Information Security News
A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday.
As Ars reported Monday, the authentication bypass vulnerability resides in a feature known as Active Management Technology. AMT, as it's usually called, allows system administrators to perform a variety of powerful tasks over a remote connection. Among the capabilities: changing the code that boots up computers, accessing the computer's mouse, keyboard, and monitor, loading and executing programs, and remotely powering on computers that are turned off. In short, AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access.
AMT, which is available with many vPro processors, was set up to require a password before it could be remotely accessed over a Web browser interface. But, remarkably, that authentication mechanism can be bypassed by entering any text string—or no text at all. According to a blog post published Friday by Tenable Network Security, the cryptographic hash that the interface's digest access authentication requires to verify that someone is authorized to log in can be any value at all, including an empty string.
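Public analysis of the flaw attributed it to how the server compared the client's digest response: the comparison used the length of the client-supplied string, so an empty response compared zero bytes and was accepted. The following is an added example, not code from Intel, Tenable or Ars; it computes a standard RFC 2617 digest response from constructed credentials and nonces, then shows a verifier with that length defect next to a fixed-length, constant-time one.

```python
import hashlib
import hmac

# Constructed sample credentials and challenge values (not from any real AMT device).
REALM = "Digest:EXAMPLE"
USER = "admin"
PASSWORD = "correct horse battery staple"
METHOD = "GET"
URI = "/index.htm"
NONCE = "a9b8c7d6e5f4"        # constructed server nonce
NC = "00000001"
CNONCE = "0123456789abcdef"   # constructed client nonce
QOP = "auth"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{METHOD}:{URI}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{QOP}:{ha2}")


def vulnerable_verify(supplied: str, expected: str) -> bool:
    # Mirrors strncmp(expected, supplied, strlen(supplied)) == 0: only as many
    # bytes as the client sent are compared, so "" compares nothing and passes,
    # and any correct prefix of the real response passes too.
    return expected[:len(supplied)] == supplied


def fixed_verify(supplied: str, expected: str) -> bool:
    # Reject anything that is not exactly the expected length, then compare
    # the full value in constant time.
    if len(supplied) != len(expected):
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


def check_login(supplied_response: str, verify) -> bool:
    """Server-side check: recompute the expected response, then compare."""
    expected = digest_response(USER, PASSWORD, NONCE, NC, CNONCE)
    return verify(supplied_response, expected)


if __name__ == "__main__":
    good = digest_response(USER, PASSWORD, NONCE, NC, CNONCE)
    for label, resp in [("correct", good), ("empty", ""), ("prefix", good[:8])]:
        print(f"{label:8} vulnerable={check_login(resp, vulnerable_verify)} "
              f"fixed={check_login(resp, fixed_verify)}")
```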
I read an interesting article in a Belgian IT magazine. Every year, they organise a big survey to collect feelings from people working in the IT field (not only security). It is very broad and covers their salary, work environments, expectations, etc. For infosec people, one of the key points was that people wanted to attend more trainings and conferences. The salary is not the key element. When I was visiting the Hack in the Box conference in Amsterdam a few weeks ago, there were flyers distributed to participate in an online survey about infosec trainings.
When I tweeted about the Belgian article, the author of this survey contacted me and told me that the results of his survey demonstrated that 76% of participants are ready to search for a new position if they aren't allowed to attend (enough) security conferences! This reminds me of the joke of the CFO speaking to the CEO:
CFO: What happens if we train them and they leave?
CEO: What happens if we don't and they stay?
We are working in a field where things are changing at light speed. We must attend trainings, we must meet peers and share our experience! Have a nice weekend!
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant