ReFirm Labs gets 1.5 million in funding, launches Centrifuge Platform

[…] Led by National Security Agency (NSA) alumni, ReFirm Labs aims to close the firmware security gap exploited by hackers to gain control of or disable IoT devices such as digital cameras, home appliances, routers, servers, printers and other connected machines. These common devices can be remotely taken over, destroyed or hijacked for Botnet attacks that effectively shut down or slow major web services such as Twitter, Spotify, Netflix, and PayPal. Distributed denial of service (DDoS) attacks use infected devices to bombard websites and have cost some organizations as much as $22,000 a minute in lost business and remediation costs. “Manufacturers often have little visibility or control over the firmware of third-party components that are integrated into their devices,” said ReFirm Labs CEO and co-founder Terry Dunlap, an NSA veteran with deep experience in wireless network security. “ReFirm Labs’ Centrifuge Platform makes it possible to rapidly assess the security posture of a device at any point in the lifecycle chain, identifying backdoor accounts, hard-coded passwords and potential zero-day threats.” Other key members of the ReFirm Labs team include co-founder and CTO Peter Eacmen, a Naval Postgraduate School alumni and former Department of Defense cyber expert for the NSA, FBI, and US Special Forces; and Principal Research Engineer Craig Heffner, author of the open source firmware project “binwalk,” a tool for reverse engineering compiled firmware images of embedded systems, and Firmware Mod-Kit. Additionally, John Stewart, Chief Security Officer of Cisco and Jay Emmanuel, Chief Architect at DataTribe, joined the ReFirm Labs board of directors.[…]

https://globenewswire.com/news-release/2017/11/15/1193408/0/en/ReFirm-Labs-Announces-1-5-Million-in-Funding-From-Startup-Studio-DataTribe-and-Launches-Firmware-Validation-Platform.html
https://www.refirmlabs.com/

Palantir on osquery

Palantir has a new blog post on osquery.

[…]The goal of this blog post is twofold: first, to provide configuration guidance for a multi-platform osquery deployment, and second to describe our open-source set of osquery configurations:[…]

https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55

http://www.palantir.com/

https://github.com/palantir/osquery-configuration

CopperheadOS: business model concerns

CopperheadOS is “A security and privacy focused mobile operating system compatible with Android apps.”

It appears the company is having problems trying to monetize an open source operating system. I hope they can solve things; they’re doing interesting security things with Android.

https://copperhead.co/android/
https://github.com/copperheados/

Kees on Linux 4.14 security enhancements

Kees Cook has a new blog post, talking about new security features in Linux kernel 4.14.

* vmapped kernel stack on arm64
* set_fs() balance checking
* SLUB freelist hardening
* setuid-exec stack limitation
* randstruct automatic struct selection
* structleak passed-by-reference variable initialization
* improved boot entropy
* eBPF JIT for 32-bit ARM
* seccomp improvements

security things in Linux v4.14

ME Analyzer 1.33.0 released (and microcode document revised)

Plato updates ME Analyzer, and an Intel microcode document!

https://github.com/platomav/MEAnalyzer

https://github.com/platomav/MCExtractor/wiki/Intel-Microcode-Extra-Undocumented-Header

new ARM instructions for 8.4-A*

The Arm Architecture is continually evolving, and this blog gives a high-level overview of some of the changes made in Armv8.4-A*. We develop these changes by listening to the Arm Ecosystem and working with them to provide new functionality that benefits everyone. These are incremental changes to the architecture and do not introduce any significant new features. Previous incremental versions of the architecture have been introduced for v8.3-A, v8.2-A, and v8.1-A. The rest of this blog introduces some of the new functionality. It does not offer a complete feature list. However, over the next few months we will be describing this functionality in more detail.[…]

https://community.arm.com/processors/b/blog/posts/introducing-2017s-extensions-to-the-arm-architecture

ARM assembler quickref

ARM Assembly Basics Cheatsheet

This ARM assembly basics cheatsheet covers registers, instructions, branching, and conditional execution. You can use it as a guideline if you’re starting out with ARM assembly and need a little refresher of the basics.


FOSDEM 2018 CfP: Hardware Enablement Devroom

FOSDEM is happening in Brussels, Belgium in early February.

FOSDEM Hardware Enablement Devroom Call for Participation

In this devroom we want to discuss topics surrounding hardware enablement. Subjects can range from the firmware running on the bare metal machine, drivers and plumbing all the way to the user interface. We welcome a broad range of presentations, including but not limited to technical talks, state of union summaries as well as discussions that facilitate the collaboration between community members, software vendors and OEMs. A particular emphasis will be given to talks covering a significant part of the software stack involved in hardware enablement, with an obvious focus on using open source throughout the whole stack.

Topics & Examples
* UX design to enable users to use their HW effectively
* Firmware:
  - coreboot
  - flashrom
  - UEFI EDK2 (Tianocore)
  - Security
  - Lockdown of platform using firmware
  - Updating
* Secure Boot
* Hardware testing / certification
* Thunderbolt 3 security modes
* Gaming input devices (keyboards, mice, piper)
* Biometric authentication
* Miracast or controlling remote devices
* Why vendors should facilitate upstream development

https://fosdem.org/

There are many more devrooms, as well:
https://fosdem.org/2018/news/2017-10-04-accepted-developer-rooms/

Reversing Toshiba laptop BIOS protection

Michał Kowalczyk has an interesting presentation on Intel BIOS reversing, focusing on a Toshiba system. Presentation is in Polish. If you have a Toshiba, see the excerpt below with advisory info.

https://twitter.com/q3k/status/928672822808973312

Toshiba's official position
Toshiba is working on a temporary BIOS update that can be used to prevent the security issue that has been raised and expects to release this update on its website within the next 2 weeks.
Toshiba plans to start the release of a permanent fix for some models from January, 2018 and will complete the releases of permanent fix for all applicable models by the end of March 2018.

http://dragonsector.pl/

Inside a low budget consumer hardware espionage implant

Wow, amazing!

Inside a low budget consumer hardware espionage implant
Analysis of the S8 data line locator
mich @0x6d696368

The following analysis was performed on a S8 data line locator […]A while back Joe Fitz tweeted about the S8 data line locator. He referred to it as “Trickle down espionage” due to its reminiscence of NSA spying equipment. The S8 data line locator is a GSM listening and location device hidden inside the plug of a standard USB data/charging cable. It supports the 850, 900, 1800 and 1900 MHz GSM frequencies. Its core idea is very similar to the COTTONMOUTH product line by the NSA/CSS [1] in which an RF device is hidden inside a USB plug. Those hidden devices are referred to as implants. The device itself is marketed as a location tracker usable in cars, where a thief would not be able to identify the USB cable as a location tracking device. Its malicious use-cases can, however, not be denied. Especially since it features no GPS making its location reporting very coarse (1.57 km deviation in my tests). It can, e.g., be called to listen to a live audio feed from a small microphone within the device, as well as programmed to call back if the sound level surpasses a 45 dB threshold. The fact that the device can be repackaged in its sliding case, after configuring it, i.e. inserting a SIM, without any noticeable marks to the packaging suggests its use-case: covert espionage.[…]
I was not able yet to write new firmware via flashrom because I was not able to disable block protection on the flash, yet. Maybe a different avenue for flashing new firmware could be the SPFlash tool and/or the Flash tool. However, that would not be open source. If you know something about the weird FAT12 file system used in the device or are able to flash your S8 data line locator please contact me with details![…]
No writeup would be complete without at least one fuck up. So here it is: While using the S8 data line locator with OpenBTS I provisioned imaginary numbers. When switching SIM cards I forgot to turn off the voice activated callback. So long story short, some guy with the number 3333333 listened in on me for 2 minutes:

Provider call log fail.

I did not notice this until I reviewed the logs! So my resume on these little hardware espionage implants: They are stealthy and dangerous as fuck![…]

https://ha.cking.ch/s8_data_line_locator/

Restart2UEFI: restart UEFI systems to firmware (for Windows)

This is a new project, a C# GUI that requires Windows and Visual Studio to build. It appears to be a wrapper to the Windows shutdown.exe utility.

https://github.com/spoonieau/Restart2UEFI

Restart2UEFI: Utilities to restart UEFI systems to firmware. An easier way to get your system to boot to the motherboard’s firmware interface than going through Win’s recovery options or finding a paperclip for certain notebooks.

Restart2UEFI winforms build ported to UWP. Needs Restart2UEFIHelper.exe in the project’s win32 dir. Was going to be released on the Windows Store, but due to needing the use of a win32 exe and only holding a developer licence, I was unable to submit and have a compiled app available.

osquery

osquery is in the news a few places this week. They won an award at O’Reilly Security, the 2017 Project Defender Award. They were at Microsoft BlueHat, and they’ve got a new blog post.

https://twitter.com/mikearpaia/status/928638474651078656

[…]This marks the start of a four-part blog series that sheds light on the current state of osquery, its shortcomings and opportunities for improvement.[…]

How are teams currently using osquery?

https://github.com/facebook/osquery

https://osquery.io/

Many vulnerabilities found in Linux kernel USB subsystem by syzkaller

https://twitter.com/kayseesee/status/927923337543655424

Andrey Konovalov posted a bunch of Linux USB vulnerabilities to the OSS-Security list, found using the syzkaller Linux system call fuzzer.

Hi! Below are the details for 14 vulnerabilities found with syzkaller in the Linux kernel USB subsystem. All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine. There’s quite a lot more similar bugs reported [1] but not yet fixed.[…]

The first message had 14 vulns:
http://www.openwall.com/lists/oss-security/2017/11/06/8
This second message has 8 more:
http://www.openwall.com/lists/oss-security/2017/11/08/2

https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs_usb.md
https://github.com/google/syzkaller

Google syzkaller – Linux syscall fuzzer

LAVA 2017.11 released

Neil Williams of Linaro announced the 2017.11 release of LAVA.

2017.11 is the second release on the roadmap to the removal of V1. This is the single largest change ever made to the LAVA packages.
* All dashboard URLs are permanently disabled in lava-server.
* All devices which were not enabled for V2 are now hidden and unusable.
* All V1 code has been removed from lava-dispatcher.
* All V1 documentation has been removed from lava-server-doc.

2017.11 also includes large changes to the packaging of both lava-server and lava-dispatcher. The prompts formerly used to configure a V1 remote worker have been removed.

https://lists.linaro.org/pipermail/lava-announce/2017-November/000040.html
https://lists.linaro.org/pipermail/lava-announce/2017-September/000037.html
https://github.com/Linaro/pkg-lava-server
https://github.com/Linaro/pkg-lava-dispatcher
https://www.linaro.org/initiatives/lava/
https://validation.linaro.org/
https://wiki.linaro.org/LAVA
https://wiki.linaro.org/QA/AutomatedTestingFramework
https://wiki.debian.org/LAVA

UEFI-Bootkit docs updated

Re: https://firmwaresecurity.com/2016/11/04/uefi-bootkit/

Aidan Khoury of Quarkslab has updated UEFI-Bootkit. The only change to the project in the last year was an update to the README, with more info. It is worth reading the USRT review of this bootkit at the above URL.

https://github.com/dude719/UEFI-Bootkit

UEFI-Bootkit: A small bootkit designed to use zero assembly. Make sure to compile the driver as an EFI Runtime driver (EFI_RUNTIME_DRIVER) or else the bootkit will be freed once winload.efi calls ExitBootServices! Thanks to pyro666, dreamboot, and VisualUEFI.
