VMWare and Microsoft Virtualization Based Security (VBS)

Introducing support for Virtualization Based Security and Credential Guard in vSphere 6.7
Mike Foley

Microsoft virtualization-based security, also known as “VBS”, is a feature of the Windows 10 and Windows Server 2016 operating systems. It uses hardware and software virtualization to enhance Windows system security by creating an isolated, hypervisor-restricted, specialized subsystem. Starting with vSphere 6.7, you can now enable Microsoft (VBS) on supported Windows guest operating systems. You may or may not be familiar with these new Windows features. Based on conversations I have with security teams, you might want to become familiar! What you will hear first and foremost is the requirement for “Credential Guard”, which is why I added that to the title. In order to level set the conversation in this blog I will go over the features as they relate to a bare metal installation of Windows and then a Windows VM on ESXi.[…]

https://blogs.vmware.com/vsphere/2018/05/introducing-support-virtualization-based-security-credential-guard-vsphere-6-7.html

GCC 8.1 Released

GCC 8.1 is a major release containing substantial new functionality not available in GCC 7.x or previous GCC releases.

This release features significant improvements in the emitted diagnostics, including improved locations, location ranges and fix-it hints (especially in the C++ front-end), and various new warnings have been added.

Profile driven optimizations have been significantly improved; on x86, functions are now split into hot and cold regions by default. The link time optimizations now have a new way of emitting the DWARF debug information, which makes LTO optimized code more debuggable. New loop optimizers have been added and existing ones improved, and some, like -ftree-loop-distribution, -floop-unroll-and-jam and -floop-interchange, have been enabled by default at -O3.

The AArch64 target now supports the Scalable Vector Extension, which features vectors with a runtime determined number of elements.

http://gcc.gnu.org/gcc-8/porting_to.html
https://gcc.gnu.org/gcc-8/changes.html
http://www.gnu.org/order/ftp.html


Lojack (formerly CompuTrace) Becomes a Double-Agent

ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically choose geopolitical targets, such as governments and international organizations. They also target industries that do business with such organizations, such as defense contractors. Lojack, formerly known as Computrace, is a legitimate laptop recovery solution used by a number of companies to protect their assets should they be stolen. Lojack makes an excellent double-agent due to appearing as legit software while natively allowing remote code execution. Although the initial intrusion vector for this activity remains unknown, Fancy Bear often utilizes phishing email to deliver payloads.

https://asert.arbornetworks.com/lojack-becomes-a-double-agent/

Wikipedia on LoJack: “Analysis of Computrace by Kaspersky Lab shows that in rare cases, the software was preactivated without user authorization. The software agent behaves like a rootkit (bootkit), reinstalling a small installer agent into the Windows OS at boot time. This installer later downloads the full agent from Absolute’s servers via the internet. This installer (small agent) is vulnerable to certain local attacks and attacks from hackers who can control network communications of the victim.”

https://en.wikipedia.org/wiki/LoJack_for_Laptops

https://www.absolutelojack.com/features/


AMI statement for Meltdown/Spectre for MegaRAC BMC

https://ami.com/en/tech-blog/ami-statement-in-response-to-meltdown-and-spectre-security-vulnerabilities-for-megarac-bmc-firmware-on-aspeed-armbased-platforms/

https://www.nikktech.com/main/news/8940-american-megatrends-statement-in-response-to-meltdown-and-spectre-security-vulnerabilities-for-megarac-bmc-firmware-on-aspeed-arm-based-platforms

Bypassing code protection on an Intel 8752

Kibo Schaffer

The security bits that enforce code protection on the Intel 8752 can be cleared with UV, while keeping the main program memory mostly intact by applying a UV mask (nail polish) to the EPROM regions of the die.[…]

https://blog.inach.is/8752/

Ceramic chip decapping rig

Arm announces security features in Cortex-M35P

On Wednesday, 2nd May we announced a range of IP to protect silicon from physical attacks, extending our portfolio of Arm security IP to bring physical security within reach of any IoT product. Our new IP, all marked with a “P” tag for physical security, includes: the Cortex-M35P processor, as well as a new suite of security IP with added side-channel attack protection (CryptoIsland-300P and CryptoCell-312P). This post describes how the benefits and features of the Cortex-M35P bring anti-tampering protection to the widely-supported, user-friendly Cortex-M processor to guard against physical attacks, providing access to new markets for your product.[…]

https://www.arm.com/products/processors/securcore

https://community.arm.com/processors/b/blog/posts/arm-cortex-m35p-multilayered-security-at-heart-of-your-device

Microsoft introduces Trusted Cyber Physical Systems (TCPS)

Trusted Cyber Physical Systems looks to protect your critical infrastructure from modern threats in the world of IoT
Thomas Pfenning / Director Software Engineering
April 24, 2018

This week at Hannover Messe 2018 in Germany, we are excited to demonstrate how Microsoft is utilizing its more than 25 years of embedded and hardware security experience with a new project codenamed Trusted Cyber Physical Systems (TCPS). This solution seeks to provide end-to-end security that is resilient to today’s cyber-attacks so our industrial customers can operate their critical infrastructures with confidence and with no negative impact to their intellectual property and customer experience.[…]

https://blogs.windows.com/business/2018/04/24/trusted-cyber-physical-systems-looks-to-protect-your-critical-infrastructure-from-modern-threats-in-the-world-of-iot/

PDF: TCPS-WP.pdf

PDF: Protecting-Critical-Infrastructure.pdf

EFI-RPM-macros: helps packaging of EFI code into Red Hat RPMs

efi-rpm-macros provides a set of RPM macros for use in EFI-related packages.

The following variables are meaningful on the make command line:

EFI_ESP_ROOT: the directory where the EFI System Partition is mounted
EFI_ARCHES: the rpm arches %efi will match on
EFI_VENDOR: the vendor name for your EFI System Partition directory

The following rpm macros are set:

%efi: the arches that EFI packages should be built on, suitable for use with %ifarch
%efi_vendor: the vendor name for your EFI System Partition directory
%efi_esp_root: the directory where the EFI System Partition is mounted
%efi_esp_efi: the full path to \EFI on the EFI System Partition
%efi_esp_boot: the full path to \EFI\BOOT on the EFI System Partition
%efi_esp_dir: the full path to your vendor directory on the EFI System Partition
%efi_arch: the EFI architecture name, e.g. x64
%efi_arch_upper: the EFI architecture name in upper case, e.g. X64
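As an added illustration (not code from the efi-rpm-macros project), here is a minimal spec for a hypothetical package "example-efi-app" that uses the macros above to build only on EFI architectures and install one EFI binary into the vendor directory on the ESP. The package name, tarball, gnu-efi build dependency, the file app.efi and the Fedora macro package name efi-srpm-macros are assumptions.

```spec
# Added example, not part of the efi-rpm-macros project. Package name, source
# tarball, build dependency and the file name app.efi are all constructed.
Name:           example-efi-app
Version:        1.0
Release:        1%{?dist}
Summary:        Example EFI application packaged with the efi-rpm-macros
License:        GPLv2
Source0:        example-efi-app-%{version}.tar.gz

# The efi macro expands to the arches EFI packages are built on, so the
# package is skipped on non-EFI arches instead of failing to build there.
ExclusiveArch:  %{efi}

# efi-srpm-macros is assumed to be the Fedora package that ships these
# macros at SRPM build time; the name may differ on other distributions.
BuildRequires:  efi-srpm-macros
BuildRequires:  gnu-efi-devel

%description
Example EFI application installed to the vendor directory on the ESP.

%prep
%setup -q

%build
%make_build

%install
# efi_esp_dir is the vendor directory below efi_esp_efi, for example
# /boot/efi/EFI/fedora when the vendor is "fedora"; efi_arch (x64, aa64, ...)
# supplies the conventional architecture suffix for EFI binaries. The
# removable-media fallback name would be BOOT%{efi_arch_upper}.EFI under
# efi_esp_boot, but that path belongs to the boot loader, not to this app.
install -d -m 0700 %{buildroot}%{efi_esp_dir}
install -m 0700 app.efi %{buildroot}%{efi_esp_dir}/app%{efi_arch}.efi

%files
# Owning the installed binary in the package (rather than copying it in a
# scriptlet) lets "rpm -V" report a modified or replaced file on the ESP.
%dir %{efi_esp_dir}
%{efi_esp_dir}/app%{efi_arch}.efi
```

Building the SRPM on a non-EFI architecture produces no binary package, and `rpm --eval '%{efi_esp_dir}'` on the build host shows the path the macros resolve to.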

https://github.com/rhboot/efi-rpm-macros


upcoming queue of BMC/iLO research…

3 different submissions to upcoming conferences. One abstract (for SSTIC’18) is below:

https://twitter.com/nicowaisman/status/990232607253245957

https://www.sstic.org/2018/presentation/subverting_your_server_through_its_bmc_the_hpe_ilo4_case/

Subverting your server through its BMC: the HPE iLO4 case
Alexandre Gazet, Fabien Perigaud, Joffrey Czarny
Date: 13 June 2018 at 11:30, 30 min.

iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides the features required by a system administrator to remotely manage a server without having to physically reach it. iLO4 (known to be used on the HP ProLiant Gen8 and ProLiant Gen9 server families) runs on a dedicated ARM micro-processor embedded in the server, totally independent from the main processor. We performed an initial deep dive security study of HP iLO4 and covered the following topics: firmware unpacking and memory layout, embedded OS internals, vulnerability discovery and exploitation, as well as full compromise of the host server operating system through DMA. One of the main outcomes of our study was the discovery of a critical vulnerability in the web server component allowing an authentication bypass but also a remote code execution. Still, one question remains open, namely: are the iLO systems resilient against a long-term compromise at firmware level? For this reason, this paper is focused on the update mechanism and how a motivated attacker can achieve long-term persistence on the system; how a new/backdoored firmware can be crafted and then installed, to offer an attacker a stealthy and resilient backdoor in an environment which has been compromised.