Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Intel Reveals New Spectre-Like Vulnerability
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/16/2018 | 2:02:01 PM
Really, was it already there and we just did not know about it
It is interesting how companys try to save face when someone from the outside identified this vulnerability or the Spectre vulnerability. It seems that my trust in Intel has diminished. I will provide examples:

1. This vulnerability existing since the late 90s - to now, this was discussed years ago and no one except the researchers from three-four prominent schools that disseminated this information to the public - https://meltdownattack.com/. Intel knew about this vulnerability and did nothing about it for years and only until the researchers from Google, Univ of MD, Univ, Graz Univ of Technology, Adelaide and others presented this information is only then Intel decided to move in the direction to provide microcode or patches to address the problem. When did accountability leave the room?

2. Did Intel present this information to the public or were they forced by the researchers (Project Zero concepts, they give you 30 days to fix the problem) after they found other bugs in their existing CPU (microcode)? Again, another question where their reputation is on the line, they only react as opposed to working together as a team to resolve impending issues.

3. If Edward Snowden did not present this information to the public, this vulnerability would have still been out there without the public knowing about it (Thank you Mr. Snowden where ever you are, he stated NSA was using the vulnerabilities found to create backdoors, was this the case or not, we will never know).

This is not the only company that has tried to coverup their shortcomings (Booz Allen, Northrup Grumman, Lockheed Martin, Suntrust, Cryptocurrenty, S3 buckets (Accenture). I mean the list goes on and on.

At what point do you say, enough is enough, because the only thing the individuals got from Equifax hack was a $50 gift certificate they could use on their own hacked infrastructure. That is almost saying that I am betting on you in a fight after you already got knocked out.

List of others, actually from this site:
  • The Biggest Cybersecurity Breaches of 2018 (So Far)
  • LA County Nonprofit Exposes 3.2M PII Files via Unsecured S3 Bucket
  • SunTrust Ex-Employee May Have Stolen Data on 1.5 Million Bank Clients
  • Sears & Delta Airlines Are Latest Victims of Third-Party Security Breach
  • Panera Bread Leaves Millions of Customer Records Exposed Online
  • Hudson's Bay Brands Hacked, 5 Million Credit Card Accounts Stolen
  • Under Armour App Breach Exposes 150 Million Records
  • Baltimore Hit with Hack on 911 System
  • Hack Costs Coincheck Cryptocurrency Exchange $530 Million

I think the security practices and ways of securing the environment is not working, we need to find another way, something that keeps the companies accountable (BlockChain in the supply chain space), employ IPv6 in everything we do and ride ourselves from IPv4 (Networking), encrypt the data at rest (Bitlocker disk encryption where it does not give the user a choice, especially if it is used to entrust user data, PGP Disk encryption works as well) and eventually look at other micro-processor manufacturers like Nvidia or IBM Power CPUs (especially when Intel did nothing after 20 years of knowing there was a problem).

Please give me some of your thoughts, anyone.

T
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/16/2018 | 9:07:57 AM
Interesting note for history
Much of the architecture of contemporary systems still hold their lines back to the original IBM-AT 286 processor and config.  It was such a solid standard that everything today is still flagged back to it and the original Gang of 7 who rebelled against IBM scrapping that in favor of PS/2 ( a disaster ).   So when we come to this high level processor issues - I sometimes wonder how LONG have these flaws actually been around?    Sometimes i long for the 8088 and DOS 6.22.  


NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-3686
PUBLISHED: 2021-01-21
Possible memory out of bound issue during music playback when an incorrect bit stream content is copied into array without checking the length of array in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobi...
CVE-2020-3687
PUBLISHED: 2021-01-21
Local privilege escalation in admin services in Windows environment can occur due to an arbitrary read issue in XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
CVE-2020-3691
PUBLISHED: 2021-01-21
Possible out of bound memory access in audio due to integer underflow while processing modified contents in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon We...
CVE-2020-11167
PUBLISHED: 2021-01-21
Memory corruption while calculating L2CAP packet length in reassembly logic when remote sends more data than expected in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Weara...
CVE-2020-11179
PUBLISHED: 2021-01-21
Arbitrary read and write to kernel addresses by temporarily overwriting ring buffer pointer and creating a race condition. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon ...