
CyberWisdom Safe Harbor Commentary on Intel Alert:

A story from theregister.co.uk that is likely to be overlooked reports that Intel warned Chinese companies about its infamous Meltdown and Spectre processor vulnerabilities before it notified the U.S. government via US-CERT.

According to The Wall Street Journal, citing people familiar with the matter and several of the companies involved, big customers including Lenovo and Alibaba.com were told about the design flaws some time before the information was passed on to the U.S. government and to smaller cloud providers.

The disclosure schedule raises the possibility that some Chinese government officials knew of the vulnerabilities before the U.S. technology giant Intel disclosed them to the U.S. government and the public.

The two chip vulnerabilities, Meltdown and Spectre, were first discovered by members of Google’s Project Zero security team before being independently discovered and reported by other security researchers. “Intel had planned to make the discovery public on Jan. 9… but sped up its timetable when the news became widely known on Jan. 3, a day after U.K. website The Register wrote about the flaws,” the WSJ reports.

Intel says it addresses vulnerabilities together with security researchers at Google and other teams, as well as PC makers (especially large OEMs) and cloud computing companies. Those informed included Lenovo, Microsoft, Amazon, and Arm.

The Wall Street Journal did not say when Lenovo and the others were notified, but a leaked Intel memorandum to computer makers showed that at least one group of unnamed OEMs was covered by disclosure agreements, as previously reported.

Lenovo moved quickly, posting a statement on its portal on January 3 that told customers about the vulnerabilities and noted that it had already been working with its industry processor and operating system partners.

Speculation on Intel Alert
According to one person familiar with the company, China’s largest cloud service provider Alibaba Group was also notified in advance. A spokesman for Alibaba told The Wall Street Journal the idea that the company may share threat intelligence with the Chinese government is “speculative and unfounded.” Lenovo said Intel’s information is protected by a confidentiality agreement.

Jake Williams, a former NSA employee and president of security firm Rendition Infosec, said it is a “near certainty” that Beijing is aware of the exchange of information between Intel and its Chinese technology partners, because local authorities routinely monitor such communications.

An official at the U.S. Department of Homeland Security, which operates US-CERT, said it learned of the processor vulnerabilities only from the earlier news reports, adding: “We certainly would have liked to have been notified of this.”

White House chief cybersecurity officer Rob Joyce publicly stated that the NSA also did not know of the chip flaws known as Meltdown and Spectre.

Because of the early warning, Microsoft, Google, and Amazon were able to roll out protection for their cloud computing customers before the details of Meltdown and Spectre were made public. This matters because Meltdown, which allows malware to extract passwords and other secrets from the memory of Intel-powered computers, is easy to leverage, and cloud computing environments are particularly exposed because customers share servers. Someone renting a virtual machine on a cloud box vulnerable to Meltdown could use it to spy on other customers on the same host server.

Smaller cloud service providers were left to “catch up.” Joyent, a U.S. cloud service owned by Samsung Electronics, is one of the companies that would have benefited from the warning but was not included in the advisory group before the public disclosure.

Bryan Cantrill, the company’s chief technology officer, told The Wall Street Journal: “Others are six months ahead.” “We’re fighting for it.”

“I do not understand why CERT will not be your first stop,” Cantrill added. That is an understatement: Intel put its big customers ahead of the rest of us. Maybe we should follow some of the GDPR rules.

El Reg asked Intel to comment on its disclosure policy. Chipzilla told us in a statement that it was not able to notify everyone it had planned to ahead of time – including the US government – because of the leaks that preceded the Jan. 9 announcement:

The Google Project Zero team and affected vendors, including Intel, follow best practices for responsible and coordinated disclosure. The initial disclosure criteria and proven practices are to work with industry participants to develop solutions and deploy fixes prior to publication. In this case, Intel immediately engaged the U.S. government and a few others just prior to the public disclosure date of the industry coalition.

US-CERT, part of the Department of Homeland Security, initially suggested that the “Spectre” vulnerability could only be resolved by replacing the affected processors, before revising its position to say that applying the vendor-supplied patches provides adequate mitigation. US-CERT’s Automated Indicator Sharing (AIS) is available for free through the Department’s NCCIC, a 24/7 cyber situational awareness, incident response, and management center which was designated as the central hub for the sharing of cyber threat indicators between the private sector and the Federal Government by the Cybersecurity.


From The Register: “We certainly would have liked to have been notified of this,” says Homeland Security. Intel warned Chinese firms about its infamous Meltdown and Spectre processor vulnerabilities before informing the US government, it has emerged.



The post Intel alerted Chinese cloud giants ‘before US govt’ about CPU bugs appeared first on Safe Harbor on Cyber.
