The Ivanti Threat Wednesday Update for November 22, 2017: If You’re Secure, Be Grateful
Greetings. Thanks to the Thanksgiving holiday in the U.S., this is a special Wednesday edition of the Threat Thursday Update. This week: a vulnerability potentially affecting millions of computers running Intel chips, and Uber reveals a data breach – from a year ago. To share your attitude of gratitude, or any relevant opinions, reactions, and/or suggestions, feel free to write. Thanks in advance.
Millions of Intel-Based Systems Threatened by Firmware Vulnerabilities
This week, Intel Corp. released a security alert highlighting newly discovered vulnerabilities in many of its chips. The vulnerabilities may affect millions of enterprise systems, and it will likely be a while before effective patches become widely available.
- In its alert, Intel acknowledged it had performed an “in-depth comprehensive security review” in response to “issues identified by external researchers” at vulnerability and compliance management solution provider Positive Technologies. “As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk.”
- Systems using Intel® Management Engine (ME) Firmware versions 11.0, 11.5, 11.6, 11.7, 11.10, or 11.20, Intel® Server Platform Services (SPS) Firmware version 4.0, and Intel® Trusted Execution Engine (TXE) version 3.0 are “impacted,” according to the company. Affected products include the following:
  - 6th, 7th & 8th Generation Intel® Core™ Processor Family
  - Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
  - Intel® Xeon® Processor Scalable Family
  - Intel® Xeon® Processor W Family
  - Intel® Atom® C3000 Processor Family
  - Apollo Lake Intel® Atom Processor E3900 series
  - Apollo Lake Intel® Pentium™
  - Celeron™ N and J series Processors
- Intel has begun issuing patches intended to remediate the vulnerabilities. The company has also released an article with links to a tool to determine if your systems are affected, and to support information from system manufacturers. However, as Bank Info Security reported, “The firmware for the ME is usually modified by individual OEMs. In order to patch, those companies will need to take what Intel has released and ensure compatibility. Because this affects systems going back several years, they will have to write the patches, test them thoroughly and only then make them available.”
What We Say: Effective cybersecurity requires constant vigilance and sufficient agility to respond quickly when new vulnerabilities are discovered, whatever their source. You must ensure that your cybersecurity strategy and solution set include support for comprehensive, accurate discovery and inventory of IT resources, and rapid identification, testing, and deployment of patches for all critical systems. (See “The Equifax Breach, Patch Management, and Your Cybersecurity” and “Three Components Required for a Complete IT Asset Management Solution (Part 2 of 4): Discovery.”)
Uber Reveals Massive Data Breach – in 2016
Uber Technologies Inc. has been chastised by regulators in the United Kingdom (UK), and has fired its chief security officer and one of his staffers, for hiding a significant data breach for more than a year.
- As Bloomberg reported, hackers “stole the personal data of 57 million customers and drivers from Uber” in October 2016. Compromised data included the “names, email addresses and phone numbers of 50 million Uber riders around the world,” as well as the personal information of some seven million drivers, “including some 600,000 U.S. driver’s license numbers.”
- “At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken.” Instead, the company’s now-fired “chief security officer and one of his deputies” paid the unidentified hackers $100,000 to “delete the data and keep the breach quiet.”
- As Bank Info Security reported, “British regulators have launched a probe of the massive data breach.” “‘Uber's announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics,’ says James Dipple-Johnstone, deputy commissioner of Britain's Information Commissioner's Office. The ICO functions as the U.K.'s data privacy watchdog and has the power to impose fines of up to £500,000 ($660,000) when organizations fail to properly safeguard U.K. citizens' personal data.”
What We Say: The General Data Protection Regulation (GDPR) is due to come into effect on May 25, 2018. Under GDPR, companies that fail to protect the personal information of European Union (EU) citizens will be subject to fines as high as four percent of global annual revenues or €20 million ($23.5 million), whichever is higher. Companies will also be required to report data breaches within 72 hours of their discovery. Wherever your company does business, if it touches the personal information of EU citizens, that information must be protected, and those protections must be credibly documented. (See our GDPR blog posts, and take our interactive, online GDPR readiness assessment.)
Protect and Prepare Your Organization with Ivanti
Effective cybersecurity must protect your organization from known threats, and prepare it to respond to new threats as they appear. Ivanti can help you succeed with both tasks. We can help you manage your users’ applications, devices, and admin rights, get and keep your client and server system patches up to date, and combat and remediate malware and other attacks. Explore our cybersecurity solutions online, then get in touch to see how we can help you protect and prepare your organization. (Meanwhile, please accept our gratitude for your continued reading, sharing, and commenting on our security blog posts, especially our Patch Tuesday and Threat Thursday updates.)