Viewing 15 posts - 81 through 95 (of 95 total)
badBIOS – now this is a bit scary…

    xiphon
    Free Member

    Wired’s stuxnet article was a good example of technical journalism.

    The company I work for deals specifically with the type of kit Stuxnet would have been designed to disrupt. Our engineers were discussing the discovery in quite some detail. 99% of which was way over my head!

    GrahamS
    Full Member

    Couple of quotes struck me in that Wired article about Stuxnet:

    …this time there was no sign that any other researchers were seriously digging into the code.

    “We were talking about blowing stuff up!” Chien recalled recently, still amazed at what appeared to be a lack of interest. Instead there was what Chien called “silence like crickets.”

    “There was silence all around us,” Langner later recalled. “Everybody was thinking, This guy is nuts. We always knew that Ralph is an idiot, and now we have the proof for it.”

    which pretty much sums up why I’m willing to consider what dragos says even if it sounds pretty far-fetched.

    Russell96
    Full Member

    Just watching last week's BBC Click and Kate Russell was talking about a smartphone app that allows you to transfer files & pics via the speaker & mic in a phone http://chirp.io/

    GrahamS
    Full Member

    UPDATE: A couple of interesting developments:

    (The) Bruce Schneier says:

    “When I first read it, I thought it was a hoax. But enough others are taking it seriously that I think it’s a real story.”

    with some interesting comments from his readers.

    Internet Storm Center is remaining on the fence for now but did say this:

    let me lay some propositional logic on you:

    If Dragos is smart, then #badBIOS is a legitimate malware threat.
    Dragos is smart.
    Therefore, #badBIOS is a legitimate malware threat.

    dragos pops up in the comments to discuss a few points too.

    Personally I’m still on the “interested, prepared to listen, but healthily skeptical” bench.

    Sandwich
    Full Member

    Graham, I can't find out how much of the base Mac OS you need to boot a machine but the recovery USB sticks I use at work have to be 8GB or larger to boot a Mac. Hence my scepticism about the 650MB CDROM boot.

    GrahamS
    Full Member

    It isn’t clear from the article text what exactly they mean by “Ruiu then tried to boot the machine off a CD ROM”:

    It says:

    Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn’t know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

    He may well have just been trying a cd-bootable version of Linux so he could investigate what was going on (pretty standard thing to try if you think the main OS may be infected or corrupt).

    As with everything else in the story, the lack of detail is frustrating and unhelpful.

    Sandwich
    Full Member

    Don’t step out of the walled garden m’kay! Penguins and X’s obviously don’t play nice together 😉

    I would be more impressed if someone else had replicated his symptoms. My personal experience is that nearly all software requires a password to install on OSX, Dropbox updates are a notable exception as is one of the old arcane pref panes I used to use in Leopard. Installation of something with an extra “payload” would be my immediate thought.

    I’m not saying it couldn’t happen but it would seem unlikely given the lack of detail in the reporting.

    GrahamS
    Full Member

    Seems there are a growing number of professional skeptics too though. Some of whom have had a look at the data he has provided:

    http://arstechnica.com/security/2013/11/researcher-skepticism-grows-over-badbios-malware-claims/

    GrahamS
    Full Member

    My personal experience is that nearly all software requires a password to install on OSX

    If he is correct on the infection vector, which is vaguely described as an infected microcontroller in a USB stick – then it could well be operating outside of user space.

    i.e. when an OSX system enumerates and negotiates with the controller on a USB device then that could well be done by a system process with system-level privileges. And if there is some buffer-overrun or other attack possible there then it could basically do what it wants.

    oldnpastit
    Full Member

    Extraordinary claims require extraordinary proof.

    GrahamS
    Full Member

    Interesting conversation between @dragosr and @taviso (another twitter user that apparently knows his stuff).
    Dragosr does seem a little defensive and evasive when challenged.

    https://twitter.com/taviso/status/397804315361824768

    IanMunro
    Free Member

    let me lay some propositional logic on you:
    If Dragos is smart, then #badBIOS is a legitimate malware threat.
    Dragos is smart.
    Therefore, #badBIOS is a legitimate malware threat.

    Though the propositional logic is missing a caveat that people suffering from paranoid personality or delusional disorders can also be smart.

    molgrips
    Free Member

    Yes or Dragos could be very clever AND perpetrating a hoax.

    GrahamS
    Full Member

    people suffering from paranoid personality or delusional disorders can also be smart.

    Yeah a few people have mentioned this possibility and I have to say, reading through his tweets etc, it seems as likely as anything else, which would be very sad.

    Though he does say at the end of that second ArsTechnica piece:

    “We’ll get some peer review and find out if I’m completely losing it or if we found something significant.” Then, he paused for a moment and added: “By the way, I still don’t think I’m losing it.”

    andytherocketeer
    Full Member

    If indeed it is a privilege escalation, then the “infected” USB device would surely have to be OS specific?
    Sure the BIOS / UEFI bit would or could potentially be platform independent, but there’s still a platform dependent/independent inconsistency.

    Think I mentioned it before, but there are USB protocols which are essentially automatically assumed to be trusted. HID is one for a start, but to do anything there, again it still needs to be tailored for target OS. And one very popular OS is clever enough to give you the (automatically trusted) tools to be able to use HID device to insert administrator privilege executable straight on to the system. Maybe not on a locked down corporate lappy, but almost certainly on a lappy where the normal user is granted more than numpty worker privileges.
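Both GrahamS's point (enumeration of a USB device is done by privileged system code driven entirely by what the device's descriptors claim) and andytherocketeer's point (HID interfaces are trusted automatically) come down to the same defensive check: look at which interface classes each attached device actually presents. The script below is an added example, not code from this thread or from any of the people quoted in it. It parses a constructed dump in the layout of Linux's /sys/kernel/debug/usb/devices (the T:/P:/S:/I: records) and flags two things: a HID interface from a device that is not on an allowlist of known keyboards and mice, and a device that combines mass storage with HID, i.e. a "thumb drive" that can also type. The sample dump, the allowlist contents and the function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of /sys/kernel/debug/usb/devices.
# Three devices: a plain keyboard, a plain mass-storage stick, and a
# composite stick that presents both a storage and a HID interface.
SAMPLE = """\
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=1.5  MxCh= 0
P:  Vendor=046d ProdID=c31c Rev= 1.00
S:  Product=USB Keyboard
I:* If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=01 Driver=usbhid
I:* If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
T:  Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  3 Spd=480  MxCh= 0
P:  Vendor=0781 ProdID=5567 Rev= 1.00
S:  Product=Cruzer Blade
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=03 Dev#=  4 Spd=12   MxCh= 0
P:  Vendor=1234 ProdID=abcd Rev= 1.00
S:  Product=Thumb Drive
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
I:* If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=01 Driver=usbhid
"""

HID_CLASS = 0x03      # bInterfaceClass for keyboards, mice, etc.
STORAGE_CLASS = 0x08  # bInterfaceClass for mass storage

# Record layouts of the lines we care about.
P_LINE = re.compile(r"^P:\s+Vendor=([0-9a-fA-F]{4})\s+ProdID=([0-9a-fA-F]{4})")
S_LINE = re.compile(r"^S:\s+Product=(.*)$")
I_LINE = re.compile(
    r"^I:\*?\s+If#=\s*(\d+).*?Cls=([0-9a-fA-F]{2})\(.*?\)\s+Sub=([0-9a-fA-F]{2})\s+Prot=([0-9a-fA-F]{2})"
)


@dataclass
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int


@dataclass
class Device:
    vendor: str = ""
    product: str = ""
    name: str = ""
    interfaces: list = field(default_factory=list)

    @property
    def vid_pid(self) -> str:
        return f"{self.vendor}:{self.product}"


def parse_usb_devices(text: str) -> list:
    """Split a devices-file dump into Device records; a 'T:' line starts a device."""
    devices = []
    current = None
    for line in text.splitlines():
        if line.startswith("T:"):
            current = Device()
            devices.append(current)
            continue
        if current is None:
            continue  # ignore anything before the first T: record
        if m := P_LINE.match(line):
            current.vendor, current.product = m.group(1).lower(), m.group(2).lower()
        elif m := S_LINE.match(line):
            current.name = m.group(1).strip()
        elif m := I_LINE.match(line):
            num, cls, sub, prot = m.groups()
            current.interfaces.append(Interface(int(num), int(cls, 16), int(sub, 16), int(prot, 16)))
    return devices


def audit(devices: list, allowed_hid: set) -> list:
    """Return (vid:pid, reason) pairs for devices whose interface mix deserves a look."""
    findings = []
    for dev in devices:
        classes = {iface.cls for iface in dev.interfaces}
        if HID_CLASS in classes and STORAGE_CLASS in classes:
            findings.append((dev.vid_pid, "storage device that also presents a HID interface"))
        elif HID_CLASS in classes and dev.vid_pid not in allowed_hid:
            findings.append((dev.vid_pid, "HID interface from a device not on the allowlist"))
    return findings


if __name__ == "__main__":
    known_input_devices = {"046d:c31c"}  # assumed allowlist of the keyboards/mice we expect
    for vid_pid, reason in audit(parse_usb_devices(SAMPLE), known_input_devices):
        print(f"{vid_pid}: {reason}")
```

On a real Linux box the same parser can be pointed at the contents of /sys/kernel/debug/usb/devices (root needed to read it); the allowlist is the part that has to be maintained per site, and the storage-plus-HID rule is deliberately unconditional because a legitimate drive has no reason to register as a keyboard.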
