1. 10

Linked to Schneier’s writeup, because it has a summary, links to the exploit in the NSA catalog, and the comments are illuminating.

  2. 4

    If by some miracle none of these technologies have yet made their way into the hands of organized crime, it’s a pretty good bet they are now taking stock of what they can offer NSA techies in exchange for a few thumb drives full of these toys.

    This is one of the biggest concerns I have over all this; while the NSA almost certainly has the largest budget for exploiting systems, there are plenty of others with the skills and large enough budgets to find and utilise these types of exploits. In this case, the NSA’s mandate to protect US national security systems (which increasingly rely on COTS systems) is being thoroughly damaged by a focus on their other mandate, producing foreign SIGINT.

    The NSA/CSS core missions are to protect U.S. national security systems and to produce foreign signals intelligence information.

    (from the NSA homepage)

    1. 2

      I agree and it is a concern, but so far I haven’t seen many examples of backdoors that could be exploited by people other than the NSA. To pick a few examples:

      There’s tapping into undersea cables. Anybody with a submarine could do that, but the fact that the NSA did it doesn’t appear to make it easier for anyone else.

      There’s predictable ECRNG numbers. Anybody with the master key can predict random numbers, but afaik discovering that master key is equivalent to breaking EC crypto in general. Presumably the NSA keeps the master key locked up nice and tight, but… maybe not. On the bright side, it’s not a general weakness like every third number is 42.

      There’s BIOS backdoors, such as the featured item. This sounds like it has to be installed, it’s not baked into every Dell in the world. Of course, if the NSA has targeted you, now you’re vulnerable to somebody piggybacking on that exploit. I notice though that the delivery seems to be via USB stick. I wouldn’t put it past the capabilities of a crime syndicate to get somebody with a USB stick in physical proximity to your server, either, though.

      There’s whatever disputed “send us all of this user’s gmail” mechanism exists. There’s probably the potential to socially engineer Google into divulging info via fake court orders, but subpoenas have been around longer than the NSA.

      The potential for abuse mostly seems limited to the NSA and bad actors within the NSA (LOVEINT).

      Having just written all that and rereading your comment, I think what you are saying is not that the NSA is opening the door to other bad actors, but rather that the NSA should be informing vendors about the exploits it has found to prevent their use by others. I agree they have compromised their protection mission in order to assure the continued success of offensive operations.

      1. 2

        There’s tapping into undersea cables. Anybody with a submarine could do that, but the fact that the NSA did it doesn’t appear to make it easier for anyone else.

        Agreed, and I would certainly hope the security on these is such that it would be noticed.

        There’s BIOS backdoors, such as the featured item. This sounds like it has to be installed, it’s not baked into every Dell in the world. Of course, if the NSA has targeted you, now you’re vulnerable to somebody piggybacking on that exploit. I notice though that the delivery seems to be via USB stick. I wouldn’t put it past the capabilities of a crime syndicate to get somebody with a USB stick in physical proximity to your server, either, though.

        DEITYBOUNCE specifically mentions remote access. I’m not sure whether to read into that as being a remote vulnerability or some other means, but it is discomfiting.

        The potential for abuse mostly seems limited to the NSA and bad actors within the NSA (LOVEINT).

        It’s not unheard of for government employees to be compromised for foreign intelligence or crime, so this is still worrisome to me.

        Having just written all that and rereading your comment, I think what you are saying is not that the NSA is opening the door to other bad actors, but rather that the NSA should be informing vendors about the exploits it has found to prevent their use by others. I agree they have compromised their protection mission in order to assure the continued success of offensive operations.

        That is really the point of my comment.

        1. 2

          Through remote access or interdiction, ARKSTREAM is used to reflash the BIOS on a target machine to implant DEITYBOUNCE

          So I think DB is just the persistent malware. AS is the exploit tool they use to deliver it? Or AS is just a remote control tool? I’m amazed they can keep it all straight.

          Maybe they use the HAMMEROFZEUS to exploit a system and load the ARKSTREAM VNC server onto it, and then via ARKSTREAM implant the BIOS malware DEITYBOUNCE. DEITYBOUNCE in turn reinstalls ARKSTREAM every boot to prevent disinfection. As always, it’s the HAMMEROFZEUS you really have to watch out for…

          (your comment is unfortunately formatted to look like nothing but a fullquote of mine.)

          1. 1

            (your comment is unfortunately formatted to look like nothing but a fullquote of mine.)

            I just noticed that, which is probably why it was flagged as spam. Must have been something with the email reply, Markdown can be a bit touchy sometimes.

            It’s amazing they can keep it all straight (assuming they also keep a straight face while throwing all these names out there).

            1. 2

              I just noticed that, which is probably why it was flagged as spam. Must have been something with the email reply, Markdown can be a bit touchy sometimes.

              Markdown requires a full empty line between a quoted paragraph and your reply line, or it merges it into the quote. I’ve fixed the formatting of your comment (and doubled the time allowed to edit comments to 90 minutes).

            2. 1

              As always, it’s the HAMMEROFZEUS you really have to watch out for…

              There will be many HAMMEROFZEUS vectors until reliable (solved, kind of) and performant (the hard part) total address space invariant enforcement is in widespread use. We can still build cost-effective software and hardware that significantly reduce the implications of that issue. One interesting debate that occurred on this subject followed Joanna Rutkowska’s 2007 Black Hat talk introducing the Blue Pill rootkit developed by her and others at the Invisible Things Lab. The rootkit functions by taking a non-virtualized OS, gaining root access through some means, and “hoisting” the OS into a virtualized state with Blue Pill as the hypervisor.

              This sparked a long back-and-forth between people claiming that it would still be easy to detect the malicious hypervisor’s presence by measuring the time certain syscalls take to execute, among other things, and Joanna replying by demonstrating how Blue Pill could simply forge the information that the now-guest OS has. Basically, the OS becomes Truman in the Truman show, with the malicious hypervisor determining everything that the OS could possibly observe, know or think about the outside world. Like the Truman show, however, it is not easy to ensure that everything observed by the OS is consistent with an expected view of the world. Technically, she was right. But practically? I think it’s pretty hard to create a program that complicated that accounts for all possible inputs :)

              Anyway, the rootkits that the NSA is employing can be detected. People are just starting to look harder for them, and I think we are going to be safer due to the work that comes out of this. There are a lot of invariants to check, but a huge number of those can be checked inexpensively - both economically and computationally.
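An added example, not code from the thread or from the Blue Pill project, of the timing-based detection the comment above describes: CPUID forces a VM exit under hardware virtualization, so its cost in TSC cycles jumps when a hypervisor is underneath the OS. The 1000-cycle threshold and the sample count are assumptions, and a hypervisor that virtualizes the TSC can mask the difference, which is exactly the forging argument from the debate.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>

/* Cycles between two TSC reads around one CPUID (an unconditionally
   intercepted instruction on VT-x/AMD-V). */
static uint64_t cpuid_cycles(void) {
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}
#else
/* No CPUID on this architecture; the check is not applicable. */
static uint64_t cpuid_cycles(void) { return 0; }
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples, so interrupts and cache misses do not skew one read. */
uint64_t median_cpuid_cycles(int n) {
    uint64_t *s = malloc((size_t)n * sizeof *s);
    for (int i = 0; i < n; i++) s[i] = cpuid_cycles();
    qsort(s, (size_t)n, sizeof *s, cmp_u64);
    uint64_t m = s[n / 2];
    free(s);
    return m;
}

/* Heuristic: bare-metal CPUID costs on the order of 100-200 cycles; a VM exit
   round trip usually costs well over 1000. The threshold is a constructed value. */
int looks_virtualized(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

int main(void) {
    uint64_t m = median_cpuid_cycles(1001);
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)m,
           looks_virtualized(m, 1000) ? "hypervisor suspected" : "no VM exit observed");
    return 0;
}
```

Run it on a known bare-metal box and inside a VM to calibrate the threshold for your hardware before trusting the verdict.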

      2. 1

        Dell has responded to this news. It’s a short, almost content-free post, but they do make the claim

        Dell does not work with any government – United States or otherwise – to compromise our products to make them potentially vulnerable for exploit. This includes ‘software implants’ or so-called ‘backdoors’ for any purpose whatsoever.