Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

2/23/2018
12:00 PM
Kelly Sheridan

10 Can't-Miss Talks at Black Hat Asia

With threats featuring everything from nation-states to sleep states, the sessions taking place from March 20-23 in Singapore are relevant to security experts around the world.
2 of 11

I Don't Want to Sleep Tonight: Subverting Intel TXT with S3 Sleep

"This caught the attention of many of us," says Giuliano of the Regional Review Board. "They're tapping into a strategy, a technique that many wouldn't think about: when you're turning your computer off or powering it back on."

When you shut down and reboot a computer, restarting components takes time, and security devices might be temporarily shut down. However, many PCs, laptops and servers that support enhanced configuration and power interface have six sleeping states, and if the firmware only powers down as far as the S3 sleeping state, it can reactivate security devices somewhat more quickly.

This more wakeful S3 state can be manipulated, however. Jun-Hyeok Park and Seunghun Han, both researchers with the National Security Research Institute of South Korea, will explain how attackers can use the S3 sleeping state to neutralize the Intel Trusted eXecution Environment (TXT), a hardware-based mechanism that validates platform trustworthiness during boot and launch. The attackers target tBoot, which protects the Virtual Machine Monitor and OS, to neutralize Intel TXT. This attack has never been published.

"What they're doing is very innovative, thinking outside the box," says Giuliano.

(Image: MikhailSh via Shutterstock)
