nothing more on Bloomberg SuperMicro story

October 7, 2018 ~ hucktech ~ Leave a comment

The numbers of on this twitter poll are interesting:

Do you believe that it is possible that the Bloomberg Chinese chip implant story is 100% false (psyops, incompetence, other reasons) and is not based on facts?

— Dr. Anton Chuvakin (@anton_chuvakin) October 5, 2018

I’ll be trying to avoid info on the Bloomberg story until something of substance shows up, there’s lots of mainstream media coverage of that story…

Hypervisor From Scratch – Part 4: Address Translation Using Extended Page Table (EPT)

October 7, 2018 ~ hucktech ~ Leave a comment

I published the 4th part of the tutorial “Hypervisor From Scratch” about Second Level Address Translation (SLAT) and Implementing Extended Page Table (EPT).

I should give my thanks to @PetrBenes as this part would never be completed without his help.https://t.co/TZKhUY859T

— Sinaei (@Intel80x86) October 5, 2018

https://rayanfam.com/topics/hypervisor-from-scratch-part-4/

ebcvm: EFI Byte Code Virtual Machine

October 7, 2018 ~ hucktech ~ Leave a comment

Appears to be new implementation of a UEFI bytecode VM. Builds with a simple Makefile, for C11 *nix systems. No other docs, except: EFI Byte Code Virtual Machine

https://github.com/retrage/ebcvm

Microsoft Ephemeral OS: limited public preview

October 5, 2018 ~ hucktech ~ Leave a comment

Check out the limited preview of #Azure Ephemeral OS Disk, a new type of OS disk providing local disk performance and faster boot and reset time: https://t.co/rSF9gO523p pic.twitter.com/j46TBnLxCF

— Microsoft Azure (@Azure) October 5, 2018

Last week at Microsoft Ignite, we launched Ultra SSD, a new industry leading high-performance disk type for IO intensive workloads. Adding to that, today we are delighted to share the limited preview of Ephemeral OS Disk, a new type of OS disk created directly on the host node, providing local disk performance and faster boot/reset time. Ephemeral OS Disk is supported for all virtual machines (VM) and virtual machine scale sets (VMSS). This offering is based on your feedback to provide a lower cost, higher performant OS disk for stateless applications, which enable them to quickly deploy the VMs and reset them to its original state.[…]

https://azure.microsoft.com/en-us/blog/ephemeral-os-disk-limited-public-preview/

Announcing Ultra SSD – the next generation of Azure Disks technology (preview)

New Apple MacBook Pros prevented from non-Apple Independent Repair

October 5, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/jason_koebler/status/1047980723293093890

https://motherboard.vice.com/en_us/article/yw9qk7/macbook-pro-software-locks-prevent-independent-repair

Failure to run Apple’s proprietary diagnostic software after a repair “will result in an inoperative system and an incomplete repair.”

more on SuperMicro Bloomberg story

October 5, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/10/04/bloomberg-the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-u-s-companies/

SuperMicro response:
https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg.cfm

Apple response:
https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/

Amazon.com response:
https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/

More info:

Making sense of the Supermicro motherboard attack

https://blog.senr.io/blog/impervious-implants-splintery-supply-chains
https://motherboard.vice.com/en_us/article/gye8w4/chinese-supply-chain-hack-apple-bloomberg

There’s recent news about some really interesting hardware implants. I wanted to take a bit to share more technical thoughts and details that can’t be reduced to a mainstream article on the topic.
threaded: https://t.co/7VdmaDaQNr

— Joe Fitz (@securelyfitz) October 4, 2018

CHIPSEC adds LoJax to UEFI module blacklist

October 5, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/09/27/apt28-malware-lojax-uses-uefi-rootkit/

the CHIPSEC tool has added this new UEFI malware to it’s blacklist.

https://github.com/chipsec/chipsec/commit/1ea5ea3c04f462201971160ca795e87511d65da8

https://github.com/chipsec/chipsec/commit/1ea5ea3c04f462201971160ca795e87511d65da8#diff-0e85babdc272abb21e8fdbe4aab522f6

Bloomberg: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

October 4, 2018 ~ hucktech ~ 1 Comment

The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.

[…]There are two ways for spies to alter the guts of computer equipment.
One, known as interdiction, consists of manipulating devices as they’re in transit from manufacturer to customer. This approach is favored by U.S. spy agencies, according to documents leaked by former National Security Agency contractor Edward Snowden.
The other method involves seeding changes from the very beginning.[…]

https://twitter.com/qrs/status/1047788385425940480

This story is something. https://t.co/tTctvvFrrH

— Matthew Green (@matthew_d_green) October 4, 2018

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Complementary question to ask yourselves after the BMC hardware hack: who has the signing CA for the firmware upgrades of <enter your device> and how do you know there aren’t several “other” intermediate CAs?

“Dormi preoccupato”™¹
__
¹ sleep in fear, Italian conscript classic.

— Arrigo Triulzi (@cynicalsecurity) October 4, 2018

https://twitter.com/qrs/status/1047788391939682309

All hope is lost pic.twitter.com/CoI3eIhFdf

— Taiki (@taiki@mastodon.social) (@Taiki__San) October 4, 2018

Positive Technologies researcher finds vulnerability enabling disclosure of Intel ME encryption keys

October 3, 2018 ~ hucktech ~ Leave a comment

Our new paper "Intel ME Manufacturing Mode: obscured dangers" about SPI write-protection bypass in Apple MacBook. https://t.co/PTswfwJBZA [ru]https://t.co/G2l3nzuhSD [en]

— Maxim Goryachy (@h0t_max) October 2, 2018

Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability CVE-2018-4251 https://t.co/lJ8XTN6sKs #MacBook #Intel #IntelME

— PT Security (@PTsecurity_EN) October 2, 2018

http://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html

One of the interesting things about https://t.co/SHusekPfJn is the reference to ExitBootServices() – it sounds like there's an expected contract between the OS boot environment and the firmware, but that contract is entirely undocumented

— Matthew Garrett (@mjg59@nondeterministic.computer) (@mjg59) October 3, 2018

https://twitter.com/qrs/status/1047380728428806145

Eclypsium on LoJax UEFI malware

October 3, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/09/27/apt28-malware-lojax-uses-uefi-rootkit/, Eclypsium has a new blog post on this malware:

New blog by Eclypsium research team:

UEFI Attacks in the Wildhttps://t.co/wzVsZqRQhw #UEFI #firmware #LoJax #CHIPSEC pic.twitter.com/TBbrU1nDb0

— Eclypsium (@eclypsium) October 1, 2018

We have been tracking firmware vulnerabilities for years. Now there is proof of them being used in the wild: https://t.co/nsxTN4JjLG #uefi #firmware #LoJax @chipsec

— Alex Bazhaniuk (@ABazhaniuk) October 1, 2018

https://blog.eclypsium.com/2018/10/01/uefi-attacks-in-the-wild/

Brian on open source firmware

October 3, 2018 ~ hucktech ~ Leave a comment

Brian Richardson of Intel has a new blog post, after the Open Source Firmware Conference, on open source firmware issues:

New @IntelSoftware
blog: "Open Source Firmware: Two Ends of the Spectrum"https://t.co/pd5vWHkZZl pic.twitter.com/zRgQr9Jns7

— Brian Richardson (on LinkedIn) (@BrianOnChips) October 2, 2018

https://software.intel.com/en-us/blogs/2018/10/01/open-source-firmware-two-ends-of-the-spectrum

Open Source Firmware Conference: videos uploaded

October 3, 2018 ~ hucktech ~ Leave a comment

The recordings from @osfc_io are now online! Thanks again everyone for attending and the speakers and vendors for sharing their knowledge and experiences. You all made the event a great success. 🙂 https://t.co/lEyXGXUdev

— Daniel Maslowski aka CyReVolt 🐢 (@OrangeCMS) October 2, 2018

Finally we've uploaded the main gigs from our awesome @osfc_io speakers, including some quality issues in the first 5 videos – so sorry! Thanks again for attending our very first #opensource #firmware Conference! #OSFC2018 https://t.co/Ni4rCUFMwy …

fb: https://t.co/666maSMW1u

— Open Source Firmware Conference (@osfc_io) October 2, 2018

UEFI workshops at BSidesPDX!

October 2, 2018 ~ hucktech ~ Leave a comment

Exciting, there are two workshops at BSidesPDX in Portland Oregon next month:

Detecting Evil Maid Firmware Attacks
https://bsidespdx.org/events/2018/workshops.html#Evil%20Maid

UEFI and CHIPSEC development for Security Researchers
https://bsidespdx.org/events/2018/workshops.html#Chipsec

PS: If you’re in town, there’s also the Portland Retro Gaming Expo, starting a few days earlier:
https://www.oregoncc.org/events/2018/10/portland-retro-gaming-expo-2018
http://www.retrogamingexpo.com/

ACM SIG Arch: Reflections on trusting SGX

October 1, 2018 ~ hucktech ~ Leave a comment

Reflections on trusting SGX
by Mark Silberstein
Sep 25, 2018

The security community will remember the year of 2018 as the year of speculative execution attacks. Meltdown and Spectre, the recent Foreshadow (L1TF in Intel’s terminology), and their variants demonstrate how the immense processor design complexity, perpetual drive for higher performance, and subtle hardware-software interactions — all collude to create a major system security earthquake that is shaking the whole industry. Foreshadow stands out in that it wreaks havoc on Intel SGX, Intel’s recent instruction set extension for building trusted execution environments, which has been envisioned as a stronghold of security in future computing systems. In this blog I highlight the important differences between Foreshadow and other speculative execution attacks, and raise a few questions that require much more than just a technical solution.[…]

Reflections on trusting SGX

GNU/HardenedLinux translates ‘Platform Firmware Security Defense…’ ebook to Chinese

September 30, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/07/28/new-ebook-platform-firmware-security-defense-for-enterprise-system-administrators-and-blue-teams/

The book “Platform Firmware Security Defense for Enterprise System Administrators and Blue Teams“, which Paul English of PreOS security wrote, introducing the concept of firmware security for the system administrator audience:

https://preossec.com/Newsletter-Q3-2018/
https://preossec.com/products/ebook-download

has been translated to Chinese, by the GNU Hardened Linux project!

https://github.com/hardenedlinux/hardenedlinux_translations/tree/master/platform_firmware_security_defense

more info:

https://hardenedlinux.github.io/

lojax_uefi_rootkit_checker: detect LoJax UEFI malware (on some HP ProLiant DLxxx systems)

September 30, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/09/27/apt28-malware-lojax-uses-uefi-rootkit/

A new detection tool in Python3:

#Yalnizca ProLiant DL180 ve ProLiant DL360 tipi sunucular icin firmware kontrolune uygundur.
#This script performs firmware checks for only ProLiant DL180 and ProLiant DL360.

https://github.com/evgind/lojax_uefi_rootkit_checker

Vincent on recent UEFI presentations

September 28, 2018 ~ hucktech ~ Leave a comment

Vincent has a new blog post, covering some of his recent tour of speaking engagements, with a bit on UEFI, and even some FSP humor.

http://vzimmer.blogspot.com/2018/09/east-and-further-east.html

HowToForge: Building and flashing a secured AOSP build with verified boot and separate lockscreen password for the Nexus 5X

September 27, 2018 ~ hucktech ~ Leave a comment

[…]This tutorial aims to provide detailed instructions on how to solve these caveats, building and flashing AOSP for the Nexus 5X with verified boot and using separate lockscreen/encryption secrets.

https://www.howtoforge.com/tutorial/building-and-flashing-a-secured-aosp-build-with-verified-boot-and-separate-lockscreen-password-for-the-nexus-5x/

APT28 malware LoJax uses UEFI rootkit

September 27, 2018 ~ hucktech ~ 4 Comments

https://thehackernews.com/2018/09/uefi-rootkit-malware.html?m=1

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/

Note that UEFI Secure Boot would NOT stop implants like #LoJax. DXE drivers loaded from SPI are generally not verified by the Secure Boot (slide 38 in https://t.co/dcHC1NsM3u [pdf]) https://t.co/Wuz3LcKjR3

— Yuriy Bulygin (@c7zero) September 27, 2018