Intel’s Security-First Mindset and Ecosystem Approach

By Leslie Culbertson

As I reflect on the time that has passed since we renewed our commitment to security through our security‑first pledge a year ago, I’m proud of the work the Intel team has done to show our commitment to transparency and, above all, to the security of our products. And yet, as anyone familiar with the security landscape knows: We must remain vigilant as our work is never done. The nature of security threats will continue to evolve and we must actively evolve with it.

In the past year, Intel has taken many steps to keep pace with this evolution — new tools and processes, exciting new talent we’ve brought on board, and, of course, the ongoing work we’ve done to continue improving security, including protecting against new classes of security vulnerabilities like Spectre and Meltdown.


If I think of this in terms of the milestones over the past year, there are several that really stand out for me:

Establishing the Intel Product Assurance and Security (IPAS) Group: While IPAS was formed in the same timeframe as the public disclosure of Spectre and Meltdown, its remit is much broader. Designed to serve as Intel’s security “mission control,” IPAS is a holistic product assurance and security effort that spans all of Intel, developing policy and best practices, and driving critical decisions across all our businesses. As the result of IPAS’ formation and our efforts throughout the year, we have made significant strides that have enhanced our agility from the very beginning of product design all the way through product manufacturing and post-sales support.

Completing the Microcode Updates: The new class of security vulnerabilities that includes Spectre and Meltdown has presented a challenge for the entire industry. While you have frequently heard me and other Intel leaders talk about our learnings and the complexity of the side channel methods presented, the way the industry rallied together to help protect customers and their data ultimately stands out to me. When vulnerabilities require updates to microcode, the code that controls transistors on the chip, Intel issues a microcode update (MCU). Working together with a customer-centric focus, we and our partners were able to provide our customers with microcode updates for more than nine years of Intel products.

Engineering New Protection into Hardware: One of the commitments we made early on was to advance security at the silicon level to help protect against side channel exploits. On the client side, we started introducing this with our 8th Generation Intel® Core™ U-series processor (Whiskey Lake) in August, followed by our 9th Gen Intel Core desktop processor (Coffee Lake) in October. And, our next-generation Intel® Xeon® Scalable processor (Cascade Lake) is the first x86 processor released to market that has hardware-based protections for Spectre V2.

Automating the Microcode Update Process: We recognized that a more predictable and consolidated update process for security as well as functional issues would be helpful to the entire ecosystem. So we are transitioning to a quarterly release model aligned with others in the ecosystem wherever possible. One of the challenges silicon vendors face is the MCU distribution process. This can be a complex process for OEM and software partners as well as consumers. One of the first major initiatives for IPAS was to improve the delivery of MCUs. In June 2018, we made our MCUs OS-loadable, making the update for Spectre V2 possible via Windows Update. Moving forward, we intend to enable delivery of MCUs through this automated process when possible.

Increasing Research Internally and Externally: Intel has always attracted the industry’s top talent, and we continue to build a world-class team of security researchers and engineers embedded across the company. We have actively increased our red team exercises – connecting deep offensive security research with deep product knowledge to find and address potential vulnerabilities before products ship. Our security researchers and engineers share their insights with the broader community by publishing findings and presenting to peers at industry events. In return, we continue to learn from the broader community through our bug bounty program and engaging academia through sponsored research and our “researcher in residence” program.

Committing to Coordination: As technologies become more and more complex, we believe it takes the ecosystem working together to collectively keep products and data more secure. We’ve built a model for collaboration and development among our partners that enables them to communicate directly. This approach takes a step beyond traditional multiparty collaboration and is one that we expect to build upon that will support an environment of continuous learning.

While I’m pleased with the progress we’ve made, our work is just beginning. So, as we look to 2019, two things are certain. First, security will continue to be an area where vigilance is required. Second – and just as important – we at Intel will continue to drive security innovation across our product portfolio to better protect customers and help drive the industry forward to make all our products more secure.

Leslie S. Culbertson is an executive vice president and general manager of Product Assurance and Security at Intel Corporation.

The post Intel’s Security-First Mindset and Ecosystem Approach appeared first on Intel Newsroom.

Trezor and Ledger Respond to Claims Security Claims

Three researchers and engineers have published a presentation from the 35th Chaos Communication Congress revealing claimed vulnerabilities in cryptocurrency hardware wallets. Trezor and Ledger have responded, saying in short that their users’ cryptocurrency balances are safe. Dmitry Nedospasov, Thomas Roth, and Josh Datko created the website wallet.fail and promised to publish their presentation to the Chaos

The post Trezor and Ledger Respond to Claims Security Claims appeared first on CCN

2018 Yearbook: Top Moments of Intel’s 50th Year


In 2018, Intel achieved the 50-year milestone, a huge accomplishment that most companies never achieve.

As the year ends, Intel’s 100,000 employees look back at 2018 with pride. But our focus is firmly fixed on building a smarter, more connected future for our communities and the world.


The post 2018 Yearbook: Top Moments of Intel’s 50th Year appeared first on Intel Newsroom.

Video: Intel and Arm IoT Provisioning Prototype

Intel and Arm are collaborating on a joint vision to securely connect any Internet of Things device to any cloud. This prototype demo video shows Intel and Arm devices being powered on to be onboarded and provisioned to the Arm Pelion IoT platform. (Credit: Intel Corporation)

More: Intel and Arm Share IoT Vision to Securely Connect ‘Any Device to Any Cloud’

The post Video: Intel and Arm IoT Provisioning Prototype appeared first on Intel Newsroom.

Intel and Arm Share IoT Vision to Securely Connect ‘Any Device to Any Cloud’


By Lorie Wigle

The Internet of Things (IoT) is transitioning from first proof-of-concept deployments into a new growth phase that is expected, according to industry analysts, to deploy 1 trillion devices by 2035.¹ What is driving these lofty projections are the incredible business benefits that will be achieved with data-driven IoT initiatives such as edge computing, artificial intelligence (AI), predictive maintenance and autonomous systems. The more data that is collected, the more valuable the data becomes. However, this model may not be realized unless the industry can collaborate on more open and scalable methods to securely provision devices and their data to the cloud.

To answer these challenges, Intel is teaming up with Arm* to provide solutions to securely onboard² both Intel and Arm IoT devices to any application or cloud framework.

First, let me walk you through the traditional manual onboarding process for IoT devices, which has multiple challenges. It typically takes more than 20 minutes per device and involves coordination among installation technicians, IT network/security operations and operational technology teams. The device identity and network access credentials are either painstakingly preloaded into the device at manufacturing or configured in the field from a standard image using insecure human processes. Compounding the security issues is the proliferation of cloud-specific provisioning methods without a consistent hardware-protected device identity model. For IoT to scale to a trillion devices in less than two decades, this process must be faster, safer and more flexible.

Now, the solution: Last October, Intel® Secure Device Onboard was launched as the first solution that enabled a “late binding” approach to provisioning, where customers could dynamically discover their target cloud platform for provisioning seconds after the device is powered on in the field. The collaboration with Arm aims to extend this capability from Intel devices to include the Arm devices that commonly are deployed together by customers. This strategic collaboration of two major ecosystems is designed to provide the industry with a more flexible provisioning method that can be natively enabled in devices.

So how does it work? Watch the prototype video below that shows how Intel and Arm devices can be credentialed and provisioned in seconds to join any cloud application framework.

As a result, customers should be able to choose their onboarding systems of record without being locked into a single cloud provider’s provisioning method or a single device architecture. Flexibility can be built in before the device is purchased to onboard into any cloud ecosystem. Device management systems such as Pelion*, cloud/on-premise IoT platforms and connected partner ecosystems all benefit from increased variety of devices, lower cost and faster deployment. Device suppliers can simplify manufacturing to a single SKU that can be provisioned with customer-specific credentials in the field rather than in the factory, dramatically reducing cost while decreasing time to market.

“Intel and Arm are simplifying one of IoT’s most complex and challenging barriers with regard to streamlining the manufacturing and security deployment workflows for IoT. This is an ROI win for the customer, who will be able to deploy both Intel- and Arm-based devices at a lower cost and with less friction between IT and OT, while at the same time retaining flexibility over their data and cloud partner choice until the deployment phase,” said Michela Menting, director, ABI Research.

Learn more about the solution at IoT Solution World Congress’s smart building customer case study presentation and view the joint demo that is nominated for top TestBed award. You may also attend the technical presentation at Arm TechCon that will showcase the Pelion Device Management zero-touch experience. Intel and Arm are seeking customer and ecosystem feedback on the prototypes and expect to engage pilot customers later this year. Contact iotonboarding@intel.com for more information on the pilot programs.

Intel’s collaboration with Arm allows us to progress a joint vision of “any device, any cloud” to span multiple device architectures. As we enter this accelerated growth phase for IoT, we will continue to collaborate with technology vendors to provide customers the protections they need. On behalf of the entire Intel team, I thank our industry partners and customers for their ongoing support.

Lorie Wigle is vice president of Software and Services Group and general manager of Internet of Things Security at Intel Corporation.

¹ Trillion devices by 2035. Source: ARM white paper, https://community.arm.com/cfs-file/__key/telligent-evolution-components-attachments/01-1996-00-00-00-01-30-09/Arm-_2D00_-The-route-to-a-trillion-devices-_2D00_-June-2017.pdf

² From out-of-box to securely streaming data to an IoT Platform

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://www.intel.com/content/www/us/en/internet-of-things/secure-device-onboard.html.

Intel, the Intel logo, and Intel® Secure Device Onboard are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

The post Intel and Arm Share IoT Vision to Securely Connect ‘Any Device to Any Cloud’ appeared first on Intel Newsroom.

Protecting Our Customers through the Lifecycle of Security Threats

By Leslie Culbertson

Intel’s Product Assurance and Security (IPAS) team is focused on the cybersecurity landscape and constantly working to protect our customers. Recent initiatives include the expansion of our Bug Bounty program and increased partnerships with the research community, together with ongoing internal security testing and review of our products. We are diligent in these efforts because we recognize bad actors continuously pursue increasingly sophisticated attacks, and it will take all of us working together to deliver solutions.

Today, Intel and our industry partners are sharing more details and mitigation information about a recently identified speculative execution side-channel method called L1 Terminal Fault (L1TF). This method affects select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX) and was first reported to us by researchers at KU Leuven University*, Technion – Israel Institute of Technology*, University of Michigan*, University of Adelaide* and Data61*.¹ Further research by our security team identified two related applications of L1TF with the potential to impact other microprocessors, operating systems and virtualization software.


I will address the mitigation question right up front: Microcode updates (MCUs) we released earlier this year are an important component of the mitigation strategy for all three applications of L1TF. When coupled with corresponding updates to operating system and hypervisor software released starting today by our industry partners and the open source community, these updates help ensure that consumers, IT professionals and cloud service providers have access to the protections they need.

L1TF is also addressed by changes we are already making at the hardware level. As we announced in March, these changes begin with our next-generation Intel® Xeon® Scalable processors (code-named Cascade Lake), as well as new client processors expected to launch later this year.

We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices. This includes keeping systems up-to-date and taking steps to prevent malware. More information on security best practices is available on the Homeland Security website.

About L1 Terminal Fault

All three applications of L1TF are speculative execution side channel cache timing vulnerabilities. In this regard, they are similar to previously reported variants. These particular methods target access to the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next.

The microcode updates we released earlier this year provide a way for system software to clear this shared cache. Given the complexity, we created a short video to help explain L1TF.

Once systems are updated, we expect the risk to consumer and enterprise users running non-virtualized operating systems will be low. This includes most of the data center installed base and the vast majority of PC clients. In these cases, we haven’t seen any meaningful performance impact from the above mitigations based on the benchmarks we’ve run on our test systems.

There is a portion of the market – specifically a subset of those running traditional virtualization technology, and primarily in the data center – where it may be advisable that customers or partners take additional steps to protect their systems. This is principally to safeguard against situations where the IT administrator or cloud provider cannot guarantee that all virtualized operating systems have been updated. These actions may include enabling specific hypervisor core scheduling features or choosing not to use hyper-threading in some specific scenarios. While these additional steps might be applicable to a relatively small portion of the market, we think it’s important to provide solutions for all our customers.

For these specific cases, performance or resource utilization on some specific workloads may be affected and varies accordingly. We and our industry partners are working on several solutions to address this impact so that customers can choose the best option for their needs. As part of this, we have developed a method to detect L1TF-based exploits during system operation, applying mitigation only when necessary. We have provided pre-release microcode with this capability to some of our partners for evaluation, and hope to expand this offering over time.

For more information on L1TF, including detailed guidance for IT professionals, please visit the advisory on the security center. We’ve also provided a white paper and updated the FAQs on our security first website.

I’d like to again thank our industry partners and the researchers who first reported these issues for their collaboration and collective commitment to coordinated disclosure. Intel is committed to the security assurance of our products, and will continue to provide regular updates on issues as we identify and mitigate them.

As always, we continue to encourage everyone to take advantage of the latest security protections by keeping your systems up-to-date.

Leslie Culbertson is executive vice president and general manager of Product Assurance and Security at Intel Corporation.

¹ Raoul Strackx, Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, and Yuval Yarom

The post Protecting Our Customers through the Lifecycle of Security Threats appeared first on Intel Newsroom.

The Cybersecurity Community Driving Insights into Security Solutions

By Doug Fisher

I continue to be amazed by the power of what a community can achieve together – from developers contributing to open source projects for solving real-world business or social-economic problems, to industry consortia aligning and setting standards and policies on the forefront of emerging technologies. Nothing demonstrates the power of the community more than industrywide events such as the recent Cyber Week. It was a great example of the community coming together to share insights and discuss solutions to issues facing the public and private sectors of every company, city and country in the world today. We all have a role to play.


Intel has been very clear about making the security assurance of our Intel products a priority. Our role is broader than assurance alone. We hold a unique position in the digital ecosystem, designing and protecting the hardware that is the root of trust. Intel powers everything ranging from the endpoint to the cloud, and we have both an opportunity and a responsibility to help simplify security for tens of thousands of hardware, software and service providers, as well as billions of people using these products and services every day.

Active Participation in the Security Community

Listening to the community at events like Cyber Week is critical. It helps inform Intel on emergent trends and particular problems facing industry segments. We are able to apply those insights and learnings back to our product development so we can deliver differentiating features and capabilities required to provide valuable security solutions across the Intel platform portfolio.

We have been making tremendous progress with our approach. Intel and ecosystem partners are advancing security across the emerging, data-centric workloads of artificial intelligence (AI) and blockchain. Collaborations with Docker*, Duality* and Fortanix* are helping secure data in AI implementations. Companies like Enigma* and the Tel Aviv Stock Exchange* are investing in Intel processor technologies to help improve the security, scalability and privacy of distributed ledger networks.

Advancing Our Strategy


To continue that momentum, I am pleased to share that Window Snyder is joining Intel, in the Software and Services Group, as chief software security officer, vice president and general manager of the Intel Platform Security Division, effective July 9.

Window is an industry veteran who comes to us from Fastly*, where she has been the chief security officer. Before that, she spent over five years working on security and privacy strategy at Apple* and was the “Chief Security Something-or-Other” at Mozilla. She was also a founding member at Matasano*, a services company, and a senior security strategist at Microsoft*.

In this role with Intel, Window will be responsible for ensuring the company maintains a competitive security product roadmap across all segments in support of business group objectives and continues to engage with the external security ecosystem to apply industry trends and sensing to Intel roadmap differentiation.

More specifically, this involves leading the following areas across Intel:

Industry sensing and response: Driving partnerships with the operating system and security ecosystem to ensure we are better informed on the growing complexity of attacks and to help guide our approach and response.

Applying industry sensing for differentiation: Applying industry sensing to our roadmap to deliver differentiated security capabilities to secure data, workloads and other assets based on Intel platforms.

Customer-centric route to market: Driving a two-pronged approach to market by partnering with the security ecosystem and the developer ecosystem to drive scale for security.

I am looking forward to Window leveraging her experience in the community and bringing further valuable industry insight into Intel’s hardware-enabled security solutions.

Doug Fisher is senior vice president and general manager of the Software and Services Group for Intel Corporation.

The post The Cybersecurity Community Driving Insights into Security Solutions appeared first on Intel Newsroom.

Intel Advances Silicon-Based Security for AI and Blockchain Workloads

By Rick Echevarria

The future of a trusted and secure computing environment hinges on our collective ability to deliver solutions that improve the performance across a variety of workloads, while also optimizing security.

This week, at Cyber Week in Israel, I am joined by partners, customers, and cybersecurity industry and policy leaders from across the globe. Intel is committed to providing silicon-based security solutions that address the most pressing issues. There are three key themes at the conference, highlighting the challenges and opportunities facing our industry.

Emerging Workloads Deliver More Data to Analyze and Secure

Incoming data is increasingly difficult to effectively leverage without the computing power to process and learn from its growing volume and complexity. Machine learning (ML) algorithms, and other artificial intelligence (AI) applications and capabilities, have achieved remarkable results and are being extensively used in different domains. ML algorithms often require access to sensitive data, especially as the focus on data privacy increases around the world. Limiting access to the right data may limit the outcomes that can be achieved with the use of AI. In the case of blockchain, the security and privacy of data join transaction scalability as key technical considerations.

Intel technologies provide unique capabilities that can help improve the privacy, security and scalability for data-centric workloads like AI and blockchain. We are in a position to accelerate customer success by helping protect algorithms and data for AI applications as well as digital assets and smart contract execution for blockchain solutions.

At Cyber Week, we are focused on security for these two data-centric workloads: AI and blockchain. Technologies like Intel® Software Guard Extensions (Intel® SGX) enable the ecosystem to design solutions with improved security and privacy. What makes Intel SGX compelling is that it provides a hardware trusted execution environment (TEE), allowing better protections for data in-use, at-rest and in-transit. Also, built-in CPU instructions and platform enhancements provide cryptographic assertions for the code that is permitted to access the data. If the code is altered or tampered with, then access is denied and the environment disabled.

Security for AI: Efforts Focus on Securing AI Data

We see security, in the context of AI, in two implementations. First, there is security for AI, where we focus on protecting data, algorithms and parameters. Second is AI for security, where we use AI for the detection of advanced exploits. The Advanced Platform Telemetry capability in our Intel® Threat Detection Technology is a step toward improving the outcomes of AI for security.

In security for AI, a couple of usages start integrating security to improve the outcomes that AI solutions can deliver. First is multiparty machine learning, where access to critical data and the integrity of algorithms are enabled by using homomorphic encryption and hardware-based trusted execution environments, like Intel SGX. Second is federated learning, for applications where one can’t move the data to a centralized location. In this usage, data owners at the edge work collaboratively to improve a shared prediction model.

At Cyber Week, we are highlighting several collaborations to add security to AI implementations.

  • We are collaborating with Docker* to help make AI more secure, useful and shareable for federated learning, by hardening containers with Intel silicon-based security technologies.
  • Intel researchers are making great strides toward practical methods for homomorphic encryption, a method that will allow computer systems to perform calculations on encrypted information without first decrypting. Duality* is collaborating with Intel to explore the security challenges of AI workloads using homomorphic encryption on Intel platforms. Duality* will use homomorphic encryption across every stage of an AI solution pipeline to minimize data exposure.
  • Fortanix* announced enhancements to its Runtime Encryption solution to help enable secure execution of ML algorithms, using Intel SGX enclaves, with support for Python and R languages commonly used in research and modeling. This, in turn, supports secure data sharing and analysis for AI training models and applications.

Security for Blockchain: Industry Adoption and Collaboration

Blockchain continues to show promise in transforming business processes. Intel processor technologies offer capabilities to help improve the security, scalability and privacy of distributed ledger networks. At Cyber Week, we are introducing innovations in what we call “off-chain computing” to help address both privacy and throughput for blockchain implementations. We are also highlighting recently announced collaborations.

  • Enigma* has developed a unique privacy protocol that uses Intel SGX to protect data, while allowing computation over the data. In our collaboration, we’ll work together to integrate this functionality for private smart contracts on the Ethereum public ledger.
  • Two weeks ago, Intel joined SAP* to formalize efforts in a blockchain consortium to construct a blockchain proof of concept to improve international shipping efficiencies on SAP’s blockchain-as-a-service platform.
  • Last month, the Tel Aviv Stock Exchange*, Accenture* and The Floor* announced the development of a new blockchain securities lending platform powered by Intel. This platform will transform the securities lending market in Israel by enabling direct lending among all the major financial instruments.

Security is pivotal to our company’s strategy and a fundamental underpinning for all workloads, especially those that are as data-centric as AI and blockchain. We will continue to innovate and make our silicon an active participant in the threat defense lifecycle. The announcements at Cyber Week underscore the value that our investments can deliver to meet the cybersecurity needs of organizations today.

Rick Echevarria is vice president in the Software and Services Group and general manager of the Platforms Security Division at Intel Corporation.

The post Intel Advances Silicon-Based Security for AI and Blockchain Workloads appeared first on Intel Newsroom.

Facebook’s Data Security Meltdown Could Bolster Blockchain: Analyst

The social media giant shouldn’t mistake the forest for the trees. While Facebook continues to reel from a security breach involving the personal data of tens of millions of users, they may just have demonstrated the value of an unalterable public ledger, aka blockchain. RBC Capital Markets analyst Mitch Steves thinks so, according to a recent

The post Facebook’s Data Security Meltdown Could Bolster Blockchain: Analyst appeared first on CCN

Expanding Intel’s Bug Bounty Program: New Side Channel Program, Increased Awards

By Rick Echevarria

At Intel, we believe that working with security researchers is a crucial part of identifying and mitigating potential security issues in our products. Similar to other companies, one of the ways we’ve made this part of our operating model is through a bug bounty program. The Intel® Bug Bounty Program was launched in March 2017 to incentivize security researchers to collaborate with us to find and report potential vulnerabilities. This, in turn, helps us strengthen the security of our products, while also enabling a responsible and coordinated disclosure process.


Coordinated disclosure is widely regarded as the best way to responsibly protect customers from security exploits. It minimizes the risk that exploitable information becomes publicly known before mitigations are available. Working closely with our industry partners and our customers, we encourage responsible and coordinated disclosure to improve the likelihood that users will have solutions available when security issues are first published. Our Bug Bounty Program supports this objective by creating a process whereby the security research community can inform us, directly and in a timely fashion, about potential exploits that its members discover.

In support of our recent security-first pledge, we’ve made several updates to our program. We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data.

Updates to our program include:

  • Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.
  • Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.
  • Raising bounty awards across the board, with awards of up to $100,000 for other areas.

More details on the program, including these new updates, can be found online on the Intel security site or our HackerOne page.

We will continue to evolve the program as needed to make it as effective as possible and to help us fulfill our security-first pledge. Thank you, in advance, to all of those across the industry who choose to participate.

Rick Echevarria is vice president and general manager of Platform Security at Intel Corporation.

The post Expanding Intel’s Bug Bounty Program: New Side Channel Program, Increased Awards appeared first on Intel Newsroom.