BadBIOS: Worst fears realized or just fearing the worst?

Last week, word hit about a piece of malware referenced as BadBIOS.  Reported by Dragos Ruiu, founder of the Pwn2Own contest and a respected member of the security community, it’s said to be able to communicate with other infected systems via the sound hardware, similar in some ways to a modem.

There are still a TON of questions about this. As far as I’ve read, few if any other people have seen the hardware, but the researcher himself is considered trustworthy. I’ve seen a lot of reports that get the information wrong, like a report that BIOS was infecting BIOS via the sound capabilities, which is not (so far as I can tell) what is being claimed. It seems that what is present is an incredibly resilient and persistent piece of malware that can communicate with other similarly-infected systems via the sound card, and that apparently affects more than one operating system: it has successfully infected Apple’s OS X and Windows, as one might expect, but also Linux and even OpenBSD, the latter of which is a very unusual target.

This is, in some ways, what was feared by many when Intel said it wanted to move from BIOS to EFI/UEFI.  Intel had some very good reasons for this, as the capabilities of BIOS were interfering with general computing hardware advancement, but when you put what amounts to an operating system in the firmware with room to expand, there stands a good chance that it’s going to be abused.  UEFI sits under everything, and while it’s not quite a virtual machine host (yet), it has many of the same capabilities, since it can easily read what passes between hardware components, giving it the ability to alter data at many points.  It also makes it extremely difficult to pry out, as few if any malware detection mechanisms can look into the hardware.

Based on a recent (mediocre) book series I’ve been reading, the thought crossed my mind that it may have been secretly sent to one or more researchers so that they would find it specifically in order to derail some secret capability developed by a state-sponsored agency or group. That’s getting into conspiracy theory, something I don’t tend to do, but those happen online more than they happen in meatspace.

In any case, it’s still something I’m watching, and I’m sure there are researchers working to develop similar capabilities. It’s not something I worry about hitting my systems, because the complexities of doing so are enormous. Most computer hardware is built to handle very specific information, but the microphones still start and speakers still end as analog, and the quality of both diverges significantly from one system to the next, even within the same model of hardware. I can see how data can be delivered via sound–we’ve done it for decades with modems–but aside from targets picked very carefully, I have difficulty believing that this could be used for something widespread, especially since the infection mechanism needs a different entry point.

It’s an interesting piece of targeted malware (if real), but it’s not going to take over the world.

Fedora on the Asus 1015E

For anyone that happens to be struggling with getting Fedora 19 installed on the Asus 1015E, at least with BIOS revision 303, it appears that there’s something in the installer kernel (3.9) that doesn’t agree with the system.  Fedora 20 (kernel version 3.11) does work, though since it’s currently in pre-Alpha state, you’re installing it at your own risk.

Other than that, it’s a great little $200 notebook.

Court rules against Google, makes all infosec people wiretappers

On 10 September 2013, the US Ninth Circuit Court of Appeals ruled against Google in Joffe v. Google over its capture of payload data from unencrypted WiFi networks while it was capturing Street View images from its specially-equipped cars.  In some sense, this isn’t surprising, but the way that the decision was worded makes it appear very easy for anyone to accidentally become a wiretapper, and puts in danger those of us who perform captures for a living.


Recovering root password on Fedora 19

I ran into a problem a few weeks ago with my Linux system.  After performing a kernel update and rebooting, I couldn’t remember the disk encryption password.  I tried for an hour or more, running through all of the passwords I could think of, including new combinations and possible miskeys, but nothing worked.  Finally, I shut it off in frustration.

Last night, I figured I’d take another crack at it.  After nearly 30 minutes, I finally stumbled across the right password, and it was something that I’d tried before several times both last night and during the previous failure but apparently managed to miskey it a few dozen times.  Success!

Until I tried to log in.

Password for my account?  Wasn’t happening.  Couldn’t remember what it was.  Worse, I couldn’t remember the root password, either.  OK, I figure.  I’ll just reboot into single-user mode and reset the password.

It wasn’t quite that simple.


Google sacrifices privacy in the name of speed

A couple of days ago, I was invited by Google to enable a new mobile Chrome feature. Thinking that perhaps this was the new QUIC protocol, I went ahead and accepted. What I got instead was an offer to run all cleartext traffic through Google’s proxy servers.

Still in extremely limited, invitation-only beta, Google’s claims regarding improved performance are probably accurate.  Being in the middle of the connection, the proxy certainly can compress traffic and convert images to a format better suited for a mobile device, particularly one with low screen resolution, reducing the amount of data to be downloaded and thus improving network performance, especially over slower connections. Exceptions would be made for HTTPS traffic and anything coming from an Incognito session.

But this is at a severe cost in privacy.  Every single unencrypted connection in a normal browser session would run through Google’s servers, allowing not only possible interception of passwords and other sensitive data (remember that not all data is legally protected) but also the possibility of feeding otherwise hidden pages into Google’s index.  Despite the potential (certainly not assured) speed advantages, I fear that Google will at least make this a prominent option for users to enable without understanding the risks.  Most people will choose convenience (in this case speed) over security given the option.

This is one of those things that I’ve long warned against.  I’m fine with home filters, but those are generally under the owner’s control.  A proxy that you don’t control gives ultimate power to whoever does own the proxy.  It could block the traffic for any (or no) reason, and the information that the user gets back about the block may or may not be accurate.

It also makes for a central point of monitoring that any government would love to have the opportunity to use.  Looking at things optimistically, I’m sure the FBI would love to tap it in criminal cases, but there are plenty of other countries (like India) that are trying to or have set up monitoring as a fact of life, and I doubt that those countries’ networks will be made exempt from this feature.

I can’t get excited over this at even the most basic level. Usually when I see a new Google feature, I see what they’re trying to do even if the implementation is a little iffy. However, in this case I really can’t see the net good to come from it.

Extraordinary times and measures: How the NSA might justify its unjust actions

There’s a long history in the United States of backing the hero doing the wrong thing for the right reason.  We love movies like Dirty Harry, Lethal Weapon, Beverly Hills Cop, and Hard Boiled where the good guy (usually a cop) finds no other way to get the bad guy than to break the law.  At the same time, some of the best villains are seen to have done the wrong thing for the right reason: Gen. Hummel in The Rock exemplifies this when he takes hostages to force the government to tell the truth about the deaths of Special Forces soldiers over the years.

While those are fantasy worlds, there’s also a long history of sympathy for those real people who break the law for what society (or parts of it) deem to be the right reason.  From those who resort to cannibalism to survive to those who refuse to disperse while in largely peaceful protest to a president who ignored separation of powers and ordered military trials of civilians, we look upon them with approval or at least forgiveness because we realize that sometimes extraordinary times require extraordinary measures.

But most of these approvals of real actions are in hindsight.  At the time of the action, they are often controversial, even unpopular.  But perhaps there’s another aspect to them that is often overlooked: they’re not happening to us.  When an action doesn’t directly affect a person, they’re less likely to take a strong negative view on it than when they see a real or potential impact in their own lives.

This happens when we hear about the reality of combat, especially if we know someone who has been in the fighting.  Even if we disagree with the war, we tend to give the benefit of the doubt to the individual because we want to trust that they did the right thing at the time even if it was illegal or usually considered immoral or unethical.  But when we specifically are caught in the cross-fire, literally or figuratively, we tend to have a very different view.

And that’s what I think has caused the uproar over the NSA surveillance.  Don’t get me wrong–I have some serious issues with it, too–but when there was reason to believe that it was primarily happening to people in other countries or to potential terrorists in the United States, people didn’t get too worked up over it.

Now that the Snowden documents have revealed ever-increasing surveillance of many millions of Americans–perhaps nearly all of them–it’s suddenly hit home that the average person could come under suspicion for the simple act of making or taking a phone call, visiting a website, or chatting with a friend.  We start to worry that in connecting various dots, we could become a dot, and the known protections against this are nebulous at best.  We have only claims from the government which include a court that has little or no adversarial activity.  And that’s not good enough.

It doesn’t help that for most people, the NSA is a faceless entity.  Most people don’t know anyone who works there, or if they do they don’t realize it as those who draw an NSA paycheck generally don’t advertise it.  When we can’t put a familiar face on an activity, the motives become questionable, even sinister, because we have no one to question.

I’ve known some who have worked for some of these agencies.  One shared trait is not talking about foreign affairs, usually for the same reason.  From the inside, those with a TOP SECRET/SCI clearance see things that change their view of the world.  I’ve been told by someone who would know that the average stay in the NSA’s counter-terrorism group is two years or less; after that, they burn out.  They see so much that the general public not only doesn’t get but doesn’t want to see that they can’t talk even about things not covered by their clearance.  It’s just too frustrating.

And maybe that’s led to scope creep.  The analysts and their bosses are, at least in their minds, dealing with extraordinary times and they require extraordinary measures.  If we had just done this one other thing, maybe we would have caught the attack before it could do damage.

I imagine this happens fairly regularly.  Someone comes up with an idea, someone else expresses discomfort, it gets bounced around the lawyers and perhaps the White House, and then a rationale is provided.  I expect not everything is approved.  Some things are too complex, too expensive, too niche, or just too blatantly unconstitutional.  And sometimes there’s very strong push-back.  But someone, somewhere, comes up with a legal reasoning and those who are not steeped in the law tend to go with it.  It becomes easy to justify: We’re not the legal experts, we need this capability, it will save lives.  Extraordinary times, extraordinary measures.  That’s what they tell themselves.

But in extraordinary times, it takes extraordinary people to stand up against the illegal and unconstitutional.  It’s critical that those protecting us remember what is being protected.  People are being protected, but so is the foundation on which the country was built.  That foundation has served for more than 200 years as an inspiration to people everywhere.  The personal rights enshrined in the United States Constitution have largely become the accepted way that things should be around the world.  When they’re set aside by stretched reasoning, even for extraordinary times,  it undermines the very foundation of our society.  Edward Snowden remembered that, and whatever his personal faults and mistakes, his actions have opened our eyes and caused an international discussion about how much is enough.

Yes, something might slip through.  Another Boston Marathon bombing may happen.  But even in its aftermath the country and–more importantly–its ideals survive.  There are times when the wrong thing is the right thing to do.  But it’s the exception, never the rule.  Extraordinary measures used every time become ordinary–and wrong.  And we must remember that, whether we are an average citizen, a police officer, a soldier, an intelligence analyst, or a president.

Compilation of NIST docs with sensible filenames

For some time, I’ve been collecting NIST SP800 and FIPS documents to have locally, such as when in a meeting and the need comes to reference one of them.  I have some of the older versions around, too.  A few months ago, I started renaming the files themselves with a more normalized format, and recently thought that others could use them.  The format is generally <document number>-<YYMM>-<suffix> – <Description>, though there is some slight variation.  I typically don’t keep drafts around, so you won’t find them here.  The lists themselves are after the break.
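As an added illustration (not the author’s tooling), here is a small parser for the naming convention above that pulls the document number, YYMM date and suffix out of each filename and picks the newest copy of each document when older versions are kept alongside. It assumes the suffix may be absent, that a spaced en-dash or hyphen precedes the description, and a two-digit year pivot (70-99 is 19xx); the sample filenames are constructed, not the author’s list.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, NamedTuple, Optional

# Filename convention from the post: <document number>-<YYMM>-<suffix> – <Description>
# Assumptions (mine, not the author's): the suffix may be absent, the separator before the
# description is a spaced en-dash or hyphen, an optional .pdf extension follows, and the
# two-digit year uses a pivot (70-99 -> 19xx, otherwise 20xx).
_PATTERN = re.compile(
    r"^(?P<number>.+?)-(?P<yymm>\d{4})(?:-(?P<suffix>[^\s–]+))?\s+[–-]\s+(?P<desc>.+?)(?:\.pdf)?$",
    re.IGNORECASE,
)


class NistDoc(NamedTuple):
    number: str            # e.g. "SP800-53" or "FIPS197"
    date: datetime         # first of the month encoded in the YYMM field
    suffix: Optional[str]  # revision marker such as "r4", or None when absent
    description: str


def parse_filename(name: str) -> NistDoc:
    """Split one filename in the post's convention into its fields."""
    m = _PATTERN.match(name)
    if m is None:
        raise ValueError(f"not in <number>-<YYMM>-<suffix> – <Description> form: {name!r}")
    yy, mm = int(m["yymm"][:2]), int(m["yymm"][2:])
    if not 1 <= mm <= 12:
        raise ValueError(f"bad month in YYMM field: {name!r}")
    year = 1900 + yy if yy >= 70 else 2000 + yy  # assumed pivot, see above
    return NistDoc(m["number"], datetime(year, mm, 1), m["suffix"], m["desc"])


def latest_versions(names: Iterable[str]) -> Dict[str, NistDoc]:
    """Return, per document number, the entry with the most recent YYMM date."""
    latest: Dict[str, NistDoc] = {}
    for name in names:
        doc = parse_filename(name)
        current = latest.get(doc.number)
        if current is None or doc.date > current.date:
            latest[doc.number] = doc
    return latest


# Constructed sample filenames in the post's convention (not the author's actual list).
SAMPLE_FILENAMES = [
    "SP800-53-0908-r3 – Recommended Security Controls for Federal Information Systems and Organizations.pdf",
    "SP800-53-1304-r4 – Security and Privacy Controls for Federal Information Systems and Organizations.pdf",
    "SP800-63-1112-1 – Electronic Authentication Guideline.pdf",
    "FIPS197-0111 – Advanced Encryption Standard.pdf",
    "FIPS46-3-9910 – Data Encryption Standard.pdf",
]

if __name__ == "__main__":
    for number, doc in sorted(latest_versions(SAMPLE_FILENAMES).items()):
        print(f"{number:10} {doc.date:%Y-%m} {doc.suffix or '-':4} {doc.description}")
```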


The NSA’s Attention Span: Widely Focused on the Narrow

When the power of a nation-state is directed upon you, they have resources that completely boggle the mind.  This applies even if it’s a minor power: Estonia, Hungary, and Cambodia all have their own capabilities and, while very small compared to some, your ability to hide from a country that makes you Priority One is limited.  They have seasoned pros that are in all likelihood a lot better than you are, and the allies they call in when they need help are even more dangerous to you.

But of all the agencies, the National Security Administration possesses perhaps the most impressive capability for finding information on the planet.  This comes largely from being funded at a level that completely dwarfs every other nation (the NSA’s actual budget is classified, but it is believed to have received at least $10 billion and perhaps as much as $20 billion in the 2012-13 intelligence community budget) and having access to an array of locations and technologies that few if any other nations possess. Many of its listening posts (not including temporary posts on ships, in aircraft, and set up in vehicles or shacks) are known even if exactly what each does is not, and their presence around the world shows the reach the NSA has through US allies.  Their technological edge includes supercomputers, interception methods, and hacking capabilities that render most defenses nearly moot.

The previous article discussed the difficulties associated with encryption, both in getting it right and in circumventing it by accessing the data via other means when it’s not encrypted.  In short, it requires some very careful planning to make sure that your implementation, from both a technical and an operational perspective, is as solid as it can be, and this is where most people fail.

This is not to say that encryption is useless.  Far from it.  If you’re trying to secure information from competitors, random attackers, or other enemies, it’s one of the best tools available.  Even if you’re doing something that a national agency doesn’t want you doing, it’s better to encrypt than to not, if possible and practical.  And there are ways to give even the most powerful adversary a headache.  But if you come under the scrutiny of the NSA, it becomes exceptionally difficult to effectively hide the contents of the message unless you take very specific precautions and you do it without failure every single time.

From this rises the second question from the last article: how do you avoid the NSA if they’re looking for you?  This turns out to be extraordinarily difficult not only because of the NSA’s reach into the world’s communications but also the legal framework in which the NSA operates.  We’ll start by looking at how far and with what difficulty the NSA can actually look.


Trust and the NSA: They’re Not Mutually Exclusive

The National Security Administration has, for good reason, been front and center in the news for the last couple of months.  What the NSA is mostly known for is signals intelligence (intercepting someone else’s communications) and cryptography.  It was founded in 1952 out of the ineffectual Armed Forces Security Agency for that specific purpose, in fact.  That mission has led it to tapping communications lines, setting up vast antenna arrays, and putting analysts in frigid shacks on the sterns of destroyers pitching in the stormy North Sea, all dedicated to trying to get The Other Guy’s communications.  And when it does get them, it tries to crack the encryption used (if any) and succeeds a lot.

In addition to that, the NSA has been tasked to ensure that communications for the United States government are secure.  It does this in a number of ways that include preventing leakage of the signals in the first place, but it’s most famous for its work in cryptography.  And if there’s one thing that they know, it’s that crypto is hard.

It knows that for one main reason, and that is its code-breaking section.  One of that section’s first duties, of course, is to break other nations’ codes.  But it also tries to break algorithms in and from the United States.  Any time the agency tasks someone to create or improve an encryption algorithm, another group that specializes in finding weaknesses in crypto algorithms is tasked to break it.  If that happens, it gets sent back to be fixed if possible or scrapped if not.  This is a good thing: if your friend can break your algorithm, there’s a good chance that your enemy can, too.

So take a worldwide coverage and world-renowned crypto capabilities and combine them with the NSA’s mission, which has been eloquently stated, “The ability to understand the secret communications of our foreign adversaries while protecting our own communications–a capability in which the United States leads the world–gives our nation a unique advantage.”  In short, break theirs while protecting ours.  Part of protecting ours is ensuring that the encryption used, particularly by the federal government, is not breakable while taking every available opportunity to break the encryption used by others.

Take this combination, and two questions naturally rise to the top.

  • How much do you trust the NSA?
  • How hard is it to avoid them if they’re looking for you?

It turns out that these are not easy questions to answer.  While there have been a lot of suspicions about whether the NSA has looked at only foreign traffic over the years, at least without a warrant, it was hard to find proof save for the rare leak.  Even the information that has come along in the documents so far released by Edward Snowden hasn’t made the extent of surveillance completely clear, and that makes it even harder to answer the questions.  We’ll look at the first of those questions today, and the second question in the next article.


Free Microsoft e-books

Here are some links I found a while back to free ebooks from Microsoft on a ton of topics including Windows (desktop and server), SQL Server, SCCM, Sharepoint, and application development.  The selection covers the range from beginners to advanced.

Large collection of Free Microsoft eBooks for you, including: SharePoint, Visual Studio, Windows Phone, Windows 8, Office 365, Office 2010, SQL Server 2012, Azure, and more.

Another large collection of Free Microsoft eBooks and Resource Kits for you, including: SharePoint 2013, Office 2013, Office 365, Duet 2.0, Azure, Cloud, Windows Phone, Lync, Dynamics CRM, and more.

Huge collection of Free Microsoft eBooks for you, including: Office, Office 365, SharePoint, SQL Server, System Center, Visual Studio, Web Development, Windows, Windows Azure, and Windows Server