John Loucaides

This one was instrumental for getting me interested in the space as well. Lots of stuff happened after this...

I'm trying to start a positive security trend of #ResearchRespect wherein we give shoutouts to researchers whose work we really respect and describe why. I'll go first (in no particular order) with "Attacking Intel BIOS" by Rafal Wojtczuk and @AlexTereshkin at BlackHat 2009

I’m glad this mentioned explicitly that it’s for the threat model of “Harvest Now, Decrypt Later”. Because until all the SecureBoot infrastructure is also post-quantum, the “attacker can sign arbitrary code for bootloader” attack assumption would still allow realtime coms capture

Lots of noise about `CVE-2024-21626 runc container escape`. As long as you have SELinux enabled, the container processes are blocked from reading sensitive data and writing all data. Podman enables SELinux by default and defaults to rootless mode.

If any random UEFI vendor wants to learn something from #LogoFAIL other than demanding 300+ days of embargoe that then gets broken by the very same vendor, let it be "we need to invest in exploitation prevention and hardening, because securing 10M+ LOC of C and ASL is impossible"

@dragosr @ryanaraine Standardization of system firmware has made attack reuse easier. (To be fair it made patching easier too) There are complications, sure, but for attackers, I would argue that system firmware attacks are actuality easier than many common attacks on browsers, OS components, etc.

@dragosr @ryanaraine We have definitely completed coordinated disclosure with patch and publication in 90 days for uefi. It's possible. Depending on how much the dependencies cascade, that can become too aggressive. In my experience, 180 days is usually enough for these. 300 seems excessive.

Arguing that a 300-day embargo on a vulnerability is somehow reasonable 👇| uefi.org/sites/default/…

We're excited to announce our collaboration w/@Intel to provide enhanced visibility into supply chains by integrating key supply chain & vulnerability insights from Intel’s Endpoint Cloud Services into Eclypsium's Infrastructure #SupplyChainSecurity suite! bit.ly/3QUSxmD

.@JohnLoucaides, SVP Strategy at Eclypsium, joins us on the show to discuss protecting the federal supply chain! #vulnerability #DoDs #firmware bit.ly/3PLnWpB

How does this make you feel?

I hope @vincentzimmer and friends are going to celebrate!

A #UEFI Forum webinar presented by @Intel focused on the changes made to the #EDK2 version of the #Python interpreter that were necessary to run @CHIPSEC. The presenters provide an overview of the Chipsec framework and why it’s useful: bit.ly/3FQmoHc

Like BIOSdisconnect before it, this allows attack code to download and run from the unmodified, legitimate updater. With so many update apps doing different things, it's very hard to be sure what to trust. Are you more secure updating frequently or tightly controlling updates?

@eclypsium (and many others) has published about a lot of attacks targeting update apps. The recent issue with gigabyte is a different variation, though. This update app is installed by firmware and fails to secure what it downloads and runs.

This malware appears to target dell machines and hide with the dell update app (command).

I talked with @securityweekly recently about firmware security and #OST2. Thankfully Paul asked questions about how OST2 helps teach fwsec, when I went off into the weeds on fwsec, since it's something I like talking about youtube.com/watch?v=gXaDBH…

@JohnLoucaides @guido_bertoni @KirkBrannock @securityweekly @eclypsium Good reference to learn more about Intel debug technology: intel.com/content/www/us…

@guido_bertoni @jerry_Intel @KirkBrannock @securityweekly @eclypsium Reading tianocore and coreboot code also help, but not for everyone... ;-)

@guido_bertoni Yeah. This is hard to piece together. This paper is a good start: intel.com/content/dam/ww… @jerry_Intel or @KirkBrannock may have other ideas. @securityweekly has some episodes on it and @eclypsium will be publishing more about it too.

This is an extremely important fact relative to the recent breach and leak at MSI.