Dell Inspiron 20-3052 BIOS update concerns

If you have this Dell, be careful about the current update, multiple users have the problem. Quoting the Register article:

As one forum wag noted: “Some send out ‘WannaCry’, others send out BIOS upgrades”.

https://www.theregister.co.uk/2017/05/18/dell_bios_update_borks_pcs/

http://en.community.dell.com/support-forums/desktop/f/3514/t/20012309?pi21953=1

http://en.community.dell.com/support-forums/desktop/f/3514/p/19435778/20050222

PS: These are nice references from Dell’s support wiki:

http://en.community.dell.com/support-forums/desktop/w/desktop/3624.beep-codes-and-psa-diagnostic-chart

http://en.community.dell.com/support-forums/desktop/w/desktop/3634.extremely-long-psa-code-chart

SiFive Coreplex IP for RISC-V

RISC-V is a free and open instruction set architecture based on modern design techniques and decades of computer architecture research. With over 60 member companies and a robust software ecosystem, RISC-V is set to be the standard architecture in all modern computing devices, from 32-bit embedded microcontrollers to 64-bit application processors and datacenter accelerators and beyond. SiFive Coreplex IP are the most widely deployed RISC-V cores in the world and are the lowest risk, easiest path to RISC-V. SiFive Coreplex IP are fully synthesizable and verified soft IP implementations that scale across multiple design nodes, making them ideal for your next SoC design.

https://www.sifive.com/products/coreplex-risc-v-ip/

Texplained

“On its brand new online store, French start-up Texplained (Valbonne, France) presents itself as the leading expert in the reverse engineering and security analysis of integrated circuits. The company aims to review every major IC on the market to create a library of detailed information and analysis about IC hardware from leading chip manufacturers.[…]”

http://www.smart2zero.com/news/hacking-secure-chips-common-good

http://www.texplained.com/texplained

MemoryMonRWX: Windows hypervisor to detect rootkits

Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies developed by Intel and AMD for their CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.

http://igorkorkin.blogspot.com/2017/03/memorymonrwx-detect-kernel-mode.html

RPMB

I learned a new word today: “RPMB” (Replay Protected Memory Block). 🙂

https://github.com/OP-TEE/optee_os/blob/master/documentation/secure_storage_rpmb.md

https://lwn.net/Articles/694798/

https://lwn.net/Articles/682276/

Leviathan Framework

Leviathan is a mass audit toolkit which has a wide range of service discovery, brute force, SQL injection detection and custom exploit running capabilities. It consists of open source tools such as masscan, ncrack, dsss and gives you the flexibility of using them in combination. The main goal of this project is auditing as many systems as possible country-wide or in a wide IP range.[…]

https://github.com/leviathan-framework/leviathan
https://leviathan-framework.org/

Not to be confused with Leviathan Security’s Lotan.

http://www.leviathansecurity.com/lotan

sniffROM

sniffROM: A tool for passive data capture and reconnaissance of serial flash chips. It is used in conjunction with a Saleae logic analyzer to reconstruct flash memory contents and extract contextual information about device operations. Supports SPI and I²C flash chips. Recognizes most flash commands across different chip vendors. Preserves actual memory addresses of captured data. Binary visualization of reconstructed image.

usage: sniffROM.py [-h] [--addrlen [{2,3,4}]] [--endian [{msb,lsb}]] [--filter [{r,w}]] [-o [O]] [--summary] [--graph] [-v] input_file

https://github.com/alainiamburg/sniffROM
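To show what "recognizes flash commands" and "preserves actual memory addresses" mean in practice, here is an added example (my own code, not sniffROM's) that rebuilds a SPI flash image from a list of captured chip-select transactions. The opcodes are the common JEDEC ones; the function names, the `flt` parameter (standing in for `--filter`) and SAMPLE_CAPTURE are my constructions, not a real trace.

```python
from typing import Dict, List, Optional, Tuple

# JEDEC-style SPI NOR opcodes shared by most vendors (3-byte and 4-byte-address forms).
READ, FAST_READ, PAGE_PROGRAM = 0x03, 0x0B, 0x02
READ_4B, FAST_READ_4B, PAGE_PROGRAM_4B = 0x13, 0x0C, 0x12
ADDR4_OPS = {READ_4B, FAST_READ_4B, PAGE_PROGRAM_4B}
DUMMY_OPS = {FAST_READ, FAST_READ_4B}   # one dummy byte before data is clocked out

# One transaction = the MOSI and MISO bytes seen while chip select was asserted.
Transaction = Tuple[bytes, bytes]

def decode(tx: Transaction, addrlen: int = 3) -> Tuple[str, int, bytes]:
    """Classify a transaction as read ('r'), write ('w') or other, with flash address and payload."""
    mosi, miso = tx
    op = mosi[0]
    alen = 4 if op in ADDR4_OPS else addrlen      # 4-byte opcodes override the default --addrlen
    addr = int.from_bytes(mosi[1:1 + alen], "big")
    off = 1 + alen + (1 if op in DUMMY_OPS else 0)
    if op in (READ, FAST_READ, READ_4B, FAST_READ_4B):
        return "r", addr, miso[off:]               # the chip answers on MISO
    if op in (PAGE_PROGRAM, PAGE_PROGRAM_4B):
        return "w", addr, mosi[off:]               # the host supplies data on MOSI
    return "other", 0, b""                         # RDID, WREN, status reads, ...

def reconstruct(txs: List[Transaction], addrlen: int = 3, flt: Optional[str] = None) -> Dict[int, int]:
    """Rebuild {address: byte} from captured traffic; flt='r' or 'w' keeps only that access type."""
    image: Dict[int, int] = {}
    for tx in txs:
        kind, addr, data = decode(tx, addrlen)
        if kind == "other" or (flt and kind != flt):
            continue
        for i, b in enumerate(data):
            image[addr + i] = b    # later traffic overwrites earlier; real flash addresses are kept
    return image

def to_flash_bytes(image: Dict[int, int], size: int) -> bytes:
    """Serialize for a hex editor; bytes never seen on the bus read as erased flash (0xFF)."""
    return bytes(image.get(a, 0xFF) for a in range(size))

# Constructed sample capture (not a real trace): RDID, READ, FAST_READ, PAGE_PROGRAM, 4-byte READ.
SAMPLE_CAPTURE: List[Transaction] = [
    (bytes([0x9F, 0, 0, 0]), bytes([0xFF, 0xEF, 0x40, 0x18])),
    (bytes([0x03, 0, 0, 0x10]) + b"\x00" * 4, b"\xFF" * 4 + b"\xDE\xAD\xBE\xEF"),
    (bytes([0x0B, 0, 0, 0x20, 0]) + b"\x00" * 2, b"\xFF" * 5 + b"\x01\x02"),
    (bytes([0x02, 0, 0, 0x10, 0x55, 0x66]), b"\xFF" * 6),
    (bytes([0x13, 0x01, 0, 0, 0]) + b"\x00", b"\xFF" * 5 + b"\x7F"),
]

if __name__ == "__main__":
    print(to_flash_bytes(reconstruct(SAMPLE_CAPTURE), 0x24).hex())
```

The page-program write at 0x10 lands on top of the earlier read of the same address, which is why a read-only reconstruction (`flt="r"`) shows the old contents while the unfiltered image shows the new ones.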

UEFI-SecureBoot-SignTool

Aneesh Neelam has written UEFI-SecureBoot-SignTool, a script to sign external Linux kernel modules for UEFI Secure Boot.

UEFI Secure Boot sign tool

The default signed Linux kernel on Ubuntu (>=16.04.x), Fedora (>=18) and perhaps on other distributions as well, won’t load unsigned external kernel modules if Secure Boot is enabled on UEFI systems. Hence, any external kernel modules like the proprietary Nvidia kernel driver, Oracle VM VirtualBox’s host/guest kernel driver etc. won’t work. External kernel modules must be signed for UEFI Secure Boot using a Machine Owner Key (MOK). You can use the UEFI Secure Boot Sign Tool to sign kernel modules. This is useful if you can’t or don’t wish to disable Secure Boot on your UEFI-enabled system.[…]

https://github.com/aneesh-neelam/UEFI-SecureBoot-SignTool
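What "signing a module" produces on disk is a PKCS#7 blob appended to the .ko, followed by a small header and a fixed marker string; the kernel checks that trailer before it will load the module under Secure Boot. The following added example (my own code, not the sign tool's and not the kernel's) lays out and parses that trailer so you can check whether a module is signed before rebooting. `append_signature`, `split_signature`, FAKE_MODULE and FAKE_SIG are my names and constructed data; the DER blob must come from a real signer such as the kernel's scripts/sign-file with your MOK key.

```python
import struct

# Appended-signature layout used by the kernel's scripts/sign-file:
#   <module ELF> <PKCS#7 DER signature> <struct module_signature> "~Module signature appended~\n"
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")

def append_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Lay out a signed module the way sign-file does (the DER must come from a real signer)."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + info + MODULE_SIG_STRING

def split_signature(blob: bytes):
    """Return (module, pkcs7_der) if blob carries an appended signature, None if it is unsigned.

    Raises ValueError on a trailer the kernel would reject: wrong id_type, non-zero legacy
    fields, or a sig_len that does not fit in the file.
    """
    if not blob.endswith(MODULE_SIG_STRING):
        return None
    body = blob[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated module_signature")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    body = body[:-SIG_INFO.size]
    if id_type != PKEY_ID_PKCS7 or (algo, hsh, signer_len, key_id_len) != (0, 0, 0, 0):
        raise ValueError("unsupported module_signature fields")
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("sig_len out of range")
    return body[:-sig_len], body[-sig_len:]

def is_signed(blob: bytes) -> bool:
    """True only for a well-formed appended signature; malformed trailers count as unsigned."""
    try:
        return split_signature(blob) is not None
    except ValueError:
        return False

# Constructed stand-ins (not a real ELF module, not a real DER signature).
FAKE_MODULE = b"\x7fELF" + b"\x00" * 28
FAKE_SIG = bytes(range(0x30, 0x40))

if __name__ == "__main__":
    print(is_signed(FAKE_MODULE), is_signed(append_signature(FAKE_MODULE, FAKE_SIG)))
```

Run `split_signature(open("foo.ko", "rb").read())` on a real module to see whether the signature is present; it does not verify the signature cryptographically, which is the MOK-enrolled kernel's job at load time.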

Reversing Intel ME’s ROMP module

Reverse-engineering the Intel Management Engine’s ROMP module
Youness Alaoui, Hardware enablement developer

Last month, while I was waiting for hardware to arrive and undergo troubleshooting, I had some spare time to begin some Intel ME reverse engineering work. First, I need to give some shout out to Igor Skochinsky, a Hex-Rays developer, who had been working on reverse engineering the Intel ME for a while, and who has been very generous in sharing his notes and research on the ME with us, which is going to be a huge help and cut down months of reverse engineering and guesswork. Igor was very helpful in getting me to understand the bits that didn’t make sense to me. The first thing I wanted to try and reverse was the ROMP module. It is one of the two modules that me_cleaner doesn’t remove, and given how small it is (less than 1KB of code+data), I thought it would be a good starting point. Turns out my hunch was right, as I finished reverse engineering that module after only a couple of days.[…]

https://puri.sm/posts/reverse-engineering-the-intel-management-engine-romp-module/

https://github.com/kakaroto/purism-playground

Intel AMT, continued

Matthew Garrett has a new tool to check for AMT on Linux:

If AMT is enabled and provisioned and the AMT version is between 6.0 and 11.2, and you have not upgraded your firmware, you are vulnerable to CVE-2017-5689. Disable AMT in your system firmware.

https://github.com/mjg59/mei-amt-check

A little bird told me some info about Intel AMT and Linux:

* Some BMC/IPMI devices also listen on port 623 because they support the same asf-rmcp protocol. So if you are using nmap to scan networks you may see false positives from these devices.

* The Intel OpenAMT tool can be used on Linux to determine if AMT is enabled. The procedure is something like:
  * build with: ./configure;make
  * on the system to test, load the mei modules with: modprobe mei-me
  * run the src/lms binary (only uses standard libraries, no need to ‘make install’)
  * check daemon.log, not enabled should be something like “LMS: Cannot connect to Intel AMT via MEI driver”
  * clean up by killing the running lms process, removing the lms binary, and unloading the mei modules: rmmod mei-me mei

https://sourceforge.net/projects/openamt/

* On Linux, blacklisting the mei-me/mei modules will prevent local access to AMT, but doesn’t help if it’s already enabled.

Absolute seeks OEM Business Development Director

It is an exciting time for the Absolute and Microsoft partnership! Absolute’s placement in Windows device firmware provides a truly unique position within the Microsoft partner ecosystem. We continue to strengthen this relationship by opening new doors of engagement through our recent product integration announcements. To further support the relationship, we are looking for a tenured Business Development Director[…]

http://jobs.jobvite.com/absolute/job/oarf5fwF

Intel AMT story, continued

A little bit more (warning: a few of these are related to Intel ME hardware, not Intel AMT firmware):

Rumor has it that OpenAMT can also be used for AMT detection:
https://sourceforge.net/p/openamt/wiki/Home/

AMT advisory from ASUS:
https://www.asus.com/News/uztEkib4zFMHCn5r

http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-8-2017/

https://community.rapid7.com/community/nexpose/blog/2017/05/11/on-the-lookout-for-intel-amt-cve-2017-5689

http://www.govinfosecurity.com/intels-amt-flaw-worse-than-feared-a-9901

Is Intel’s Management Engine Broken?

https://twitter.com/4Dgifts/status/862326241659150336