Displaying items by tag: eclypsium

Las Vegas – So Black Hat 2023 and Def Con 31 have come and gone, and while the exhaustion that comes from this epic combined event might not be completely gone, I am ready to give my thoughts on the events. Before I get started, understand that this is my personal opinion on the show(s) as well as my general takeaways from them. As always, your milage may vary. Either way, I hope that you enjoy the article below and that your time and camp this year was amazing (mine was). So, let’s get started!

When I was in the military, one of the things that I noticed was a massive reluctance to create new and unusual scenarios for war games. Instead, we always seemed to train for the last major combat theater. When going to the National Training Center the OpFor (opposing force) team would just run circles around the visiting units. This is because they were always looking at new strategies, tactics, and logistical methods to support them. The visitors would come in with ideas that things would be the same as last time and just get their asses handed to them. There were rare occasions when the visiting units won, but they were the exception and not the rule.

This one goes in both the “failure of imagination” and “this is why we can’t have nice things” category. It seems that Gigabyte, for some reason, decided to embed an insecure update function into the UEFI BIOS of their motherboards, then shipped roughly 7 million of them to customers. The fatal flaw? Well, this is an update function that runs on startup. It writes a file to disk, reaches out to update servers over open HTTP then downloads any updates and installs them.