Infosec in brief Securing a computer’s BIOS and boot process is essential to modern security – but knowing it’s important isn’t the same as actually taking steps to do so.
For example, take the research published last week by security specialists at firmware security vendor Binarily. Researchers found hundreds of PCs sold by Dell, Acer, Fujitsu, Gigabyte, HP, Lenovo and Supermicro – and components sold by Intel – using what appears to be a 12-year-old test platform key (PK) that expired in 2022 . to protect its UEFI Secure Boot Implementations.
“An attacker with access to the private portion of the PK can easily bypass Secure Boot by manipulating the key exchange key database, the signature database, and the forbidden signature database,” the boffins at Binarily wrote.
And it’s not like the manufacturers using the incorrect PK had no reason to know it wasn’t reliable and wasn’t intended for use outside the lab: it said so right on the package.
“These test keys have strong indications that they are not reliable,” Binarily noted. “For example, the issuer of the certificate contains the strings ‘DON’T TRUST’ or ‘DO NOT DELIVER’.”
According to Binarily, more than ten percent of the firmware images in its data set are vulnerable to exploits with the untrusted PK – which was released by American Megatrends International, possibly as early as May 2012. The researchers note that this makes this issue “one of the most – long lasting [supply chain vulnerabilities] of its kind.”
If an attacker uses PK in an attack, they can execute untrusted code during the boot process, even with secure boot enabled.
“This compromises the entire security chain, from the firmware to the operating system,” Binarily added.
Binarily has released a free scanning tool to check systems for vulnerability to what it calls “PKFail”. Letting him go seems like the smart thing to do. When it comes to fixing this problem, device manufacturers are going to have to step up.
Critical Vulnerabilities of the Week: It’s KEV how old?
We’re kicking off this week with a new report on a very old vulnerability being exploited in the wild.
According to NIST, a post-release exploit vulnerability in Internet Explorer versions 6 through 8 that allows remote attackers to execute arbitrary code — first discovered and identified in the wild in 2012 — is still being exploited today.
If for some reason you still have a machine running IE 6 to 8, maybe it’s time to put it out to pasture?
Also worth pointing out is a quartet of vulnerabilities identified in the Berkeley Internet Name Domain 9 DNS system flagged last week by the Internet Systems Consortium (CVE-2024-4076, CVE-2024-1975, CVE-2024-1737, CVE-2024- 0760).
If exploited, these flaws could result in a denial of service. Although not as critical as other vulnerabilities, the fact that they reside at the DNS level deserves these patches to be installed as soon as possible.
Another tracking software vendor has been hacked
It seems like we can barely go two weeks without another stalkerware vendor getting hacked, but here we are. TechCrunch obtained a batch of files stolen from Minnesota-based SpyTech last week.
The files – which have reportedly been verified as authentic – were installed on phones, tablets and computers monitored by SpyTech software, which secretly monitors the machines to monitor what their users are doing. Data belonging to more than 10,000 devices was found since 2013.
Oddly enough, SpyTech’s CEO was reportedly unaware of the breach when asked about it — which just goes to show you that these shops are more about making money than protecting the private data they collect from customers name.
… And plug in an MFA while you’re at it
Security researchers at Cisco Talos released their quarterly incident response trends report last week, and one startling trend stood out: About 80 percent of ransomware engagements in the second quarter occurred in organizations whose systems did not use multi-factor authentication.
And here we thought Snow White might have taught the world something.
Compromised credentials were the most popular way to gain initial access for the third quarter in a row, Talos noted — just like the cause of all those Snowflake failures.
Ransomware engagements overall increased 22 percent from the first quarter to the second quarter, accounting for 30 percent of all incidents Talos responded to. Combined with the increase in attacks using stolen credentials and reliance on the lack of MFA, it might be a good idea to take some time this week to enable it for everyone – no exceptions.
TracFone fined $16 million for three violations
Verizon subsidiary TracFone has agreed to pay the FCC $16 million to end investigations into three data breaches that occurred between 2021 and 2023.
According to the FCC, TracFone failed to secure several of its customer database APIs, resulting in criminals stealing customer account and device information as well as personal information. The breaches resulted in “numerous unauthorized ports.”
Not to be confused with SIM switching – another scam that most carriers are terrible at preventing – port outs involve porting a number to an entirely different operator. Both give attackers control over client devices.
TracFone has been ordered to implement mandatory cybersecurity programs “with new provisions to reduce API vulnerabilities,” as well as SIM and port swap protections. ®
