The article:
Source |
SecurityWeek |
Identifier |
516713 |
Publication date |
2018-03-15 17:22:02 (seen: 2018-03-15 17:22:02) |
Title |
CTS Labs Provides Clarifications on AMD Chip Flaws (Recycled) |
Text |
As a result of massive backlash from the industry, Israel-based security firm CTS Labs has provided some clarifications about the recently disclosed AMD processor vulnerabilities and its disclosure method.
CTS Labs this week published a report providing a brief description of 13 critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The flaws can allegedly be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.
The vulnerabilities affect AMD's Secure Processor, an environment where critical tasks are executed in order to secure the storage and processing of sensitive data and applications. The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges to the targeted machine.
AMD was only notified 24 hours before the vulnerabilities were disclosed, but no technical details have been published in order to prevent exploitation for malicious purposes.
CTS Labs was only launched recently and its founders' work experience has raised some questions. This, combined with the lack of technical details in the report, has made many people doubt that the vulnerabilities exist or that they are as critical as the company claims.
However, Dan Guido, CEO of Trail of Bits, and Alex Ionescu, a reputable researcher and Windows security expert, have confirmed CTS Labs' findings after reviewing technical information provided by the company. Guido was paid to review the work, but Ionescu said he wasn't.
CTS Labs has come under fire for not giving AMD time to release patches before its disclosure. A disclaimer from the firm and a report from a controversial company named Viceroy Research suggest that the existence of the vulnerabilities was made public as part of an investment strategy, similar to the 2016 incident involving MedSec, Muddy Waters and St. Jude Medical.
In response to criticism, CTS Labs CTO Ilia Luk-Zilberman argued that the company's approach to “responsible disclosure” is more beneficial for the public. He proposes that instead of notifying vendors and giving them a certain amount of time to release patches before disclosing full technical details, researchers should notify the public and the vendor at the same time without ever making technical details public, unless the flaws have been patched.
Republications of the article (1):
Source |
SecurityWeek |
Identifier |
513761 |
Publication date |
2018-03-14 18:02:05 (seen: 2018-03-14 18:02:05) |
Title |
U.S. Energy Firm Fined $2.7 Million Over Data Security Incident |
Text |
An energy firm in the United States has been fined $2.7 million over a data security incident that resulted in the exposure of critical cyber assets.
The North American Electric Reliability Corporation (NERC) revealed last month that an unnamed power company had agreed to pay the massive penalty and take action to avoid future leaks.
The affected entity has not been named, but the penalty notice published by NERC provides some details about the incident and clarifies that while the energy firm agreed to pay the fine, it neither admitted nor denied violating Critical Infrastructure Protection (CIP) NERC reliability standards.
The incident, which has been assigned a risk rating of “serious,” involved a third-party contractor that improperly copied data from the energy firm to its own network. Despite receiving training, the contractor failed to comply with the company's information protection program.
A security researcher discovered that the contractor allowed anyone to access the data without a username or password. According to NERC, more than 30,000 records were exposed, including critical cyber assets (CCAs), IP addresses, and server host names. The information was available online for 70 days.
E&E News, which first reported on the fine, pointed out that one suspect is Pacific Gas and Electric (PG&E), a California-based natural gas and electric utility that exposed a lot of information back in 2016.
Researcher Chris Vickery, who at the time worked for MacKeeper, discovered a misconfigured database containing information on 47,000 computers, servers, virtual machines and other devices. PG&E initially said the data was fake, but later admitted that a vendor had exposed its records.
Many of the details mentioned in the NERC document match the PG&E incident. Vickery told E&E that PG&E had him delete the data and sign an affidavit, which is exactly what the NERC document describes.
SecurityWeek has reached out to PG&E for comment and will update this article if the company responds.
Following the significant cyberattacks that hit Ukraine a few years ago, the energy sector in the United States has been taking steps to prevent such incidents. The U.S. Energy Department announced recently its intention to invest over $20 million in cybersecurity projects, and the launch of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) |
The article resembles 1 other article(s):
Src |
Date (GMT) |
Title |
Description |
Tags |
Stories |
Notes |
 |
2018-03-30 12:48:02 |
(Already seen) VMware Acquires Threat Detection and Response Firm E8 Security |
VMware announced this week that it has acquired threat detection and response company E8 Security, whose technology will be used to improve the Workspace ONE digital workspace platform. This is the third acquisition made by VMware in less than two months.
California-based E8 Security emerged from stealth mode in March 2015 and it has raised a total of nearly $22 million – more than $23 million if you count seed funding.
E8 Security has developed a platform that helps organizations detect malicious activity by monitoring user and device behavior. The product also improves incident response by providing the data needed to analyze threats.
VMware plans on using E8 Security's technology to improve its Workspace ONE product, specifically a recently announced intelligence feature that provides actionable information and recommendations, and automation for remediation tasks.
“By adding E8 Security's user and entity behavior analytics capabilities to insights from VMware Workspace ONE Intelligence, our customers will be able to streamline management, remediation, and automation to improve the employee experience and the security of their digital workspace,” explained Sumit Dhawan, senior vice president and general manager of VMware's End-User Computing (EUC) business.
VMware announced in February the acquisition of CloudCoreo, a Seattle-based cloud security startup launched less than two years ago. The company has created a product that allows organizations to identify public cloud risks and continuously monitor cloud infrastructure to ensure that applications and data are safe.
The virtualization giant plans on using the CloudCoreo technology and team to help customers secure their applications in the cloud.
Also in February, VMware announced its intent to buy CloudVelox, a company that specializes in providing workload mobility between the data center and public clouds. CloudVelox's solutions also include d |