28, 2019. See the publication details for links to the document files and instructions for submitting comments.

Publication details:
https://csrc.nist.gov/publications/detail/sp/1800-13/draft

Project homepage:
https://www.nccoe.nist.gov/projects/use-cases/mobile-sso

 

What’s new in Windows 10, version 1903

Microsoft has always focused on building the tools and platforms that IT needs to be successful. In this era of digital disruption, we are working to deliver a modern workplace experience that is loved by users and trusted by IT. This focus is at the heart of how we build Windows 10—bringing you the latest advances in security, IT tools, and productivity, anchored in intelligence powered by the cloud.

I’m happy to announce that Windows 10, version 1903 is now available through Windows Server Update Services (WSUS) and Windows Update for Business, and will be able to be downloaded today from Visual Studio Subscriptions, the Software Download Center (via Update Assistant or the Media Creation Tool), and the Volume Licensing Service Center. Today marks the start of the servicing timeline for this Semi-Annual Channel release, and we recommend that you begin rolling out Windows 10, version 1903 in phases across your organization—validating that your apps, devices, and infrastructure work well with this new release before broad deployment.

As you look to roll out this new update to your organization, here are some of the new capabilities that will enable you to benefit from intelligent security, simplified updates, flexible management, and enhanced productivity. For a closer look at these improvements, join me and my colleague Alan Meeus for a one-hour webcast on Tuesday, May 28, 2019, then bring your questions to our next Windows 10 Ask Microsoft Anything (AMA) event on Tuesday, June 4, 2019.

To see the full article, go here.

Microsoft releases fixes for a critical Remote Code Execution vulnerability in Windows 7, Windows Server 2008 R2, and Windows Server 2008

Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.

Now that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows.

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.

Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705.

Customers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows.

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate.

It is for these reasons that we strongly advise that all affected systems – irrespective of whether NLA is enabled or not – should be updated as soon as possible.

Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP  


Source: Microsoft TechNet

New BitLocker management enhancements


Microsoft is excited to announce enhancements to BitLocker management capabilities in both Microsoft Intune and System Center Configuration Manager (SCCM), coming in the second half of 2019. Whether your management infrastructure is on-premises or in the cloud, robust BitLocker management is required for today’s enterprises to secure modern endpoints.

 
Microsoft provides a range of flexible BitLocker management alternatives to meet your organization’s needs, as follows:

  •     Cloud-based BitLocker management using Microsoft Intune
  •     On-premises BitLocker management using System Center Configuration Manager
  •     Microsoft BitLocker Administration and Monitoring (MBAM)


To learn more about the new enhancements to BitLocker, see the detailed information on the Microsoft web site.

Alert: Phishing Scam Email From “sales@icann.org”

Normally I would not post a phishing attack, but this one seems to be working.

LOS ANGELES – 2 May 2019 – The Internet Corporation for Assigned Names and Numbers (“ICANN”) has received reports that a phishing email from “sales@icann.org” has been sent to ICANN contracted parties. The sales@icann.org email address, for example, is not a valid ICANN organization email address. Contracted parties may have recently received emails from “accounting@erp.icann.org”, which is a valid ICANN org email address. If you receive an email from the “sales@icann.org” address, or any other suspicious email address, do not respond. Please forward the email in its entirety to globalsupport@icann.org. For additional information about phishing scams, visit https://www.icann.org/resources/pages/phishing-2013-05-03-en.

About ICANN

ICANN’s mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.
 

New NIST draft practice guide SP 1800-15, “Securing Small-Business and Home Internet of Things (IoT) Devices”

The National Cybersecurity Center of Excellence (NCCoE) has published a preliminary draft practice guide, SP 1800-15, “Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD),” and is seeking public comments. The popularity of IoT devices is growing rapidly, as are concerns over their security. IoT devices are often vulnerable to malicious actors who can exploit them directly and use them to conduct network-based attacks. SP 1800-15 describes for IoT product developers and implementers an approach that uses MUD to automatically limit IoT devices to sending and receiving only the traffic that they require to perform their intended functions.

NIST will use this feedback to help shape the next version of this document.

Please submit your comments by June 24, 2019. See the publication details for a copy of the document and instructions for submitting comments.
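
What “limit IoT devices to only the traffic they require” looks like in practice: a MUD file is a JSON document, served by the manufacturer, that lists the access control entries a device needs, and the network then enforces exactly those and nothing else. The following added example (my code, not from the NCCoE guide) compiles a constructed MUD file, written in the RFC 8520 structure, for a hypothetical sensor into allow rules and then evaluates a few sample flows against them. The device name, the host telemetry.example.com and the ACL names are all invented for the illustration.

```python
"""Compile a MUD file (RFC 8520 JSON structure) into allow rules and evaluate
flows against them with a default-deny policy."""
import json

# Constructed MUD file for a hypothetical sensor that only talks TCP/443 to one host.
MUD_JSON = r'''
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://sensor.example.com/mud/sensor-v1.json",
    "last-update": "2019-05-01T00:00:00+00:00",
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "Hypothetical environmental sensor (constructed example)",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-sensor-v4fr"}]}},
    "to-device-policy": {"access-lists": {"access-list": [{"name": "mud-sensor-v4to"}]}}
  },
  "ietf-access-control-list:acls": {
    "acl": [
      {"name": "mud-sensor-v4fr", "type": "ipv4-acl-type",
       "aces": {"ace": [{
         "name": "telemetry-out",
         "matches": {
           "ipv4": {"ietf-acldns:dst-dnsname": "telemetry.example.com", "protocol": 6},
           "tcp": {"ietf-mud:direction-initiated": "from-device",
                   "destination-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}}]}},
      {"name": "mud-sensor-v4to", "type": "ipv4-acl-type",
       "aces": {"ace": [{
         "name": "telemetry-in",
         "matches": {
           "ipv4": {"ietf-acldns:src-dnsname": "telemetry.example.com", "protocol": 6},
           "tcp": {"ietf-mud:direction-initiated": "from-device",
                   "source-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}}]}}
    ]
  }
}
'''


def compile_rules(mud: dict) -> list:
    """Flatten both policies into (direction, peer_dnsname, ip_protocol, port, action).
    For from-device rules the port is the remote destination port; for to-device rules
    it is the remote source port (the return half of the same connection)."""
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, policy in (("from-device", "from-device-policy"),
                              ("to-device", "to-device-policy")):
        for ref in mud["ietf-mud:mud"][policy]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                ip = m.get("ipv4", {})
                peer = ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname")
                l4 = m.get("tcp") or m.get("udp") or {}
                port_key = "destination-port" if direction == "from-device" else "source-port"
                port = l4.get(port_key, {}).get("port")
                rules.append((direction, peer, ip.get("protocol"), port,
                              ace["actions"]["forwarding"]))
    return rules


def permitted(rules: list, direction: str, peer: str, protocol: int, port: int) -> bool:
    """Default deny: a flow passes only if an ACE for its direction matches and accepts.
    A real enforcement point would also track connection state for direction-initiated."""
    for rule_dir, rule_peer, rule_proto, rule_port, action in rules:
        if rule_dir != direction:
            continue
        if rule_peer not in (None, peer) or rule_proto not in (None, protocol):
            continue
        if rule_port not in (None, port):
            continue
        return action == "accept"
    return False


MUD = json.loads(MUD_JSON)
RULES = compile_rules(MUD)

if __name__ == "__main__":
    for flow in (("from-device", "telemetry.example.com", 6, 443),
                 ("from-device", "evil.example.net", 6, 443),
                 ("to-device", "scanner.example.net", 6, 22)):
        print(flow, "ALLOW" if permitted(RULES, *flow) else "DENY")
```

The useful property is visible in the last flow: an inbound probe to a port the manufacturer never declared is dropped before the device ever sees it, which is exactly the class of network-based attack SP 1800-15 is aimed at. Note that MUD rules are expressed by DNS name; the enforcement point has to resolve those names and keep the resulting addresses current, which the practice guide covers and this example does not.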

New NIST draft NISTIR 8213, A Reference for Randomness Beacons: Format and Protocol Version 2

NIST has released Draft NIST Internal Report (NISTIR) 8213, A Reference for Randomness Beacons: Format and Protocol Version 2, for public comment. A randomness beacon is a timed source of public randomness. It pulsates fresh randomness at expected times and makes it available to the public. The pulses contain random values that are generated on schedule, stored, timestamped, signed and hash-chained in a publicly readable database. Thereafter, any external user can retrieve, via database queries, any past pulse and its associated data. Beacons offer the potential to improve fairness, auditability and efficiency in numerous societal applications that require randomness. A notable benefit of using public randomness is in enabling after-the-fact verifiability, for the purpose of public transparency.

Draft NISTIR 8213 provides a reference for implementing interoperable randomness beacons. The document defines terminology and notation, a format for pulses, a protocol for beacon operations, hash-chaining and skiplists of pulses, and the beacon interface calls. It also provides directions for how to use beacon randomness, and includes security considerations. With the release of this draft publication, NIST intends to seek constructive feedback from interested parties.
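
To show why the hash chain and the timestamps matter, here is an added toy beacon (my own code; it is a simplification and does not implement the NISTIR 8213 pulse format or its signatures). Each pulse carries a fresh random value, the previous pulse’s output, and a hash commitment to the next random value, so the operator cannot choose a value after seeing how it will be used; the verifier catches both retroactive edits and substituted values. Field names, the SHA-512 output rule and the lottery-style consumer are assumptions of this example.

```python
"""Toy randomness beacon: hash-chained, pre-committed pulses plus a verifier and a
consumer that derives a publicly recomputable selection from a pulse."""
import hashlib
import json
import secrets

GENESIS = "0" * 128  # previousOutput of the very first pulse
FIELDS = ("pulseIndex", "timeStamp", "localRandomValue",
          "previousOutput", "precommitmentValue")


def sha512_hex(s: str) -> str:
    return hashlib.sha512(s.encode()).hexdigest()


def output_value(pulse: dict) -> str:
    """A pulse's output is SHA-512 over the canonical JSON of its other fields."""
    return sha512_hex(json.dumps({k: pulse[k] for k in FIELDS}, sort_keys=True))


class ToyBeacon:
    def __init__(self, first_random=None):
        self.pulses = []
        # Random value the next pulse will reveal; every pulse commits to it one period early.
        self._pending = first_random or secrets.token_hex(64)

    def emit(self, timestamp: str, next_random=None) -> dict:
        nxt = next_random or secrets.token_hex(64)
        pulse = {
            "pulseIndex": len(self.pulses) + 1,
            "timeStamp": timestamp,
            "localRandomValue": self._pending,
            "previousOutput": self.pulses[-1]["outputValue"] if self.pulses else GENESIS,
            "precommitmentValue": sha512_hex(nxt),  # binds the beacon to the next value
        }
        pulse["outputValue"] = output_value(pulse)
        self.pulses.append(pulse)
        self._pending = nxt
        return pulse


def verify_chain(pulses: list) -> bool:
    """Anyone holding the public pulse list can check it end to end."""
    prev_out, prev_commit = GENESIS, None
    for i, p in enumerate(pulses, start=1):
        if p["pulseIndex"] != i or p["previousOutput"] != prev_out:
            return False  # gap, reorder, or broken chain link
        if prev_commit is not None and sha512_hex(p["localRandomValue"]) != prev_commit:
            return False  # beacon revealed a value it had not committed to
        if output_value(p) != p["outputValue"]:
            return False  # pulse content altered after publication
        prev_out, prev_commit = p["outputValue"], p["precommitmentValue"]
    return True


def public_draw(pulse: dict, n: int, purpose: str) -> int:
    """Derive a selection in range(n) from a published pulse. Including a purpose
    string keeps unrelated drawings from sharing the same outcome."""
    h = hashlib.sha256((pulse["outputValue"] + "|" + purpose).encode()).digest()
    return int.from_bytes(h, "big") % n


if __name__ == "__main__":
    beacon = ToyBeacon()
    for minute in range(3):
        beacon.emit(f"2019-06-01T00:0{minute}:00Z")
    print("chain valid:", verify_chain(beacon.pulses))
    print("winner among 10:", public_draw(beacon.pulses[-1], 10, "lottery-2019-06-01"))
```

The consumer side is the reason the draft stresses after-the-fact verifiability: a lottery operator announces the purpose string and the pulse index in advance, and after the pulse is published anyone can rerun public_draw and get the same answer. What the toy leaves out, and the real format includes, is a signature over each pulse, so that a verifier can tell the genuine beacon’s pulses from a forged list that is internally consistent.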

The public comment period for this draft closes on August 5, 2019. See the publication details link below for the document and instructions for submitting comments.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy, Inclusion of Patents in ITL Publications.

Publication details:
https://csrc.nist.gov/publications/detail/nistir/8213/draft

NIST Randomness Beacon project:
https://www.nist.gov/programs-projects/nist-randomness-beacon

E-mail Signature Verification Security Issues

    E-mail changed the communication world forever, allowing instant communication as opposed to what is now commonly called “snail mail”. When it was designed, security was not built in. Over time, cryptographic methods were developed to let correspondents verify the authenticity of senders through digital signatures, notably the OpenPGP and Secure/Multipurpose Internet Mail Extensions (S/MIME) standards. However, new research has found serious flaws in many popular implementations of these methods: not in the cryptography itself, but in how clients verify and display the result.

    Researchers from Ruhr University Bochum and Münster University of Applied Sciences tested 25 popular e-mail clients across Windows, Linux™, macOS, iOS and Android, as well as web-based clients, to see how they fared against signature spoofing attacks. The team used five attack classes, with the attacker’s goal being to “create and send an email with arbitrary content to Bob whose email client falsely indicates that the email has been digitally signed by Alice”, where Bob and Alice are legitimate correspondents who have already securely exchanged cryptographic keys or certificates.

These classes are:
    • Exploiting flaws in the handling of Cryptographic Message Syntax (CMS), the S/MIME container format.
    • Performing GnuPG API injection attacks, in which attacker-controlled text is mistaken for GnuPG status output.
    • MIME attacks against the handling of partially signed messages, where only part of what is displayed is covered by the signature.
    • ID attacks, where a valid signature from some other key is displayed as if it belonged to the identity in the e-mail header.
    • Using HTML and CSS to mimic a valid signature indicator in the user interface.
    The testing revealed that 14 of 20 OpenPGP-capable clients and 15 of 22 S/MIME-capable clients were at least partially vulnerable to these attacks. Many could be tricked into showing a perfectly spoofed signature at every level of the user interface; in the rest of the affected clients the spoofing had limitations, but ones that could still go unnoticed by users. The only client to show no vulnerabilities in either the OpenPGP or the S/MIME tests was the web client Horde/IMP. This testing shows that just because certain standards and methods are in wide use does not mean their implementations are secure by default. For the full list of tested clients and detailed testing methods and results, refer to the “johnny-fired” PDF from the researchers linked below.
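
The partially signed message class is easy to reason about with a concrete check. The following added example (my code, not the researchers’ test harness) parses two constructed messages with Python’s standard email module: one where the whole body sits inside a multipart/signed envelope, and one where an unsigned text part has been appended next to the signed one. It reports which rendered parts the signature actually covers and only allows a “signed” indicator when none escape. The signature blocks are placeholders, so the cryptographic verification of the signed part is assumed to happen elsewhere; this check is about coverage, which is what the vulnerable clients got wrong.

```python
"""Does the signature cover everything the client will display? A structural
check against the 'partially signed message' spoofing class."""
from email import message_from_string, policy

RENDERED_TYPES = {"text/plain", "text/html"}

# Constructed message: the entire displayed body is inside multipart/signed.
FULLY_SIGNED = """\
From: alice@example.org
To: bob@example.org
Subject: Signed note
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="sig"

--sig
Content-Type: text/plain; charset=us-ascii

Hi Bob, the meeting is at 10:00 as agreed.
--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
--sig--
"""

# Constructed message: a genuinely signed part plus an unsigned part the attacker added.
PARTIALLY_SIGNED = """\
From: alice@example.org
To: bob@example.org
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="inner"

--inner
Content-Type: text/plain; charset=us-ascii

Hi Bob, see the note below.
--inner
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
--inner--
--outer
Content-Type: text/plain; charset=us-ascii

Please wire the payment to the new account today.
--outer--
"""


def _rendered_leaves(part, covered=False):
    """Yield (content_type, covered_by_signature, text) for each displayable leaf."""
    ctype = part.get_content_type()
    if part.is_multipart():
        children = part.get_payload()
        if ctype == "multipart/signed" and len(children) == 2:
            # RFC 1847: the first child is the protected content, the second the signature.
            yield from _rendered_leaves(children[0], covered=True)
        else:
            for child in children:
                yield from _rendered_leaves(child, covered)
    elif ctype in RENDERED_TYPES:
        yield ctype, covered, part.get_content()


def signature_coverage(raw: str) -> dict:
    """Summarize which rendered parts the signature covers. The badge is only
    allowed when every rendered part is covered (and, elsewhere, the signature
    over that content has been cryptographically verified)."""
    msg = message_from_string(raw, policy=policy.default)
    leaves = list(_rendered_leaves(msg))
    unsigned = [text for _, cov, text in leaves if not cov]
    return {
        "rendered_parts": len(leaves),
        "signed_parts": sum(1 for _, cov, _ in leaves if cov),
        "unsigned_text": unsigned,
        "show_signed_badge": bool(leaves) and not unsigned,
    }


if __name__ == "__main__":
    for name, raw in (("fully signed", FULLY_SIGNED), ("partially signed", PARTIALLY_SIGNED)):
        print(name, signature_coverage(raw))
```

A client that verifies the inner multipart/signed part, finds a good signature, and then paints one green “signed by Alice” banner over the whole message is exactly the behaviour the paper exploited; the unsigned paragraph about the new account would appear under Alice’s name. The safe behaviours are to refuse the badge for such messages, as above, or to render the signed and unsigned regions visibly apart.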
Sources:
https://thehackernews.com/2019/04/email-signature-spoofing.html 
https://github.com/RUB-NDS/Johnny-You-Are-Fired/raw/master/paper/johnny-fired.pdf
https://www.technadu.com/popular-email-clients-vulnerable-signature-spoofing-attacks/66443/05