
Re: [OM] The scariest computer security problem I've ever seen

Subject: Re: [OM] The scariest computer security problem I've ever seen
From: Scott Gomez <sgomez.baja@xxxxxxxxx>
Date: Mon, 6 Oct 2014 16:35:22 -0700
Agreed, Chuck. That's where the most serious danger ultimately resides: in
gaining boot control before the OS is loaded.

I've been doing further reading of discussion of the issue today, and
apparently how the chip controller is implemented does vary among
manufacturers. Some use devices that do not have rewrite-able firmware,
especially where the device is not intended to have capabilities beyond
that designed in (as in USB keyboards, or mice), for the simple reason that
it's less expensive to do.

What's really needed is for manufacturers to be up-front about devices
currently in the wild, and to state whether (or not) their particular
device implementation includes vulnerable controller/firmware combinations.
And I think that it's fair to assume that any design that can be
reprogrammed 'in the field' is vulnerable. At least, at that point, people
can be proactive and use those devices which are susceptible to such a hack
wisely (or not at all).

On Mon, Oct 6, 2014 at 3:00 PM, Chuck Norcutt <chucknorcutt@xxxxxxxxxxxxxxxx> wrote:

> I believe all of the devices that were tested proved to be updatable.  I
> think we should assume that most of them are as it's very difficult to
> prove otherwise.  A very large number of them are made by the same company.
>
> I understand your point about Linux and iOS security being better than
> that of Windows but your point is only valid if the OS is running.  An
> infected USB device that's controlled initially by the BIOS may be up and
> running before the machine is booted.  That USB device may replace the boot
> sector on the boot device before the OS ever starts.  So I'm not so sure
> that Linux and Mac users should be confident they're free and clear.  I
> hope your view is correct but I'm not at all sure that it is.
>
> Chuck Norcutt
>
>
>
> On 10/6/2014 11:43 AM, Scott Gomez wrote:
>
>> The question for end users of the devices--of any USB device--is whether
>> the device is updatable. If it is, it is unsafe to use unless it has been
>> used only on your own machine AND you know that your own machine has never
>> been compromised with code that rewrites USB.
>>
>> One of the things mentioned in the video was that for Linux systems, they
>> were unable to infect anything other than user space. The attack would be
>> considerably more difficult there, as an attacker would have to install
>> executables to act on logged keystrokes, then attempt to elevate privileges
>> once the password is known. (A determination I think would be difficult to
>> make automatically)
>>
>> The same should be true of Macintosh machines, for the most part, as both
>> Linux and Macintosh use the more robust security model descended from Unix.
>>
>> In the Linux and OS/X worlds, a USB exploit would have to somehow install a
>> keylogger, and compromise the network (change DNS, add a controller, etc),
>> and then communicate back to a human to examine the key logs in order to
>> escape user space. On my system, for example, the network cannot be changed
>> without elevated privileges. So while the keylogger injection would likely
>> succeed, how would data from that logged session get sent back? Security
>> software would not allow creation of a network session that is not attached
>> to an existing process, nor could the malware modify existing software
>> without already having determined how to elevate privileges.
>>
>> Windows, as ever, is an easier nut to crack.
>>
>> On Oct 6, 2014 6:37 AM, "Chris Trask" <christrask@xxxxxxxxxxxxx> wrote:
>>
>>
>>>> And now, having watched it, I agree with the conclusion of the presenters:
>>>> the only way to prevent this is to provide a hardware fuse that is opened
>>>> in manufacturing, before the device is shipped, to prevent reprogramming.
>>>> Of course, that simply shifts the burden of security to the
>>>> manufacturers...
>>>
>>>       I'm surprised that they don't do this already.
>>>
>>>       Is this problem true for ALL USB flash drives, or is it something
>>> new?  I only use the older USB 1.0 Memorex flash drives so I can go between
>>> the WinXP laptop, the office Win98/SE machines, and the continually
>>> updated ASU library computers.
>>>
>>>
>>> Chris
>>>
>>> When the going gets weird, the weird turn pro
>>>       - Hunter S. Thompson
>>> --
>>> _________________________________________________________________
>>> Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
>>> Archives: http://lists.thomasclausen.net/mailman/private/olympus/
>>> Themed Olympus Photo Exhibition: http://www.tope.nl/
>>>
>>>
