Archiv: processors

14.05.2019 - 21:30 [ ]

ZombieLoad Attack: Watch out! Your processor resurrects your private browsing-history and other sensitive data.

After Meltdown, Spectre, and Foreshadow, we discovered more critical vulnerabilities in modern processors. The ZombieLoad attack allows stealing sensitive data and keys while the computer accesses them.

While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs. These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys.

The attack does not only work on personal computers but can also be exploited in the cloud.

14.05.2019 - 21:29 [ ]

New secret-spilling flaw affects almost every Intel chip since 2011

Almost every computer with an Intel chips dating back to 2011 are affected by the vulnerabilities. AMD and ARM chips are not said to be vulnerable like earlier side-channel attacks.

29.03.2019 - 10:50 [ ]

There is mysterious ‘undocumented technology’ hidden on Intel computer chips, researchers say

Computer experts have claimed that the chips which power most of the computers in the world are hiding mysterious and ‘undocumented’ technology.

Analysts from Positive Technologies alleged that Intel chips and processors contain an enigmatic ‘logic signal analyser’ capable of reading ‘almost all data on a computer’.

The claims are likely to alarm conspiracy theorists …

13.02.2019 - 12:38 [ Universität Tel Aviv ]

Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation

(April 2015) Q1: What information is leaked by the electromagnetic emanations from computers?

This depends on the specific computer hardware. We have tested numerous laptop computers, and found the following:
In almost all machines, it is possible to tell, with sub-millisecond precision, whether the computer is idle or performing operations.
On many machines, it is moreover possible to distinguish different patterns of CPU operations and different programs.
Using GnuPG as our study case, we can, on some machines:
distinguish between the spectral signatures of different RSA secret keys (signing or decryption), and fully extract decryption keys, by measuring the laptop’s electromagnetic emanations during decryption of a chosen ciphertext.

22.10.2018 - 10:51 [ Tom's Hardware ]

Intel ME’s Undocumented Manufacturing Mode Suggests CPU Hacking Risks

(3.10.2018) Positive Technologies (PT), a Russian security company that has discovered multiple bugs in Intel’s Management Engine (ME) over the last couple of years, this week revealed more details about Intel’s “Manufacturing Mode” for ME, saying it can expose users to remote hacking. This is the second undocumented mode in Intel ME that PT has found in recent years.

22.10.2018 - 10:45 [ Apple Insider ]

Apple left Intel processor management and testing tools unlocked for years

(5.10.2018) The Intel Management Engine (ME) is a subsystem used to handle tasks during the booting process and in the background, and has been in use since 2008. The Register reports the investigation by security firm Positive Technologies looked into how the subsystem could be abused, as a „side-channel threat“ to the processor.

Researchers Maxim Goryachy and Mark Ermolov, who previously were involved in the finding of a related Intel ME firmware flaw one year ago, posted on Tuesday about their latest discovery.

30.05.2018 - 11:52 [ Science Files ]

Überwachungsstaat: Wie in Deutschland EU-Direktiven erweitert werden

Die Veränderung und Erweiterung von EU-Verordnungen kann an zwei Schnittstellen erfolgen. Keine davon hat es bislang in das Bewusstsein von Wissenschaftlern geschafft. Die erste Schnittstelle ergibt sich bei der Übersetzung des englischen Originaltextes der EU-Verordnung in die deutsche Sprache. Wer führt diese Übersetzung durch? Welche Interessen werden mit der Übersetzung bedient? Die zweite Schnittstelle ergibt sich bei der Umsetzung der Übersetzung der EU-Verordnung in deutsches Recht. Hier wird hinzugefügt, ausgelassen, erweitert, gestrichen. Der für uns markanteste Unterschied zwischen der EU-Verordnung und dem Bundesdatenschutzgesetz findet sich darin, dass alle Begriffsbestimmungen, die notwendig sind, um festzulegen, welchen Gegenstand und welchen Zweck das Gesetz haben soll und die notwendig sind, um Willkür im Rahmen zu halten, im Bundesdatenschutzgesetz fehlen (siehe unten). Um dieses Manko auszugleichen, wurde der Anwendungsbereich, der in der EU-Verordnung auf „controller“ und „processor“ persönlicher Daten eingeschränkt ist, in Deutschland auf alle „natürlichen und juristischen Personen“ erweitert.