Show notes: Risky Business #251

Links! PDFs! Papers!
August 23, 2012

Here are the news items discussed at the top of episode 251 of the Risky Business podcast.

I've also included some items that didn't make the final cut that you may find interesting anyway.

Google to Hold Pwnium 2 Contest, Offers $2M in Rewards | threatpost
http://threatpost.com/en_us/blogs/google-hold-pwnium-2-contest-offers-2m...

Google Building Privacy Red Team | threatpost
http://threatpost.com/en_us/blogs/google-building-privacy-red-team-082212

Assange Calls on U.S. to End 'Witchhunt' Against WikiLeaks | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/08/assange-speech-at-embassy/

WikiLeaks Back Online after Sustained DDoS Attack | threatpost
http://threatpost.com/en_us/blogs/wikileaks-back-online-after-sustained-...

Paydirt: Vulnerabilities found to foil popular DDoS toolkit - Networks - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/312341,paydirt-vulnerabilities-found-t...

Sabu Gets 6-Month Sentencing Delay for Continuing to Help Feds | Threat Level | Wired.com
http://www.wired.com/threatlevel/2012/08/sabu-delay/

New law to control cyber data
http://www.theage.com.au/technology/technology-news/new-law-to-control-c...

Half a million credit cards stolen from Aussie business - Networks - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/312025,half-a-million-credit-cards-sto...

Melbourne IT: we didn't lose one customer over AAPT hack | ZDNet
http://www.zdnet.com/au/melbourne-it-we-didnt-lose-one-customer-over-aap...

DarkComet RAT Used in New Attack on Syrian Activists | threatpost
http://threatpost.com/en_us/blogs/darkcomet-rat-used-new-attack-syrian-a...

Some Signs Point to Shamoon as Malware in Aramco Attack | threatpost
http://threatpost.com/en_us/blogs/some-signs-point-shamoon-malware-aramc...

Crisis Trojan Makes Its Way onto Virtual Machines | threatpost
http://threatpost.com/en_us/blogs/crisis-trojan-makes-its-way-virtual-ma...

Phishing for Fanboys with Phony iPhone 5 Images | threatpost
http://threatpost.com/en_us/blogs/phishing-fanboys-phony-iphone-5-images...

Researcher Finds iPhone Bug Allows SMS Spoofing | threatpost
http://threatpost.com/en_us/blogs/researcher-finds-iphone-bug-allows-sms...

Microsoft Warns Users About ChapCrack Tool Availability | threatpost
http://threatpost.com/en_us/blogs/microsoft-warns-users-about-chapcrack-...

Twitter to Update API to Require Authentication | threatpost
http://threatpost.com/en_us/blogs/twitter-update-api-require-authenticat...

BBC News - Tesco web security 'flaw' probed by UK data watchdog
http://www.bbc.co.uk/news/technology-19316825

Hotel Lock Firm's Security Fix Requires Hardware Changes For Millions Of Keycard Locks - Forbes
http://www.forbes.com/sites/andygreenberg/2012/08/17/hotel-lock-firms-fi...

Seeing Through Walls With a Wireless Router | Australian Popular Science
http://www.popsci.com.au/technology/seeing-through-walls-with-a-wireless...

RuggedCom Devices Have Hard-Coded SSL Keys | threatpost
http://threatpost.com/en_us/blogs/ruggedcom-devices-have-hard-coded-ssl-...

Apple Patches Remote Desktop Flaw | threatpost
http://threatpost.com/en_us/blogs/apple-patches-remote-desktop-flaw-082112

Serious Vulnerabilities Remain in Reader After Huge Patch Release, Researchers Say | threatpost
http://threatpost.com/en_us/blogs/serious-vulnerabilities-remain-reader-...

Adobe Releases Critical Flash, AIR Update | threatpost
http://threatpost.com/en_us/blogs/adobe-releases-critical-flash-air-upda...

Flash Player vulnerable again a week after patching | ZDNet
http://www.zdnet.com/au/flash-player-vulnerable-again-a-week-after-patch...

ICS-CERT Warns of Serious Flaws in Tridium Niagara Software | threatpost
http://threatpost.com/en_us/blogs/ics-cert-warns-serious-flaws-tridium-n...

Melbourne researchers hide crypto keys on terabyte disc - Crypto - SC Magazine Australia - Secure Business Intelligence
http://www.scmagazine.com.au/News/312300,melbourne-researchers-hide-cryp...

ho.ax/downloads/De_Mysteriis_Dom_Jobsivs_Black_Hat_Paper.pdf
http://ho.ax/downloads/De_Mysteriis_Dom_Jobsivs_Black_Hat_Paper.pdf

ho.ax/downloads/De_Mysteriis_Dom_Jobsivs_Black_Hat_Slides.pdf
http://ho.ax/downloads/De_Mysteriis_Dom_Jobsivs_Black_Hat_Slides.pdf

The hunting of the snark, or the martyrdom of St Julian
http://www.theage.com.au/opinion/politics/the-hunting-of-the-snark-or-th...

Comments

snare

Hey Dan,

Yeah, what you're suggesting would require that EFI use a full virtual memory implementation. EFI uses a flat 32-bit memory model without any paging or memory protection, so there is no real separation or access control between the memory and I/O address space that is accessible by each EFI application and driver. So there'd have to be quite a bit of OS kernel-like functionality added to the EFI core to pull it off.

A problem with this scenario is that malicious code loaded from an option ROM driver could still interfere with communications between the firmware and that specific piece of hardware. For example, an ethernet driver could modify traffic entering and exiting the system, or pass back maliciously-crafted data structures to the firmware. I guess this would mean a lot of the EFI code would have to be updated to take this type of behaviour into consideration. Another, probably more useful (from an attacker's perspective), example is a malicious disk controller driver which could modify disk reads and writes, allowing it to patch the bootloader/kernel/etc as it was read from the disk by EFI.

I guess the point is a lot of other scenarios would have to be considered, and restricting what is executed in the first place is probably a lot easier than restricting what driver code can do once it's loaded.

I'm certainly not an expert in firmware/kernel design, so it's possible that there are other problems and other solutions that I'm not seeing, but I hope this answers your question.

Cheers,
Loukas

dan

It certainly answers most of the questions. A virtualised EFI loader environment was what I was getting at. It would be a lot of work for the developers of EFI. I could be missing where the option ROM and firmware origins are when I was thinking about this; however, I will look it up.

Nice thought on using EFI to maintain malware persistence.

Really liked the research you've done here.

Thanks for the detailed response Loukas.

dan

With EFI drivers, can the boot process restrict the drivers to just interfacing with the hardware where they were obtained and perhaps exposing an API? This would mean a whole set of preboot isolation techniques, but if possible it would void the main need for PKI-based secure boot.

snare

Whoops, reply above!
