The Team
This Hacking team are a pain in the arse. They appear to serve no useful purpose to this planet apart from help governments spy on people and undermine IT security.
Hacking Team RCS spyware came pre-loaded with a UEFI (Unified Extensible Firmware Interface) BIOS rootkit to hide itself on infected systems, it has emerged following the recent hacking of the controversial surveillance firm. The stealth infection tactic, which has been revealed through leaked emails arising from last …
Come on, it's not revolutionary stuff.
Why, did you expect an unpublished pamphlet of Leon Trotsky in the stack?
Of course it's not "revolutionary". But so what. You are a 1980s coder; you should disregard the inner child demanding "teh new" every single morning. The future is just like the past, only more so.
> What have we got, a few flash zero-days, and a UEFI BIOS hack? Come on, it's not revolutionary stuff.
No, those are the crumbs that one small Italian company has scratched together.
Several other, much larger companies (and the government that controls them) hold those two things too. However they all also hold the keys to all your computer equipment.
Think about that for a while.
Think about how much you trust them all to do the right thing with that great responsibility.
Think about how much you trust them all to safeguard that responsibility.
http://www.theregister.co.uk/2015/07/09/nsa_network_security_code_leaks_onto_github/
http://www.theregister.co.uk/2015/07/09/nsa_snooped_on_german_chancellors_for_decades_wikileaks/
http://www.theregister.co.uk/2015/06/12/second_opm_data_breach/
http://www.theregister.co.uk/2015/06/04/nsa_warrantless_internet_snooping/
http://www.theregister.co.uk/2015/03/19/cansecwest_talk_bioses_hack/
MSFT is the NSA's consumer software division. Has been ever since 1998. What do you suppose US vs MSFT was about and why do you suppose it just went away without MSFT mending its ways? The fact that the _NSAKEY was slipped in during 1999 must just be a coincidence too?
UEFI is a clusterfuck BY DESIGN. THIS is its purpose.
Same for "Intel's" AMT/vPro BTW.
MSFT is the NSA's consumer software division. Has been ever since 1998.
With oodles of black money to spend and lots of willing recipients in the tech industry, what's to stop the NSA or any other US/foreign entity from influencing the consumer products?
Adobe has been giving away its PDF reader for years. Anyone want to guess why?
Google has all those nice free services that have already been shown to be open pipes to agency datastores.
Dell falls on hard times and then miraculously comes back to life. Who wouldn't trust a Dell BIOS?
"Various precautions to guard against this sort of attack are possible including enabling UEFI SecureFlash, updating the BIOS whenever there is a security patch and setting up a BIOS or UEFI password"
If someone has managed to bypass your entire office security, got into the server room and managed to reflash a machine without anyone noticing then IMHO a reflashed BIOS is probably the least of your worries.
Newsflash: Once someone has physical access to a machine it's Game Over.
You did not read the article. This was targeting primarily laptops.
I have seen multiple times laptops coming back from conferences and trade shows with keyloggers installed. The usual procedure (in sane IT shops) is to zap anything and everything that has been to a list of countries + any trade show where people from said countries were in attendance. This would work against conventional spyware. Against this - I doubt it.
We've done away with the list. If you've been on travel, when you get back, it gets wiped and a fresh image is installed.
Not that that would have helped with this particular hack.
If you're sufficiently paranoid these days, the correct procedure is actually to chuck it all to a reseller as soon as it comes back and give them a new, fresh out of the box, not re-furbed laptop. The BIOS, the hard drive, even the mouse might have been compromised with malware your OotB AV suite simply isn't equipped to deal with.
"If you're sufficiently paranoid these days, the correct procedure is actually to chuck it all to a reseller as soon as it comes back and give them a new, fresh out of the box, not re-furbed laptop."
What's to stop the laptop being compromised at the factory, before it even goes IN the box?
Nothing.
At that level of paranoia you're also certifying the factory and your transport service and implementing high level security controls for their facilities. Also, think armored car transport principles without the obviousness of the armored car.
>If someone has managed to bypass your entire office security, got into the server room and managed to reflash a machine
Or they simply did it at the UPS facility when the server was on its way to you or at the motherboard factory - depending whether you are being spied on by the good guys or the bad guys.
Those building the spying in at the factory are evil henchmen of a commie dictatorship aimed at political enemies of the state.
Those intercepting the servers in transit and "updating them" are the brave guardians of law and order in their constant battle against the commie terrorists in our midst.
I really can't see how people could get confused.
It is high time that a few big players, such as Gov/Police/etc insisted on a supply of PCs & laptops with an open and documented BIOS system, so that any bugs can be fixed (not saying they will be, mind) and tools developed to allow the safe wipe and re-installation of any potentially compromised BIOS.
One can dream :(
It's us who'd have to do the insisting. "Gov/Police/etc" are dead keen on b0rked crypto and backdoors. Where've you been hiding?
You're at liberty* to only buy kit supported by coreboot if you value such things.
*For the moment. I think. You might want to check with a lawyer on that.
You seem to mistake gov & TLAs for simple monolithic organisations with a singular goal. In reality they are complex, contradictory and often plain incompetent.
Some of the gov want back-doors and weaknesses in other people's systems, but most certainly do not want it in their own systems. But outside of the likes of NSA/GCHQ for secret-and-above projects, they all buy off the shelf computers and such p0wnage leaves them as vulnerable to other nations (and criminals) as we are.
Sadly most consumers don't understand and don't care, so they will apply no pressure on Dell, HP, Asus, Gigabit, etc, to offer us coreboot-compatible hardware (or the necessary documentation). My budget is for a couple of machines a year - will they listen?
So maybe having such UEFI malware from this hack out in the field is actually good in the long term as we, and major security vendors, can start asking pointed questions to suppliers about how to secure the BIOS, and how to put in our own more secure versions.
On the subject of items being compromised before they hit the shelves - where is the vast majority of consumer IT kit made....
That's right - in the good ole People's Republic of China.
So if anybody's going to be watching you, it's going to be them - which is why you'd better be doing a better job of watching them than they are of you...
BIOS may have needed to be updated, but UEFI was a bad idea. Every vendor has a different implementation and it is plain to see that it was really designed with content management and lock-in in mind rather than addressing any shortcomings in BIOS or introducing features that end users might actually want to use.
In light of the suggestion that this *possibly* could have a remote install vector in the bios attack, having to put a bios jumper in another physical position to reflash was a good idea after all...
But, I suspect the vast majority of people who cared about security said this at the time. Only to be shouted down by the IT ops people who no longer had to go round people's desks to do things.
I'd settle for a physical switch instead of a jumper. Depending on the motherboard some of those *&%*$!! jumpers were smaller than an eye glasses screw.
Also, all MBs these days should have a double BIOS setup: One flashable which is the primary boot chip, one ROM which by flipping another switch/setting another jumper can be used to restore the BIOS that originally shipped with the MB.
Agreed. We've only seen some tricks from a primary school kid's IT project. This is nothing compared to what the big boys' school can do.
Although I will say one thing. Having worked with the UK police, I think people's views on how they operate are all wrong. If anything the UK police are the only ones I've seen who have rules for doing any of this sort of 'surveillance' on a suspect, rules they follow too. Ok you might get a bad egg policeman who abuses his position, you get that in all walks of life, but on the whole they follow procedure, which by the way, includes a court issued warrant to carry out the 'surveillance'.
Same can't be said for other UK agencies, but the police I will defend, slightly, they are still the police after all!
Everything is now software.
USB controller chips in USB devices may have switched from ASICs to uCs, and so can be re-purposed to do their designer's bidding. Security scan your 32GB flash drive as much as you want, you won't find this. Maybe you shouldn't turn your back on your mouse, lest it suddenly pretend to be you.
Mobile phones will have another layer of (re)programmable base-band chipsets below the OS. They could contain malware, just not as we know it Jim.
It's hopeless. You can't even trust the kit brand new in the box.
Hacking Team's customers were governments, and those can simply get any firmware image they want signed by the manufacturer or demand the private key from the manufacturer. Secure Boot may protect you from your random commercial malware, but those rarely go through the effort of trying to be persistent.
Plus with Secure Boot you have no way of changing your own firmware, for example into some much simpler version of Coreboot.
and those can simply get any firmware image they want
The government of DumbF***istan? Give me a break.
Hacking team customers were small dictatorships operating under embargo or semi-embargo which could not purchase proper products from the big guys. Any such government making any demands along the lines you describe would have received a nice 3 finger salute response there and then.
I've still seen no real explanation about mitigation.
Regularly patching and applying BIOS/UEFI updates sounds fine until you realise that the motherboard manufacturers aren't issuing any updates and patches.
So will this work?
(1) Remove all hard drives.
(2) Reflash motherboard with latest BIOS/UEFI.
(3) Boot from trusted CD.
(4) Scan all the hard drives you removed (plus any external devices including memory sticks, camera cards etc.) with software which can remove the (possible) infection. This includes all backups.
(5) Refit the hard drives and hope.
Of course if you have a network of PCs and a file server for backups a full shut down and clean could be enormously time consuming.
Or are they saying that it just can't be removed?
I suspect the latter. Why would a persistent malicious UEFI overwrite itself without either:
1) Infecting the new image you're attempting to replace it with.
2) Generating some spurious error message (e.g. proclaiming the new image is corrupt) to tell you to fuck off.
3) Feigning a successful flash while actually doing nothing.
4) Performing some other equally enjoyable ruse for us to savour.
Now, if the chips weren't soldered onto the boards and encrusted with ever more elaborate tamper-proofing to obstruct their "owners" from taking ownership then we'd at least stand a chance of reprogramming them to our requirements. Of course that would rather defeat their purpose.
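The reply above makes the point that a reflash requested from inside the machine cannot be trusted, since a malicious firmware can feign success or infect the new image; the cleanup procedure in the question (step 2, reflash the motherboard) has the same weakness. The defensive check that follows from that is to read the flash contents with an external programmer, so the running firmware is not in the loop, and compare the dump against the vendor's reference image block by block. The script below is an added example written for this thread, not code from any commenter or vendor tool. It assumes two byte strings are already in hand (a `dump` read externally and a clean `reference` image) and uses a 4 KiB block size as a representative SPI erase-block size; both images in the block are constructed test data, not real firmware.

```python
"""Compare an externally dumped firmware image against a known-good reference.

Added example for the thread above. Assumptions (not from the page):
  - `dump` was read from the SPI flash with an external programmer, so the
    firmware under suspicion had no chance to alter what we see.
  - `reference` is the vendor image believed to be clean for this board/version.
  - BLOCK_SIZE of 4096 is a representative SPI flash erase-block size.
Both sample images below are constructed test data.
"""
import hashlib

BLOCK_SIZE = 4096  # assumed erase-block size; adjust to the part in use


def sha256_hex(data: bytes) -> str:
    """Whole-image fingerprint, useful for logging alongside the block report."""
    return hashlib.sha256(data).hexdigest()


def diff_blocks(dump: bytes, reference: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Report every block where the dump deviates from the reference.

    Each entry in 'modified_blocks' is (offset, kind) where kind explains the
    deviation: a plain modification, an erased block (all 0xFF, as a blank
    flash page reads), data past the end of the reference, or missing data.
    """
    longest = max(len(dump), len(reference))
    modified = []
    for offset in range(0, longest, block_size):
        d = dump[offset:offset + block_size]
        r = reference[offset:offset + block_size]
        if d == r:
            continue
        if not r:
            kind = "extra data beyond reference end"
        elif not d:
            kind = "missing (dump shorter than reference)"
        elif all(b == 0xFF for b in d):
            kind = "erased (all 0xFF)"
        else:
            kind = "modified"
        modified.append((offset, kind))
    return {
        "size_match": len(dump) == len(reference),
        "dump_sha256": sha256_hex(dump),
        "reference_sha256": sha256_hex(reference),
        "modified_blocks": modified,
    }


def is_clean(report: dict) -> bool:
    """True only when sizes agree and no block differs from the reference."""
    return report["size_match"] and not report["modified_blocks"]


def build_sample_images() -> tuple:
    """Constructed test data: an 8-block reference and a dump with two tampered blocks."""
    reference = bytes((i * 7 + 3) & 0xFF for i in range(8 * BLOCK_SIZE))
    dump = bytearray(reference)
    # Block 2: a small in-place modification (constructed marker bytes).
    start = 2 * BLOCK_SIZE + 100
    dump[start:start + 16] = b"CONSTRUCTED-TEST"
    # Block 5: erased entirely, as a botched or interrupted write would leave it.
    dump[5 * BLOCK_SIZE:6 * BLOCK_SIZE] = b"\xff" * BLOCK_SIZE
    return reference, bytes(dump)


if __name__ == "__main__":
    ref, dmp = build_sample_images()
    report = diff_blocks(dmp, ref)
    print("reference sha256:", report["reference_sha256"])
    print("dump sha256:     ", report["dump_sha256"])
    print("size match:      ", report["size_match"])
    for offset, kind in report["modified_blocks"]:
        print(f"block @ 0x{offset:06x}: {kind}")
    print("clean:", is_clean(report))
```

A block-level report is more useful than a single hash mismatch because legitimate differences are usually confined to known regions (NVRAM variable stores, event logs), so a mismatch in the code regions stands out; the reference image must come from the vendor over a channel you trust, not from the suspect machine.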
All your computer are belong to U.S.