Connect with us

Tech

Senators Fear Meltdown and Spectre Disclosure Gave China an Edge

4 min read

A Wednesday Congressional hearing on the Meltdown and Spectre chip vulnerabilities had all the technobabble and painful misunderstanding you might expect. But the Committee on Commerce, Science and Transportation also raised an important practical concern: No one informed the US government about the flaws until they were publicly disclosed at the beginning of January. As a result, the government couldn’t assess the national security implications of Meltdown and Spectre, or start defending federal systems during the months that researchers and private companies secretly grappled with the crisis.

“It’s really troubling and concerning that many if not all computers used by the government contain a processor vulnerability that could allow hostile nations to steal key datasets and information,” New Hampshire senator Maggie Hassan said during the hearing. “It’s even more troubling that these processor companies knew about these vulnerabilities for six months before notifying [the Department of Homeland Security].”

Attackers can exploit the Spectre and Meltdown chip bugs, which foreshadowed an entire new class of vulnerabilities, to steal many different types of data from a system. While the flaws have existed in the world’s most ubiquitous processing chips for 20 years, a series of academic researchers discovered them throughout the second half of 2017. Once informed of the issue, Intel and other chipmakers began a massive, clandestine effort to notify as many supply chain customers and operating system makers as possible, so that they could start creating patches.

‘It’s highly likely that the Chinese government knew about the vulnerabilities.’

Senator Bill Nelson

While Intel notified a group of international private tech firms—including some in China—during this process, DHS and the US government in general didn’t learn of the situation until it was publicly disclosed at the beginning of January. Numerous senators at Wednesday’s hearing noted that this delayed disclosure may have given foreign governments the early warning the US didn’t have. If nation state hackers weren’t already aware of Spectre and Meltdown and exploiting the bugs for espionage operations, they could have started in the months before patches started going out.

“It’s been reported that Intel informed Chinese companies of the Spectre and Meltdown vulnerabilities before notifying the US government,” Florida Senator Bill Nelson said on Wednesday. “As a result, it’s highly likely that the Chinese government knew about the vulnerabilities.”

Intel declined to attend the hearing, but Joyce Kim, chief marketing officer of ARM—a Softbank-owned company that creates processor architecture schematics that are then manufactured by other companies—told the Committee that ARM prioritized notifying its customers within 10 days of learning about Spectre and Meltdown. “At that point, given the unprecedented scale of what we were looking at, our focus was on making sure that we assessed the full impact of this vulnerability, as well as getting [information] to potential impacted customers and focusing on developing mitigations,” Kim told the Senators. “We do have architecture customers in China that we were able to notify to work with them on the mitigations.”

Since the initial disclosure in January, researchers have discovered multiple other variants of Meltdown and Spectre that chipmakers have worked to patch. Kim explained that as these new strains have emerged over the last six months, ARM has worked more closely with DHS to create communication channels for disclosure and collaboration.

“We always want to be informed of vulnerabilities as quickly as possible, so that we can validate, mitigate, and disclose vulnerabilities to our stakeholders,” a DHS official told WIRED.

Intel said in a statement to WIRED, “We have been working with the Senate Commerce Committee since January to address the Committee’s questions regarding the coordinated disclosure process and will continue to work with the Committee and others in Congress to address any additional questions.”

Managing vulnerability discoveries is always complicated, but becomes especially so when it involves numerous organizations. And the stakes of Spectre and Meltdown were even higher than usual, because the bugs were found to be in the majority of devices around the world, and had persisted for two decades. These conditions not only created a massive patching challenge for dozens of major companies, but also raised the question of whether the vulnerabilities had been discovered and quietly exploited for years by unknown entities or governments. The flaws would have been extremely valuable for intelligence-gathering if a country knew how to exploit them.

‘Nobody can address or even mention any of the real issues in these types of public hearings.’

Dave Aitel, Immunity

That’s what makes the notion, first reported by The Wall Street Journal, that Intel prioritized notifying Chinese firms over the US government so problematic. There is no specific evidence at this point that China actually abused Meltdown and Spectre as a result of these pre-disclosures, but the country is well known for aggressive state-sponsored hacking campaigns that have recently only grown in sophistication.

“A number of things probably combined to lead to the insufficiency of US government notification,” Art Manion, a senior vulnerability analyst at the CERT Coordination Center at Carnegie Mellon, which works on coordinating disclosures worldwide, told the Committee. “We are actively working with industry contacts to remind them of the existing practice of notifying critical infrastructure and important service providers before public disclosure happens to avoid costly surprises.” When pressed by the Committee, he added that the months-long wait to notify the US government about Meltdown and Spectre was a mistake on the part of chipmakers like Intel. “It is a rather long time and in our professional assessment it is probably too long, particularly for very special new types of vulnerabilities like this,” he said.

Analysts say that pre-notifying DHS would be valuable in situations where a major vulnerability is about to be publicly disclosed. But they also caution that Congressional hearings about security in general tend to mask or oversimplify deeply complex and nuanced topics. “Nobody can address or even mention any of the real issues in these types of public hearings,” says Dave Aitel, a former NSA researcher who now runs the penetration testing firm Immunity. “DHS probably won’t get substantially more cooperation.”


More Great WIRED Stories

Original article

Tech

Data breach exposes trade secrets of carmakers GM, Ford, Tesla, Toyota – TechCrunch

1 min read

Data breach exposes trade secrets of carmakers GM, Ford, Tesla, Toyota – TechCrunch

Security researcher UpGuard Cyber Risk disclosed Friday that sensitive documents from more than 100 manufacturing companies, including GM, Fiat Chrysler, Ford, Tesla, Toyota, ThyssenKrupp, and VW were exposed on a publicly accessible server belonging to Level One Robotics.

The exposure via Level One Robotics, which provides industrial automation services, came through rsync, a common file transfer protocol that’s used to backup large data sets, according to UpGuard Cyber Risk. The data breach was first reported by the New York Times.

According to the security researchers, restrictions weren’t placed on the rsync server. This means that any rsync client that connected to the rsync port had access to download this data. UpGuard Cyber Risk published its account of how it discovered the data breach to show how a company within a supply chain can affect large companies with seemingly tight security protocols.

This means if someone knew where to look they could access trade secrets closely protected by automakers. It’s unclear if any nefarious actors actually got their hands on the data. At least one source at an affected automaker told TechCrunch it doesn’t not appear that sensitive or proprietary data was exposed.

UpGuard’s big takeaway in all of this: rsync instances should be restricted by IP address. The researchers also suggest that user access to rsync be set up so that clients have to authenticate before receiving the dataset. Without these measures, rsync is publicly accessible, the researchers said.

The breach exposed 157 gigabytes of data—a treasure trove of 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms. The breach even included sensitive non-disclose agreements, including one from Tesla.

Personal details of some Level One employees, including scans of driver’s licenses and passports, and Level One business data, including invoices, contracts, and bank account details.

The security team discovered the breach July 1. The company successfully reached Level One by July 9 and the exposure was closed by the following day.

Original article

Continue Reading

Tech

Pitch your startup to snag €3 million in TV advertising

2 min read

Presented by SevenVentures


Taking your product to market is the easy part. Building a leading brand separates the weak from the strong.

SevenVentures, a TV media investor and an investment arm of Europe’s largest broadcaster, ProSiebenSat.1 Group, is devoted to creating the next generation of market leaders by helping growth companies scale quickly using TV advertising.

And now the company is announcing that applications are open for their eighth annual SevenVentures Pitch Day (7VPD). They’re looking for the most innovative B2C startups, ready to establish themselves and grow in Germany. They’ll be pitching for the chance to win €3 million in TV advertising in this fast-growing market.

The 7VPD prize

7VPD will take place at the DMEXCO conference in Cologne, Germany on September 12, 2018, where four finalists who want to grow their brands in Germany will present their concepts to a jury of industry experts and entrepreneurs. One lucky winning startup will scoop €3 million in German TV advertising, €200k in online advertising, €30k for the creation of their own TV spot, and a mentoring program from Proctor and Gamble. According to Forbes Magazine, it’s one of the most valuable venture capital prizes in the world.

The hot German market

Germany is a hot and growing market for international companies. With more than 40 million financially solvent households and a gross domestic product (GDP) worth more than €3.7 billion, Germany is the leading EU economy, accounting for over a fifth (21.1 percent) of EU GDP.

From a launchpad in Germany, companies can also easily expand into Austria, Switzerland, and beyond. A local partner like SevenVentures can help international companies navigate these new waters.

Who can apply?

The competition is aimed at the most innovative and creative companies in the B2C space who have a unique physical or digital product, want to scale quickly, and are at the right stage of development to benefit from TV advertising power. Both German companies and international companies that are not yet active in the German market are eligible to participate.

Want to leave the competition behind? Then apply for 7VPD by August 22nd, 2018 for a chance to win over €3 million in advertising budget. 

2018 7VPD jury

The 7VPD offers a jury of industry experts:

  • Michael Stich is an entrepreneur, founder, and a former professional tennis player who counts the Wimbledon Men’s Single and Doubles titles and Olympic Men’s Doubles among his many sporting achievements.
  • Astrid Teckentrup has been vice president of sales at Proctor & Gamble DACH, one of the largest markets for P&G worldwide, since 2015. On a global level, she is responsible for a major global customer.
  • Florian Pauthner & Eun-Kyung Park will team up for the third jury spot: Eun-Kyung is managing director of SevenVentures, and since 2009 has held many executive positions at the ProSiebenSat.1 Group, including for ProSiebenSat.1 Digital (Video), TV channel six, and managing director of SevenOne Adfactory. Florian is managing director of SevenVentures and previously enjoyed a longstanding career as an investment expert as former SevenVentures’ CFO, and in M&A for one of the biggest financial institutions in Northern Europe and at a leading management consultancy.

Presenter Steven Gätjen will accompany the participants, jury, and audience through the hour-long program.

Apply for 7VPD by August 22nd, 2018 for the chance to win over €3 million in advertising spend.

DMEXCO: for key players in digital, marketing, and innovation: Bringing together 40,000 visitors, 1,100 exhibitors, and 500 speakers from around the world for a one-of-a-kind event each year in Cologne, DMEXCO (Digital Marketing and Expo Conference) has set the standard as the place for business minds to learn and inspire, build connections, and for ideas to become actions.


Sponsored posts are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact [email protected].

Original article

Continue Reading

Tech

Open sourcing quantum: Get ready to help build a new future

0 min read

Jay Gambetta is a fellow at IBM, where he has contributed to the work on quantum validation techniques, quantum codes, improved gates and coherence, near-term applications of quantum computing, the IBM Quantum Experience, and the Qiskit open source framework and leads IBM’s quantum theory, software, and applications group. Previously, he worked at the Institute for Quantum Computing in Canada and was a postdoctoral fellow at Yale University. A quantum information scientist researching in the field of quantum information and computation, Jay h…

more

Original article

Continue Reading

Recently Posted

You may also like

Anthony Head to play Robin Fairbrother in Radio 4 soap Anthony Head to play Robin Fairbrother in Radio 4 soap
Health2 hours ago

Anthony Head to play Robin Fairbrother in Radio 4 soap

1 min read It was an affair that sent ripples through The Archers – young Elizabeth Archer falling for Robin...

Health1 day ago

First smallpox treatment approved amid fears virus could become “weaponised”

1 min read Smallpox – a contagious and often fatal disease responsible for the deaths of 300 million people in...

We can treat Aids with medicine – but only love will beat its insidious stigma We can treat Aids with medicine – but only love will beat its insidious stigma
Health2 days ago

We can treat Aids with medicine – but only love will beat its insidious stigma

1 min read Aids activism has always been about connecting with people on the margins. Our movement is defined by...

Conflict and breakdown in law and order drive scourge of modern slavery Conflict and breakdown in law and order drive scourge of modern slavery
Health2 days ago

Conflict and breakdown in law and order drive scourge of modern slavery

1 min read The UK has 2.1 slaves for every 1,000 people – around 136,000 in total. This figure is...

HIV and Aids in Africa has a new adversary – God and big pharma HIV and Aids in Africa has a new adversary – God and big pharma
Health3 days ago

HIV and Aids in Africa has a new adversary – God and big pharma

2 min read In Britain and much of the west you hardly hear of Aids anymore, only HIV, the fluid-borne...

Health3 days ago

EastEnders and Coronation Street ‘driving the decline of TV audiences’

1 min read Britain is falling out of love with soap operas, as viewers abandon the shows that once had...

Long-lost cache of British explorer discovered buried in Australian outback by former F1 driver Long-lost cache of British explorer discovered buried in Australian outback by former F1 driver
Health3 days ago

Long-lost cache of British explorer discovered buried in Australian outback by former F1 driver

2 min read Perkins, 68, decided to make another attempt and began scouring the records of the expedition at the...

Health3 days ago

Buy more vegetables instead of omega-3 supplements to improve heart health, report says 

1 min read The new research looked specifically at evidence of their impact on rates of heart disease, stroke and...

Health3 days ago

Londoners least liberal on homosexuality and pre-marital sex

1 min read London is known as a bastion of liberal values.  But by some measures the capital city is...

Scientists develop early warning system to predict dengue outbreak Scientists develop early warning system to predict dengue outbreak
Health4 days ago

Scientists develop early warning system to predict dengue outbreak

1 min read During periods of drought people tend to store water in containers, providing an ideal breeding ground for mosquitoes,...

Trending