funsec mailing list archives

Despite warnings, computers still vulnerable to hackers of start-up codes


From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 2 Aug 2014 21:35:21 -0400

This was kind of humorous (in a morbid sort of way)...

http://in.reuters.com/article/2014/08/02/us-cybersecurity-hackers-bootup-idINKBN0G201620140802

(Reuters) - A multi-year effort to prevent hackers from altering
computers while they boot up has largely failed because of lax
application of preventive steps, researchers say, despite disclosures
that flaws are being exploited.

In the latest sign that the problem persists, researchers at the
federally funded MITRE lab said this week that many customers of Intel
Corp still had not adopted revised security designs Intel distributed
in March after the MITRE team found new vulnerabilities in the
start-up process.

That could mean many newer Windows computers remain exposed, the MITRE
team told Reuters ahead of a presentation at the Black Hat security
conference in Las Vegas next week.

Intel’s point person on the issue, Bruce Monroe, said he did not know
how many suppliers and computer makers had followed Intel’s
recommendations.

“We’re not privy to whether they’ve fixed it or not,” Monroe said. “We
asked them to let us know.”

The stubborn glitches illustrate how such well-funded spying programs
as those exposed by former National Security Agency contractor Edward
Snowden can continue to succeed against targets that depend on a
complex supply chain.

Long before Snowden’s documents began appearing in the media,
professional technicians and U.S. officials were concerned about the
vulnerabilities that left computers severely exposed as they are
turned on.

Years ago, then-U.S. National Security Agency Director Keith Alexander
privately urged the chief executives of major American technology
companies to do something about the boot-up procedure known as the
Basic Input/Output System, or BIOS. BIOS relies on firmware, or
permanent software that ships with computers.

Because the start-up code is given more authority than the operating
system, hackers who break into that code can make major changes to
programs and hide evidence of their presence. Lodging there also all
but guarantees what the security industry calls persistence - the
ability to remain inside even after a computer is turned off and
rebooted.

Intel, Microsoft Corp and other companies promoted a successor system
known as the Unified Extensible Firmware Interface that includes a
feature called “secure boot,” which checks for digital signatures
before running code. Microsoft’s Windows 8 operating system has
embraced UEFI and secure boot, bringing the hardened approach to more
than 60 million new computers.

Even as that rollout was accelerating, though, evidence accumulated
that attacks similar to those theorized by researchers were actually
under way.

In 2011, several research firms identified one such piece of malicious
software, called Mebromi, that primarily attacked Chinese computers
with a type of BIOS from leading supplier Phoenix Technologies Ltd
[PHQUIP.UL].

Early last year, Reuters saw a catalogue from a U.S. defense
contractor that included a product, offered at more than $100,000, for
incapacitating target computers by attacking BIOS and other critical
elements.

And in December, Der Spiegel reported that a leaked internal NSA
catalogue described a tool called DeityBounce that attacked the BIOS
of Dell Inc servers.

That came months after a presentation at last year’s Black Hat
security conference in which MITRE researchers including Corey
Kallenberg and Xeno Kovah broke into Dell’s boot-up process.

In a joint interview, Kallenberg and Kovah said that in the year since
that talk, they had deployed sensors to about 10,000 computers to
determine whether boot-ups were still vulnerable to that flaw or
related issues. As of last month, 55 percent of them still were.

But the actual percentage of vulnerable machines in the world is even
higher, because the MITRE group has not been checking for flaws
stemming from the issues it found more recently with Intel’s old UEFI
guidelines, which permitted an attack through memory corruption.

“That number is going to go up a lot,” Kovah said of the percent of
affected computers.

Intel’s Monroe said that although his company, the BIOS makers and
most of their customers were not used to distributing and installing
fixes, improvements were coming, starting with a fledgling
industry-wide incident response team led by Phoenix.

Kallenberg and Kovah said it would help if the National Institute of
Standards and Technology moved beyond general warnings and provided
links to verified fixes.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
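The article talks about "secure boot" checking digital signatures before running code, and about fleets of machines that never adopted the recommended settings. The first thing a practitioner wants is a way to tell whether a given box is actually enforcing. The script below is an added example, not code from the article, from Reuters, MITRE or Intel; it decodes the two UEFI variables that answer that question, SecureBoot and SetupMode, from the byte layout Linux exposes under /sys/firmware/efi/efivars (a 4-byte little-endian attribute word followed by the variable data, both variables being a single byte under the EFI global variable GUID). The sample byte strings are constructed, not captured from a real machine. One caveat the article's numbers make worth stating: SecureBoot=1 only says the firmware verifies what it loads next; it says nothing about whether the firmware image itself can be rewritten, which is the kind of flaw MITRE was measuring.

```python
"""Check whether UEFI Secure Boot is actually enforcing, from efivarfs variable bytes.

Each file under /sys/firmware/efi/efivars/ holds a 4-byte little-endian
attribute word followed by the variable's data.  SecureBoot and SetupMode
are one-byte variables under the EFI global variable GUID.
"""
import struct
from pathlib import Path

# GUID of EFI_GLOBAL_VARIABLE, which owns SecureBoot and SetupMode
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")

# Variable attribute bits from the UEFI specification
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(raw: bytes) -> tuple:
    """Split efivarfs file contents into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs contents shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def decode_flag(raw: bytes) -> bool:
    """Decode a one-byte UEFI boolean variable such as SecureBoot or SetupMode.

    Rejects payloads of the wrong size instead of guessing: a truncated or
    oversized value usually means the file was not the variable expected.
    """
    attrs, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte payload, got {len(data)} bytes")
    if not attrs & EFI_VARIABLE_RUNTIME_ACCESS:
        raise ValueError("variable is not runtime-accessible; not SecureBoot/SetupMode")
    return data[0] == 1


def secure_boot_state(secure_boot_raw: bytes, setup_mode_raw: bytes) -> str:
    """Classify the firmware's signature-checking state.

    "enforcing"  - SecureBoot=1 and SetupMode=0: boot loaders must be signed
    "setup-mode" - SetupMode=1: the key databases can be rewritten without
                   authentication, so nothing is enforced regardless of SecureBoot
    "disabled"   - SecureBoot=0 outside setup mode
    """
    secure_boot = decode_flag(secure_boot_raw)
    setup_mode = decode_flag(setup_mode_raw)
    if setup_mode:
        return "setup-mode"
    return "enforcing" if secure_boot else "disabled"


def read_global_variable(name: str) -> bytes:
    """Read a variable under EFI_GLOBAL_VARIABLE from efivarfs (Linux only)."""
    return (EFIVARS_DIR / f"{name}-{EFI_GLOBAL_VARIABLE}").read_bytes()


# Constructed sample contents, not captured from a real machine:
# attributes 0x00000006 (BOOTSERVICE_ACCESS | RUNTIME_ACCESS) + one data byte.
FLAG_ON = b"\x06\x00\x00\x00\x01"
FLAG_OFF = b"\x06\x00\x00\x00\x00"


def main() -> None:
    try:
        state = secure_boot_state(read_global_variable("SecureBoot"),
                                  read_global_variable("SetupMode"))
        print(f"this machine: {state}")
    except OSError:
        # Not a Linux UEFI system, or efivarfs not mounted: show the samples instead
        print("efivarfs unavailable; evaluating constructed samples")
        print("SecureBoot=1, SetupMode=0:", secure_boot_state(FLAG_ON, FLAG_OFF))
        print("SecureBoot=0, SetupMode=0:", secure_boot_state(FLAG_OFF, FLAG_OFF))
        print("SecureBoot=1, SetupMode=1:", secure_boot_state(FLAG_ON, FLAG_ON))


if __name__ == "__main__":
    main()
```

Run it as root on a Linux UEFI system to read the live variables; anywhere else it falls back to the constructed samples. SetupMode is checked first on purpose: a platform reporting SecureBoot=1 while in setup mode is not protecting anything, because anyone can enrol their own keys.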
