Tuesday, January 28, 2020

Not cool, Edge.

So, anyway, Windows 10 likes to show me notifications from apps, and stuff, and mostly, that's ok, because I can turn them off from the Chatty Cathy things, and it's handy for the few important ones... and, mostly, they tell you which app it's coming from, so it's easy to turn it off if you don't want it... but ...

There was one that kept coming in, several times a day, and it was annoying, because it would frequently cover up something I was trying to read, or click on... and it wouldn't say what was putting it up.

The only clue I had was that it was from an Asian/English website, devoted to computer security and news, so I thought, "It must be a browser extension."

I have Edge, Chrome and Firefox on this box, so I started searching each of them for extensions.

Then, I got another notification, and no browsers were running.

Hmmmmmmmm again.

I was starting to believe my machine might be compromised, but given that I knew the name of the website, I decided to search the registry for that name, just to see if anything gave me a hint, and sure enough, I found a key associated with MicrosoftEdge\Notifications\Domains. There were about six domains there, including the Chatty Cathy one.

But then I thought, "Wait ... Edge is not running ... how can it be sending me notifications?", so I ran Task Manager, and sure enough, even though the Edge User Interface was not running, Edge _was_ running.

Armed with that knowledge, I was able to go into Edge Advanced Settings, and remove those domains. I don't remember doing it, but I guess I must have clicked on something that allowed those websites to send me notifications. A refresh of the registry showed they were indeed gone, and my laptop is appropriately quiet again, but the disquieting thing is that Edge is still running in the background, and is presumably quietly sharing information, and accepting requests from websites I don't know about.

I don't think there is much I can do about it, although the other browsers don't _seem_ to be running in the background, so I'll see. Maybe this was common knowledge, but I didn't know, so I'm sharing.

At an absolute minimum, this is the Privacy Revolution in action, or mis-action, and to paraphrase Bill Shakespeare and Macbeth, "I hope nothing malicious this way comes."

Tuesday, December 17, 2019

Firmware backdoors?

So, anyway, recently our colleagues at Eset published a paper that showed that a number of manufacturers had firmware modules with the word "AsusBackDoor" as part of the filename.

Armed with that very helpful name, we found some samples pretty quickly, and while the name was a bit alarming, it seems to be a legitimate function for resetting lost firmware passwords, so all is fine and well.

This, however, led us to wonder how many other modules might exist, with similar functionality, but without the helpful name portion, and guess what? There are quite a few. We seem to have identified at least five manufacturers with similar modules.

Again, they are probably all legit, but it does make one wonder.

We did find one sample with the word "infected" in it, but that _seems_ to be an experiment, from someone who is maybe a hobbyist.

The marines (I think) came up with the idea of getting Left Of Bang. ("Bang" roughly refers to some incident such as an IED exploding. Right of Bang refers to responding after the event. Left of Bang refers to preventing the Bang in the first place, which is clearly the desired action.)

All corporates, government bodies, and utilities, need to start auditing their firmware, before the Bang.

If you would like some help, please let us know. You can contact us at roger AT armor.ai

Security and functionality have always existed in an inverse relationship, and modern firmware (UEFI) is immensely functional.

We will continue to look for similar backdoor functionality. Stay tuned.

Wednesday, October 23, 2019

Check your firmware, folks.

So, anyway, a few days ago, I noticed a tweet about a Dell Optiplex 7070 bios upgrade that announced an enhancement of "Added BiosConnect feature which enables connection to Dell.com without an operating system. This feature also enables downloading a recovery image from the cloud through wired or wireless connection."

I thought that sounded interesting, so I decided to take a look, and sure enough, I quickly found the BiosConnect stuff, but then I found that Computrace had also been added.

Now, Computrace is a good, and helpful program, and if your computer is ever lost, or stolen, you'll be glad you have it, and the ability to download a recovery image to a computer with a broken OS is also useful, but ... one of the truths about computer security is that functionality and security tend to exist in an inverse relationship. In other words, the more functional, or powerful, you make something the less secure it tends to be, and we may be confident that the Bad Guys (tm) will always try to take advantage of such features.

Not only that, but some organizations don't want that sort of functionality in their computers... just in case.

The other interesting thing here is that the previous version of this firmware was 8 MB long, and had about 320 exes in it, and the new version is 16 MB, and has about 575 exes, so one wonders what other functionality has been added. We're still looking at that.
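The "before and after" count above is the kind of thing you can automate. The script below is an added example for this post, not the author's tooling: it walks a raw firmware dump for PE/COFF ("MZ" ... "PE\0\0") and UEFI Terse Executable ("VZ") headers, records each module's machine type and EFI subsystem, and diffs two dumps. It assumes the image has already been decompressed (for example with UEFITool), since it ignores firmware-volume and compressed-section structure; the two test images at the bottom are constructed header-only stubs, not real vendor modules.

```python
"""Inventory the executables embedded in a raw firmware image and diff two images.

Added example; not the blog author's tooling. Assumes the dump has been expanded
so that module headers sit uncompressed in the blob.
"""
import struct
from collections import Counter

PE_MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C2: "ARM-Thumb", 0xAA64: "ARM64"}
# PE subsystem values used by UEFI images (IMAGE_SUBSYSTEM_EFI_*).
UEFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
                   12: "EFI runtime driver", 13: "EFI ROM"}


def find_pe_images(blob):
    """Return one record per PE/COFF header whose DOS stub and PE signature line up."""
    records = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Optional header starts 24 bytes after "PE\0\0"; SizeOfImage is at +56
            # and Subsystem at +68 for both PE32 and PE32+.
            if (0x40 <= e_lfanew < 0x1000 and pe + 24 + 70 <= len(blob)
                    and blob[pe:pe + 4] == b"PE\0\0"):
                machine, = struct.unpack_from("<H", blob, pe + 4)
                magic, = struct.unpack_from("<H", blob, pe + 24)
                if magic in (0x10B, 0x20B):
                    size_of_image, = struct.unpack_from("<I", blob, pe + 24 + 56)
                    subsystem, = struct.unpack_from("<H", blob, pe + 24 + 68)
                    records.append({"offset": pos, "format": "PE",
                                    "machine": PE_MACHINES.get(machine, hex(machine)),
                                    "subsystem": UEFI_SUBSYSTEMS.get(subsystem, str(subsystem)),
                                    "size_of_image": size_of_image})
        pos = blob.find(b"MZ", pos + 1)
    return records


def find_te_images(blob):
    """Return one record per Terse Executable header ("VZ" signature, 40-byte header).

    Two signature bytes alone give many false positives, so a hit is only kept when
    the Machine and Subsystem fields also hold values UEFI actually uses.
    """
    records = []
    pos = blob.find(b"VZ")
    while pos != -1:
        if pos + 40 <= len(blob):
            machine, = struct.unpack_from("<H", blob, pos + 2)
            subsystem = blob[pos + 5]
            if machine in PE_MACHINES and subsystem in UEFI_SUBSYSTEMS:
                records.append({"offset": pos, "format": "TE",
                                "machine": PE_MACHINES[machine],
                                "subsystem": UEFI_SUBSYSTEMS[subsystem],
                                "size_of_image": None})
        pos = blob.find(b"VZ", pos + 1)
    return records


def inventory(blob):
    """All PE and TE modules found in the blob, in file order."""
    return sorted(find_pe_images(blob) + find_te_images(blob), key=lambda r: r["offset"])


def diff_inventories(old_blob, new_blob):
    """Totals before/after and a per-subsystem (before, after) breakdown."""
    old, new = inventory(old_blob), inventory(new_blob)
    old_c = Counter(r["subsystem"] for r in old)
    new_c = Counter(r["subsystem"] for r in new)
    return {"before": len(old), "after": len(new),
            "by_subsystem": {k: (old_c[k], new_c[k]) for k in sorted(old_c.keys() | new_c.keys())}}


# --- constructed test images (header-only stubs, not real vendor modules) ---
def make_pe(machine=0x8664, subsystem=11, size_of_image=0x3000):
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header right after the stub
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 112, 0x2022)
    opt = bytearray(112)                             # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def make_te(machine=0x8664, subsystem=11):
    return struct.pack("<HHBBHIIQ", 0x5A56, machine, 1, subsystem, 0x100, 0x40, 0x40, 0) + bytes(16)


PAD = b"\xff" * 512                                  # erased-flash filler between modules
OLD_IMAGE = PAD + make_pe(subsystem=11) + PAD + make_pe(subsystem=10) + PAD
NEW_IMAGE = OLD_IMAGE + make_te(subsystem=11) + PAD + make_pe(subsystem=12) + PAD

if __name__ == "__main__":
    for rec in inventory(NEW_IMAGE):
        print(rec)
    print(diff_inventories(OLD_IMAGE, NEW_IMAGE))
```

Run it against two real dumps (old and new) and the per-subsystem table tells you not just that the module count grew, but whether the growth is in boot-time drivers or in runtime drivers that stay resident after the OS loads, which is the part worth reading more closely.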

Again, I'm not saying that Dell or Computrace did anything bad. They just added a lot of functionality.

One of the big problems with firmware security is that most people don't flash their firmware because, (1) they don't know that there's a new version available (unlike monthly OS patches, which are a well-understood, albeit sometimes problematic, mechanism), and (2) they don't know how to flash their firmware. As an example of that, about every two weeks, we get a fresh upload of the supposedly extinct-since-2016 so-called Lenovo rootkit.

Obviously, you have to patch your firmware, because there will be bugs and vulnerabilities that need fixing, but this shows that you also need to examine what new things are coming in.

We have been conducting audits of "before and after" firmware for some of our customers, and it is proving instructive.

More to follow.

Stay tuned.

Thursday, August 15, 2019

Uh... why does firmware need to send EHLO?

So, anyway, a little while ago, we stumbled across a program in firmware that seems to be sending an EHLO. The program in question also seems to have a UID and PW in plaintext.

It also _seems_ to have the capability of starting a TLS connection.

Now, I’m not saying the vendor is doing anything wrong, but it is just a bit of a surprise to find.

Also, it is not yet clear if communications are hidden from the OS, but they could easily be.

The program in question is about 27k in length, of compiled C, so it takes some time to study. Analysis continues.

Oh, but this caused us to look for other examples of EHLO in firmware, and, lo and behold, we found another vendor, who seems to have that capability. This particular program is over 600k, so will take a little while to analyze properly.
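Looking for EHLO across a pile of firmware is a string hunt, and the script below is an added example for this post, not the author's tooling. It differs from plain `strings` in two ways a practitioner would want here: it scans for UTF-16LE text as well as ASCII (UEFI modules keep their UI strings in UTF-16, so a TLS or SMTP keyword stored that way is invisible to an ASCII-only pass), and each hit is reported together with the strings stored next to it, since in a compiled C module the protocol format strings and any hard-coded credentials tend to sit side by side in read-only data. The keyword list and the sample data are assumptions: the sample is a constructed stand-in for a module's .rdata, not bytes from any vendor's firmware.

```python
"""Pull ASCII and UTF-16LE strings out of a firmware blob and flag protocol keywords.

Added example; not the blog author's tooling. Keyword list and sample data are
constructed for illustration.
"""
import re

# Keywords worth a second look when they turn up in code that runs before the OS.
SMTP_TLS_KEYWORDS = ["EHLO", "STARTTLS", "AUTH LOGIN", "AUTH PLAIN", "TLS"]


def extract_strings(blob, min_len=4):
    """Return [(offset, encoding, text)] for every printable run of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(blob)]
    return sorted(found)


def find_keywords(blob, keywords=SMTP_TLS_KEYWORDS, context=2, min_len=4):
    """Return hits: matching string, offset, encoding, and `context` neighbouring strings on each side."""
    strings = extract_strings(blob, min_len)
    hits = []
    for i, (offset, encoding, text) in enumerate(strings):
        for kw in keywords:
            if kw.lower() in text.lower():
                neighbours = ([s[2] for s in strings[max(0, i - context):i]]
                              + [s[2] for s in strings[i + 1:i + 1 + context]])
                hits.append({"offset": offset, "encoding": encoding, "keyword": kw,
                             "string": text, "neighbours": neighbours})
                break  # one hit per string, on the first keyword that matches
    return hits


# Constructed sample standing in for a module's read-only data. Not from any vendor's firmware.
SAMPLE_RDATA = (
    b"\xff" * 64                                  # erased flash before the section
    + b"EHLO %s\r\n\x00"                          # SMTP greeting format string
    + b"AUTH LOGIN\r\n\x00"
    + b"svc_report\x00"                           # credential pair stored right after it
    + b"Passw0rd!\x00"
    + b"\x00" * 16
    + "STARTTLS\r\n".encode("utf-16-le")          # UTF-16LE: invisible to an ASCII-only pass
    + b"\x00\x00"
    + b"\xff" * 32
)

if __name__ == "__main__":
    for hit in find_keywords(SAMPLE_RDATA):
        print(f"{hit['offset']:#08x} {hit['encoding']:8} {hit['keyword']:10} "
              f"{hit['string']!r}  near {hit['neighbours']}")
```

Point it at a decompressed dump (or at the individual module files UEFITool extracts) and triage from the neighbours column: a greeting format string next to two short, unrelated-looking strings is exactly the pattern that turned out to be a plaintext user ID and password above. Keyword hits alone prove nothing; they tell you which 27k or 600k to spend disassembler time on.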

Again, I’m not suggesting that they are doing anything malicious. It’s just a surprise, and it makes one wonder what else might be found. There do seem to be other firmware programs that are capable of starting TLS. Oh, and it also makes us wonder if it is exploitable.

Watch this space.

Wednesday, July 31, 2019

Uh ... secure boot might be trying to tell you something.

So, anyway, today this popped up on my google alerts...

Apparently, some people see a message that says "Secure boot violation. The system found unauthorized changes on the firmware, operating system or UEFI drivers.", and the article suggests that the answer is to (1) Turn off secure boot, and (2) Use a system restore point.

The article explains how to do those steps, and the upside is that turning off secure boot will stop you seeing the message, but the downside is that Secure Boot might be trying to tell you something. ;-)

The danger here is that malware is increasingly targeting firmware.

And, I might be wrong, but I don't think that using a system restore point will restore firmware.

If you do see such a message, you are better off to seek very professional help.

Just sayin'

Wednesday, July 3, 2019

Ok, that's kind of creepy, FaceBook

So, anyway, for some reason today, pictures on FaceBook are not rendering. In the overall scheme of things, this is neither here, nor there, and I'm sure it will soon be corrected.


In place of pictures, I see things like this "image may contain three people, including xxxxxxxxx"

It seems highly unlikely that a human sat there, and added all these "may contain" messages, so therefore, some AI did.

That probably means that all pictures uploaded to FaceBook have had similar AI estimations applied to them.

On one hand, it's innocent, but on the other hand (the suspicious, cynical hand), one wonders how this might play out long term, especially in places like China.

Sigh. Privacy Revolution again, folks.

Thursday, June 6, 2019

Firmware dumper

Hi all,

We've made our Win10x64 firmware dumper available for download here, if anyone wants to give it a try. It's much easier than turning off secure boot, and booting off a thumb drive. It's probably not perfect, but it seems pretty good. If you get a firmware dump, you are also welcome to upload it to us at the same URL, for analysis.