Wednesday, July 29, 2020

A couple of firmware stats to think about.

So, anyway, just for fun, I grabbed about 1,500 firmware blobs, randomly, from our collection, and ran a few Yara scans over them... just to see... this is what I found.

Total firmware blobs under test: 1520
Number containing overt update capabilities: 581
Number containing overt email capabilities: 117
Number containing some password reset capabilities: 1287
Number containing the word 'backdoor': 260
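The kind of string triage behind the table above, as an added example that is not the post's own Yara rules (the keyword lists per category are constructed assumptions): it flags each blob per category, matching both ASCII and UTF-16LE forms because UEFI modules store most strings as wide characters, and tabulates how many blobs hit each category.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Constructed keyword lists, one per category in the post's table. They are
# assumptions standing in for the author's Yara rules, which the post does not show.
CATEGORIES: Dict[str, List[str]] = {
    "update":   ["http://", "ftp://", "firmwareupdate", "biosupdate"],
    "email":    ["ehlo ", "helo ", "mail from:", "rcpt to:"],
    "pwreset":  ["password reset", "clear password", "resetpassword"],
    "backdoor": ["backdoor"],
}

def forms(keyword: str) -> List[bytes]:
    """ASCII and UTF-16LE forms: a plain ASCII grep misses wide CHAR16 strings."""
    return [keyword.encode("ascii"), keyword.encode("utf-16-le")]

def scan_blob(blob: bytes) -> Dict[str, bool]:
    """Flag which categories fire for one firmware image (case-insensitive)."""
    low = blob.lower()   # lowercases ASCII bytes only; the NULs in wide strings are untouched
    return {
        cat: any(form in low for kw in kws for form in forms(kw))
        for cat, kws in CATEGORIES.items()
    }

def tabulate(blobs: Iterable[bytes]) -> Dict[str, int]:
    """Count, per category, how many blobs matched: the post's table for a corpus."""
    counts: Counter = Counter()
    total = 0
    for blob in blobs:
        total += 1
        for cat, hit in scan_blob(blob).items():
            counts[cat] += int(hit)
    return {"total": total, **{cat: counts[cat] for cat in CATEGORIES}}

# Constructed sample "firmware": strings padded with filler, not real vendor images.
SAMPLE_BLOBS = [
    b"\x00" * 16 + b"EHLO mail.example.invalid\r\n" + b"\xff" * 16,   # ASCII SMTP greeting
    b"\xff" * 8 + "BiosUpdate".encode("utf-16-le") + b"\x00" * 8,     # wide string
    b"\x00" * 8 + "AsusBackDoor".encode("utf-16-le") + b"\x00" * 8,   # wide string
    b"\xff" * 64,                                                     # nothing of interest
]

if __name__ == "__main__":
    for cat, n in tabulate(SAMPLE_BLOBS).items():
        print(f"{cat}: {n}")
```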

I am still not seeing why firmware should send email, and some even use EHLO, but, oh well...I'm sure there is a good reason.

And, on one hand it's good that firmware has update capabilities, but I still feel nervous about firmware updating over the Internet, using HTTP or FTP. What could go wrong? Oh, that's right ... ShadowHammer already showed what could go wrong.

These updaters, by the way, are the obvious ones... firmware has its own network stack, so there could be other updaters that are a bit obfuscated. No one knows.

And, it's understandable that firmware would need some password reset capabilities, but it's a bit awkward that some contain the word "backdoor".

Now, I have no reason to think any of these are actually malicious, but ... without looking closely, we have no way to be sure. Some could be, and we just don't know, without looking really closely, and I believe that most organizations _are not_ looking at firmware at all, let alone closely. This stuff is immensely powerful, and always remember, functionality and security tend to exist in an inverse relationship.

We may be confident that nation-states are looking hard at firmware attacks, and we may be equally confident that the ransomware players are also trying.

Everyone is using the Hope Method, and this has to change.

If they can get into the firmware of computers, tablets, phones, or IoT, they can persist indefinitely, and can either move sideways from there, or simply surveil the network. This would be a Bad Thing(tm).

To keep our critical infrastructure, financial institutions, and medical institutions, safe, everyone in those industries needs to start capturing their firmware, and monitoring it, and if they don't, they're going to regret it.

Stay tuned, folks.

Thursday, April 23, 2020

I might have been wr..wro... wron... can't say the word...

So, anyway, yesterday I smacked poor FaceBook for being creepy, and adding Alt Text to my image, which only showed up because I added it to a Word document, and Word kindly, albeit briefly, showed me the Alt Text.

I was then extra suspicious that something was going on, because I couldn't find the text in the jpg, and figured that it must be compressed, or obfuscated somehow, which led me to wonder what else might be hidden in the jpg. When you are in my line of business, it's good to be suspicious.

But then... a friend commented on my post, saying that he'd had a similar problem with Word a couple of years ago... wait ...what? Word?

Long story made short. Yes, Word adds its own Alt Text to images, and FaceBook was not hiding Alt Text in the images.

Here is Word's Alt Text..

And here is FaceBook's on the same image ...

I was wr... wro... wron.... still can't say the word. :)

The FaceBook Alt Text was just a tag in the html. Yes, it's storing it somewhere, but it's not as creepy as I thought, and Word is doing it too, and probably so is just about any other browser, search engine, word processor, pdf maker... the list goes on.

We can all relax, and go back to worrying about more important things, like firmware issues. Oh... yes... we found some interesting Android firmware stuff yesterday, so stay tuned.

Wednesday, April 22, 2020

That's a bit creepy again, FaceBook!

So, anyway, reasoning that life is too short to be completely serious all the time, I like to tell Dad Jokes. I'm really funny... or at least I think I am.

One of my recent jokes involved a picture, and it went like this...

This is my jar of jars. I call him JarJar. When I shake JarJar, he clinks...

I crack myself up, and as I usually do, I put it on FaceBook.

I am collecting my best (imho) jokes into a document called Grandad Jokes, for my unsuspecting grand kids to read one day, so the easiest way to get the photo onto the right pc was to simply save it from FaceBook.

I then imported it into Word, and this is where it got a bit creepy.

I saw this text appear on the bottom of the imported photo, just for a few seconds...

Wait ... what?.. Alt text? Where did that come from?

It said, "Alt text: A picture containing table, indoor, sitting, food"

Then I remembered reading a few months ago, that FaceBook automatically analysed all photo uploads, so that visually impaired people could have a photo described to them by a robot. While that, on the face of it, sounds very noble, I can't imagine it's terribly effective, because the description just isn't very accurate. I'm not saying FaceBook did anything wrong... it was just hidden and subtle. I may be being cynical, but I suspect that the real benefit is more along the lines of simple statistics for marketing.

Thank goodness that Word showed me, or I wouldn't have known.

One good thing was that I was able to confirm that, by default, FaceBook removes geo location data from the jpg.

A bit more poking around, and I found that I could right click the picture in Word, and one of the options was to edit the Alt Text. That meant that the Alt Text was in the jpg somewhere, but another slightly disquieting thing was that the text was not visible in the jpg, as plain text, so that means it is compressed, or obfuscated somehow, and that leads me to wonder what else might be in there?

I will keep poking.

Chalk up another score for the Privacy Revolution.

Monday, April 20, 2020

Dell agrees that BIOS is the next malware battleground

So, anyway, I recently heard that Dell had released a BIOS testing tool, so I grabbed it and ran it over my trusty Dell Optiplex 7070. The tool was pretty hard to find, but I did find it, and installed it, and it ran, and it pronounced that my BIOS was fine.

That was cool, and expected, but there were a couple of shortcomings.

The first was that it did not tell me that there was an Intel Management Engine upgrade, marked as urgent, and also a BIOS upgrade marked as urgent, which, as a Dell product, I would have thought it should have known about, and told me.

The second was that it doesn't see the sort of things that we see, such as components that seem to have similar functionality to the so-called Lenovo rootkit of 2015.

This makes sense, as this functionality is in there by design, but, in my opinion, is a desirable target for the Bad Guys(tm).

All security pros know that security and functionality tend to exist in an inverse relationship, which is to say that the more functional you make something, the less secure it tends to be.

We think people need to know what (and who) is in their firmware.

To me, the most important aspect of this tool is simply the fact that Dell is acknowledging that the BIOS is the next malware battleground. While poking around for the tool, I also found this report, with the title, "BIOS Security - The Next Frontier For Endpoint Protection".

Folks, all organizations need to start paying attention to what's in their firmware, because it's going to take time to fix.

Tuesday, January 28, 2020

Not cool, Edge.

So, anyway, Windows 10 likes to show me notifications from apps, and stuff, and mostly, that's ok, because I can turn them off from the Chatty Cathy things, and it's handy for the few important ones... and, mostly, they tell you which app it's coming from, so it's easy to turn it off if you don't want it... but ...

There was one that kept coming in, several times a day, and it was annoying, because it would frequently cover up something I was trying to read, or click on... and it wouldn't say what was putting it up.

The only clue I had was that it was from an Asian/English website, devoted to computer security and news, so I thought, "It must be a browser extension."

I have Edge, Chrome and Firefox on this box, so I started searching each of them for extensions.

Then, I got another notification, and no browsers were running.

Hmmmmmmmm again.

I was starting to believe my machine might be compromised, but given that I knew the name of the website, I decided to search the registry for that name, just to see if anything gave me a hint, and sure enough, I found a key associated with MicrosoftEdge\Notifications\Domains. There were about six domains there, including the Chatty Cathy one.

But then I thought, "Wait ... Edge is not running ... how can it be sending me notifications?", so I ran Task Manager, and sure enough, even though the Edge User Interface was not running, Edge _was_ running.

Armed with that knowledge, I was able to go into Edge Advanced Settings, and remove those domains. I don't remember doing it, but I guess I must have clicked on something that allowed those websites to send me notifications. A refresh of the registry showed they were indeed gone, and my laptop is appropriately quiet again, but the disquieting thing is that Edge is still running in the background, and is presumably quietly sharing information, and accepting requests from websites I don't know about.

I don't think there is much I can do about it, although the other browsers don't _seem_ to be running in the background, so I'll see. Maybe this was common knowledge, but I didn't know, so I'm sharing.

At an absolute minimum, this is the Privacy Revolution in action, or mis-action, and to paraphrase Bill Shakespeare and Macbeth, "I hope nothing malicious this way comes."

Tuesday, December 17, 2019

Firmware backdoors?

So, anyway, recently our colleagues at Eset published a paper that showed that a number of manufacturers had firmware modules with the word "AsusBackDoor" as part of the filename.

Armed with that very helpful name, we found some samples pretty quickly, and while the name was a bit alarming, it seems to be a legitimate function for resetting lost firmware passwords, so all is fine and well.

This, however, led us to wonder how many other modules might exist, with similar functionality, but without the helpful name portion, and guess what? There are quite a few. We seem to have identified at least five manufacturers with similar modules.

Again, they are probably all legit, but it does make one wonder.

We did find one sample with the word "infected" in it, but that _seems_ to be an experiment, from someone who is maybe a hobbyist.

The marines (I think) came up with the idea of getting Left Of Bang. ("Bang" roughly refers to some incident such as an IED exploding. Right of Bang refers to responding after the event. Left of Bang refers to preventing the Bang in the first place, which is clearly the desired action.)

All corporates, government bodies, and utilities, need to start auditing their firmware, before the Bang.

If you would like some help, please let us know. You can contact us at roger AT

Security and functionality have always existed in an inverse relationship, and modern firmware (UEFI) is immensely functional.

We will continue to look for similar backdoor functionality. Stay tuned.

Wednesday, October 23, 2019

Check your firmware, folks.

So, anyway, a few days ago, I noticed a tweet about a Dell Optiplex 7070 bios upgrade that announced an enhancement of "Added BiosConnect feature which enables connection to without an operating system. This feature also enables downloading a recovery image from the cloud through wired or wireless connection."

I thought that sounded interesting, so I decided to take a look, and sure enough, I quickly found the BiosConnect stuff, but then I found that Computrace had also been added.

Now, Computrace is a good, and helpful program, and if your computer is ever lost, or stolen, you'll be glad you have it, and the ability to download a recovery image to a computer with a broken OS is also useful, but ... one of the truths about computer security is that functionality and security tend to exist in an inverse relationship. In other words, the more functional, or powerful, you make something the less secure it tends to be, and we may be confident that the Bad Guys (tm) will always try to take advantage of such features.

Not only that, but some organizations don't want that sort of functionality in their computers... just in case.

The other interesting thing here is that the previous version of this firmware was 8 MB long, and had about 320 exes in it, and the new version is 16 MB, and has about 575 exes, so one wonders what other functionality has been added. We're still looking at that.

Again, I'm not saying that Dell or Computrace did anything bad. They just added a lot of functionality.

One of the big problems with firmware security is that most people don't flash their firmware because, (1) they don't know that there's a new version available (unlike monthly OS patches, which are a well understood, albeit sometimes problematic, mechanism), and (2) they don't know how to flash their firmware. As an example of that, about every two weeks, we get a fresh upload of the supposedly extinct-since-2016 so-called Lenovo rootkit.

Obviously, you have to patch your firmware, because there will be bugs and vulnerabilities that need fixing, but this shows that you also need to examine what new things are coming in.

We have been conducting audits of "before and after" firmware for some of our customers, and it is proving instructive.
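A before/after module audit of the kind described in this post (the exe count jump and the "before and after" comparisons), as an added example that is not the author's tooling: it carves embedded PE modules out of two firmware images, counts them, and reports which module hashes are new or gone. The images and the minimal PE-shaped modules are constructed here; a real UEFI image has firmware volumes and FFS files, often with compressed sections, that must be unpacked before a raw MZ scan sees every module.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

def pe_end(blob: bytes, mz: int) -> Optional[int]:
    """Offset just past the last section's raw data of the PE at `mz`, or None if no MZ->PE chain starts here."""
    sig = mz + struct.unpack_from("<I", blob, mz + 0x3C)[0] if mz + 0x40 <= len(blob) else len(blob)
    if sig + 24 > len(blob) or blob[sig:sig + 4] != b"PE\x00\x00":
        return None
    nsect = struct.unpack_from("<H", blob, sig + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, sig + 20)[0]    # SizeOfOptionalHeader (PE32 or PE32+)
    table = sig + 24 + opt_size                               # section table follows the optional header
    end = table + 40 * nsect
    if end > len(blob):
        return None
    for i in range(nsect):                                    # SizeOfRawData, PointerToRawData at +16, +20
        raw_size, raw_ptr = struct.unpack_from("<II", blob, table + 40 * i + 16)
        end = max(end, mz + raw_ptr + raw_size)
    return end if end <= len(blob) else None

def carve_pe(blob: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, bytes) of every embedded PE module found by scanning for 'MZ'."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        end = pe_end(blob, pos)
        if end:
            found.append((pos, blob[pos:end]))
        pos = blob.find(b"MZ", end if end else pos + 1)       # skip past a carved module
    return found

def audit(before: bytes, after: bytes) -> Dict[str, object]:
    """Before/after audit: image sizes, module counts, and the module hashes added or removed."""
    h_old = {hashlib.sha256(m).hexdigest() for _, m in carve_pe(before)}
    h_new = {hashlib.sha256(m).hexdigest() for _, m in carve_pe(after)}
    return {"size_before": len(before), "size_after": len(after),
            "modules_before": len(carve_pe(before)), "modules_after": len(carve_pe(after)),
            "added": sorted(h_new - h_old), "removed": sorted(h_old - h_new)}

def make_module(payload: bytes) -> bytes:
    """Constructed minimal PE-shaped module (one section, no optional header) for the demo only."""
    hdr = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)  # one section, no optional hdr
    raw_ptr = 0x40 + 24 + 40                                                  # raw data right after the table
    sect = b".text\x00\x00\x00" + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + b"\x00" * 16
    return hdr + coff + sect + payload

FILLER = b"\xff" * 32   # constructed images: the "update" adds one module, as the post's 8 MB -> 16 MB case did
OLD_IMAGE = FILLER + make_module(b"BiosSetup v1") + FILLER
NEW_IMAGE = OLD_IMAGE + make_module(b"BiosConnect recovery agent") + FILLER
```

Calling audit(OLD_IMAGE, NEW_IMAGE) reports one module before, two after, and exactly one added hash; on real dumps, feed it the SPI flash images captured before and after the vendor update.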

More to follow.

Stay tuned.