Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Intel Reveals New Spectre-Like Vulnerability
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/16/2018 | 2:02:01 PM
Really, was it already there and we just did not know about it
It is interesting how companys try to save face when someone from the outside identified this vulnerability or the Spectre vulnerability. It seems that my trust in Intel has diminished. I will provide examples:

1. This vulnerability existing since the late 90s - to now, this was discussed years ago and no one except the researchers from three-four prominent schools that disseminated this information to the public - https://meltdownattack.com/. Intel knew about this vulnerability and did nothing about it for years and only until the researchers from Google, Univ of MD, Univ, Graz Univ of Technology, Adelaide and others presented this information is only then Intel decided to move in the direction to provide microcode or patches to address the problem. When did accountability leave the room?

2. Did Intel present this information to the public or were they forced by the researchers (Project Zero concepts, they give you 30 days to fix the problem) after they found other bugs in their existing CPU (microcode)? Again, another question where their reputation is on the line, they only react as opposed to working together as a team to resolve impending issues.

3. If Edward Snowden did not present this information to the public, this vulnerability would have still been out there without the public knowing about it (Thank you Mr. Snowden where ever you are, he stated NSA was using the vulnerabilities found to create backdoors, was this the case or not, we will never know).

This is not the only company that has tried to coverup their shortcomings (Booz Allen, Northrup Grumman, Lockheed Martin, Suntrust, Cryptocurrenty, S3 buckets (Accenture). I mean the list goes on and on.

At what point do you say, enough is enough, because the only thing the individuals got from Equifax hack was a $50 gift certificate they could use on their own hacked infrastructure. That is almost saying that I am betting on you in a fight after you already got knocked out.

List of others, actually from this site:
  • The Biggest Cybersecurity Breaches of 2018 (So Far)
  • LA County Nonprofit Exposes 3.2M PII Files via Unsecured S3 Bucket
  • SunTrust Ex-Employee May Have Stolen Data on 1.5 Million Bank Clients
  • Sears & Delta Airlines Are Latest Victims of Third-Party Security Breach
  • Panera Bread Leaves Millions of Customer Records Exposed Online
  • Hudson's Bay Brands Hacked, 5 Million Credit Card Accounts Stolen
  • Under Armour App Breach Exposes 150 Million Records
  • Baltimore Hit with Hack on 911 System
  • Hack Costs Coincheck Cryptocurrency Exchange $530 Million

I think the security practices and ways of securing the environment is not working, we need to find another way, something that keeps the companies accountable (BlockChain in the supply chain space), employ IPv6 in everything we do and ride ourselves from IPv4 (Networking), encrypt the data at rest (Bitlocker disk encryption where it does not give the user a choice, especially if it is used to entrust user data, PGP Disk encryption works as well) and eventually look at other micro-processor manufacturers like Nvidia or IBM Power CPUs (especially when Intel did nothing after 20 years of knowing there was a problem).

Please give me some of your thoughts, anyone.

T
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/16/2018 | 9:07:57 AM
Interesting note for history
Much of the architecture of contemporary systems still hold their lines back to the original IBM-AT 286 processor and config.  It was such a solid standard that everything today is still flagged back to it and the original Gang of 7 who rebelled against IBM scrapping that in favor of PS/2 ( a disaster ).   So when we come to this high level processor issues - I sometimes wonder how LONG have these flaws actually been around?    Sometimes i long for the 8088 and DOS 6.22.  


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-22703
PUBLISHED: 2022-01-17
In Stormshield SSO Agent 2.x before 2.1.1 and 3.x before 3.0.2, the cleartext user password and PSK are contained in the log file of the .exe installer.
CVE-2021-42357
PUBLISHED: 2022-01-17
When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be pr...
CVE-2022-0242
PUBLISHED: 2022-01-17
Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.
CVE-2021-38965
PUBLISHED: 2022-01-17
IBM FileNet Content Manager 5.5.4, 5.5.6, and 5.5.7 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 212346.
CVE-2021-33040
PUBLISHED: 2022-01-17
managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows XSS.