Thursday, August 15, 2019

Uh... why does firmware need to send EHLO?

So, anyway, a little while ago, we stumbled across a program in firmware that seems to be sending an EHLO. The program in question also seems to have a UID and PW in plaintext.

It also _seems_ to have the capability of starting a TLS connection.

Now, I’m not saying the vendor is doing anything wrong, but it is just a bit of a surprise to find.

Also, it is not yet clear if communications are hidden from the OS, but they could easily be.

The program in question is about 27k in length, of compiled C, so it takes some time to study. Analysis continues.

Oh, but this caused us to look for other examples of EHLO in firmware, and, lo and behold, we found another vendor, who seems to have that capability. This particular program is over 600k, so will take a little while to analyze properly.

Again, I’m not suggesting that they are doing anything malicious. It’s just a surprise, and it makes one wonder what else might be found. There do seem to be other firmware programs that are capable of starting TLS. Oh, and it also makes us wonder if it is exploitable.

Watch this space.
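The find described above (an SMTP EHLO, plaintext credentials and STARTTLS support inside a firmware blob) is the kind of thing a string-level triage pass turns up before anyone opens a disassembler. The following is an added example, not code from the blog or from either vendor: it scans a raw firmware image for SMTP verbs, reports each hit with its offset and surrounding bytes, and pulls the printable strings that sit right after an AUTH verb, since those are where a hard-coded user id and password would tend to live. SAMPLE_BLOB is a constructed stand-in for a real dump.

```python
"""Triage scan of a raw firmware image for SMTP-style indicators.

Added example, not code from the blog: walks a firmware blob for ASCII SMTP
tokens (EHLO/HELO, STARTTLS, AUTH ...) and reports each hit with its offset
and the printable strings nearby, so an analyst knows where to look next.
SAMPLE_BLOB is constructed; a real dump would be read with open(path, "rb").
"""
import re

# SMTP verbs that a piece of firmware has no obvious reason to contain.
SMTP_TOKENS = [
    b"EHLO ", b"HELO ", b"STARTTLS", b"AUTH LOGIN", b"AUTH PLAIN",
    b"MAIL FROM:", b"RCPT TO:",
]


def printable_strings(blob, min_len=4):
    """Return runs of at least min_len printable ASCII bytes, decoded
    (roughly what strings(1) prints)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_smtp_indicators(blob, context=16):
    """Locate SMTP tokens in blob; returns hits sorted by offset, each with
    `context` bytes either side so the caller can see what surrounds it."""
    hits = []
    for tok in SMTP_TOKENS:
        for m in re.finditer(re.escape(tok), blob):
            lo = max(0, m.start() - context)
            hi = min(len(blob), m.end() + context)
            hits.append({
                "offset": m.start(),
                "token": tok.decode("ascii").strip(),
                "context": blob[lo:hi],
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def triage(blob, window=64):
    """Summarise what an analyst wants to know before opening a disassembler."""
    hits = find_smtp_indicators(blob)
    tokens = {h["token"] for h in hits}
    # Printable strings right after an AUTH verb are candidate credentials;
    # they are only flagged here, never used.
    near_auth = []
    for h in hits:
        if h["token"].startswith("AUTH"):
            start = h["offset"] + len(h["token"])
            near_auth.extend(printable_strings(blob[start:start + window]))
    return {
        "smtp_hits": len(hits),
        "speaks_smtp": any(t in tokens for t in ("EHLO", "HELO")),
        "has_starttls": "STARTTLS" in tokens,
        "has_auth": any(t.startswith("AUTH") for t in tokens),
        "strings_near_auth": near_auth,
    }


# Constructed sample image: a fake header, then the strings a mail-capable
# module would carry. Offsets are noted for the reader.
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 28        # 32 bytes of fake header
    + b"EHLO device.local\r\n"       # offset 32
    + b"\x00" * 8
    + b"STARTTLS\r\n"                # offset 59
    + b"\x00" * 8
    + b"AUTH LOGIN\r\n"              # offset 77
    + b"firmware-mailer\x00"         # plaintext string right after AUTH
    + b"\x90" * 16
)

if __name__ == "__main__":
    for h in find_smtp_indicators(SAMPLE_BLOB):
        print(f"0x{h['offset']:06x}  {h['token']:<10}  {h['context']!r}")
    print(triage(SAMPLE_BLOB))
```

A hit on EHLO alone proves nothing (a help string or a debug message will match too), which is why the report keeps the offset and context: the analyst still has to confirm in the disassembly that the bytes are actually written to a socket. Running this over a dump of every module, as the post describes doing across vendors, is cheap compared with reading 600k of compiled C by hand.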

Wednesday, July 31, 2019

Uh ... secure boot might be trying to tell you something.

So, anyway, today this popped up on my Google Alerts...

Apparently, some people see a message that says "Secure boot violation. The system found unauthorized changes on the firmware, operating system or UEFI drivers.", and the article suggests that the answer is to (1) Turn off secure boot, and (2) Use a system restore point.

The article explains how to do those steps, and the upside is that turning off secure boot will stop you seeing the message, but the downside is that Secure Boot might be trying to tell you something. ;-)

The danger here is that malware is increasingly targeting firmware.

And, I might be wrong, but I don't think that using a system restore point will restore firmware.

If you do see such a message, you are better off to seek very professional help.

Just sayin'

Wednesday, July 3, 2019

Ok, that's kind of creepy, FaceBook

So, anyway, for some reason today, pictures on FaceBook are not rendering. In the overall scheme of things, this is neither here, nor there, and I'm sure it will soon be corrected.

In place of pictures, I see things like this: "image may contain three people, including xxxxxxxxx"

It seems highly unlikely that a human sat there, and added all these "may contain" messages, so therefore, some AI did.

That probably means that all pictures uploaded to FaceBook have had similar AI estimations applied to them.

On one hand, it's innocent, but on the other hand (the suspicious, cynical hand), one wonders how this might play out long term, especially in places like China.

Sigh. Privacy Revolution again, folks.

Thursday, June 6, 2019

Firmware dumper

Hi all,

We've made our Win10x64 firmware dumper available for download here, if anyone wants to give it a try. It's much easier than turning off secure boot, and booting off a thumb drive. It's probably not perfect, but it seems pretty good. If you get a firmware dump, you are also welcome to upload it to us at the same URL, for analysis.

Saturday, January 26, 2019

Privacy revolution again

So, anyway, I won’t mention Sandra’s name, but a friend of mine, who used to be a security geek, but is now a goat farmer, pinged me with a scary story yesterday.

She got a robo call from PayPal, advertising something, which might be a bit annoying, but that’s not scary.

As you generally do, with an unrecognized number, she let it go to voice mail, and the message asked her to call back a different number. Nothing entirely amazing there.

But here’s the scary bit. The spoofed number pretended to be from a really small town in PA, that she had only ever been to once before... and that was _earlier that day_.

Amazing coincidence, right?

Problem is, those of us in the security biz don’t tend to like coincidences, so the alternative is that something was tracking her.

She checked her settings for PayPal, but it showed that it only tracked her while using the app, and as far as she knew, she was not using the app.

So now we are left to wonder ... is something else selling its tracking data?

At this point, we simply don’t know, but there are certainly lots of apps (it is an iPhone) that are capable of tracking you all the time.

It’s either an amazing coincidence, or the Privacy Revolution in action.