Podcasts about uefi secure boot

Windows Insider Program Release Preview channel updates (including 26H1 for the first time? - A preview of the June Patch Tuesday updates - Shared audio, NPU usage in Task Manager, multi-app camera support, Magnifier improvements. Taskbar updates come to Insiders! Also in Canary, weʼre throwing them a bone this time. Enshittification remedies all around Microsoft just held a WinHEC for the first time since 2018 and thereʼs a new Windows Driver Initiative! Microsoft will soon let us remap Copilot key to Right Ctrl, which is what it was in the first place. A Linux privacy nut YouTuber confuses privacy and security and doesnʼt understand Windows 11 so... ... Paul wrote a complete guide to the local account de-Microsoft experience in Windows 11 Microsoft Edge will stop loading all passwords into clear text on startup like a big boy browser. Hardware Paul came home to an ASUS Zenbook A16 and ohmygodohmygodohmygod Surface Microsoft finally revs Surface Laptop and Surface Pro for Business, with Intel chips and VERY high prices. Snapdragon X2 variants in late 2026 because of supply issues wa-waa-waaaaa. AI MDASH is Microsoftʼs answer to Anthropic Mythos, in-house only. Elon Musk and Sam Altman are both terrible but a jury decided against Muskʼs frivolous lawsuit. OpenAI and Apple might head to court over Siri promises OpenAI Codex is on mobile via the ChatGPT app Google unleashes an AI tsunami at Google IO this week. A few relevant takeaways: Overview of the major announcements Google advances Android as a developer platform Chrome is turning into a proactive assistant Google AI subscriptions are an incredible value Related: The Gemini Intelligence feature for Googlebooks and more has steep hardware requirements - 12 GB of RAM, flagship SoC So Pixel 10 series/Galaxy S26 series and newer only etc. Just a reminder that Microsoft makes a Linux distribution ... for Azure specifically More dev WWDC schedule is up for June 8 opening day Build 2026 kicks off June 2 in SFO After another boring .NET 11 preview release, we finally get our first look at a major change: MAUI is switching from the Mono runtime to the CoreCLR runtime. And we should pause for a moment to remember S "Soma" Somasegar, who sadly passed away this week. Xbox and Gaming Next Xbox Elite controller leaks and it is glorious Related: An Xbox Cloud-Connected controller leaks too and it is less than glorious. Forza Horizon 6 is here, and itʼs on Game Pass on Day One. Be sure to read Laurentʼs detailed review. Haters gonna keep hating: Fans want Xbox exclusives because their heads are still in the sand. Sony is allegedly returning to this model for single player experiences Related: Sony raises prices on PS Plus Fortnite comes back to the Apple App Store worldwide *excluding Australia for some reason. Tips and Picks Tip of the week: Google AI Studio. Vibe-code your next app with this incredible free tool. Related: A look at Markdown editors. App pick of the week: DeskScapes 2026 Stardock DeskScapes 2026 is normally $9.99 but it will cost just $6.99 during the launch period. Also: Firefox 151 is a big update on desktop and mobile, the latter gets the AI kill switch RunAs Radio this week: UEFI Secure Boot with Richard Hicks Brown liquor pick of the week: Daftmill Winter Batch Release These show notes have been truncated due to length. For the full show notes, visit https://twit.tv/shows/windows-weekly/episodes/984 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Sponsors: outsystems.com/twit trustedtech.team/windowsweekly365 zscaler.com/security

Windows Insider Program Release Preview channel updates (including 26H1 for the first time? - A preview of the June Patch Tuesday updates - Shared audio, NPU usage in Task Manager, multi-app camera support, Magnifier improvements. Taskbar updates come to Insiders! Also in Canary, weʼre throwing them a bone this time. Enshittification remedies all around Microsoft just held a WinHEC for the first time since 2018 and thereʼs a new Windows Driver Initiative! Microsoft will soon let us remap Copilot key to Right Ctrl, which is what it was in the first place. A Linux privacy nut YouTuber confuses privacy and security and doesnʼt understand Windows 11 so... ... Paul wrote a complete guide to the local account de-Microsoft experience in Windows 11 Microsoft Edge will stop loading all passwords into clear text on startup like a big boy browser. Hardware Paul came home to an ASUS Zenbook A16 and ohmygodohmygodohmygod Surface Microsoft finally revs Surface Laptop and Surface Pro for Business, with Intel chips and VERY high prices. Snapdragon X2 variants in late 2026 because of supply issues wa-waa-waaaaa. AI MDASH is Microsoftʼs answer to Anthropic Mythos, in-house only. Elon Musk and Sam Altman are both terrible but a jury decided against Muskʼs frivolous lawsuit. OpenAI and Apple might head to court over Siri promises OpenAI Codex is on mobile via the ChatGPT app Google unleashes an AI tsunami at Google IO this week. A few relevant takeaways: Overview of the major announcements Google advances Android as a developer platform Chrome is turning into a proactive assistant Google AI subscriptions are an incredible value Related: The Gemini Intelligence feature for Googlebooks and more has steep hardware requirements - 12 GB of RAM, flagship SoC So Pixel 10 series/Galaxy S26 series and newer only etc. Just a reminder that Microsoft makes a Linux distribution ... for Azure specifically More dev WWDC schedule is up for June 8 opening day Build 2026 kicks off June 2 in SFO After another boring .NET 11 preview release, we finally get our first look at a major change: MAUI is switching from the Mono runtime to the CoreCLR runtime. And we should pause for a moment to remember S "Soma" Somasegar, who sadly passed away this week. Xbox and Gaming Next Xbox Elite controller leaks and it is glorious Related: An Xbox Cloud-Connected controller leaks too and it is less than glorious. Forza Horizon 6 is here, and itʼs on Game Pass on Day One. Be sure to read Laurentʼs detailed review. Haters gonna keep hating: Fans want Xbox exclusives because their heads are still in the sand. Sony is allegedly returning to this model for single player experiences Related: Sony raises prices on PS Plus Fortnite comes back to the Apple App Store worldwide *excluding Australia for some reason. Tips and Picks Tip of the week: Google AI Studio. Vibe-code your next app with this incredible free tool. Related: A look at Markdown editors. App pick of the week: DeskScapes 2026 Stardock DeskScapes 2026 is normally $9.99 but it will cost just $6.99 during the launch period. Also: Firefox 151 is a big update on desktop and mobile, the latter gets the AI kill switch RunAs Radio this week: UEFI Secure Boot with Richard Hicks Brown liquor pick of the week: Daftmill Winter Batch Release These show notes have been truncated due to length. For the full show notes, visit https://twit.tv/shows/windows-weekly/episodes/984 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Sponsors: outsystems.com/twit trustedtech.team/windowsweekly365 zscaler.com/security

Windows Insider Program Release Preview channel updates (including 26H1 for the first time? - A preview of the June Patch Tuesday updates - Shared audio, NPU usage in Task Manager, multi-app camera support, Magnifier improvements. Taskbar updates come to Insiders! Also in Canary, weʼre throwing them a bone this time. Enshittification remedies all around Microsoft just held a WinHEC for the first time since 2018 and thereʼs a new Windows Driver Initiative! Microsoft will soon let us remap Copilot key to Right Ctrl, which is what it was in the first place. A Linux privacy nut YouTuber confuses privacy and security and doesnʼt understand Windows 11 so... ... Paul wrote a complete guide to the local account de-Microsoft experience in Windows 11 Microsoft Edge will stop loading all passwords into clear text on startup like a big boy browser. Hardware Paul came home to an ASUS Zenbook A16 and ohmygodohmygodohmygod Surface Microsoft finally revs Surface Laptop and Surface Pro for Business, with Intel chips and VERY high prices. Snapdragon X2 variants in late 2026 because of supply issues wa-waa-waaaaa. AI MDASH is Microsoftʼs answer to Anthropic Mythos, in-house only. Elon Musk and Sam Altman are both terrible but a jury decided against Muskʼs frivolous lawsuit. OpenAI and Apple might head to court over Siri promises OpenAI Codex is on mobile via the ChatGPT app Google unleashes an AI tsunami at Google IO this week. A few relevant takeaways: Overview of the major announcements Google advances Android as a developer platform Chrome is turning into a proactive assistant Google AI subscriptions are an incredible value Related: The Gemini Intelligence feature for Googlebooks and more has steep hardware requirements - 12 GB of RAM, flagship SoC So Pixel 10 series/Galaxy S26 series and newer only etc. Just a reminder that Microsoft makes a Linux distribution ... for Azure specifically More dev WWDC schedule is up for June 8 opening day Build 2026 kicks off June 2 in SFO After another boring .NET 11 preview release, we finally get our first look at a major change: MAUI is switching from the Mono runtime to the CoreCLR runtime. And we should pause for a moment to remember S "Soma" Somasegar, who sadly passed away this week. Xbox and Gaming Next Xbox Elite controller leaks and it is glorious Related: An Xbox Cloud-Connected controller leaks too and it is less than glorious. Forza Horizon 6 is here, and itʼs on Game Pass on Day One. Be sure to read Laurentʼs detailed review. Haters gonna keep hating: Fans want Xbox exclusives because their heads are still in the sand. Sony is allegedly returning to this model for single player experiences Related: Sony raises prices on PS Plus Fortnite comes back to the Apple App Store worldwide *excluding Australia for some reason. Tips and Picks Tip of the week: Google AI Studio. Vibe-code your next app with this incredible free tool. Related: A look at Markdown editors. App pick of the week: DeskScapes 2026 Stardock DeskScapes 2026 is normally $9.99 but it will cost just $6.99 during the launch period. Also: Firefox 151 is a big update on desktop and mobile, the latter gets the AI kill switch RunAs Radio this week: UEFI Secure Boot with Richard Hicks Brown liquor pick of the week: Daftmill Winter Batch Release These show notes have been truncated due to length. For the full show notes, visit https://twit.tv/shows/windows-weekly/episodes/984 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Sponsors: outsystems.com/twit trustedtech.team/windowsweekly365 zscaler.com/security

Windows Insider Program Release Preview channel updates (including 26H1 for the first time? - A preview of the June Patch Tuesday updates - Shared audio, NPU usage in Task Manager, multi-app camera support, Magnifier improvements. Taskbar updates come to Insiders! Also in Canary, weʼre throwing them a bone this time. Enshittification remedies all around Microsoft just held a WinHEC for the first time since 2018 and thereʼs a new Windows Driver Initiative! Microsoft will soon let us remap Copilot key to Right Ctrl, which is what it was in the first place. A Linux privacy nut YouTuber confuses privacy and security and doesnʼt understand Windows 11 so... ... Paul wrote a complete guide to the local account de-Microsoft experience in Windows 11 Microsoft Edge will stop loading all passwords into clear text on startup like a big boy browser. Hardware Paul came home to an ASUS Zenbook A16 and ohmygodohmygodohmygod Surface Microsoft finally revs Surface Laptop and Surface Pro for Business, with Intel chips and VERY high prices. Snapdragon X2 variants in late 2026 because of supply issues wa-waa-waaaaa. AI MDASH is Microsoftʼs answer to Anthropic Mythos, in-house only. Elon Musk and Sam Altman are both terrible but a jury decided against Muskʼs frivolous lawsuit. OpenAI and Apple might head to court over Siri promises OpenAI Codex is on mobile via the ChatGPT app Google unleashes an AI tsunami at Google IO this week. A few relevant takeaways: Overview of the major announcements Google advances Android as a developer platform Chrome is turning into a proactive assistant Google AI subscriptions are an incredible value Related: The Gemini Intelligence feature for Googlebooks and more has steep hardware requirements - 12 GB of RAM, flagship SoC So Pixel 10 series/Galaxy S26 series and newer only etc. Just a reminder that Microsoft makes a Linux distribution ... for Azure specifically More dev WWDC schedule is up for June 8 opening day Build 2026 kicks off June 2 in SFO After another boring .NET 11 preview release, we finally get our first look at a major change: MAUI is switching from the Mono runtime to the CoreCLR runtime. And we should pause for a moment to remember S "Soma" Somasegar, who sadly passed away this week. Xbox and Gaming Next Xbox Elite controller leaks and it is glorious Related: An Xbox Cloud-Connected controller leaks too and it is less than glorious. Forza Horizon 6 is here, and itʼs on Game Pass on Day One. Be sure to read Laurentʼs detailed review. Haters gonna keep hating: Fans want Xbox exclusives because their heads are still in the sand. Sony is allegedly returning to this model for single player experiences Related: Sony raises prices on PS Plus Fortnite comes back to the Apple App Store worldwide *excluding Australia for some reason. Tips and Picks Tip of the week: Google AI Studio. Vibe-code your next app with this incredible free tool. Related: A look at Markdown editors. App pick of the week: DeskScapes 2026 Stardock DeskScapes 2026 is normally $9.99 but it will cost just $6.99 during the launch period. Also: Firefox 151 is a big update on desktop and mobile, the latter gets the AI kill switch RunAs Radio this week: UEFI Secure Boot with Richard Hicks Brown liquor pick of the week: Daftmill Winter Batch Release These show notes have been truncated due to length. For the full show notes, visit https://twit.tv/shows/windows-weekly/episodes/984 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Sponsors: outsystems.com/twit trustedtech.team/windowsweekly365 zscaler.com/security

Windows Insider Program Release Preview channel updates (including 26H1 for the first time? - A preview of the June Patch Tuesday updates - Shared audio, NPU usage in Task Manager, multi-app camera support, Magnifier improvements. Taskbar updates come to Insiders! Also in Canary, weʼre throwing them a bone this time. Enshittification remedies all around Microsoft just held a WinHEC for the first time since 2018 and thereʼs a new Windows Driver Initiative! Microsoft will soon let us remap Copilot key to Right Ctrl, which is what it was in the first place. A Linux privacy nut YouTuber confuses privacy and security and doesnʼt understand Windows 11 so... ... Paul wrote a complete guide to the local account de-Microsoft experience in Windows 11 Microsoft Edge will stop loading all passwords into clear text on startup like a big boy browser. Hardware Paul came home to an ASUS Zenbook A16 and ohmygodohmygodohmygod Surface Microsoft finally revs Surface Laptop and Surface Pro for Business, with Intel chips and VERY high prices. Snapdragon X2 variants in late 2026 because of supply issues wa-waa-waaaaa. AI MDASH is Microsoftʼs answer to Anthropic Mythos, in-house only. Elon Musk and Sam Altman are both terrible but a jury decided against Muskʼs frivolous lawsuit. OpenAI and Apple might head to court over Siri promises OpenAI Codex is on mobile via the ChatGPT app Google unleashes an AI tsunami at Google IO this week. A few relevant takeaways: Overview of the major announcements Google advances Android as a developer platform Chrome is turning into a proactive assistant Google AI subscriptions are an incredible value Related: The Gemini Intelligence feature for Googlebooks and more has steep hardware requirements - 12 GB of RAM, flagship SoC So Pixel 10 series/Galaxy S26 series and newer only etc. Just a reminder that Microsoft makes a Linux distribution ... for Azure specifically More dev WWDC schedule is up for June 8 opening day Build 2026 kicks off June 2 in SFO After another boring .NET 11 preview release, we finally get our first look at a major change: MAUI is switching from the Mono runtime to the CoreCLR runtime. And we should pause for a moment to remember S "Soma" Somasegar, who sadly passed away this week. Xbox and Gaming Next Xbox Elite controller leaks and it is glorious Related: An Xbox Cloud-Connected controller leaks too and it is less than glorious. Forza Horizon 6 is here, and itʼs on Game Pass on Day One. Be sure to read Laurentʼs detailed review. Haters gonna keep hating: Fans want Xbox exclusives because their heads are still in the sand. Sony is allegedly returning to this model for single player experiences Related: Sony raises prices on PS Plus Fortnite comes back to the Apple App Store worldwide *excluding Australia for some reason. Tips and Picks Tip of the week: Google AI Studio. Vibe-code your next app with this incredible free tool. Related: A look at Markdown editors. App pick of the week: DeskScapes 2026 Stardock DeskScapes 2026 is normally $9.99 but it will cost just $6.99 during the launch period. Also: Firefox 151 is a big update on desktop and mobile, the latter gets the AI kill switch RunAs Radio this week: UEFI Secure Boot with Richard Hicks Brown liquor pick of the week: Daftmill Winter Batch Release These show notes have been truncated due to length. For the full show notes, visit https://twit.tv/shows/windows-weekly/episodes/984 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Sponsors: outsystems.com/twit trustedtech.team/windowsweekly365 zscaler.com/security

Windows Insider Program Release Preview channel updates (including 26H1 for the first time? - A preview of the June Patch Tuesday updates - Shared audio, NPU usage in Task Manager, multi-app camera support, Magnifier improvements. Taskbar updates come to Insiders! Also in Canary, weʼre throwing them a bone this time. Enshittification remedies all around Microsoft just held a WinHEC for the first time since 2018 and thereʼs a new Windows Driver Initiative! Microsoft will soon let us remap Copilot key to Right Ctrl, which is what it was in the first place. A Linux privacy nut YouTuber confuses privacy and security and doesnʼt understand Windows 11 so... ... Paul wrote a complete guide to the local account de-Microsoft experience in Windows 11 Microsoft Edge will stop loading all passwords into clear text on startup like a big boy browser. Hardware Paul came home to an ASUS Zenbook A16 and ohmygodohmygodohmygod Surface Microsoft finally revs Surface Laptop and Surface Pro for Business, with Intel chips and VERY high prices. Snapdragon X2 variants in late 2026 because of supply issues wa-waa-waaaaa. AI MDASH is Microsoftʼs answer to Anthropic Mythos, in-house only. Elon Musk and Sam Altman are both terrible but a jury decided against Muskʼs frivolous lawsuit. OpenAI and Apple might head to court over Siri promises OpenAI Codex is on mobile via the ChatGPT app Google unleashes an AI tsunami at Google IO this week. A few relevant takeaways: Overview of the major announcements Google advances Android as a developer platform Chrome is turning into a proactive assistant Google AI subscriptions are an incredible value Related: The Gemini Intelligence feature for Googlebooks and more has steep hardware requirements - 12 GB of RAM, flagship SoC So Pixel 10 series/Galaxy S26 series and newer only etc. Just a reminder that Microsoft makes a Linux distribution ... for Azure specifically More dev WWDC schedule is up for June 8 opening day Build 2026 kicks off June 2 in SFO After another boring .NET 11 preview release, we finally get our first look at a major change: MAUI is switching from the Mono runtime to the CoreCLR runtime. And we should pause for a moment to remember S "Soma" Somasegar, who sadly passed away this week. Xbox and Gaming Next Xbox Elite controller leaks and it is glorious Related: An Xbox Cloud-Connected controller leaks too and it is less than glorious. Forza Horizon 6 is here, and itʼs on Game Pass on Day One. Be sure to read Laurentʼs detailed review. Haters gonna keep hating: Fans want Xbox exclusives because their heads are still in the sand. Sony is allegedly returning to this model for single player experiences Related: Sony raises prices on PS Plus Fortnite comes back to the Apple App Store worldwide *excluding Australia for some reason. Tips and Picks Tip of the week: Google AI Studio. Vibe-code your next app with this incredible free tool. Related: A look at Markdown editors. App pick of the week: DeskScapes 2026 Stardock DeskScapes 2026 is normally $9.99 but it will cost just $6.99 during the launch period. Also: Firefox 151 is a big update on desktop and mobile, the latter gets the AI kill switch RunAs Radio this week: UEFI Secure Boot with Richard Hicks Brown liquor pick of the week: Daftmill Winter Batch Release These show notes have been truncated due to length. For the full show notes, visit https://twit.tv/shows/windows-weekly/episodes/984 Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell Sponsors: outsystems.com/twit trustedtech.team/windowsweekly365 zscaler.com/security

The original Secure Boot certificate expires in June 2026! Richard talks to Richard Hicks about how Secure Boot works and how the expiration of the master certificate can leave PCs vulnerable to boot-related malware, such as rootkits. Richard discusses recent Microsoft communications on SecureBoot and how to check which certificate your machines have. Workstations using managed updates are likely already up to date, but servers are a different issue. When the certificate expires, you'll no longer receive updates to Secure Boot for known exploits, leaving your machines vulnerable. Update today! Links Secure Boot Certificates Expiring Sony Rootkit Scandal Secure Boot Playbook for Windows Client Windows Update Management Registry Key Updates for Secure Boot Richard's Blog Post on Secure Boot EUFI Certificates Expiring Get-UEFICertificate in PowerShell Gallery Recorded March 9, 2026

We all have data to rescue, you just don't realize it yet. This week we build our own custom live rescue distros, recover real data, and show you how to make your own.Sponsored By:Jupiter Party Annual Membership: Put your support on automatic with our annual plan, and get one month of membership for free!Managed Nebula: Meet Managed Nebula from Defined Networking. A decentralized VPN built on the open-source Nebula platform that we love.Support LINUX UnpluggedLinks:

*Threat Hunting Workshop: Hunting for Persistence - Level 2 September 24, 2025 | 12:00 - 1:00 PM ET Sign Up: https://www.intel471.com/resources/webinars/threat-hunting-workshop-16-hunting-for-persistence-level-2 ---------- Top Headlines: Jamf Threat Labs | Learn about ChillyHell, a modular Mac backdoor: https://www.jamf.com/blog/chillyhell-a-modular-macos-backdoor/ SecureList | Malicious MCP servers used in supply chain attacks: https://securelist.com/model-context-protocol-for-ai-integration-abused-in-supply-chain-attacks/117473/?web_view=true Bitdefender Blog | EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company: https://www.bitdefender.com/en-us/blog/businessinsights/eggstreme-fileless-malware-cyberattack-apac welivesecurity | Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass: https://www.welivesecurity.com/en/eset-research/introducing-hybridpetya-petya-notpetya-copycat-uefi-secure-boot-bypass/ ---------- Stay in Touch! Twitter: https://twitter.com/Intel471Inc LinkedIn: https://www.linkedin.com/company/intel-471/ YouTube: https://www.youtube.com/channel/UCIL4ElcM6oLd3n36hM4_wkg Discord: https://discord.gg/DR4mcW4zBr Facebook: https://www.facebook.com/Intel471Inc/

ShinyHunters hits Vietnam National Credit Information Center HybridPetya is a Petya/NotPetya copycat with UEFI Secure Boot bypass CISA seeks control over CVE Huge thanks to our sponsor, Drata Leading security teams trust SafeBase by Drata to turn trust into a growth engine. Our enterprise-grade Trust Center puts your security posture in one secure, customer-facing portal, giving buyers instant visibility into your company's continuous controls, certifications, and policies. With AI-powered Questionnaire Assistance, blast through inbound security questionnaires in minutes instead of days, automate cross functional workflows, and eliminate friction. That means less manual work, and faster deal cycles. Win with Trust. Learn more at SafeBase.io. Find the stories behind the headlines at CISOseries.com.

Enjoying the content? Let us know your feedback!In this episode, we'll be exploring a particularly intriguing file types: polyglot files. These digital shapeshifters have become a powerful tool in the arsenal of cyber attackers, capable of bypassing security measures, confusing systems, and delivering malicious payloads in ways that are both creative and devastating.Over the next  20 to 30 minutes or so, we'll break down what polyglot files are, how they work, and why they're so dangerous. We'll also examine some real-world examples where polyglot files were used in cyberattacks. We will reference the MITRE ATT&CK framework to understand how these techniques fit into the broader landscape of adversarial tactics. Finally, we'll discuss mitigation strategies and close with a cybersecurity myth that needs bustingBefore we dive into the main topic, lets glance what is happening on the security front:UEFI Secure Boot bypass vulnerability- https://en.wikipedia.org: Polyglot- https://attack.mitre.org: Masquerading- https://arxiv.org: Where the Polyglots Are: How Polyglot Files Enable Cyber Attack Chains and Methods for Detection & Disarmament- https://medium.com: Polyglot Files A Hackers Best Friend- https://www.bleepingcomputer.com: New polyglot malware hits aviation, satellite communication firmsBe sure to subscribe! You can also stream from https://yusufonsecurity.comIn there, you will find a list of all previous episodes in there too.

In this episode, we cover how to use honeypot data to keep your offensive infrastructure alive longer, three critical vulnerabilities in SimpleHelp that must be patched now, and an interesting vulnerability affecting many systems allowing UEFI Secure Boot bypass. Leveraging Honeypot Data for Offensive Security Operations [Guest Diary] A recent guest diary on the SANS Internet Storm Center discusses how offensive security professionals can utilize honeypot data to enhance their operations. The diary highlights the detection of scans from multiple IP addresses, emphasizing the importance of monitoring non-standard user-agent strings in web requests. https://isc.sans.edu/diary/Leveraging%20Honeypot%20Data%20for%20Offensive%20Security%20Operations%20%5BGuest%20Diary%5D/31596 Security Vulnerabilities in SimpleHelp 5.5.7 and Earlier SimpleHelp has released version 5.5.8 to address critical security vulnerabilities present in versions 5.5.7 and earlier. Users are strongly advised to upgrade to the latest version to prevent potential exploits. Detailed information and upgrade instructions are available on SimpleHelp's official website. https://simple-help.com/kb---security-vulnerabilities-01-2025#send-us-your-questions Under the Cloak of UEFI Secure Boot: Introducing CVE-2024-7344 ESET researchers have identified a new vulnerability, CVE-2024-7344, that allows attackers to bypass UEFI Secure Boot on most UEFI-based systems. This flaw enables the execution of untrusted code during system boot, potentially leading to the deployment of malicious UEFI bootkits. Affected users should apply available patches to mitigate this risk. https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/

ESET researchers have discovered a vulnerability affecting the majority of UEFI-based systems that allows actors to bypass UEFI Secure Boot. This vulnerability, assigned CVE-2024-7344, was found in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate. ESET researchers discovered a new vulnerability, CVE-2024-7344, that allows actors to bypass UEFI Secure Boot on the majority of UEFI-based systems. Exploitation of this vulnerability allows execution of untrusted code during system boot, enabling deployment of malicious UEFI bootkits. The issue was fixed by affected vendors; the vulnerable binaries were revoked by Microsoft in the January 14, 2025, Patch Tuesday update. Exploitation of this vulnerability can lead to the execution of untrusted code during system boot, enabling potential attackers to easily deploy malicious UEFI bootkits (such as Bootkitty or BlackLotus) even on systems with UEFI Secure Boot enabled, regardless of the operating system installed. ESET reported the findings to the CERT Coordination Center (CERT/CC) in June 2024, which successfully contacted the affected vendors. The issue has now been fixed in affected products, and the old, vulnerable binaries were revoked by Microsoft in the January 14, 2025, Patch Tuesday update. The affected UEFI application is part of several real-time system recovery software suites developed by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH. "The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window shows that even such an essential feature as UEFI Secure Boot should not be considered an impenetrable barrier," says ESET researcher Martin Smolár, who discovered the vulnerability. "However, what concerns us the most with respect to the vulnerability is not the time it took to fix and revoke the binary, which was quite good compared to similar cases, but the fact that this isn't the first time that such an obviously unsafe signed UEFI binary has been discovered. This raises questions of how common the use of such unsafe techniques is among third-party UEFI software vendors, and how many other similar obscure, but signed, bootloaders there might be out there." Exploitation of this vulnerability is not limited to systems with the affected recovery software installed, as attackers can bring their own copy of the vulnerable binary to any UEFI system with the Microsoft third-party UEFI certificate enrolled. Also, elevated privileges are required to deploy the vulnerable and malicious files to the EFI system partition (local administrator on Windows; root on Linux). The vulnerability is caused by the use of a custom PE loader instead of using the standard and secure UEFI functions LoadImage and StartImage. All UEFI systems with Microsoft third-party UEFI signing enabled are affected (Windows 11 Secured-core PCs should have this option disabled by default). The vulnerability can be mitigated by applying the latest UEFI revocations from Microsoft. Windows systems should be updated automatically. Microsoft's advisory for the CVE-2024-7344 vulnerability can be found here. For Linux systems, updates should be available through the Linux Vendor Firmware Service. For a more detailed analysis and technical breakdown of the UEFI vulnerability, check out the latest ESET Research blog post, "Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344" on WeLiveSecurity.com. Guest post by ESET Ireland. You can follow ESET Ireland on X (ex-Twitter), Facebook or LinkedIn for more cybersecurity tips.

President Biden issues a comprehensive  cybersecurity executive order. Updates on Silk Typhoon's US Treasury breach. A Chinese telecom hardware firm is under FBI investigation. A critical vulnerability has been found in the UEFI Secure Boot mechanism. California-based cannabis brand Stiiizy suffers a data breach. North Korea's Lazarus Group lures freelance developers. The FTC highlights major security failures at web hosting giant GoDaddy. Veeam patches a critical vulnerability in their Backup for Microsoft Azure product. Hackers leak sensitive data from over 15,000 Fortinet firewalls. Our guest today is Oren Koren, Veriti's Co-founder and CPO, sharing insights about the state of healthcare cybersecurity. Shiver me timbers! Meta's AI trains on a treasure chest of pirated books. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Our guest today is Oren Koren, Veriti's Co-founder and CPO, sharing insights about the state of healthcare cybersecurity. You can read more in their “The State of Healthcare Cybersecurity 2025” report.  Selected Reading Biden to sign executive order on AI and software security (Axios) Treasury Breach by Chinese Sponsored Hackers Focused on Sanctions, Report Says (Bloomberg) Exclusive: Chinese tech firm founded by Huawei veterans in the FBI's crosshairs (Reuters) New UEFI Secure Boot Bypass Vulnerability Exposes Systems to Malicious Bootkits (Cyber Security News) 380,000 Impacted by Data Breach at Cannabis Retailer Stiiizy (SecurityWeek) North Korean Hackers Targeting Freelance Software Developers (SecurityWeek) GoDaddy Accused of Serious Security Failings by FTC (Infosecurity Magazine) Veeam Azure Backup Solution Vulnerability Allows Attackers To Enumerate Network (Cyber Security News) Hacking group leaks Fortinet users' details on dark web (Computing) Meta Secretly Trained Its AI on a Notorious Piracy Database, Newly Unredacted Court Docs Reveal (WIRED) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

We explore the certificate issue in which secure boot is potentially compromised because of certificates that have been compromised in ways they could be easily used as for an attack vector. This is a very significant flaw and something that should be on your purview and radar to fix. We're going to talk about what the issue is, why it's important, how secure boot works, and what you can do to mitigate this problem in your own infrastructure. This is a really important episode for anybody running or managing desktops, data centers or infrastructure of any type. Transcript: https://otter.ai/u/59uYpJpra5SutJOpEB_bPZ2CUqI?utm_source=copy_url

ESET believes this bootkit is likely an initial proof of concept, and based on ESET telemetry, it has not been deployed in the wild. However, it is the first evidence that UEFI bootkits are no longer confined to Windows systems alone. The bootkit's main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux "init" process (which is the first process executed by the Linux kernel during system startup). The previously unknown UEFI application, named "bootkit.efi," was uploaded to VirusTotal. Bootkitty is signed by a self-signed certificate, thus is not capable of running on systems with UEFI Secure Boot enabled by default. However, Bootkitty is designed to boot the Linux kernel seamlessly, whether UEFI Secure Boot is enabled or not, as it patches, in memory, the necessary functions responsible for integrity verification. The bootkit is an advanced rootkit that is capable of replacing the boot loader, and of patching the kernel ahead of its execution. Bootkitty allows the attacker to take full control over the affected machine, as it co-opts the machine's booting process, and executes malware before the operating system has even started. During the analysis, ESET discovered a possibly related unsigned kernel module that ESET named BCDropper - with signs suggesting that it could have been developed by the same author(s) as Bootkitty. It deploys an ELF binary responsible for loading yet another kernel module unknown at the time of analysis. "Bootkitty contains many artifacts, suggesting that this is more like a proof of concept than the work of a threat actor. Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems since it can affect only a few Ubuntu versions, it emphasizes the necessity of being prepared for potential future threats," says ESET researcher Martin Smolar, who analyzed Bootkitty. "To keep your Linux systems safe from such threats, make sure that UEFI Secure Boot is enabled, your system firmware, security software and OS are up-to-date, and so is your UEFI revocations list," he adds. After booting up a system with Bootkitty in the ESET testing environment, researchers noticed that the kernel was marked as tainted (a command can be used to check the tainted value), which was not the case when the bootkit was absent. Another way to tell whether the bootkit is present on the system with UEFI Secure Boot enabled is by attempting to load an unsigned dummy kernel module during runtime. If it's present, the module will be loaded; if not - the kernel refuses to load it. A simple remedy to get rid of the bootkit, when the bootkit is deployed as "/EFI/ubuntu/grubx64.efi", is to move the legitimate "/EFI/ubuntu/grubx64-real.efi" file back to its original location, which is "/EFI/ubuntu/grubx64.efi". Over the past few years, the UEFI threat landscape, particularly that of UEFI bootkits, has evolved significantly. It all started with the first UEFI bootkit proof of concept (PoC), described by Andrea Allievi in 2012, which served as a demonstration of deploying bootkits on modern UEFI-based Windows systems, and was followed with many other PoCs (EfiGuard, Boot Backdoor, UEFI-bootkit). I t took several years until the first two real UEFI bootkits were discovered in the wild (one of those was ESPecter in 2021 by ESET), and it took two more years until the infamous BlackLotus - the first UEFI bootkit capable of bypassing UEFI Secure Boot on up-to-date systems - appeared (in 2023, discovered by ESET). A common thread among these publicly known bootkits was their exclusive targeting of Windows systems. For a more detailed analysis and technical breakdown of Bootkitty, the first bootkit for Linux, check out the latest ESET Research blogpost, "Bootkitty: Analyzing the first UEFI bootkit for Linux," on WeLiveSecurity.com. Make sure to follow ESET Research on X for the latest news from ESET Rese...

Da rollt etwas auf uns zu: Microsoft verändert Secure Boot für Windows. Die Tücken der Sicherheitsfunktion im Podcast Bit-Rauschen, Folge 2024/7.

Towards the end of 2022, an unknown threat actor boasted online that they created a new and powerful UEFI bootkit called BlackLotus. Its most distinctive feature? It could mysteriously bypass UEFI Secure Boot, a feature built into all modern computers to prevent them from running unauthorized software. What at first sounded like a myth turned into reality a few months later when ESET researchers discovered a sample that perfectly matched all the mentioned attributes of a UEFI bootkit known as BlackLotus. Listen to the fascinating story of ESET Malware Researcher Martin Smolár describing his threat hunt to our host ESET Distinguished Researcher Aryeh Goretsky. For more info about this research, read the blogpost on WeLiveSecurity.com. Host: Aryeh Goretsky, ESET Distinguished Researcher Guest: Martin Smolár, ESET Malware Researcher Materials: BlackLotus UEFI bootkit: Myth confirmed

Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist CISA, MITRE Look to Take ATT&CK Framework Out of the Weeds Meta unveils a new large language model that can run on a single GPU BlackLotus bootkit bypasses UEFI Secure Boot on patched Windows 11 Microsoft to Store World's Music Collection on Quartz Wafers Andre Keartland, Solutions Architect at Netsurit Professional Services talks about how enterprise organizations can implement DevSecOps to enhance security. Hosts: Louis Maresca, Brian Chee, and Curtis Franklin Guest: André Keartland Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsors: bitwarden.com/twit kolide.com/twiet decisions.com/twit

Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist CISA, MITRE Look to Take ATT&CK Framework Out of the Weeds Meta unveils a new large language model that can run on a single GPU BlackLotus bootkit bypasses UEFI Secure Boot on patched Windows 11 Microsoft to Store World's Music Collection on Quartz Wafers Andre Keartland, Solutions Architect at Netsurit Professional Services talks about how enterprise organizations can implement DevSecOps to enhance security. Hosts: Louis Maresca, Brian Chee, and Curtis Franklin Guest: André Keartland Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsors: bitwarden.com/twit kolide.com/twiet decisions.com/twit

Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist CISA, MITRE Look to Take ATT&CK Framework Out of the Weeds Meta unveils a new large language model that can run on a single GPU BlackLotus bootkit bypasses UEFI Secure Boot on patched Windows 11 Microsoft to Store World's Music Collection on Quartz Wafers Andre Keartland, Solutions Architect at Netsurit Professional Services talks about how enterprise organizations can implement DevSecOps to enhance security. Hosts: Louis Maresca, Brian Chee, and Curtis Franklin Guest: André Keartland Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsors: bitwarden.com/twit kolide.com/twiet decisions.com/twit

Pernicious Permissions: How Kubernetes Cryptomining Became an AWS Cloud Data Heist CISA, MITRE Look to Take ATT&CK Framework Out of the Weeds Meta unveils a new large language model that can run on a single GPU BlackLotus bootkit bypasses UEFI Secure Boot on patched Windows 11 Microsoft to Store World's Music Collection on Quartz Wafers Andre Keartland, Solutions Architect at Netsurit Professional Services talks about how enterprise organizations can implement DevSecOps to enhance security. Hosts: Louis Maresca, Brian Chee, and Curtis Franklin Guest: André Keartland Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit Sponsors: bitwarden.com/twit kolide.com/twiet decisions.com/twit

On The Cloud Pod this week, the team struggles with scheduling to get everyone in the same room for just one week. Plus, Microsoft increases pay for talent retention while changing licensing for European Cloud Providers, Google Cloud introduces AlloyDB for PostgreSQL, and AWS announces EC2 support for NitroTPM. A big thanks to this week's sponsor, Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure. This week's highlights

The GNOME Foundation and Endless launch a new contest aimed at engaging young coders with FOSS, Tails 4.5 brings support for UEFI Secure Boot, the first release of Krustlet brings WebAssembly to Kubernetes, and Qt considers further limiting access to its releases.

The GNOME Foundation and Endless launch a new contest aimed at engaging young coders with FOSS, Tails 4.5 brings support for UEFI Secure Boot, the first release of Krustlet brings WebAssembly to Kubernetes, and Qt considers further limiting access to its releases.

W pierwszym (testowym) odcinku naszego podcastu porozmawiamy o ostatnich odkryciach ujawnionych w artykule Bloomberga na temat instalowania implantów (backdoorów) sprzętowych w płytach głównych produkowanych przez Supermicro.Według źródła, odkryte miały zostać małe układy scalone, których rzekomym celem działania było wykradanie informacji z serwerów pracujących w amerykańskich sieciach telekomunikacyjnych oraz popularnych usługach chmurowych i sieciach społecznościowych.Ponieważ na co dzień zajmujemy się produkcją oprogramowania układowego (Firmware/BIOS), a tym samym posiadamy praktyczną wiedzę z zakresu budowy zarówno sprzętu jak i standardów dla oprogramowania embedded, postanowiliśmy przyjrzeć się tym rewelacjom i skonfrontować je z faktami.Na początku odcinka przekazujemy informacje ogólne na temat tematyki implantów (backdoorów) sprzętowych. Słuchacze bardziej biegli w temacie mogą od razu przejść do 15 minuty gdzie rozpoczynamy techniczną analizę prawdopodobnego scenariusza ataku, który pokrywałby się z informacjami przedstawionymi przez Bloomberga.Podczas naszej analizy odwołujemy się do standardów takich jak: BMC, IPMI, ACPI, UEFI, ATF, NC-SI, TPM. Jeżeli szukasz twardych technicznych dokumentów na te tematy koniecznie sprawdź linki poniżej.Prowadzący: Radosław Biernacki, Michał Stanek, Jan Dąbroś, Wojciech MacekLinki (chcesz wiedzieć więcej?):Hardware trojan:https://en.wikipedia.org/wiki/Hardware_TrojanBloomberg:https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companieshttps://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecomInne źródła na temat publikacji:https://www.servethehome.com/yossi-appleboum-disagrees-bloomberg-is-positioning-his-research-against-supermicro/https://www.servethehome.com/explaining-the-baseboard-management-controller-or-bmc-in-servers/https://securinghardware.com/articles/hardware-implants/IPMI - because ACPI and UEFI weren't terrifying enough:https://www.youtube.com/watch?v=GZeUntdObCABMC/IPMI:https://www.intel.com/content/dam/www/public/us/en/documents/product-briefs/ipmi-second-gen-interface-spec-v2-rev1-1.pdfhttps://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/https://www.reddit.com/r/homelab/comments/74o47w/psa_do_not_connect_your_ipmi_to_outside_world/OpenBMC:https://www.youtube.com/watch?v=HO9qDPoWWrghttps://github.com/openbmc/openbmcUEFI:https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interfacehttps://github.com/tianocore/edk2ACPI:https://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interfacehttp://www.uefi.org/sites/default/files/resources/ACPI_6_2.pdfhttps://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Heasman.pdfARM Trusted Firmware / UEFI Secure Boot:https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdfhttps://www.trustedfirmware.org/about/https://github.com/ARM-software/arm-trusted-firmwareNC-SI:https://en.wikipedia.org/wiki/NC-SIhttps://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.0.0.pdfhttps://sthbrx.github.io/blog/2017/09/22/ncsi-nice-network-youve-got-there/TPM:https://en.wikipedia.org/wiki/Trusted_Platform_Modulehttps://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=59565PUF:https://www.coursera.org/lecture/hardware-security/physical-unclonable-functions-puf-basics-Ab4sfhttp://cryptowiki.net/index.php?title=Physically_unclonable_functions_(PUF)HW Counterfeits:https://www.electronicsweekly.com/news/business/fbi-arrests-counterfeit-chip-traffickers-2015-12/https://www.netnames.com/insights/blog/2014/03/counterfeit-aircraft-parts-in-the-usa/https://zeptobars.com/en/read/Nordic-NRF24L01P-SI24R1-real-fake-copyps: już po naszej publikacji pojawił się poniższy art.https://www.servethehome.com/investigating-implausible-bloomberg-supermicro-stories/

It's not even the first proper episode but Chris and Joe talk about kernel security, UEFI Secure Boot, the latest Raspberry Pi news, Nexus devices being abandoned and MP3 becoming (sort of) free. GrSecurity Kernel Patches Will No Longer Be Free To The Public - Phoronix (http://www.phoronix.com/scan.php?page=news_item&px=GrSecurity-No-Longer-Free) Secure Boot booted from Debian 9 'Stretch' (https://www.theregister.co.uk/2017/05/01/debian_stretch_omits_secure_boot/) Devuan GNU/Linux 1.0 "Jessie" to Support Raspberry Pi 3, Acer Chromebook Devices (http://news.softpedia.com/news/devuan-gnu-linux-1-0-jessie-to-support-raspberry-pi-3-acer-chromebook-devices-515469.shtml) Get a free AIY Projects Voice Kit with The MagPi 57! - The MagPi MagazineThe MagPi Magazine (https://www.raspberrypi.org/magpi/google-aiy-voice-magpi-57/) What is this bullsh*t, Google? Nexus phones starved of security fixes after just three years • The Register (https://www.theregister.co.uk/2017/05/01/google_eol_for_nexus_phones/) Full MP3 Support Being Added To Fedora Linux - Phoronix (http://www.phoronix.com/scan.php?page=news_item&px=Full-MP3-Support-In-Fedora)

It's not even the first proper episode but Chris and Joe talk about kernel security, UEFI Secure Boot, the latest Raspberry Pi news, Nexus devices being abandoned and MP3 becoming (sort of) free. GrSecurity Kernel Patches Will No Longer Be Free To The Public - Phoronix (http://www.phoronix.com/scan.php?page=news_item&px=GrSecurity-No-Longer-Free) Secure Boot booted from Debian 9 'Stretch' (https://www.theregister.co.uk/2017/05/01/debian_stretch_omits_secure_boot/) Devuan GNU/Linux 1.0 "Jessie" to Support Raspberry Pi 3, Acer Chromebook Devices (http://news.softpedia.com/news/devuan-gnu-linux-1-0-jessie-to-support-raspberry-pi-3-acer-chromebook-devices-515469.shtml) Get a free AIY Projects Voice Kit with The MagPi 57! - The MagPi MagazineThe MagPi Magazine (https://www.raspberrypi.org/magpi/google-aiy-voice-magpi-57/) What is this bullsh*t, Google? Nexus phones starved of security fixes after just three years • The Register (https://www.theregister.co.uk/2017/05/01/google_eol_for_nexus_phones/) Full MP3 Support Being Added To Fedora Linux - Phoronix (http://www.phoronix.com/scan.php?page=news_item&px=Full-MP3-Support-In-Fedora)

It's not even the first proper episode but Chris and Joe talk about kernel security, UEFI Secure Boot, the latest Raspberry Pi news, Nexus devices being abandoned and MP3 becoming (sort of) free. GrSecurity Kernel Patches Will No Longer Be Free To The Public - Phoronix (http://www.phoronix.com/scan.php?page=news_item&px=GrSecurity-No-Longer-Free) Secure Boot booted from Debian 9 'Stretch' (https://www.theregister.co.uk/2017/05/01/debian_stretch_omits_secure_boot/) Devuan GNU/Linux 1.0 "Jessie" to Support Raspberry Pi 3, Acer Chromebook Devices (http://news.softpedia.com/news/devuan-gnu-linux-1-0-jessie-to-support-raspberry-pi-3-acer-chromebook-devices-515469.shtml) Get a free AIY Projects Voice Kit with The MagPi 57! - The MagPi MagazineThe MagPi Magazine (https://www.raspberrypi.org/magpi/google-aiy-voice-magpi-57/) What is this bullsh*t, Google? Nexus phones starved of security fixes after just three years • The Register (https://www.theregister.co.uk/2017/05/01/google_eol_for_nexus_phones/) Full MP3 Support Being Added To Fedora Linux - Phoronix (http://www.phoronix.com/scan.php?page=news_item&px=Full-MP3-Support-In-Fedora)

Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Kallenberg/DEFCON-22-Corey-Kallenberg-Extreme-Privilage-Escalation.pdf Additional Materials available here: https://defcon.org/images/defcon-22/dc-22-presentations/Kallenberg/DEFCON-22-Corey-Kallenberg-Extreme-Privilage-Escalation-WP-UPDATED.pdf Extreme Privilege Escalation On Windows 8/UEFI Systems Corey Kallenberg MITRE Xeno Kovah MITRE It has come to light that state actors install implants in the BIOS. Let no one ever again question whether BIOS malware is practical or present in the wild. However, in practice attackers can install such implants without ever having physical access to the box. Exploits against the BIOS can allow an attacker to inject arbitrary code into the platform firmware. This talk will describe two such exploits we developed against the latest UEFI firmware. The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined "runtime services" interface between the OS and the firmware. This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced APIs that allow accessing this UEFI interface from a userland process. Vulnerabilities in this interface can potentially allow a userland process to escalate its privileges from "ring 3" all the way up to that of the platform firmware, which includes permanently attaining control of the very-powerful System Management Mode (SMM). This talk will disclose two vulnerabilities that were discovered in the Intel provided UEFI reference implementation, and detail the unusual techniques needed to successfully exploit them. Corey Kallenberg is a security researcher for The MITRE Corporation who has spent several years investigating operating system and firmware security on Intel computers. In 2012 he coauthored work presented at DEF CON and IEEE S&P on using timing based attestation to detect Windows kernel hooks. In 2013 he helped discover critical problems with current implementations of the Trusted Computing Group's "Static Root of Trust for Measurement" and co-presented this work at NoSuchCon and Blackhat USA. Later, he discovered several vulnerabilities which allowed bypassing of "signed BIOS enforcement" on a number of systems, allowing an attacker to make malicious modifications to the platform firmware. These attacks were presented at EkoParty, HITB, and PacSec. Recently, Corey has presented attacks against the UEFI "Secure Boot" feature. Corey is currently continuing to research the security of UEFI and the Intel architecture. twitter: @coreykal Xeno Kovah is a Lead InfoSec Engineer at The MITRE Corporation, a non-profit company that runs 6 federally funded research and development centers (FFRDCs) as well as manages CVE. He is the team lead for the BIOS Analysis for Detection of Advanced System Subversion project. On the predecessor project, Checkmate, he investigated kernel/userspace memory integrity verification & timing-based attestation. Both projects have a special emphasis on how to make it so that the measurement agent can't just be made to lie by an attacker. Xeno is also the founder and leading contributor to OpenSecurityTraining.info. twitter: @xenokovah Special thanks to the contributing researchers for their help in co-authoring: John Butterworth is a security researcher at The MITRE Corporation who currently specializes in Intel firmware security. In 2012 he co-authored the whitepaper "New Results for Timing-Based Attestation" which used timing based attestation to detect Windows kernel hooks. This research was presented at DEF CON and the 2012 IEEE Symposium on Security and Policy. In 2013 he and his colleagues authored "BIOS Chronomancy:Fixing the Static Root of Trust for Measurement" which proposed using Timing-Based Attestation during the BIOS boot process to resolve critical problems which they had found with current implementations of the Trusted Computing Group's "Static Root of Trust for Measurement". He has presented this research at NoSuchCon, Black Hat USA, SecTor, SEC-T, Breakpoint, and Ruxcon. Following this he has created a tool called Copernicus designed to determine just how prevalent vulnerable BIOS is in industry. John is currently continuing to research the security of BIOS/UEFI and the Intel architecture. Sam Cornwell is a Sr. InfoSec Engineer at The MITRE Corporation, a not-for-profit company that runs 6 federally funded research and development centers (FFRDCs) as well as manages CVE. Since 2011 he has been working on projects such as Checkmate (a kernel and userspace memory integrity verification & timing-based attestation tool), Copernicus, a (BIOS extractor and configuration checker), and several other private security sensors designed to combat sophisticated threats. He has also researched and developed attacks against UEFI SecureBoot.