2009/07/30
TheRegister: Intel warns over bare-metal BIOS bug
by John Leyden
Intel has warned that some of its motherboards contain a flaw in their BIOS setup that creates a privilege escalation vulnerability.
As a result of the security bug, users already logged in as administrators could change code running in System Management Mode. SMM is a privileged operating environment that operates outside of operating system control, creating a possible mechanism (at least in theory) for mounting rootkit-style attacks on vulnerable systems.
Exploiting the bug would probably require physical access to affected systems, a fair amount of skill and not a little luck in locating a vulnerable box.
Desktop and server systems are both potentially affected by the bug, described by Intel as "important", so the flaw still merits close attention.
BIOS updates designed to mitigate against attack are available for vulnerable Intel motherboards, as explained in an advisory by the chip giant issued on Wednesday.
Intel lists the following desktop motherboards as potentially vulnerable: D5400XS, DX58SO, DX48BT2, DX38BT, DP45SG, DQ45CB, DQ45EK, DQ43AP, DB43LD, DG41MJ, DG41RQ, DG41TY, DG45ID, DG45FC, DG43NB, DP43TF, DQ35JO, DQ35MP, DG33BU, DG33FB, DG33TL, DP35DP, D945GSEJT, D945GCLF, D945GCLF2.
Intel Server Boards in the S3000, S3200, S5000 series, S5400 series, and S5500 series also need a BIOS update.
BIOS-related security flaws are rare but not unprecedented. The latest bug was discovered by researchers from Invisible Things Lab. Last year, the same researchers detailed a high-privilege rootkit vulnerability in Xen hypervisor that Intel addressed via a Bios update.
Invisible Things is due to present new research on attacking Intel BIOS at this week's Black Hat conference in Las Vegas, which is likely to be dominated by a detailed dissection of the issues arising from Intel's latest BIOS security advisory. ®
InfoWorld: Open source project aims to make secure DNS easier
by Jeremy Kirk
A group of developers has released open-source software that gives administrators a hand in making the Internet's addressing system less vulnerable to hackers.
The software, called OpenDNSSEC, automates many tasks associated with implementing DNSSEC (Domain Name System Security Extensions), which is a set a set of protocols that allows DNS (Domain Name System) records to carry a digital signature, said John A. Dickinson, a DNS consultant working on the project.
DNS records allow Web sites to be translated from a name into an IP (Internet Protocol) address, which can be queried by a computer. But the DNS system has several flaws dating from its original design that are being increasingly targeted by hackers.
By tampering with a DNS server, it's possible for a user to type in the correct Web site name but be directed to a fraudulent site, a type of attack called cache poisoning. That's one of many concerns that is driving a movement for ISPs and other entities running DNS servers to use DNSSEC.
With DNSSEC, DNS records are cryptographically signed, and those signatures are verified to ensure the information is accurate. Adoption of DNSSEC, however, has been held back by both the complexity of implementation and a lack of simpler tools, Dickinson said.
To sign DNS records, DNSSEC uses public key cryptography, where signatures are created using a public and private key and implemented on a zone level. Part of the problem is management of those keys, since they must be refreshed periodically to maintain a high level of security, Dickinson said. A mistake in managing those keys could cause major problems, which is one of the challenges for administrators.
OpenDNSSEC allows administrators to create policies and then automate managing the keys and signing the records, Dickinson said. The process now involves more manual intervention, which increases the chance for errors.
OpenDNSSEC "takes care of making sure that zone stays signed properly and correctly according to the policy on a permanent basis," Dickinson said. "All of that is completely automated so that the administrator can concentrate on doing DNS and let the security work in the background."
The software also has a key storage feature that lets administrators keep keys in either a hardware or security software module, an additional layer of protection that ensure keys don't end up in the wrong hands, Dickinson said.
The OpenDNSSEC software is available for download, although it is being offered as a technology preview and shouldn't be used yet in production, Dickinson said. Developers will gather feedback on the tool and release improved versions in the near future.
As of earlier this year, most top-level domains, such as those ending in ".com," were not cryptographically signed, and neither were those in the DNS root zone, the master list of where computers can go to look up an address in a particular domain. VeriSign, which is the registry for ".com," said in February it will implement DNSSEC across top-level domains including .com by 2011.
Other organizations are also moving toward using DNSSEC. The U.S. government has committed to using DNSSEC for its ".gov" domain. Other ccTLDs (country-code Top-Level Domains) operators in Sweden (.se), Brazil (.br), Puerto Rico (.pr) and Bulgaria (.bg), are also using DNSSEC.
CNet: Open source may be your only ticket out of the cloud
by Matt Asay
Enterprise IT sometimes behaves like the group of teenagers I counsel on a weekly basis as part of my church responsibilities: "Damn the future, let's live for the present!"
Stephen O'Grady offers a pungent critique of this nearsighted tendency in enterprise IT, especially as it pertains to the cloud:
Very much like Apple on the consumer level, (commercial cloud providers) Google et al demand sacrifices in return for convenience. Perhaps-
or make that likely-realizing that businesses will invariably sacrifice the future at the altar of the present. We'll give you the convenience and time to market now; just don't expect to leave later.And it's hard to blame (enterprise IT) for that, honestly. They've got jobs to do and kids to feed, and their blind trust in the technology industry to police itself and not lock them in this time as they've been locked in so many times before is as Peanuts touching as it is naive. Whether Lucy will yank the football out from under them yet again depends, as far as I can tell, on open source.
Why open source? Because open source helps to keep vendors like Google and Amazon honest by offering open alternatives to closed clouds (e.g., Eucalyptus).
Also, it's very possible that cloud computing will be nudged open in important ways due to the furor raised over proprietary practices.
This isn't simply a matter of open-source advocates castigating companies for locking in customers. It's also a clever sales tactic that an increasing array of companies will use to win over customers leery of signing over their data to a proprietary cloud provider, seemingly once and for all.
As the cloud gains relevance, we'll see an increasing array of companies that deliver software as a service (SaaS), but provide an "eject" mechanism via open-source, on-premise offerings. SugarCRM does this now, and I think we'll begin to see this more and more often.
The reality is that the service will be compelling enough to keep customers from bolting. But offering the safety blanket is worthwhile, even if no one ever uses it (and, frankly, I doubt many will, because very few are capable or running their own cloud, and even fewer want to).
O'Grady concludes that "Whether open source takes a role front and center...remains to be seen, but is certain that it will-
as it has to date-have a crucial role in shaping the cloud market to come." How significant that role is largely up to us.Disclosure: I am an advisor to SugarCRM.
