ISSA Ottawa: intro to UEFI and why you should care

If you are in the Ottawa area, the ISSA event in 2 days sounds interesting:

An Introduction to UEFI and Why We Should Care

An introduction to UEFI (Unified Extensible Framework Interface) and the supported security controls framework. We will discuss how these UEFI security controls may be bypassed or where firmware implementations have failed, with the goal of compromising the integrity of the boot process and the running Operating System.

Speaker:  Mr. Sues, CEO of Rigel Kent Security, Cryptid Labs and co-CEO of Invariant Security is an experienced Penetration Tester, Vulnerability Researcher and Security Trainer with an extensive background in both operational penetration testing and the identification of new vulnerabilities in applications and operating systems. Mr. Sues develops tools and exploits, specializing in the development of buffer overflow technology for use in assessing client systems. In doing so, he has reverse engineered many commercial and custom UNIX and Windows-based applications, protocols and Operating Systems to locate and analyze vulnerabilities or understand the software’s operation. As well, he has evaluated many vendor products, commercial and proprietary encryption algorithms, operating systems, network services, SANs, routers, and firewalls such as Checkpoint and CISCO PIX/ASA firewalls and has performed local host vulnerability assessments of firewalls, routers/switches, Windows Servers and Solaris/UNIX/Linux systems. Mr. Sues is also co-founder of the COUNTERMEASURE series of security conferences and training events held in Ottawa, Canada with the most recent, COUNTERMEASURE 2015, held November 16-20, 2015.

http://events.r20.constantcontact.com/register/event?llr=i4mkfneab&oeidk=a07ebs3188hc4ff8736

securely managing IoT gateways

Russel Doty of Red Hat has an article in Mil-Embedded entitled “IoT: Embedded and Secure”:

“Last time I wrote about how the Internet of Things (IoT) is impacting the design of military embedded systems; this month, I’d like to address IoT and security. Specifically, I want to address the security processes involved in managing IoT gateways, which are vital to the successful operation of critical applications. […]”

Full article:

http://mil-embedded.com/guest-blogs/iot-embedded-and-secure/

PANDA VM

I just noticed PANDA, a VM for malware analysis:

PANDA is an open-source Platform for Architecture-Neutral Dynamic Analysis. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU’s support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. It is currently being developed in collaboration with MIT Lincoln Laboratory, Georgia Tech, and Northeastern University.

http://moyix.blogspot.com/2015/10/panda-vm-update-october-2015.html

https://github.com/moyix/panda

FBI recommendations on consumer IoT security

Back in September, the FBI issued a public service announcement on IoT security and the opportunities these devices bring criminals:

http://news.softpedia.com/news/fbi-issues-alert-on-the-security-of-internet-of-things-iot-devices-491566.shtml

Excerpt of their recommendations:

Consumer Protection and Defense Recommendations

* Isolate IoT devices on their own protected networks;
* Disable UPnP on routers;
* Consider whether IoT devices are ideal for their intended purpose;
* Purchase IoT devices from manufacturers with a track record of providing secure devices;
* When available, update IoT devices with security patches;
* Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router;
* Use current best practices when connecting IoT devices to wireless networks, and when connecting remotely to an IoT device;
* Patients should be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor;
* Ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer. Many default passwords can be easily located on the Internet. Do not use common words and simple phrases or passwords containing easily obtainable personal information, such as important dates or names of children or pets. If the device does not allow the capability to change the access password, ensure the device providing wireless Internet service has a strong password and uses strong encryption.

Full article:

http://www.ic3.gov/media/2015/150910.aspx


UEFI SMM hello world

https://docs.google.com/file/d/0B3M7WqiAoyr_NWI2NjdhYWUtMjE1NS00Njc2LThmZjItNWExZDZkYzUzMjJk/edit?authkey=CM6a8JYE&ddrp=1&hl=en&pli=1

This is also a useful blog post on the topic of beginning SMM drivers:

http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html

as is this:

http://blogs.phoenix.com/phoenix_technologies_bios/2008/12/bios-undercover-writing-a-software-smi-handler.html

LUV updated to include CHIPSEC 1.2.2

Ricardo Neri of Intel has updated LUV to include the latest CHIPSEC, version 1.2.2! Excerpt from the checkin patch message:

A new version of CHIPSEC has been released. Bump LUV to use such version.

Updating CHIPSEC also requires updating the patches that we apply on top of it. Changes to these patches are not functional; only rebased to 1.2.2.

Finally, take this opportunity to add a PV variable to the recipe.

Full message:
https://lists.01.org/pipermail/luv/2015-November/000687.html

Derusbi codesigning bypass analysis

Sekoia.fr has a post, “Windows driver signing bypass by Derusbi”, analyzing the Derusbi malware and its code signing bypass. Detailed analysis.

http://www.sekoia.fr/blog/windows-driver-signing-bypass-by-derusbi/

(The above article is about Windows OS-level security. Note that UEFI Secure Boot relies on code signing very similar to Windows driver signing as its main integrity control: boot loaders and drivers are PE/COFF images carrying Authenticode signatures, which the firmware checks against its db/dbx signature databases before executing them. Those images live on the EFI System Partition, a FAT file system with no ACLs, so depending on your OS and how it mounts the ESP, anyone may be able to modify them; if Secure Boot is off, nothing else stops a modified loader from running.)
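Because both Windows drivers and UEFI images are PE/COFF files, one parser can tell whether either kind carries an embedded Authenticode signature. The script below is an added example, not code from the original post or from the Sekoia analysis: it reads the PE headers, follows data directory entry 4 (the security directory, which holds a raw file offset rather than an RVA) to the appended WIN_CERTIFICATE blob, and reports the subsystem, machine and whether a signature is present. It only checks that a signature is present and well-formed; verifying the PKCS#7 against the Windows CA roots or the Secure Boot db/dbx is a separate step. The sample images it builds are constructed, header-only and not executable.

```python
"""Report whether a PE/COFF image (Windows driver or UEFI image) carries an
embedded Authenticode signature.

Added example; not code from the original post or from the Sekoia analysis.
Presence of a WIN_CERTIFICATE is reported, not its validity. The sample images
built by build_sample_image() are constructed for testing only.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
MACHINES = {0x14C: "i386", 0x8664: "x86_64", 0xAA64: "aarch64"}
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI",
              10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER",
              12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM"}


def inspect_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and locate the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:          # PE32+ (x64 and AArch64 UEFI images)
        n_dirs_off, dirs_off = 108, 112
    elif magic == 0x10B:        # PE32 (32-bit images)
        n_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    info = {"machine": MACHINES.get(machine, hex(machine)),
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "has_authenticode": False, "cert_type": None, "cert_len": 0}
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + opt_size:
        return info                                  # no security directory at all
    # Unlike the other directories, this entry holds a file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, entry)
    if off == 0 or size == 0:
        return info                                  # unsigned image
    if size < 8 or off + size > len(data):
        raise ValueError("security directory points outside the file")
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    if length < 8 or length > size:
        raise ValueError("WIN_CERTIFICATE length inconsistent with directory")
    info.update(has_authenticode=True, cert_type=cert_type, cert_len=length - 8)
    return info


def build_sample_image(subsystem: int, signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image for testing (hypothetical, not a real binary)."""
    magic, std_size = (0x20B, 112) if pe32plus else (0x10B, 96)
    n_dirs = 16
    opt_size = std_size + 8 * n_dirs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew: right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, n_dirs)
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    if signed:
        # A real image carries DER-encoded PKCS#7 SignedData here; placeholder bytes only.
        blob = b"\x30\x82" + b"\0" * 30
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        image += b"\0" * ((-len(image)) % 8)           # certificate table is 8-byte aligned
        entry = len(dos) + 4 + 20 + std_size + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    for sub, signed in ((10, True), (10, False), (2, True)):
        print(inspect_pe(build_sample_image(sub, signed)))
```

Run it against a real file by passing `open(path, "rb").read()` to `inspect_pe`; a Secure Boot loader such as a shim or bootmgfw.efi should report `has_authenticode` true with subsystem EFI_APPLICATION, and a stock Windows driver should report NATIVE or WINDOWS_* with the same certificate structure.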

7-Zip adds UEFI support

Interesting, I just noticed that 7-Zip can read UEFI containers. Excerpt from today’s announcement on BetaNews:

After five years of stop-start development, 7-Zip has just released a new stable version 15.2. It’s been a long wait, but if you’re still using the latest stable build — 9.20 — then there are plenty of reasons to upgrade. There’s support for unpacking many more containers: UEFI BIOS files, WIM files, RAR5 archives, ext2/ ext3/ ext4 images, GPT, VMDK, and single file QCOW2 and VDI images. […]

(I think this support has been in 7-Zip since 2011, but I am just noticing it, and they are announcing it like it is new…)

http://www.7-zip.org/history.txt

7-Zip gets a major update at last

http://sourceforge.net/p/sevenzip/discussion/45797/thread/7b27c6ac

http://sourceforge.net/p/sevenzip/discussion/45797/thread/8eb27f98

http://www.7-zip.org/

crowdfunding campaign begins for Nitrokey Storage

Jan Suhr of Nitrokey announced the crowdfunding campaign for their new Nitrokey Storage device, based on open hardware and open source software. Excerpt from announcement:

Nitrokey Storage is a USB device which operates as a “digital latchkey” to protect your data and user accounts. It allows for the secure encryption of emails, files and hard drives, secure login on the web and contains encrypted mass storage. The encryption keys are stored securely in the hardware at all times. Nitrokey is made entirely in Germany and stands out on the market because it is 100% open-source and uses 100% open hardware, which in the times of NSA, hacker attacks and Trojans is the only option that allows users to keep control of their data and to rule out dangerous backdoors. It is also the first hardware worldwide with hidden storage, which enables users to plausibly deny the existence of additional encrypted data. This can be useful during border controls or similar threatening situation. Use Cases:
* Encryption of emails, hard drives, and other data via a highly secure smart card. Secure keys are protected by the hardware.
* Secure login on the web and protection against identity theft via one-time passwords.
* Secure transport and exchange of sensitive files via encrypted mass storage (up to 64 GB).
* The first hardware worldwide with hidden storage, which allows users to plausibly deny the existence of encrypted data (e.g. during border controls).
* 100% open-source and open hardware. No backdoors for intelligence services.

Full announcement:
http://igg.me/at/nitrokey
https://www.nitrokey.com/news/2015/crowdfunding-nitrokey-storage-started-just-now

After reading the above, I emailed Jan asking for pointers to the source for the firmware, and the URLs are below, along with this paragraph response:

https://github.com/Nitrokey/nitrokey-storage-firmware
https://github.com/Nitrokey/nitrokey-storage-hardware

All are our own custom developments. The firmware is pretty barebone and doesn’t use a full OS (e.g. Linux) to minimize the attack vector. What we use is FreeRTOS which provides minimal abstraction such as interrupts and memory management.


Intel Platform QoS tool for Linux

Colin King of Canonical has a new blog post on Intel’s Platform QoS tool (pqos), which uses Cache Monitoring Technology, and his packaging of it for Ubuntu:

“The Intel Platform Shared Resource Monitoring features were introduced in the Intel Xeon E5v3 processor family. These new features provide a mechanism to measure platform shared resources, such as L3 cache occupancy via Cache Monitoring Technology (CMT) and memory bandwidth utilisation via Memory Bandwidth Monitoring (MBM). Intel have written a Platform Quality of Service Tool (pqos) to use these monitoring features and I’ve packaged this up for Ubuntu 16.04 Xenial Xerus.” […]

http://smackerelofopinion.blogspot.com/2015/11/intel-platform-shared-resource.html

https://software.intel.com/en-us/blogs/2014/12/11/intels-cache-monitoring-technology-use-models-and-data

https://github.com/01org/intel-cmt-cat

Intel Security Center announce list still broken

Intel has a Security Center web site for security advisories on its products (including firmware updates), with a listing of new advisories and a mailing list meant to notify subscribers of new advisories.

https://security-center.intel.com/SearchResults.aspx

https://security-center.intel.com/MailingList.aspx

The mailing list does not work. I’ve told them about this for the last few months, no reply. Don’t trust Intel’s list to keep up-to-date on Intel security. You have to visit the web site every few days to find out about new advisories. Like the below one which came out earlier this week:


Potential vulnerability of Intel SSD 750 Series and Intel® SSD DC P3500 Series

Intel ID:      INTEL-SA-00047
Product family:      Intel® SSD 750 Series, Intel® SSD DC P3500 Series
Impact of vulnerability:      Denial of Service
Severity rating:      Important
Original release:      Nov 17, 2015

Intel discovered an issue with certain Intel Solid State Drives (SSDs) that could potentially result in an inability to access user data or, in rare cases, potential data loss. Intel is releasing software updates to mitigate this issue.

Intel discovered an issue with certain Intel Solid State Drives (SSDs) that could potentially result in an inability to access user data or, in rare cases, potential data loss. The drives affected by this issue are the Intel SSD 750 Series and Intel SSD DC P3500 Series that were produced between January 2015 and June 2015. Intel is offering a firmware upgrade to address the issue. Intel has not received any reports of Intel SSD products having experienced this issue.

Full announcement:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00047&languageid=en-fr

Determining Windows partition information

Patrik Suzzi has an article on GPT partitions and how to determine whether a disk is MBR or GPT. It is written for Windows users, has lots of screenshots, and looks to be informative:

http://www.multibooters.com/guides/determine-if-hard-drive-is-mbr-or-gpt.html
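The same determination can be made directly from the disk’s first two sectors, which is handy on a forensic image or a headless box where the Windows GUI tools in the article are not available. The script below is an added example and is not from that article: it assumes 512-byte sectors, reads the boot signature and the four primary partition types from LBA 0, and looks for the “EFI PART” header in LBA 1, checking the GPT header CRC32 so that a stale or tampered header is flagged rather than trusted. A GPT disk shows a protective 0xEE partition in LBA 0 and a valid header in LBA 1; a legacy MBR disk shows real partition types and no header. The sample disks it builds are constructed inline and are not real images.

```python
"""Classify a raw disk image as MBR or GPT from its first two sectors.

Added example, not from the multibooters article. Assumes 512-byte sectors;
the sample disks built by sample_gpt_disk()/sample_mbr_disk() are constructed.
"""
import struct
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_LEN = 92
MBR_TYPES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)", 0x83: "Linux",
             0xEE: "GPT protective", 0xEF: "EFI System (MBR)"}


def partition_scheme(image: bytes) -> dict:
    """Return the scheme ('gpt', 'mbr' or 'none') plus the evidence it rests on."""
    if len(image) < 2 * SECTOR:
        raise ValueError("need at least LBA 0 and LBA 1")
    mbr, lba1 = image[:SECTOR], image[SECTOR:2 * SECTOR]
    result = {"scheme": "none", "mbr_types": [], "protective_mbr": False,
              "gpt_header": False, "gpt_crc_ok": False}
    if mbr[510:512] != b"\x55\xAA":
        return result                                   # no boot signature: blank disk
    raw_types = [mbr[446 + 16 * i + 4] for i in range(4)]  # four primary entries at 446
    result["mbr_types"] = [MBR_TYPES.get(t, "0x%02X" % t) for t in raw_types if t]
    result["protective_mbr"] = 0xEE in raw_types
    if lba1[:8] == GPT_SIGNATURE:
        result["gpt_header"] = True
        hdr_size, stored_crc = struct.unpack_from("<II", lba1, 12)
        if GPT_HEADER_LEN <= hdr_size <= SECTOR:
            # CRC32 covers HeaderSize bytes with the CRC field itself zeroed.
            zeroed = lba1[:16] + b"\0\0\0\0" + lba1[20:hdr_size]
            result["gpt_crc_ok"] = zlib.crc32(zeroed) == stored_crc
    if result["gpt_header"]:
        result["scheme"] = "gpt"
    elif result["mbr_types"]:
        result["scheme"] = "mbr"
    return result


def build_mbr(entries) -> bytes:
    """Constructed 512-byte MBR; entries are (type, start_lba, sector_count).
    CHS fields are left zero because the parser above uses only the LBA fields."""
    sec = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries[:4]):
        off = 446 + 16 * i
        sec[off + 4] = ptype
        struct.pack_into("<II", sec, off + 8, start, count)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_gpt_header(disk_sectors: int) -> bytes:
    """Constructed primary GPT header for LBA 1 with a correct header CRC."""
    hdr = bytearray(GPT_HEADER_LEN)
    hdr[0:8] = GPT_SIGNATURE
    struct.pack_into("<II", hdr, 8, 0x00010000, GPT_HEADER_LEN)     # revision 1.0, size
    struct.pack_into("<QQQQ", hdr, 24, 1, disk_sectors - 1, 34, disk_sectors - 34)
    struct.pack_into("<QII", hdr, 72, 2, 128, 128)   # entry array at LBA 2, 128 x 128 bytes
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))  # CRC field is zero while hashing
    return bytes(hdr) + b"\0" * (SECTOR - GPT_HEADER_LEN)


def sample_gpt_disk(disk_sectors: int = 2048) -> bytes:
    """Protective MBR (one 0xEE entry spanning the disk) followed by a GPT header."""
    protective = (0xEE, 1, min(disk_sectors - 1, 0xFFFFFFFF))
    return build_mbr([protective]) + build_gpt_header(disk_sectors)


def sample_mbr_disk() -> bytes:
    """Legacy MBR with a single NTFS partition and nothing in LBA 1."""
    return build_mbr([(0x07, 2048, 204800)]) + b"\0" * SECTOR


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:          # e.g. a dd image or /dev/sda (as root)
        print(partition_scheme(f.read(2 * SECTOR)))
```

A disk with the GPT signature in LBA 1 but a failing CRC is worth a closer look: it is either a leftover header from an earlier layout that was only partially wiped, or a header that was edited by hand, and the backup header at the last LBA should be compared before trusting either.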


EU regulations on hardware disposition

Complex IT London has a story (on ComputerWeekly) about the last phase of the hardware lifecycle, disposition, and how to deal with the PII left on retired hardware:

http://www.computerweekly.com/feature/Avoiding-security-issues-when-recycling-hardware

Actually, the story doesn’t mention firmware. But please consider firmware-based PII when you read it. 🙂