Some comments about UEFI.
http://www.networkworld.com/community/blog/perfect-persistant-undetectable-hardware-backdoor?source=NWWNLE_nlt_security_2012-08-02

UEFI is hackable, and easily so. Brossard introduced this perfect backdoor, a proof-of-concept malware for the Intel architecture called "Rakshasa." Yet he qualified, "We are not terrorists. We won't release our PoC backdoor."

What's really scary is that Rakshasa doesn't reside on the disk and therefore leaves zero evidence in the filesystem. It leaves zero network evidence on the LAN. It can "remotely boot from an alternate payload or even OS" like fake Truecrypt/Bitlocker. Rakshasa can even show a fake BIOS menu if necessary. "We use an embedded CMOS image. We can use the real CMOS nvram to store encryption keys/backdoor states between reboots." It is capable of infecting "more than a hundred different motherboards."

The research paper states: "The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, an Unified Extensible Firmware Interface (UEFI) firmware, or from a PCI firmware, resulting in permanent lowering of the security of the backdoored computer, even after a complete erasing of hard disks and re-installation of a new operating system."

What it comes down to, in simple terms, is that you cannot get rid of it. Even if you wipe the computer and start over, the undetectable backdoor would remain because it is capable of living on in the BIOS. If you were to flash the firmware, a backdoor such as Rakshasa "can flash the original firmware back remotely." Brossard's demo showed that backdooring the BIOS or PCI firmware "to allow the silent booting a remote payload via an http(s) connection is equally practical and ruins all hope to detect the infection using existing tools such as antivirus or existing forensic tools." Included in the "forensic best practices" was the suggestion to "throw away your computer in case of intrusion."
This will hopefully raise awareness so companies can come up with new "best practices" regarding forensics and post-intrusion analysis.

------------------
Regards, Leslie
Mr. Leslie Satenstein
50 years in Information Technology and going strong.
Yesterday was a good day, today is a better day, and tomorrow will be even better.
mailto:[email protected]
alternative: [email protected]
www.itbms.biz
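The post's point that wiping the disks does not touch a firmware-resident implant means any post-intrusion check has to measure the firmware itself, not the filesystem. The following is an added example (not from the mailing-list post, and not code from Brossard's work) of the simplest such check: compare a dumped SPI flash image, region by region, against a golden manifest taken from a trusted copy of the same firmware. The region layout, the 64 KiB image size and the tampering are all constructed for the demonstration; a real layout comes from the vendor's flash descriptor, and a real NVRAM region changes legitimately between boots and would normally be excluded or tracked separately.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Region:
    """One region of a flash image plus the SHA-256 it must match."""
    name: str
    offset: int
    length: int
    expected_sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_golden_manifest(image: bytes, layout: List[Tuple[str, int, int]]) -> List[Region]:
    """Hash each (name, offset, length) region of a TRUSTED image to form the reference manifest."""
    return [Region(name, off, ln, sha256_hex(image[off:off + ln])) for name, off, ln in layout]


def verify_image(image: bytes, manifest: List[Region]) -> Dict[str, bool]:
    """Return {region_name: matches_golden}.

    A region fails if its bytes differ from the golden hash OR if the dump is
    too short to contain the whole region (a truncated dump must not pass).
    """
    results: Dict[str, bool] = {}
    for region in manifest:
        chunk = image[region.offset:region.offset + region.length]
        complete = len(chunk) == region.length
        results[region.name] = complete and sha256_hex(chunk) == region.expected_sha256
    return results


def suspicious_regions(results: Dict[str, bool]) -> List[str]:
    """Names of regions that did not match, in manifest order."""
    return [name for name, ok in results.items() if not ok]


# ---- Constructed sample data (hypothetical layout, not a real vendor image) ----
LAYOUT = [
    ("descriptor", 0x0000, 0x1000),
    ("bios",       0x1000, 0xE000),
    ("nvram",      0xF000, 0x1000),
]
GOLDEN_IMAGE = bytes(range(256)) * 256          # 65536 bytes of deterministic filler
GOLDEN_MANIFEST = build_golden_manifest(GOLDEN_IMAGE, LAYOUT)


def tampered_image() -> bytes:
    """A copy of the golden image with 16 bytes overwritten inside the bios region."""
    img = bytearray(GOLDEN_IMAGE)
    img[0x2000:0x2010] = b"\x00" * 16
    return bytes(img)


def truncated_image() -> bytes:
    """A dump that stopped halfway through the bios region."""
    return GOLDEN_IMAGE[:0x8000]


if __name__ == "__main__":
    for label, img in (("golden", GOLDEN_IMAGE), ("tampered", tampered_image()), ("truncated", truncated_image())):
        res = verify_image(img, GOLDEN_MANIFEST)
        print(f"{label:10s} mismatched regions: {suspicious_regions(res) or 'none'}")
```

The manifest must come from an image you trust (vendor download verified out of band, or a dump taken before deployment), and the dump under test should be read with an external programmer rather than through the running firmware, since the post's whole point is that compromised firmware can lie about its own contents.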
