Re: [qubes-users] Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread raahelps
On Tuesday, September 27, 2016 at 2:56:27 PM UTC-4, johny...@sigaint.org wrote:
> > I forget which blackhat event,  they showed how you can think you are
> > flashing a bios.  But the malware will remain.
> 
> That's creepy.  Don't most BIOS flashing utilities do a verification?  Or
> perhaps the flashing utility itself is what was compromised in the
> blackhat demo.
> 
> Another reason why doing a flashrom under Tails, and then reading it back,
> is a good idea if your motherboard supports it.  Pretty hard for malware
> to fake that (at least without some additional flash storage to do its
> tricks).
> 
> At the very least, using a slightly "unexpected" utility like flashrom
> helps dodge the obvious hacks.
> 
> (Similar to someone's post in reply to the Laptop internet sharing thread,
> that using a *different* VM isolation on the laptop, KVM/Qemu or whatever,
> might be a good idea.  For an attacker to have to compromise Xen *and*
> Qemu, makes for a busy project to say the least.  It'd very likely stop
> any automated virus in its tracks.)
> 
> JJ

Regarding KVM/QEMU, you probably need to use an HVM and it's probably difficult 
to set up.  Probably would also run very slow.  Not worth it imo.  If your BIOS 
or dom0 gets compromised, it's already game over.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bb847c48-8f39-4c73-ac7d-59cb5feace57%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread raahelps
On Tuesday, September 27, 2016 at 2:56:27 PM UTC-4, johny...@sigaint.org wrote:
> > I forget which blackhat event,  they showed how you can think you are
> > flashing a bios.  But the malware will remain.
> 
> That's creepy.  Don't most BIOS flashing utilities do a verification?  Or
> perhaps the flashing utility itself is what was compromised in the
> blackhat demo.
> 
> Another reason why doing a flashrom under Tails, and then reading it back,
> is a good idea if your motherboard supports it.  Pretty hard for malware
> to fake that (at least without some additional flash storage to do its
> tricks).
> 
> At the very least, using a slightly "unexpected" utility like flashrom
> helps dodge the obvious hacks.
> 
> (Similar to someone's post in reply to the Laptop internet sharing thread,
> that using a *different* VM isolation on the laptop, KVM/Qemu or whatever,
> might be a good idea.  For an attacker to have to compromise Xen *and*
> Qemu, makes for a busy project to say the least.  It'd very likely stop
> any automated virus in its tracks.)
> 
> JJ

Here is an interesting thread on reddit I just found. 
https://www.reddit.com/r/badBIOS/comments/319qlf/spi_programmers_to_flash_bios_rootkits_bios/



Re: [qubes-users] Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread johnyjukya
> I forget which blackhat event,  they showed how you can think you are
> flashing a bios.  But the malware will remain.

That's creepy.  Don't most BIOS flashing utilities do a verification?  Or
perhaps the flashing utility itself is what was compromised in the
blackhat demo.

Another reason why doing a flashrom under Tails, and then reading it back,
is a good idea if your motherboard supports it.  Pretty hard for malware
to fake that (at least without some additional flash storage to do its
tricks).

At the very least, using a slightly "unexpected" utility like flashrom
helps dodge the obvious hacks.

(Similar to someone's post in reply to the Laptop internet sharing thread,
that using a *different* VM isolation on the laptop, KVM/Qemu or whatever,
might be a good idea.  For an attacker to have to compromise Xen *and*
Qemu, makes for a busy project to say the least.  It'd very likely stop
any automated virus in its tracks.)

JJ



Re: [qubes-users] Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread raahelps
On Tuesday, September 27, 2016 at 2:31:33 PM UTC-4, johny...@sigaint.org wrote:
> > If I think a computer has been infected, is there anything else I should
> > wipe/re-install other than
> >
> > 1. Hard Drive / Operating System
> >
> > 2. BIOS
> >
> > Is there anything else that a hacker could possibly infect that needs to
> > be wiped/re-installed..?
> 
> Lol, don't get me started...
> 
> - Any PCI card (esp Network/Video/Sound) that has any kind of flashable
> firmware
> 
> - Similarly, probably any PCMCIA cards
> 
> - Any USB peripheral, especially flash drives; sadly, I don't think
> there's any way to verify your HD firmware hasn't been tampered with
> (write only, typically), and flash drives vary so much, it's not
> particularly practical to check/clean them.  Some flash drive vendors have
> repair tools that can redo the BIOS (handy when the drive appears to get
> pooched), but it's fairly rare to find, I think.
> 
> - SMB/DMI Bios Tables (as shown by dmidecode) - Related to the BIOS, and I
> think cleansed when you reflash your BIOS.  Even so, it's good to maybe
> pop your motherboard battery or short out any BIOS-reset jumper to make
> sure you're starting with clean settings.
> 
> - Basically, anything that can carry state needs to be looked at (although
> your RTC probably doesn't have an attack vector :) )
> 
> - I've heard that rogue printers can even keep copies of what you print. 
> I'm not sure if this can happen from an infection, or if it needs to be a
> factory/interdiction implant.  Doubtful if such a thing could be cleansed.
> 
> I feel like I'm missing something else, but I might be thinking of more
> hardware-based attacks (fake chokes on video cables that broadcast, etc.)
> 
> On-board peripherals (sound, network, video) typically have their firmware
> as chunks in the main motherboard BIOS, I believe, so re-flashing a fresh
> BIOS takes care of those.
> 
> A major oddity and frustration is that so many motherboard manufacturers
> only provide their BIOSes via FTP/HTTP (and don't provide hashes!), just
> begging to be MITM'd with dodgy firmware during download.  So careful with
> any downloads.
> 
> It's a good idea to run the BIOS (and any firmware you download) through
> virustotal.com, which supposedly supports BIOSes now.  You will typically
> see that it's already been checked in the past by someone else, and is
> clean.
> 
> Similarly, if you have to boot DOS to run a firmware flash utility, be
> careful.  I've used FreeDOS successfully in the past, but the motherboards
> I use thankfully support the Linux utility "flashrom" which seems to be
> able to successfully burn (and read) the BIOS on a lot of motherboards and
> other devices.
> 
> (Of course, you always run the risk of bricking your system, but I think
> it's generally pretty safe, and won't go ahead if it isn't capable on your
> system.)
> 
> I occasionally use FlashROM (installable with apt under Tails, and I use
> it while offline) to read and compare my BIOS against the original fresh
> burn.  (I'll see the DMI tables at the beginning change as I make any BIOS
> changes, but so far, no mods to the code.  :) )
> 
> I'd like to see FlashROM available in dom0 for the ability to do this
> under tails.  But I guess that would be a super-dangerous utility to have
> floating around dom0, so rebooting to Tails now and then to check my BIOS
> is an acceptable inconvenience.
> 
> Oh, and before you do reflash your BIOS, boot into Tails (or Debian,
> Redhat, whatever) install FlashROM, and do a "flashrom -r" to read the
> existing BIOS for posterity.  Run the resulting file through VirusTotal. 
> It's interesting to compare with another "flashrom -r" after re-flashing
> the new BIOS.
> 
> It'd be good to catch any corrupt BIOS before you overwrite it, to know if
> you've been compromised that way, and to share the particular hack with
> the security community.
> 
> Related:
> http://www.businessinsider.com/nsa-says-foiled-china-cyber-plot-2013-12
> 
> (Hey, thanks for looking out for us, NSA!)
> 
> Note that any contents of a .ROM file you download to burn, won't
> necessarily compare exactly to the results of a "flashrom -r".  But if you
> "flashrom -r oldbios.rom", burn a fresh BIOS, and do another "flashrom -r
> newbios.rom", you should have a good base for comparison.  I do a "hexdump
> -C" on each .rom file, and then diff them to see what's different.
> 
> If you end up upgrading your ROM in the process, obviously there will be a
> number of differences.  The more interesting thing is if VirusTotal shows
> anything, or if, down the road, you notice changes in subsequent "flashrom
> -r"'s.  If anything other than the SMB/DMI tables at the beginning change,
> you need to assume you've been compromised (again).
> 
> (flashrom needs a "--programmer internal" option, which I left out for
> clarity above.)
> 
> Obviously, any hard drive's boot sector should be examined as well.  If
> you're worried about compromise, you're 

Re: [qubes-users] Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread johnyjukya
> If I think a computer has been infected, is there anything else I should
> wipe/re-install other than
>
> 1. Hard Drive / Operating System
>
> 2. BIOS
>
> Is there anything else that a hacker could possibly infect that needs to
> be wiped/re-installed..?

Lol, don't get me started...

- Any PCI card (esp Network/Video/Sound) that has any kind of flashable
firmware

- Similarly, probably any PCMCIA cards

- Any USB peripheral, especially flash drives; sadly, I don't think
there's any way to verify your HD firmware hasn't been tampered with
(write only, typically), and flash drives vary so much, it's not
particularly practical to check/clean them.  Some flash drive vendors have
repair tools that can redo the BIOS (handy when the drive appears to get
pooched), but it's fairly rare to find, I think.

- SMB/DMI Bios Tables (as shown by dmidecode) - Related to the BIOS, and I
think cleansed when you reflash your BIOS.  Even so, it's good to maybe
pop your motherboard battery or short out any BIOS-reset jumper to make
sure you're starting with clean settings.

- Basically, anything that can carry state needs to be looked at (although
your RTC probably doesn't have an attack vector :) )

- I've heard that rogue printers can even keep copies of what you print. 
I'm not sure if this can happen from an infection, or if it needs to be a
factory/interdiction implant.  Doubtful if such a thing could be cleansed.

I feel like I'm missing something else, but I might be thinking of more
hardware-based attacks (fake chokes on video cables that broadcast, etc.)

On-board peripherals (sound, network, video) typically have their firmware
as chunks in the main motherboard BIOS, I believe, so re-flashing a fresh
BIOS takes care of those.

A major oddity and frustration is that so many motherboard manufacturers
only provide their BIOSes via FTP/HTTP (and don't provide hashes!), just
begging to be MITM'd with dodgy firmware during download.  So careful with
any downloads.

It's a good idea to run the BIOS (and any firmware you download) through
virustotal.com, which supposedly supports BIOSes now.  You will typically
see that it's already been checked in the past by someone else, and is
clean.

Similarly, if you have to boot DOS to run a firmware flash utility, be
careful.  I've used FreeDOS successfully in the past, but the motherboards
I use thankfully support the Linux utility "flashrom" which seems to be
able to successfully burn (and read) the BIOS on a lot of motherboards and
other devices.

(Of course, you always run the risk of bricking your system, but I think
it's generally pretty safe, and won't go ahead if it isn't capable on your
system.)

I occasionally use FlashROM (installable with apt under Tails, and I use
it while offline) to read and compare my BIOS against the original fresh
burn.  (I'll see the DMI tables at the beginning change as I make any BIOS
changes, but so far, no mods to the code.  :) )

I'd like to see FlashROM available in dom0 for the ability to do this
under tails.  But I guess that would be a super-dangerous utility to have
floating around dom0, so rebooting to Tails now and then to check my BIOS
is an acceptable inconvenience.

Oh, and before you do reflash your BIOS, boot into Tails (or Debian,
Redhat, whatever) install FlashROM, and do a "flashrom -r" to read the
existing BIOS for posterity.  Run the resulting file through VirusTotal. 
It's interesting to compare with another "flashrom -r" after re-flashing
the new BIOS.

It'd be good to catch any corrupt BIOS before you overwrite it, to know if
you've been compromised that way, and to share the particular hack with
the security community.

Related:
http://www.businessinsider.com/nsa-says-foiled-china-cyber-plot-2013-12

(Hey, thanks for looking out for us, NSA!)

Note that any contents of a .ROM file you download to burn, won't
necessarily compare exactly to the results of a "flashrom -r".  But if you
"flashrom -r oldbios.rom", burn a fresh BIOS, and do another "flashrom -r
newbios.rom", you should have a good base for comparison.  I do a "hexdump
-C" on each .rom file, and then diff them to see what's different.

If you end up upgrading your ROM in the process, obviously there will be a
number of differences.  The more interesting thing is if VirusTotal shows
anything, or if, down the road, you notice changes in subsequent "flashrom
-r"'s.  If anything other than the SMB/DMI tables at the beginning change,
you need to assume you've been compromised (again).

(flashrom needs a "--programmer internal" option, which I left out for
clarity above.)

Obviously, any hard drive's boot sector should be examined as well.  If
you're worried about compromise, you're going to scrub your disks anyway.

I usually do a regular "dd if=/dev/sda of=latest.img bs=512 count=2048",
and compare against a saved baseline image that I grabbed after a fresh
install.  Any changes to the MBR, Grub stage 2 will be noticed with a
comparison against the original.  Any 
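
A small comparison tool in the spirit of the "hexdump -C" / diff and the dd baseline checks described in the post above, added here as an example (it is not from the original post or from the Qubes project): it reports which byte ranges of two captured images differ and whether each change falls inside a region that is expected to vary (the SMBIOS/DMI area at the start of a BIOS dump, or the disk signature and partition table of an MBR). The offsets in LAYOUTS are assumptions for illustration; real BIOS region offsets depend on the board's flash layout, and the sample images are constructed, not real firmware.

```python
"""Diff two firmware or boot-sector dumps (e.g. from `flashrom --programmer internal -r x.rom`
or `dd if=/dev/sda bs=512 count=2048`) and flag changes outside regions expected to vary."""
import hashlib

# ASSUMED layouts for illustration: half-open [start, end) ranges that may legitimately
# change between captures. Real BIOS offsets come from the board's flash layout.
LAYOUTS = {
    "bios": {"smbios_dmi_and_settings": (0x0000, 0x0400)},
    # MBR: disk signature and partition table (0x1B8..0x1FE) change on repartition;
    # the boot code before 0x1B8 and the 0x55AA signature should not.
    "mbr": {"disk_signature_and_partition_table": (0x1B8, 0x1FE)},
}

def changed_ranges(old: bytes, new: bytes):
    """Return [(start, end), ...] half-open ranges where the images differ.
    A length mismatch counts as a change across the tail of the longer image."""
    ranges, start, n = [], None, max(len(old), len(new))
    for i in range(n):
        a = old[i] if i < len(old) else None
        b = new[i] if i < len(new) else None
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges

def compare_images(old: bytes, new: bytes, layout: str = "bios"):
    """Split changed ranges into expected (inside an allowed region) and suspicious."""
    allowed = LAYOUTS[layout].values()
    expected, suspicious = [], []
    for s, e in changed_ranges(old, new):
        ok = any(lo <= s and e <= hi for lo, hi in allowed)
        (expected if ok else suspicious).append((s, e))
    return {"old_sha256": hashlib.sha256(old).hexdigest(),
            "new_sha256": hashlib.sha256(new).hexdigest(),
            "expected": expected, "suspicious": suspicious,
            "verdict": "REVIEW: change outside expected regions" if suspicious else "ok"}

# Constructed sample (not a real BIOS): 4 KiB baseline, then one settings byte flipped
# in the DMI region and 16 bytes blanked to 0xFF in the code region.
BASELINE = bytes(range(256)) * 16
MODIFIED = bytearray(BASELINE)
MODIFIED[0x10] ^= 0x01
MODIFIED[0x800:0x810] = b"\xff" * 16

if __name__ == "__main__":
    for key, value in compare_images(BASELINE, bytes(MODIFIED)).items():
        print(f"{key}: {value}")
```

Run on the constructed sample it lists the DMI byte as expected and the 16-byte code change as suspicious; to use it on real captures, read the two .rom (or dd) files with open(path, "rb").read() and pass them to compare_images with the matching layout.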

[qubes-users] Anything else to wipe other than HDD and BIOS..?

2016-09-27 Thread neilhardley
If I think a computer has been infected, is there anything else I should 
wipe/re-install other than

1. Hard Drive / Operating System

2. BIOS

Is there anything else that a hacker could possibly infect that needs to be 
wiped/re-installed..?

Thanks
