How is this so? No one's ever mentioned this when talking about stolen laptops. They talk about high level software like Prey or whatever Apple uses. How would you use this to find your laptop? There's a central server that almost every laptop on earth talks to? Seems highly doubtful.
It’s also had a history of major security issues, and a vendor who does not understand how to deal with vulnerability reports.
They aren’t on Apple laptops though, just most OEMs.
Personally, I think it’s absolutely fantastic that this has finally been publicly exploited in the wild and repurposed for malicious purposes, because this was called out as an obvious threat almost 10 years ago now, and none of the vendors took it seriously or cared. Now they can’t ignore it with the “we have no reports of any customers being attacked” deflection and they will likely face far more scrutiny. It’s just like what happened with the Intel ME staying under the radar for so long, but at least to Intel’s credit, they actually attempted to build security in.
- Install more software to make it more secure
- Put secure software in the lowest ring possible to make it more secure
- "The good can use it against the bad" but not the other way round
- Proof of ownership based on "I said it first"
- Of course, closed source, because security
Sorry for the tinfoil interpretation, but I believe it's hard to convince every company to (most likely) pay for this stuff without some sort of coercion.
Looks to me like Intel ME, secure platform processors, mandatory backdoors for devices, and the likes.
And once again Linux is a solution.
Where this code lives they can sit passively by until you've decrypted your hard drive (capturing your key in the process), patch the kernel with a rootkit, and start processes or drop files that will be invisible and inaccessible to even other kernel processes.
This isn't a vulnerability in Windows, or Linux. This is drinking from a polluted pool before they come into existence and poisoning the system.
If software at this level is malicious, it has equal privileges as your BIOS before any kernel gets loaded. It doesn't matter what the operating system is, it just has to be designed for it. It can return TPM approved checksums to your kernel and continue a secure boot as long as it knew what those checksums were before it modified them. Oh you use an external drive for your unencrypted boot partition? That can be modified as it is read off disk, before you're ever prompted for a disk passphrase, and it will report the correct checksum before it gets loaded.
This is a vicious level of access for malicious software, and it is OS agnostic as far as the attack goes. THIS instance is Windows only because that is what it was targeted at.
Does it need to? Is there anything stopping the firmware dropping, say, a systemd service on the disc?
Disable UEFI. https://github.com/corna/me_cleaner
Disable the ACPI hooks that register the kernel with UEFI. http://heim.ifi.uio.no/~knuto/kernel/4.14/admin-guide/kernel...
Use full disk encryption - unlike Microsoft Bitlocker which left backdoors for LoJack, linux vulnerabilities are publicized and you can update as soon as the patch appears on the internet.
Switch to a filesystem that the UEFI malware does not understand. Or move fields and magic numbers around in an existing filesystem to create a "custom" filesystem.
Or a combination of all of the above.
Certainly not. The exploit depends on Windows-specific and Windows-only behavior.
What's stopping firmware from patching GRUB to patch the kernel to do things it's not supposed to do? There is nothing inherent to Linux that makes it invulnerable to this kind of thing.
If you can't trust the underlying hardware or firmware, you cannot trust the machine.
Using Linux is likely a good move, and encrypting your filesystem even better. But both of these could be defeated by an appropriately targeted UEFI program. I get the appeal for an enterprise that wants a chance at remotely tracking a stolen laptop, but now we can see how much power can be misappropriated when the system is compromised.
Anything launched prior to your OS can do that, like boot-sector viruses of the old days.
What’s different here is how someone (with luck) can infect your firmware stealthily and deploy a UEFI payload (typically intended to provide base HW drivers with a machine) which Windows will actively detect and install and run without question.
And thus the initial agent gets deployed and installed.
Windows installs the root kit into its own FS, all by itself.
But only on Windows, because Linux does NOT look for or use that UEFI driver payload.
Linux is immune to this attack. Really.
If your entire firmware gets corrupted and replaced by a hostile material, obviously you’re screwed, but what is the chances of that happening and your machine booting?
Only Windows obliges to this request. Linux is immune.
I’m baffled to say the least.
MS allows its employees to comment on matters in a personal capacity with a disclaimer indicating such.
Apple employees are not supposed to comment at all, and can be terminated for doing so.
Both explicity forbid shilling, and there is no encouragement by the company to do anything like what you’re describing. This should be obvious if one considers how many lawyers they employ whose sole job it is to prevent them from being sued, charged, or investigated.
I know folks at both companies, and while everyone is unique, I noticed that many have a lot of pride in their employer, have a strong dislike for competitors, and would likely engage in expressing their disagreement voluntarily.
1. Are there any probable/plausible examples of such manipulation? I say this from a 100% naive standpoint - literally: I've never seen it myself, so it unfortunately does work. Not to say I doubt it exists; I've read about the concept enough times that I accept that it exists.
2. Regarding (3), do you think it would be possible to cultivate that mindset again, in a different setting/environment, or are these trends influenced by the contemporary status quo? :/
2a. If you _do_ think it might be possible, I'm very interested to absorb ideas on how to create constructive discussions online. People have had more than enough interactions with the current mainstream (twitter, facebook, reddit, here, etc) to probably have _some_ idea on how to massively improve tooling/UX/etc.
2) I do think it is possible, but it is much more difficult to gain those users back who have fled due to those issues. It would require a public shift in forum management style that openly acknowledges it's issues, which especially in a place like this would be hard because for the most part dang et al actually do a great job and the issues we are talking about are very nuanced...
2a) If you come to some conclusions on this I'd like to hear them too. Its something I think about often, and I'm yet to find some silver bullet. I tend to gravitate towards some mishmash of past techniques, for example, I really liked Slashdot mod system, where random users were given mod ability, and instead of just points, you could label something informative, funny, etc. I also think exclusivity can be a boon, so for example invite-only forums or some other exclusion method can naturally curate conversations, but on the flip side you will tend to keep otherwise good commentators silent that way. steemit's idea of monetization via crypto of good content is another approach... none of them alone seems to be enough...
One idea I've had that's technically challenging would be some sort of AI comment judge with preselected criteria, so let's say a commentor makes many logically fallacious comments, then that person gets a temp-ban.
Another has been just purely based on comment depth/length. If a user often goes in depth, a few one sentence quips would reduce their score-weight but they could still post, but another user who only does one line quips would get a temp-ban.
in short, I don't know, but whoever figures this out is going to be a big deal
Any suggestions on where to go next?
I also still enjoy irc, usenet, and deepnet sites (such as onion sites, etc) for the less mainstream, old school hacker vibe.
> UEFI let’s the FW signal to the OS upon boot “please install this driver blindly”, but it can’t force the OS.
> Only Windows obliges to this request. Linux is immune.
UEFI firmware runs before the OS and with greater privileges – e.g. it has control over System Management Mode (SMM), which is hidden from the OS. It can force the OS to do whatever it wants. For example, it can modify system files on disk, which should be enough to compromise most Linux installations. If that isn't possible (because something verifies the files), it could, e.g., patch the next stage bootloader it loads (which could be GRUB or the kernel itself via EFISTUB), in memory before executing it. Or, as an easier approach, it could just add a SMI handler that patches the kernel later on.
It is true that Windows 8 and later exposes a way for UEFI to "ask it nicely" to load a given driver, without having to patch anything, namely the WPBT (Windows Platform Binary Table). As you note, this is the mechanism Lenovo used to persist Superfish. The reason it exists, however, is for anti-theft software such as Computrace/LoJack. Earlier versions of Computrace took a "brute force" route to installing its persistence driver, patching system files on disk, and there wasn't really anything Microsoft could do to stop it. So instead they decided to give them a sanctioned route to accomplish the same thing, which at least is less likely to break something in the process.
However, at least according to the white paper, the LoJax UEFI rootkit does not use WPBT at all. Instead it uses an approach that seems to be inspired by older (pre-WPBT) versions of Computrace.  Specifically, it drops a binary "autoche.exe" into the filesystem, then modifies the registry to execute autoche.exe on boot instead of the normal autochk.exe (note that the last letter is different).
Thus, WPBT is irrelevant in this case. The malware hijacks Windows by modifying its filesystem, and if the authors cared enough to target Linux, they could hijack most Linux installations the same way (and all installations with a somewhat more difficult approach). But then, even if some piece of malware did decide to use WPBT when targeting Windows, it could still use the more elaborate methods to target Linux. At most, WPBT makes it slightly easier for UEFI malware to target Windows than it would otherwise be. But it really doesn't make much difference.
 To clarify: As the white paper describes, a later stage of the bootstrap, rpcnetp.exe, is actually copied from an older version of Computrace and merely patched to change the C&C server address. However, the UEFI part of the malware is custom, and merely uses a similar (but slightly different) overall approach. Computrace's own UEFI driver worked by actually modifying autochk.exe, whereas the malware modifies the registry to execute a different filename instead.
You probably shouldn't be. All this "fanboying" annoys the hell out of people because faboys are constantly trying to sell linux as the solution to all problems, and then when people give them reasons why linux isn't a solution to their problems they get really defensive and start using canned excuses like "well it works for me", "you didn't pick the right distro", "normal users don't need that", "you need to research your hardware", "you have the source so you could fix it yourself", or even "Windows/MacOS have problems too!".
The community alone is enough reason to avoid linux.
note: in this instance, "linux" is being used as shorthad for "the GNU/Linux Desktop".
This is true for nearly anything imaginable, not just Linux.
> The community alone is enough reason to avoid linux.
If you selectively pick the worst of any given (tech related) community, you'd probably be using nothing.
Yes, it is, but that doesn't mean you should be doing it if you actually care about linux.
> If you selectively pick the worst of any given (tech related) community, you'd probably be using nothing.
I'm not selectively picking anything. This is the part of the community I am constantly exposed to because it is the part that evangelizes.
That's definitely why you're hanging out on a website built for armchair intellectuals. There's definitely no bias on the selection of people who visit and comment here. /s
However, it's also quite inappropriate to completely ignore the main point of someone else's comment and vent all these frustrations on them for using the informal term "fanboying", and I don't think that doing so contributes anything to the current discussion about whether GNU/Linux is vulnerable to this rootkit.
Also, WRT turning it off, there are typically two options: deactivate and disable. One is just "temporary" (in that it can be turned back on later), the other is (supposedly) permanent and "impossible" to revert. Make sure you choose the right one (for you).
This is useful, but not obviously good. It's good only if it's securely implemented, but as a user, I'm not sure. I've disabled Computrace on every laptop I own, and now stopped worrying about it after installing coreboot.
Anti-virus software was very easy to circumvent in the past. Getting the kernel32 address from the PEB, having your own PE loader and having most code xored with the Mersenne twister output in the data segment for obfuscation, as well as some runtime is_sandbox() heuristics and no AV would detect anything malicious.
Don't know if it got better or worse, but AV software was not very good at finding malicious code explicitly written to not run in plain sight in the past.
Having Windows Defender on is sufficient for the casual threats most people would encounter.
This sounds much like survivorship bias to me.
So unless you going to say that vaccination is survivorship bias because we don't have them against some diseases I really don't see your point.
Windows Defender will block virtually every common infection these are what most people get hit by, it will also block virtually all ransomware and you can see just how much the ransomware "market" got hit once they implemented it to see that it is effective.
Yes it won't protect you against NSA or some high end hacking group that writes completely custom malware to target single individuals but you are also not likely being the target of these.
But you are likely be target of the 1000's of known threats that are spread through driveby attacks, infected media and pretty old stuff you'll be surprised just how common 5 year old infections still are.
And for many things WD is simply much better than any solution this includes offline removal of rootkits (it can boot into a WinPE environment for a scan) and Ransomware protection where Windows Defender can restrict apps from accessing folders that tend to keep user data: https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/...
Basically if you have Windows 7, 8 or 10 keep Windows Defender on it actually does work.
If you share removeable media with other people and have people who use your computer or on your network that aren’t exactly security conscious it’s not a terrible idea to have it enabled.
> "The tool described above is able to update the system’s firmware only if the SPI flash memory protections are vulnerable or misconfigured. Thus, you should make sure that you are using the latest available UEFI/BIOS available for your motherboard. Also, as the exploited vulnerability affects only older chipsets, make sure that critical systems have modern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008)."
Does the SPI chip have a write protect line? Or could it be subbed with one that does?
> (2) The perps are probably a Russian hacking group (military, KGB, FSB, or something similar), known by a bunch of names, but I call them Fancy Bear, for no particular reason other than it was the first name I knew them by, and it's a neat name. These are the same guys that (probably) broke into a factory in Taiwan in Feb 2018, and modified firmware in a bunch of computers, headed for the German government.
How could he possibly be so sure (that he implies) that this is the same group? Sure, he adds a couple of “probably”s, but the style is completely undoubting.
> (6) Interestingly, the modus operandi of the Lenovo rootkit and the modified Lo Jacks, are _remarkably_ similar. This might be pure coincidence… or … maybe something else.
Maybe what? Why is he being cagey about what it could be? It looks like he wants the reader to feel like the “in”-group who knows what he means, but in reality nobody does.
But yes, not letting people reset their computer by accident is just good user interface.
I don’t know why security-conscious people would willingly load a PDF but there you go.
> Scripts can supposedly do things like make arbitrary database connections, detect attached monitors, import external resources, and manipulate 3D objects.
That's an unprecedented level of power for what is supposedly a simple document format.
That being said, PDFs are only a threat when opened in a with support for these obscure APIs, such as Adobe's own readers. You (probably) will be fine opening untrusted PDFs in Chrome's PDF reader (PDFium) and Preview.
Not that PDFium is any worse than Adobe, but certainly not much better.
Microsoft got it right with (O)XPS -- none of that dynamic stuff that lets you do all kinds of naughty things to the system with a properly formed document like PDF can do.
On the other hand, they also get it wrong with other things and we end up with SYSTEM-level compromises due to a vulnerability in a font!
PDF is not just a representation of paper, you can for instance also build forms.
It would be nice if there was a separate ‘static paper’ only extension/mime type but there isn’t.