Fixing bad Intel NIC settings from UEFI

Today, a storm coming through the Dallas area managed to cause a power surge.  Most of my electronics are fine, but the router, a repurposed McAfee S1104 firewall running pfSense, wouldn’t come up properly.  Interfaces em0 and em1 came up mostly OK, but em2 and em3 wouldn’t.

A little checking using dmesg showed an error thrown for each interface (EEPROM checksum is not valid), so pfSense wouldn’t load the interfaces.  After some searching online (painfully slow over tethered LTE), I found someone who tried to fix their issues by using an Intel utility called bootutil.  (It didn’t work for them, but it was still a lead.)

I found the Intel page for it, and downloaded the Windows/EFI utility pack, preboot.exe.  I extracted this to a USB drive, and went through approximately the following steps.  There may be some things a little off as I didn’t actively record it, but something like this should work in the future.

  1. Boot into the EFI shell.  In my case, this involved bringing up the Boot Menu by pressing F7 and selecting from the list, but some motherboards look for F12 or other keys and some enter it from within Setup.
  2. Change to the USB device.  This will vary based on your system.
  3. Move to the appropriate directory.  You’ll want to end up in EFIx64 if you’re on an x86_64 processor or EFI64 if you’re on an Itanium CPU.
    cd APPS
    cd BootUtil
    cd EFIx64
  4. Run the utility to list the NICs.
  5. For each listed NIC, reset it to the default configuration.  I had four, so I ran the following commands.
  6. Reboot the system.

Unfortunately, pfSense didn’t get everything quite right.  I still had to configure the LAN NIC (em3) to get some remote access level.  Fortunately, after each configuration change, pfSense saves a config backup, so I was able to restore from that from within the interface itself (option 15, Restore recent configuration).  After one more reboot, everything was working as it should.  I got up and running much faster than if I had to completely rebuild things (there’s a lesson about backups in here, I’m sure).

Still, resetting the NIC saved me the cost and time of buying a new 4-port Intel NIC, which aren’t cheap.  Here’s to digging around in the parts we don’t usually see.

FCC Posts Net Neutrality Report and Order

On 26 February 2015, the FCC adopted by a 3-2 vote new network neutrality rules.  At the time, as is normal for FCC rule adoption, the rules were secret, available only to the commissioners and a few aides.

Two weeks later, the rules have been published.  They include 305 pages of history, explanation, rulings, forbearance orders, constitutional considerations, and regulatory flexibility analysis; 87 pages of commission statements (including 80 pages of dissent, 64 from one commissioner); and a mere 8 pages of regulation.  Fewer than two pages of that involves the actual net neutrality rules; the rest covers definitions, requirements for filing pleas and complaints, confidentiality of proprietary information, and requests for advisory opinions.

To emphasize this point, I’m putting the text of the new rules below.  It’s very simple, and very easy to read and understand.

Read More …

GPG Replacement Just Needs to Be “Good Enough” For Now

A few days ago, Moxie Marlinspike wrote something that got the InfoSec community into an open debate.  His contention is that GPG has failed philosophically and technologically in building up 20 years of cruft.  He essentially calls for a restart, and calls GPG’s small installation base a blessing in disguise because it makes for an easier time starting from scratch.

This, not surprisingly, resulted in a lot of very strong responses, with some for, others against, and many looking for clarification.  I understand his point, and I agree with him in some parts (mostly the philosophical) but am hesitant on other parts (mostly the technical).  What follows is based on a couple of posts I made on Slashdot. Read More …

Lenovo completely undermines user-vendor trust

Looking for a computer? Thinking about a Lenovo?

I strongly advise that you reconsider your choice due to an issue that has just come to the general attention of the InfoSec community. A couple of months ago, Lenovo was caught allowing VisualSearch, one of the companies that provides adware for the consumer line of its computers, to install an update to a program called Superfish. This update installed an unrestricted root certificate authority (CA) into the certificate store.

Before I get to the explanation, if you have a Lenovo system, please check to see if you have Superfish installed. If so, remove it. It will reportedly take this bad root CA with it.  But it will not restore trust in Lenovo.  Update 1: The certificate stays behind, and it’s the same private key on every installation, meaning that someone who gets hold of it from one compromised system can use it on another.  No trust left in Lenovo whatsoever.  Update 2: To see if you have the cert installed, go to  If you don’t get a warning, then you are vulnerable.

Back to the issue. It is almost impossible to overstate how bad this is. Lenovo essentially allowed flat-out attack software to be installed on a huge number of systems. With this root CA, the Superfish program replaced real certificates (like on banks, shopping sites, health sites, and anything else protected by HTTPS) with its own certificates so it could see every piece of data that you sent or received. If you went to a site in a browser, it showed a perfectly normal(-looking), perfectly secure(-looking) green lettering or bar, even though Superfish could see everything that transpired.  It is a fundamental violation of the trust between purchaser and vendor.

That’s not hyperbole. This is attack software, even if their stated purpose (to allow comparison shopping) is benign. But it does so using what’s called a man-in-the-middle attack, one of the holy grails of attack methods. Further, the certificate can be used to sign software, applets, or documents, allowing them to be recognized by Windows as safe. Anything can be run, and it will look perfectly legitimate.

That also means that anything that could subvert it could completely subvert the system, and do so with you trusting it.  It could point you to a site under an attacker’s control and convince you it was your bank.  It could ask you to install a software update and convince you that it was issued by the software vendor.  It could see everything you do, everything that left and entered your system, and report it back to somewhere else with no alerts because it would all appear completely legitimate.

I understand that sometimes companies make mistakes. They even sometimes make security mistakes. Security is hard. But this is an unfathomably bad decision by a company that should know better, especially given the attention and fear generated by their purchase of IBM’s computer lines. I was not fond of them before, and now what little doubt I had has been shattered.

Update 3: I should have included removal instructions. Here they are for Vista/7/8:

1. Open the Start Menu/Screen and type “certmgr.msc” to find the Certificate Manager. Click on it or press Enter to open it.
2. In the left pane, open the Trusted Root Certification Authorities folder.
3. In the right pane, open the Certificates folder.
4. Look for “Superfish, Inc.” in the list of certificates.
5. If it’s present, right-click on it and select Delete.
6. Click Yes to the prompt that appears.

At this point, the risk for this certificate has been removed.
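The certmgr.msc steps above can be scripted so the check is repeatable across a fleet of machines. The following PowerShell is an added example, not part of the original post: it looks for a trusted root certificate whose subject contains "Superfish" (the post says it is listed as "Superfish, Inc."; matching on that substring is an assumption), looks for the Superfish program in the Add/Remove Programs registry keys, and removes the certificate only when you run the removal function. It checks the per-user Root store as well as the machine store, which is one step beyond the post's instructions. Run it from an elevated prompt.

```powershell
# Added example, not part of the original post: a PowerShell equivalent of the
# certmgr.msc steps above, plus a check for the Superfish program itself.
# Assumptions: the certificate subject contains "Superfish" and the program's
# DisplayName contains "Superfish". Run from an elevated PowerShell prompt.

function Find-SuperfishCert {
    param([string]$SubjectPattern = '*Superfish*')
    # The post's steps cover the machine-wide Trusted Root store; the per-user
    # Root store is checked too, because a root trusted in either store is
    # honoured by applications running as that user.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        if (Test-Path $store) {
            Get-ChildItem -Path $store |
                Where-Object { $_.Subject -like $SubjectPattern } |
                ForEach-Object {
                    [pscustomobject]@{
                        Store      = $store
                        Subject    = $_.Subject
                        Thumbprint = $_.Thumbprint
                        NotAfter   = $_.NotAfter
                        PSPath     = $_.PSPath
                    }
                }
        }
    }
}

function Find-SuperfishProgram {
    # Add/Remove Programs entries (64-bit and 32-bit views), so the adware can
    # be uninstalled first, as the post recommends.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Superfish*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Remove-SuperfishCert {
    # Deletes every certificate returned by Find-SuperfishCert.
    # -WhatIf previews the removal without touching the stores.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($cert in Find-SuperfishCert) {
        if ($PSCmdlet.ShouldProcess($cert.Subject, "Remove from $($cert.Store)")) {
            Remove-Item -Path $cert.PSPath
        }
    }
}

$found = @(Find-SuperfishCert)
if ($found.Count -eq 0) {
    Write-Host 'No Superfish root certificate found in LocalMachine or CurrentUser Root.'
} else {
    $found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
    Find-SuperfishProgram | Format-Table -AutoSize
    # Preview first, then remove:
    Remove-SuperfishCert -WhatIf
    # Remove-SuperfishCert
}
```

Record the thumbprint before deleting: since the post notes the same private key ships on every installation, the same thumbprint turning up on several machines is the signal that the whole batch needs the certificate removed, not just the one you happen to be looking at.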

Safer browsing without too much annoyance

One of the biggest challenges right now comes in keeping secure while we’re constantly connecting to systems of unknown trustworthiness.  Even when I connect to this site, on a server that I built and administer myself, which I pay for entirely from my own pocket, there’s still that little doubt in my mind.

Most other sites provide much stronger reasons to doubt them, least of all because I have zero clue how good or bad they may be.  There are companies that I trust more to maintain secure networks, and some I trust less.  My experience as a pen tester has informed this a bit further, such that about a year ago I changed how I handle my browsing.

Read More …

More SANS Mentor Training in DFW

I’m on the schedule for at least two Mentor classes in 2015.  The first will be SEC504 that I’ve led a couple of times before, and the second is SEC560, the SANS Penetration Testing course.  Here are the details.

SEC504: Hacker Techniques, Exploits, and Incident Handling
Tuesday nights starting 20 Jan 2015

Your chance to learn:

  • Preparing for an incident: Not if, but when
  • Legal issues and when to involve outside entities
  • Common tactics used by attackers
  • Vulnerabilities in operating systems, applications, and networks
  • How to look for, respond to, and recover from attacks

Sign up by 23 Dec 2014 for discounted rates!

When registering, please enter “MENTOR RECRUIT” in the Comments section of the registration.


SEC560: Network Penetration Testing and Ethical Hacking
Tuesday nights starting 21 Apr 2015

Your chance to learn:

  • How to properly scope a pen test
  • Writing an effective report for the client
  • Finding and exploiting weaknesses in the target
  • Pivoting to inaccessible targets
  • Cracking passwords
  • Why getting root/SYSTEM isn’t enough

Sign up by 24 Mar 2015 for discounted rates!

When registering, please enter “MENTOR RECRUIT” in the Comments section of the registration.

Net Neutrality Submission

I just sent this in to the FCC via

Anything that legally justifies a fast lane is unacceptable. When I pay my ISP for a certain amount of bandwidth, that places a burden on the ISP to provide acceptable service to me. If, through my connection, I’m seeking streaming from Netflix or YouTube, or downloading games from Steam or Good Old Games, or installing patches from Microsoft or Red Hat, I have paid for an expectation of acceptable connectivity to these services.

Several of the ISPs don’t seem to understand this. They seem to believe that their only requirement is that some rudimentary access is supplied despite what the customer pays for bandwidth. While right now the focus is on Netflix and other single providers, what happens if the ISPs decide to go after CDNs like Akamai? Suddenly, huge swaths of the Internet are targeted. Hundreds of thousands, even millions of sites become subject to bandwidth limitations because they choose to use more efficient CDNs.

It is up to the FCC right now to reclassify the ISPs as common carriers under Title II. We are in the midst of an upheaval at least as big as the industrial revolution, and the ISPs are led by people who really don’t seem that different from Gordon Gekko in their pursuit of ever-higher profit margins. Don’t let the Internet devolve into haves and have-nots. Don’t let the ISPs even have a chance of picking favorites. That’s not what they’re for. They’re for delivering content at the speeds that I’ve paid for. If their costs for delivering that speed goes up, that’s not the problem of Netflix or Google or Akamai. That’s between my ISP and me. Don’t let that change.

Tips for writing effective reports

In the IT world, and especially in security, we write a lot of reports.  We often get the technical information right but the presentation can be a little dry, which can limit the impact.  The following began as suggestions for writing penetration test reports (roughly along the lines of the SANS SEC560 template), but they can apply to other reports as well.

Read More …

Getting Started in Security

I get a lot of people asking me how they can get involved in security.  Some of them are IT pros who have been in their careers for many years while others are new, like a help desk novice.  But they all want to get involved because security is the exciting place to be.  It’s the hot place that isn’t going away, unlike the rest of IT that, it seems, management seeks to automate out of existence.

Well, they’re right.  Or some of them are, at least.  It’s currently the sector least likely to be automated out of existence, but that’s largely because it’s currently too complex to do.  I remember when a lot of IT was like that.  We did much of our work by hand, as scripting was a luxury, especially on Windows.  Security will come to that point, too, but it will probably be a little while.  There are simply too many legacy systems around for it to be otherwise.

Anyway, here are some tips for getting involved in security.  These are based on my own experiences coming up from informal desktop support through servers and then into security.

  1. Start thinking like security people.  Security people by and large think…differently.  The hacker ethos is there, and it’s not just about breaking into systems.  It’s about changing things to get the desired outcome.  This applies to offense, defense, and things that have nothing to do with either.
    Here’s the hard part: If you don’t know how to do this, by all means, ask.  We’re usually happy to explain how we approach our work.  Have lunch with security people you know.  Read papers, books, and weblogs.  Watch videos from past conferences.  Even better, attend conferences like DerbyCon and your local BSides, places that are welcoming to people who are new to the field.
    Once there, ask to join a conversation.  There’s a good chance you’ll be able to join, even if just to listen.  Don’t pretend you’re better at something than you are, because you’ll be found out in about nine seconds and shunned.  And they will remember you if they see you again, like across the table in an interview.  Security is a much smaller field than people think.
  2. Integrate security into your daily work.  If you work on the help desk, start asking yourself how the callers’ actions could cause security problems, taking notes about your thoughts and running them by your security staff (another reason to have lunch with them).  If you’re further along, learn how to harden the systems you maintain.  Don’t change anything without permission, of course, but read about others’ experiences, and realize that one size does not fit all.  Just because a respected guide recommends wiping the page file on reboot doesn’t mean it’s a good idea for your environment.  The more you do this, the more you start thinking like security, the better you’ll get on with them, and the better chance you have at joining them one day.
  3. Integrate security into your daily life.  This isn’t just hardening your home systems.  Learn to spot security issues as you go through life.  I have some friends who think it’s sad and/or paranoid, but when I walk into a building, the first thing I do is start looking for ways to subvert the security in case of an emergency.  This develops mental reflexes that are necessary in any security role, as the ability to spot something amiss and react to it is critical regardless which side you’re on.
  4. Set up a lab and tinker.  Scrape together a system at home and install a free hypervisor like VMware ESXi, KVM, or Xen.  Or get a copy of VMware Workstation (or Player if you can’t afford it) or VirtualBox and install it on your workstation.  Download ISOs of older software like CentOS 5.0 and start looking up exploits against them.  Once you find them, look for ways to mitigate them without patching because patching is not always a solution for a number of reasons.
  5. Learn multiple operating systems.  You’re going to be interacting with a lot of different gear from different times.  If you’re most comfortable on Windows, start learning Linux.  When you do, it’s best to dive in, spending at least a week using it as your sole operating system to force yourself to learn how it works.  Then find other environments that you don’t know and learn how they work.  You’re not necessarily going for mastery, but some familiarity with how they work goes a long way.
  6. Learn a scripting language.  Even if you’re not a developer, you need to learn something about automation.  You have two primary choices based on default installations: Python for Linux and PowerShell for Windows.  A third option, primarily for Linux, is Ruby, which is in some ways easier and more compact (and Metasploit is written in it).  Regardless, you need not be an expert (though it helps), but you should be able to read a script and describe its flow.  Find an idea and start writing it yourself.  You’ll likely do it badly, but if it’s yours, you’ll have more passion and drive to finish it, and that will help you learn.
  7. Keep your eyes open.  Security opportunities won’t always be as obvious as position postings.  Have lunch with security people.  Volunteer to work on security projects (even if security people aren’t involved).  Volunteer your time with non-profits: the smaller ones, especially, can use some help.  Go to conferences (the point bears repeating).  There’s value in who knows you as they might pass word of a new opportunity along.
  8. Don’t whine.  Very few people got into security purely by luck.  Many of those who did failed to get anywhere.  Getting into security usually takes work.  Getting ahead in security takes more work.  What will irritate security people is when someone whines incessantly that they can’t do something but clearly haven’t put forth any real effort.  Show you’ve put forth the effort and you stand a chance of getting in and/or getting ahead.

That’s what I usually tell people, though this is (amazingly) a much shorter version of the discussions I usually have.  I’m happy to talk with anyone who wants to get into security.  We still need all the help we can get.

Fix for Wireshark locking up in Windows 8.1

I’ve been puzzling over why Wireshark seems to lock up when launching on Windows 8.1 and dumpcap.exe sits in the background even after Wireshark is forced to close.  Some experiments from the command line showed that any time dumpcap.exe tries to use some aspect of its capture behavior (including just listing interfaces), it locks up.  Various tools suggested that it was waiting for some external event to allow it to close.

I finally learned from an Ask Wireshark post that it was due to WinPcap not starting on demand.  The solution is simple:

  • Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Start to value 0x03 (SERVICE_DEMAND_START).
  • Reboot.
  • Enjoy packet capturing goodness.

I believe this is an issue with WinPcap and not Wireshark.  There’s an alternate solution of running Wireshark in Windows 7 compatibility mode, but I try not to run things in compatibility mode unless there’s really no other way to do it.
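The registry change above is easy to get wrong by hand (wrong hive, wrong value type), so here is an added PowerShell example, not from the original post, that reads the current NPF Start value, reports what the Service Control Manager thinks of the service and whether any dumpcap.exe processes are stuck, and sets Start to 3 (SERVICE_DEMAND_START) only after a -WhatIf preview. The service name npf and the key path are the ones the post gives; the check for leftover dumpcap.exe processes is my addition. Run it elevated, and reboot afterwards as the post says.

```powershell
# Added example, not from the original post: inspect and, if needed, fix the
# NPF (WinPcap) service start type. Start=3 is SERVICE_DEMAND_START, the value
# the post prescribes. Run from an elevated prompt; a reboot is still needed.

$NpfKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF'
$DemandStart = 3

function Get-NpfStartType {
    # Returns the current Start value, or $null if the NPF key is absent
    # (WinPcap not installed, or installed as a differently named service).
    if (-not (Test-Path $NpfKey)) { return $null }
    (Get-ItemProperty -Path $NpfKey -Name Start -ErrorAction Stop).Start
}

function Set-NpfDemandStart {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = Get-NpfStartType
    if ($null -eq $current) {
        Write-Warning "Registry key $NpfKey not found; is WinPcap installed?"
        return
    }
    if ($current -eq $DemandStart) {
        Write-Host "NPF Start is already $DemandStart (SERVICE_DEMAND_START); nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess($NpfKey, "Set Start from $current to $DemandStart")) {
        # REG_DWORD, the same type the existing value uses.
        Set-ItemProperty -Path $NpfKey -Name Start -Value $DemandStart -Type DWord
        Write-Host "NPF Start changed from $current to $DemandStart. Reboot to apply."
    }
}

# Current state: registry value, SCM view of the service, and any dumpcap.exe
# instances left behind by a hung Wireshark launch (the symptom in the post).
"NPF Start value: $(Get-NpfStartType)"
Get-Service -Name npf -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
Get-Process -Name dumpcap -ErrorAction SilentlyContinue | Select-Object Id, StartTime

# Preview, then apply:
Set-NpfDemandStart -WhatIf
# Set-NpfDemandStart
```

If Get-NpfStartType returns $null, the problem is not the one described in the post, and editing the key would only create an orphaned service entry; check what the installed capture driver is actually called before going further.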