Microsoft Announces Secured-core PCs To Counter Firmware Attacks (venturebeat.com) 53
Microsoft today announced a new initiative to combat threats specifically targeted at the firmware level and data stored in memory: Secured-core PCs. From a report: Microsoft partnered with chip and computer makers to apply "security best practices of isolation and minimal trust to the firmware layer, or the device core, that underpins the Windows operating system." Secured-core PCs will be available from Dell, Dynabook, HP, Lenovo, Panasonic, and Surface. Microsoft hasn't released a full list of Secured-core PCs, but two examples include HP's Elite Dragonfly and Microsoft's Surface Pro X.
Firmware is used to initialize the hardware and other software on the device. The firmware layer runs underneath the OS, where it has more access and privilege than the hypervisor and kernel. Firmware is thus emerging as a top target for attackers since the malicious code can be hard to detect and difficult to remove, persisting even with an OS reinstall or a hard drive replacement. Microsoft points to the National Vulnerability Database, which shows the number of discovered firmware vulnerabilities growing each year. As such, Secured-core PCs are designed for industries like financial services, government, and healthcare. They are also meant for workers who handle highly sensitive IP, customer, or personal data that poses higher-value targets for nationstate attackers.
Firmware is used to initialize the hardware and other software on the device. The firmware layer runs underneath the OS, where it has more access and privilege than the hypervisor and kernel. Firmware is thus emerging as a top target for attackers since the malicious code can be hard to detect and difficult to remove, persisting even with an OS reinstall or a hard drive replacement. Microsoft points to the National Vulnerability Database, which shows the number of discovered firmware vulnerabilities growing each year. As such, Secured-core PCs are designed for industries like financial services, government, and healthcare. They are also meant for workers who handle highly sensitive IP, customer, or personal data that poses higher-value targets for nationstate attackers.
Am I incorrect or isn't this just TPM renamed? (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
A Microsoft cannot change its inherent shittiness.
I would suggest that it's not so much "shiftiness" as a resolute determination to maximize profits. Other corporations talk about maximizing profits, but Microsoft really do it. That has been their policy since Day One, and they are very consistent. If an act helps to increase long-term profits, they do it. If it doesn't, then... not so much.
Customers may or may not like it; it may or may not contribute to quality; but none of that matters in the least. (Except inasmuch as happy customers and better quality
Re: (Score:2)
I would imagine M$ wouldn't do it directly, but instead take the trenchcoat, fedora, and a suitcase full of money approach.
(Shady M$ guy in a dark alley) "PSSST! Hey kid, how would you like to make some money?"
Re: (Score:3, Insightful)
There is a difference. Microsoft has spent years improving their PR. They are no longer the evil overload they are just a boring reliable business offering quality services. Unlike the newest set of bad guys like Apple, Amazon, Google and Facebook.
Re: (Score:3)
There is a difference. Microsoft has spent years improving their PR. They are no longer the evil overload they are just a boring reliable business offering quality services. Unlike the newest set of bad guys like Apple, Amazon, Google and Facebook.
Cannot tell if you are being sarcastic or not, pls advise
Re: (Score:2)
Well I am not implying that we should just trust Microsoft to the benevolent owners of our PC. However their PR department has done a good job at slowly getting the Anti-Microsoft Everything rage out of our system. Just check posts in Slashdot from 10 years ago. A post saying anything good about Slashdot would have been marked as a troll.
The thing is, due to the rise of Mobile Computing, and Microsoft failure to get into that area, they computing infrastructure is no as Microsoft Dependent as it use to be.
Re: (Score:2)
Well their PR has worked, Microsoft didn't really change all that much over the past few decades. But what happened is they are not so public about the hostility towards open source. Microsoft even 20 years ago was a big supporter to open source software, but they were publicly hostile toward it. I give this to the early 2000's tough guy image that was popular at the time. Where successful companies were called out for how much they can bully their competition. Post Enron, and Financial Crisis, this bully
Re: (Score:2)
Exactly.
Re: (Score:3)
Say hello to the new Microsoft, same as the old Microsoft.
Re: (Score:3)
I wish they would take the money from this initiative and put it into QA for their EXISTING OS works. Seems like every regular security patch for Win10 these days are full of issues or regressions.
Re: (Score:2)
So what you're saying is security is a black and white concept, and that TPM was supposed to turn that black to white? Or Secure boot was supposed to turn that black to white?
Next time just write: "I don't know what I'm talking about, mod me up!". It's shorter and easier to type.
Re: Am I incorrect or isn't this just TPM renamed? (Score:1)
Bypass Firmware Drivers (Score:2)
I was able to tame a MacBook Pro with rogue Firmware via the grub nativedisk command which bypasses firmware drivers. https://www.gnu.org/software/grub/manual/grub/html_node/nativedisk.html#nativedisk
Secure PC huh? (Score:4, Interesting)
Lenovo huh?
Superfish ring any bells to anyone?
Because we all can "trust" MS! (Score:5, Insightful)
LOL.
Just like SecureBoot or UEFI! /s
Re: (Score:2)
So since you clearly are the expert here, maybe point to us the cases where Secureboot has not achieved what it was designed to do?
Or do you think that just because I fix a security vulnerability in one area it means everything everwhere is supposed to be fixed? Because frankly that would be the dumbest thing written on the internet ... at least until 8chan gets back online.
Re: (Score:2)
And if you had an IQ larger than the number of fingers on your hands you'd realise they are both doing two very different things.
Re: (Score:2)
While I don't trust MS farther than I can drop-kick their main headquarters ("Windows Genuine Advantage", I'm looking at you), you should be more concerned about MS locking in your OS and then your applications via this, rather than ranting about UEFI and Secure Boot.
It is true that UEFI has had issues where it has been hacked (that I know about) but two things you should be aware of:
1) you're looking at Intel, AMD, and third-party firmware developers, when you are blaming UEFI for something, not Microsoft
Re: (Score:2)
Hmm... sorry, ambiguous. But it holds true for both the business clients and the software clients:
The software clients are a separate piece of software added on on top of UEFI. All you can do is lock down the UEFI API as best you can and recommend settings to the folks using it.
The business clients are going to be business clients, and have irremediable sociological and psychological vulnerabilities that the NVD database doesn't cover.
Windows only systems with an chip for DCL like con (Score:2)
Windows only systems with an chip for DCL like control. Want to use a non dell ssd or pci-e card pay up!
Odd! because (Score:3)
Just my 2 cents
Re: (Score:2)
Targeted (Score:3)
"Please tell us whether you plan to use this PC for highly sensitive data, so that we may send you one of our 'specially prepared' PCs."
Yeah, no (Score:5, Interesting)
I'm not saying that firmware-based attacks don't happen, but these sorts of systems rarely - if ever - allow for users to mod their own firmware.
By contrast, virtually every low level attack I've read about has either 'physical access' or at the very least approval of a UAC prompt; I'm hard pressed to find an example of a firmware attack that doesn't require user intervention at some point in the process. Hell, HP has a good system, where disabling Secure Boot in the BIOS requires the user to input a randomly generated 4-digit code in order to actually disable secure boot, providing a solid balance between security and allowing users to install Windows 2000 if they feel like it.
No, this isn't about a concern over security - every security breach I've seen over the past five years has been the same amateur hour stuff it's been for a decade - e-mail attachments, SQL injection, exposed RDP ports, and crappy passwords. This is about cutting off the last handful of modders and rooters, the people who still believe that ownership changes hands when the money does.
Re: (Score:2)
I agree with you. We see a lot more "security" as in anti-jailbreaking, and end user hostile features, as opposed to real "security", as in dealing with data exfiltration or remote attacks.
Why can't MS put in a security feature I saw on an old HP desktop over 15 years ago: Hardware, OS independent firewall rules, which, as the parent mentioned, needed a random code inputted to access, modify, or cede control to a signed application. This would be quite useful in guarding against data exfilteration, as we
Re: (Score:2)
I agree with you. We see a lot more "security" as in anti-jailbreaking, and end user hostile features, as opposed to real "security", as in dealing with data exfiltration or remote attacks.
No, those 2 things are inexorably linked.
And that's entirely the fault of the manufacturers that force us to find exploits in order to install our own shit on our own devices.
Since the dawn of computing, permanently resident malware has always been the goal. It makes real sense to have the CPU verify boot payload, and in fact, is done that way on nearly all mobile processors today worth mentioning.
Unfortunately, they misuse that real need to also lock us out of our devices, amplifying the number of peopl
Re: (Score:2)
every security breach I've seen over the past five years has been the same amateur hour stuff it's been for a decade
Every breach of massive scale of data has been amateur hour stuff targeted randomly. The ones you are less likely to hear about are precisely those sophisticated attacks that target specific secure entities, who are also the target market for this stuff. Just because you focus on the news cycle of Equifax using admin:admin to secure their servers doesn't mean that company and application specific and sophisticated malware isn't being used out there.
This is about cutting off the last handful of modders and rooters
From business devices targeted at a subset of businesses? P
Eyes roll (Score:3, Insightful)
Comment removed (Score:5, Insightful)
Re: (Score:2)
It's the same thing when they tried UFEI only bios that wouldn't let you load linux at first and had to do a ton of work arounds.
By "tried" you mean implemented a feature that was required to be 100% optional and user configurable in order to get that little MS certification sticker on a PC, and that no device ever mandated except for the Windows RT tablet?
This affected you running Linux? Bullshit! Stop lying.
Re: (Score:2)
Mod the parent up!
Me neither ...
There is no good reason for this, since there are no rampant attacks via unsigned boot images. Instead, most attacks now are by attachments in emails, or via Javascript, or some other vector that is not UEFI, BIOS or anything boot related.
Comment removed (Score:4, Interesting)
Boot Licker.. Boot Locker! (Score:4, Insightful)
What's it called?
It will only boot Microsoft "Linux", right?
Here's a new idea. Put the OS on Read Only Memory! And if you wanna be really nasty, don't let the machine boot from anything else.
Now, seal the thing in epoxy, when the screen goes black [blue], chuck the thing into the landfill.
Re: (Score:1)
What's it called?
It will only boot Microsoft "Linux", right?
Here's a new idea. Put the OS on Read Only Memory! And if you wanna be really nasty, don't let the machine boot from anything else.
Now, seal the thing in epoxy, when the screen goes black [blue], chuck the thing into the landfill.
Maybe not actual ROM; but I am certainly in favor of the old-timey "Write Enable" Jumper. Yes, it isn't necessarily practical on laptops (but anything with an Access Door of any kind could have an accessible jumper); but on accessible motherboards, it's a no-brainer.
It has been many years since I built-up a PC from scratch; so I don't know if today's mobos still have that jumper. If so, nevermind!
Re: (Score:1)
It's in reverse now. The "write enable" jumper is now just a "reset" thing.
I remember when I could physically lock my floppies. You can't do that with those USB things. It is very difficult to lock the machine without powering it down and disconnecting the power source.
Re: (Score:3)
It will only boot Microsoft "Linux", right?
It was called SecureBoot, and the ability to disable Secureboot in the BIOS was mandated as part of Microsoft certification for devices.
So while the angry nerd rage nerd-raged, the rest of the world had absolutely zero problems running Linux, even on Microsoft's own devices.
What is it? (Score:1)
There is of course much easier, less complex and more reliable methods of securing systems from persistent threats.
1. Do not allow any subsystem to contain field reprogrammable roms. Firmware updates can only be pushed out to subsystems during boot and never survive a reboot.
2. Use hardware based latching to prevent any OS modification after OS has booted into a mode where any user code is executed.
None of the above is difficult relative to present day secure boot bullshit. It does not require elaborate t
Win 10 is a black box pushing unwanted updates. (Score:2)
Re: Win 10 is a black box pushing unwanted update (Score:1)
Microsoft Standard PR (Score:3)
Light on Detail, Heavy on Propaganda.
And they fail to mention that this will also require the new "Windows 10 Workstation Professional Secure Enterprise" edition of the software, for which the Microsoft Tax price will be $1,000.00 per license, only available to Volume License Subscribers who purchase at least 1 Million licenses, and is not otherwise available.
Sort of like all the rest of the Microsoft Security airy-faery security shit that is only available to Windows 10 Enterprise volume licensee's and not available on any version of Windows that anyone can actually buy.
Makes more sense these days (Score:2)
In the past, going from a BIOS module to internet connection would have involved cramming some very fundamental functionality into a very small space.
EFI was designed to be powerful, flexible, and extensible---which makes the environment an easier target for malware.
I have motherboards that can be configured with DHCP to download updates without an OS. And these are cheap consumer boards that don't even bother to advertise the feature. Basically, IP connectivity from the firmware level is almost ubiquitous
Why is this even a thing? (Score:3)
Re: (Score:3)
you mean a third-party who is "untrustworthy". All parties except the first-party (he who owns the computer hardware) are inherently untrustworthy.
Re: (Score:2)
They are 'trustworty; because they have the gold.
Then again, the Mafia and 3rd world tinpot dictators also have the gold.
Not Good (Score:2)
Under the name of "Security" this is only going to be used to further isolate owners from their systems.
Many Businesses have made it clear that the objective is to remove as much ownership from consumers as the law will allow so they can bill customers for every little thing and ensure control.
Smart devices have become a tell all for how much the consumer fundamentally just does not care.
Will Secured-core run Linux? (Score:1)
So Microsoft will finally achieve total control of the IBM PC.
trust (Score:2)
good idea, because we all know that all the firmware in your device can be 100% trusted/secure/...!