www.forbes.com
Open in
urlscan Pro
151.101.130.49
Public Scan
Submitted URL: https://apple.news/AgyLSBA7-Tc6kvWCgbTgImA
Effective URL: https://www.forbes.com/sites/zakdoffman/2020/05/17/microsoft-confirms-serious-new-windows-10-security-problem-says-go-b...
Submission Tags: falconsandbox
Submission: On July 26 via api from US — Scanned from DE
Effective URL: https://www.forbes.com/sites/zakdoffman/2020/05/17/microsoft-confirms-serious-new-windows-10-security-problem-says-go-b...
Submission Tags: falconsandbox
Submission: On July 26 via api from US — Scanned from DE
Form analysis 1 forms found in the DOM
<form class="search-modal__form"><input class="search-modal__input" type="text" placeholder="Search" autofocus=""><button class="search-modal__submit" role="button" tabindex="0" title="Submit"><svg class="fs-icon fs-icon--arrow-right"
xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20">
<path transform="rotate(-180 8.964 11)" d="M1 10h16v2H1z"></path>
<path transform="rotate(134.999 14.965 13.124)" d="M11 12.1h8v2h-8z"></path>
<path transform="rotate(-134.999 14.965 8.877)" d="M11 7.9h8v2h-8z"></path>
</svg></button></form>Text Content
Explore
* Billionaires
* All Billionaires
* World's Billionaires
* Forbes 400
* America's Richest Self-Made Women
* China's Richest
* India's Richest
* Indonesia's Richest
* Korea's Richest
* Thailand's Richest
* Japan's Richest
* Australia's Richest
* Taiwan's Richest
* Singapore's Richest
* Philippines' Richest
* Hong Kong's Richest
* Malaysia's Richest
* Money & Politics
* 2020 Money
* Innovation
* All Innovation
* 5G
* AI
* Big Data
* Cloud
* Cloud 100
* COP26
* Consumer Tech
* Cybersecurity
* Enterprise Tech
* Future Of Work
* Games
* Google Cloud BrandVoice | Paid Program
* Healthcare
* Innovation Rules
* SAP BrandVoice | Paid Program
* Science
* ServiceNow BrandVoice | Paid Program
* Social Media
* Splunk BrandVoice | Paid Program
* Sustainability
* Venture Capital
* Wind River BrandVoice | Paid Program
* Leadership
* All Leadership
* Careers
* CEO Network
* CFO Network
* CHRO Network
* CIO Network
* CMO Network
* CxO
* Deloitte BrandVoice | Paid Program
* Diversity, Equity & Inclusion
* Education
* Forbes EQ | Paid Program
* Forbes The Culture
* ForbesWomen
* Leadership Strategy
* PwC Cloud and Digital Transformation BrandVoice | Paid Program
* Under 30
* Working Remote
* Over 50
* Money
* All Money
* Banking & Insurance
* ETFs & Mutual Funds
* Fintech
* Hedge Funds & Private Equity
* Investing
* Investing Basics | Q.ai
* Markets
* Personal Finance
* Premium Investing Newsletters
* Retirement
* Taxes
* Top Advisor | SHOOK
* Wealth Management
* Forbes Digital Assets
* All Forbes Digital Assets
* Dashboard
* Traded Assets
* Research
* Events
* Crypto Portfolios
* Business
* All Business
* Aerospace & Defense
* Energy
* Food & Drink
* Hollywood & Entertainment
* Manufacturing
* Media
* Mitsubishi Heavy Industries BrandVoice | Paid Program
* Policy
* Retail
* SportsMoney
* Tableau BrandVoice | Paid Program
* Transportation
* Small Business
* All Small Business
* Entrepreneurs
* Franchises
* Small Business Strategy
* Lifestyle
* All Lifestyle
* Arts
* Boats & Planes
* Cars & Bikes
* Dining
* ForbesLife
* Forbes Travel Guide
* Spirits
* Style & Beauty
* Travel
* Vices
* Watches
* Real Estate
* All Real Estate
* Commercial Real Estate
* Forbes Global Properties
* Residential Real Estate
* Store
* All Store
* Vetted
* All Vetted
* Gear
* Health & Wellness
* Home & Kitchen
* Style
* Tech & Electronics
* Coupons
* All Coupons
* Purple
* Squarespace
* Verizon
* Lululemon
* AT&T
* Lowe's
* Brooks Brothers
* Tory Burch
* Dr Martens
* Dell
* Chewy
* Advisor
* All Advisor
* The Best Credit Cards Of 2022
* Best Balance Transfer Credit Cards
* Best Cash Back Credit Cards
* Best Travel Credit Cards
* Best Business Credit Cards
* Today's Mortgage Rates
* Today's Refinance Rates
* Best Mortgage Lenders 2022
* Best Crypto Exchange 2022
* Best Life Insurance
* Best Travel Insurance 2022
* Covid-19 Travel Insurance
* Online Car Insurance Quotes
* Car Insurance Companies
* Pet Insurance
* Personal Loans
* Debt Consolidation Loans
* Student Loan Refinance
* Business Loans
* Forbes Advisor UK
* Calculators
* Best Online Banks
* Best CD Rates
* Best Savings Accounts
* Best Checking Accounts
* Health
* All Health
* Mind
* Online Therapy
* Body
* BMI Calculator
* Calorie Calculator
* Family
* Due Date Calculator
* Healthy Aging
* Medical Alert Systems
* Hearing Aids
* Walk-In Tubs
* Health Insurance
* Medicare Advantage Plans
* Lists
* All Lists
* Video
* All Video
* Newsletters
* Crypto Confidential
* Editorial Newsletters
* Investing Digest
* Premium Investing Newsletters
* Forbes Magazine
* All Forbes Magazine
* Forbes Asia
* Free Issue of Forbes
* Latest
* Coronavirus Coverage
* Daily Cover Stories
* Dark Capital
* Editors' Picks
* Visual Web Stories
* Featured
* 4 Steps To Help Your Kids Build Smart Money Habits
* 30 Under 30 2022
* AWS Transformation BrandVoice | Paid Program
* DNA of Success
* Forbes Insights With SAP Concur | Paid Program
* Forbes Insights With Treasure Data | Paid Program
* How To Earn Cash Rewards For Everyday Spending | Paid Program
* Is It Better To Lease Or Buy A Car In Summer 2022?
* Qlik BrandVoice | Paid Program
* Right Now In Tech: PyCon U.S. 2022
* Snowflake Summit 2022
* The CISO Playbook | Paid Program
* The Fintech 50 2022
* Advertise with Forbes
* Report a Security Issue
* Site Feedback
* Contact Us
* Careers at Forbes
* Tips
* Corrections
* Privacy
* Do Not Sell My Personal Information
* Terms
* AdChoices
* Reprints & Permissions
© 2022 Forbes Media LLC. All Rights Reserved
Subscribe
Sign In
BETA
This is a BETA experience. You may opt-out by clicking here
MORE FROM FORBES
Jul 26, 2022,05:12am EDT
UK Spy Agency MI5 'Breached Surveillance Laws For More Than A Decade'
Jul 22, 2022,04:12am EDT
Google Chrome: 0Day Targets Journalists, 11 New Security Holes Plugged In Latest
Update
Jul 20, 2022,02:45pm EDT
iOS 15.6—Update Now Warning Issued To All iPhone Users
Jul 19, 2022,12:30pm EDT
The FBI Forced A Suspect To Unlock Amazon’s Encrypted App Wickr With Their Face
Jul 16, 2022,06:30am EDT
iOS 16—Why Users Of Older iPhones Should Upgrade This Fall
Jul 16, 2022,06:00am EDT
iOS 16—What You Need To Know About iPhone Lockdown Mode
Jul 15, 2022,06:04am EDT
New 0Day Hack Attack Alert Issued For All Windows Users
Edit Story
Cybersecurity
MICROSOFT CONFIRMS SERIOUS NEW SECURITY PROBLEM FOR WINDOWS 10 USERS
Zak Doffman
Contributor
Opinions expressed by Forbes Contributors are their own.
I cover security and surveillance and co-host 'Straight Talking Cyber'
New! Follow this author to improve your content experience. Got it!
May 17, 2020,02:34pm EDT|
This article is more than 2 years old.
* Share to Facebook
* Share to Twitter
* Share to Linkedin
SOPA Images/LightRocket via Getty Images
Microsoft has now joined Intel in confirming a newly reported security
vulnerability with Thunderbolt ports, one that enables an attacker with physical
access to a PC to modify the port’s controller firmware, disabling its security.
As I reported last week, almost all Windows PCs with Thunderbolt ports are
vulnerable, except a few from last year that shipped with Kernel DMA protection
enabled.
This new security threat has been dubbed “Thunderspy” by Björn Ruytenberg, the
Eindhoven University of Technology researcher who discovered and disclosed it.
Ruytenberg warns that despite locking or suspending a PC, setting up a Secure
Boot and strong system passwords, and enabling disk encryption, “all an attacker
needs is five minutes alone with the computer” to compromise a machine.
Such physical attacks on computers are complex, high-risk and thankfully rare.
But they do happen. A physical compromise such as this is nicknamed an “evil
maid” attack—the idea being that your machine is targeted when you’re staying in
a hotel and away from your room, or when the overnight cleaning crew come to
blitz your office. An attacker needs a few undisturbed minutes with no eyes-on.
MORE FOR YOU
IOS 15: APPLE ISSUES 22 IMPORTANT IPHONE SECURITY UPDATES
WIDELY-USED HIKVISION SECURITY CAMERAS VULNERABLE TO REMOTE HIJACKING
IOS 15 IS AVAILABLE NOW WITH THESE STUNNING NEW IPHONE PRIVACY FEATURES
If you’re a target, this will happen when you’re down at breakfast, out to
dinner or using the gym in your hotel. “I have even heard of someone finding all
the screws from his laptop on the table top after he took it out from his hotel
safe,” former British intel officer Philip Ingram told me. This is why security
professionals leave a “do not disturb” sign on their hotel room doors even when
they’re not inside—you get your room serviced by calling down and asking for it
to be done at a time of your choosing. And you have your devices with you while
it’s being done.
Now Microsoft has confirmed the risk that “an attacker with physical access to a
system can use Thunderspy to read and copy data even from systems that have
encryption with password protection enabled.” The vulnerability is in hardware,
and so cannot be patched. According to Microsoft, someone with physical access
to the device “could sign in and exfiltrate data or install malicious software.”
Microsoft’s advice to “stay ahead of advanced data theft” is to buy a new PC.
PLAY Forbes Innovation Video Settings Full Screen About Connatix V172468 Read
More Read More Read More Read More Read More Read More Revealed: Halley’s Comet
Could Damage NASA’s$10 Billion Webb Telescope Next Year 1/1 Skip Ad Continue
watching after the ad Visit Advertiser websiteGO TO PAGE
Not just any PC, of course, but one of their newly minted “secured-core PCs.”
These have been around since late last year and come with all the security bells
and whistles enabled in hardware and firmware, “mitigating Thunderspy and any
similar attacks that rely on malicious DMA.” Intel told me that a Thunderspy
attack “could not be successfully demonstrated on systems with Kernel DMA
protection,” a feature enabled by default on Microsoft’s Secured-core PCs.
How a Thunderspy attack works.
Microsoft
As Microsoft explains, “even if an attacker was able to copy malicious
Thunderbolt firmware to a device, the Kernel DMA protection on a Secured-core PC
would prevent any accesses over the Thunderbolt port unless the attacker gains
the user’s password... significantly raising the degree of difficulty.”
There is now a range of Secured-core PCs available, aimed at business users,
likely those with a heightened sense of security awareness, who travel regularly
(albeit not just at the moment), and who have valuable data on their machines.
This isn’t just spooks—business leaders, VIPs, negotiators, politicians, anyone
with sensitive data who travels and leaves their PC out of sight for periods of
time.
The alternative mitigation to a locked-down machine, according to Ingram, is
worse. “Take a burner device with only the data you need for those meetings on a
separate USB. Never connect it to any network when you return home and only use
it for travel to that country. If you ever leave it unattended assume the
hardware has been compromised. If you have been subject to extended searches at
an airport and have lost sight of your IT, assume it has been compromised.” You
get the point.
As security vulnerabilities go, Thunderspy is pretty niche—an issue on a massive
scale, but one which realistically only puts a very small percentage of users at
risk. That said, it is a security flaw and it does leave PCs open to compromise.
With that in mind, plus the fact this is now in the public domain, I’m sure many
users will look at the availability of Kernel DMA protection when they next
trade-up.
Follow me on Twitter or LinkedIn.
Zak Doffman
Zak is a widely recognized expert on surveillance and cyber, as well as the
security and privacy risks associated with big tech, social media, IoT and
smartphone
... Read More
* Editorial Standards
* Print
* Reprints & Permissions
Ukrainian Government And Banks Hit By New Wave Of Cyberattacks
Cookies on Forbes
YOUR CHOICES REGARDING COOKIES ON THIS SITE
Please choose whether this site may use cookies or related technologies such as
web beacons, pixel tags, and Flash objects ("Cookies") as described below. You
can learn more about how this site uses cookies and related technologies by
reading our privacy policy linked to below. Your choices on this site will be
applied globally. This means that your settings will be available on other sites
that set your choices globally. You can change your mind and revisit your
preferences at any time by accessing the "Cookie on Forbes" button on the left
side of this site.
While we need to use required cookies to make our site work, we won't set
optional cookies unless you enable them.
WE AND OUR PARTNERS
We and our partners: process personal data such as IP Address, Unique ID,
browsing data for: Informationen auf einem Gerät speichern und/oder abrufen |
Personalisierte Anzeigen, Anzeigenmessung und Erkenntnisse über Zielgruppen |
Personalisierte Inhalte und Inhaltemessung | Produkte entwickeln und verbessern
| Genaue Standortdaten verwenden | Geräteeigenschaften zur Identifikation aktiv
abfragen.
Accept All Choose Cookies
Privacy Statement
Powered by: