Supply Chain Vulnerabilities

This article began with ShadowHammer as the primary topic, a scathing rebuke of ASUS for their total lack of effort in securing an unnecessary utility that they install on every system they ship. However, I then saw the news about Office Depot’s System Health Checker tool being a complete sham designed to pressure people into purchasing software and services they do not need, which triggered memories of other similar betrayals. I can easily recall a dozen times “trusted third party vendors” were responsible for a breach: CCleaner, a utility designed to improve performance, delivered malware. The malware ShadowPad was baked into popular server management tools. Saks Fifth Avenue and Lord & Taylor: 3rd party provided point of sale system. Best Buy, Sears, Kmart, Delta: customer service vendor. Corporation Service Company: unknown vendor. Under Armour: MyFitnessPal (acquired vulnerable environment). UMG: cloud storage provider. Target: HVAC contractor. Applebee’s: 3rd party provided point of sale system…


Are you trusting your Managed IT Provider with your security? You’re both wrong.

Don’t judge a book by its cover. Not all that glitters is gold. If it sounds too good to be true, then it probably is. These are critical phrases to keep in mind when hearing pitches from Managed Service Providers (MSPs), since many of them will make claims to get your business but then deliver the minimal amount of support and security possible. With the upsurge in the general public’s awareness of cybersecurity, the number of blatantly unethical claims about service providers’ ability to protect your environment has undergone a similar surge. Phrases like “#1 cybersecurity firm in <insert city name here>”, “Secure your systems with our advanced compliance package”, and “Go beyond regular support and talk to us about our Security and Compliance offerings!” are prominently plastered on the home pages of thousands of managed IT providers. This dangerous, but legal, misrepresentation of ability and skill sets hurts not only…


BSides ATL is almost here!

Have you got your ticket for BSides ATL yet? If not, hurry before they sell out and come join us at the Kennesaw State University Center this Saturday, May 5th for this great event! Critical Path Security is proud to be an official sponsor of this event for and by information security community members. BSides creates opportunities for individuals to participate in an intimate atmosphere that encourages collaboration with discussions, demos, and interaction from participants. This year's theme is "Standing on the Shoulders of Giants" and will focus on how the success of our predecessors fuels future innovations. Swing by the Critical Path Security booth anytime to check out some cool tech demos, have a conversation about security, or pick up a limited edition gun-wielding-unicorn t-shirt we had made specifically for BSides ATL 2018. Donations to the Electronic Frontier Foundation are appreciated. If you can’t find the time to catch…


The “Ryzenfall” of AMD

Security research firm CTS has disclosed four critical flaws in AMD’s latest CPU models based on the Zen architecture: Ryzen and EPYC. Ironically enough, the Secure Processor located on the main CPU is the source of the vulnerability. While the firm’s motivation is under some scrutiny due to poor reporting practices, the vulnerabilities appear to be real enough, with some terrifying implications. Usually, a compromised machine can be cleaned of the infection and defended again with the appropriate patches or software upgrades. Not anymore. Three of the flaws, dubbed Ryzenfall, Fallout, and Masterkey, allow an attacker to plant malware in a “secure enclave”, thereby skipping all detection and other security controls such as Microsoft’s Credential Guard, Virtualization-based Security, and AMD’s own firmware Trusted Platform Module (fTPM), or they can just brick your motherboard. The flaws use the fact that the BIOS validation program can be tricked into believing a…
