Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror

Comment: Grab some OpenSecurityTraining.info material (Score 1) 223

by BIOS4breakfast (#48391129) Attached to: Ask Slashdot: Programming Education Resources For a Year Offline?
Grab the Creative Commons licensed slides & videos from some OpenSecurityTraining classes. If you're interested in *fundamentals* then you're going to want to take the x86 classes, and learn to see through the abstraction layers to reality.

Introduction to Intel x86: Architecture, Assembly, Applications, and Alliteration
Introduction to Intel x86-64: Architecture, Assembly, Applications, and Alliteration
Intermediate Intel x86: Architecture, Assembly, Applications, and Alliteration
With a bonus that you can also learn about ARM assembly in the same class format, and compare and contrast them (what with x86 and ARM being the 2 major architectures which dominate the world's computing devices currently.)
Introduction to ARM

And once you learn x86, how about rather than learning to forward engineer better, how about learning to *reverse* engineer?
Introduction to Reverse Engineering
Reverse Engineering Malware

Comment: reinventing the wheel (Score 4, Informative) 31

by BIOS4breakfast (#48026163) Attached to: FBI Plans To Open Up Malware Analysis Tool To Outside Researchers

I was at VirusBulletin when this was being discussed.

A lot of the other comments are just typical ignorant FUD. Let me tell you exactly what this is: reinventing the wheel.

The speaker described how they had started working on a malware analysis environment back in 2004 and ultimately abandoned it as a failure in 2010. They then *clearly* didn't just look around and see what already existed, but instead just stubbornly decided to press on in making their own.

I was really cringing as the FBI agent described the system to a room full of malware analysis and AV companies, because the system was just so *basic*.

But he said that it received multiple awards within the government and was seen as being super awesome. Just another example of the government being insular and not realizing how far behind industry they are.

For those who think it's a honey pot, it's really not. Not quite anyway. The agent specifically said that the main value to them to make it open is that they *do* want to collect more malware samples. They're starting with LE (who may not be experienced enough to know they can just use one of many other free malware analysis environments, and thus will use the one the FBI hands to them). But then after LE it's a much smaller lift to just open it to everyone, and thus it's sort of a "why not" sort of thing.

Comment: Re:Duh, what should we do? (Score 1) 94

by BIOS4breakfast (#46525321) Attached to: Security Industry Incapable of Finding Firmware Attackers

It only takes one major manufacturer to publicly announce that "we're publishing our code so that it can be verified, unlike our competitors" for it to spread to the competitors.

OEM1 releases full source
OEM2 fires all BIOS developers and leeches off OEM1
OEM1 has the privilege of maintaining a BIOS development workforce for the benefit of their competitors

Though maybe that would work as a feint to eventually put competitors at a disadvantage ;-)

Also, believe it or not, OEMs and places like AMI, Phoenix, etc do actually try to add features down at the firmware level that their competitors don't have, to differentiate themselves and hopefully get a few more sales. E.g. recall the splashtop OSes that were being pimped as the instant-boot solution to get your browsing quickly a while back. Or I feel like I've seen the ability to check your Outlook from BIOS on HPs :-/

Comment: Re:write protect (Score 1) 94

by BIOS4breakfast (#46525273) Attached to: Security Industry Incapable of Finding Firmware Attackers
While hobbiests who use custom motherboards are familiar with write protect jumpers, they are going the way of the dodo. They've been all but phased out on OEM laptops, and are going that way on desktops too.

The important write protects are whether the BIOS configures itself as locked or not after it's booted far enough to determine there are no BIOS updates pending. You can check if your BIOS is open or closed to attackers by running Copernicus or Chipsec.

Comment: Re:Least interest (Score 2) 94

by BIOS4breakfast (#46525247) Attached to: Security Industry Incapable of Finding Firmware Attackers
Actually most BIOS (legacy or UEFI) have a network stack of some sort in order to support PXE boot. Recall that the PoC BIOS malware Rakshasa (https://media.blackhat.com/bh-us-12/Briefings/Brossard/BH_US_12_Brossard_Backdoor_Hacking_Slides.pdf) used the open source SeaBIOS and iPXE network stacks to perform networking from the BIOS. And here's a talk where some McAfee and Intel folks talked about how keylogging can be done from UEFI thanks to function pointer hooking (http://intelstudios.edgesuite.net/idf/2012/sf/aep/EFIS003/EFIS003.html I couldn't find the slides, just video) And you seem to have missed the point about spammers != state-sponsored attackers who clearly find attacking at this level plenty practical.

+ - Security Industry Incapable of Finding Firmware Attackers->

Submitted by BIOS4breakfast
BIOS4breakfast (3007409) writes "Research presented at CanSecWest has shown that despite the fact that we know that firmware attackers, in the form of the NSA, definitely exists, there is still a wide gap between the attackers' ability to infect firmware, and the industry's ability to detect their presence. The researchers from MITRE and Intel showed attacks on UEFI SecureBoot, the BIOS itself, and BIOS forensics software. Although they also released detection systems for supporting more research and for trustworthy BIOS capture, the real question is, when is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?"
Link to Original Source

+ - Scientists 3D Print New Solar Panels Which Work Best When Cloudy->

Submitted by Anonymous Coward
An anonymous reader writes "Solar panels are the future of energy, at least for those living in areas of the world where the majority of days are filled with bright sunshine, like Florida, Arizona, Egypt, etc. Until recently, if you lived in Seattle, or most of Britain, and Northern Europe, than solar power is not something to get all that excited about.

This week, British scientists at the National Physical Laboratory, created special solar panels which function best when it’s gloomy outside. That’s right, they produce more energy when clouds are blocking the sun, than when the sun is out in full force. In fact, scientists have shown that the new solar panels manage only 10% efficiency when placed in direct sunlight, while that number jumps to 13% when placed in cloudy conditions.

These solar cells, called organic photovoltaic, are unlike any other. They are made up of small organic molecules which act as semi conductors when struct with solar radiation. The amazing thing is that the molecules can easily be dissolved into a solution and 3D printed into any shape, size, or color desired.

Dr Fernando Castro, principal research scientists at the National Physical Laboratory in Teddington, said: Organic photovoltaics work much better in low and diffused light conditions. Even if it’s cloudy they still work. It’s not that they are going to produce more power but they are more efficient at generating power from the light that is available. So they would work better than normal soar cells do in cloud.

Read More At Source"

Link to Original Source

+ - Full-Disclosure Email List Suspended Indefinitely

Submitted by Anonymous Coward
An anonymous reader writes "John Cartwright from Full-Disclosure sent out an email this morning. . . Hi When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to. I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back. I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry. I'm suspending service indefinitely. Thanks for playing. Cheers — John"

+ - The era of Facebook is an anomaly->

Submitted by Anonymous Coward
An anonymous reader writes "Speaking to The Verge, author and Microsoft Researcher Danah Boyd put words to a feeling I've had about Facebook and other social networking sites for a while, now: 'The era of Facebook is an anomaly.' She continues, 'The idea of everybody going to one site is just weird. Give me one other part of history where everybody shows up to the same social space. Fragmentation is a more natural state of being. Is your social dynamic interest-driven or is it friendship-driven? Are you going there because there’s this place where other folks are really into anime, or is this the place you’re going because it’s where your pals from school are hanging out? That first [question] is a driving function.' Personally, I hope this idea continues to propagate — it's always seemed odd that our social network identities are locked into certain websites. Imagine being a Comcast customer and being unable to email somebody using Time Warner, or a T-Mobile subscriber who can't call somebody who's on Verizon. Why do we allow this with our social networks?"
Link to Original Source

+ - BIOS Attacks and Defenses on Display

Submitted by Anonymous Coward
An anonymous reader writes "In October 2013 Dragos Ruiu published some details about his systems purportedly being infected by a sophisticated airgap-jumping, USB-infecting, BIOS-resident piece of malware called badBIOS. Definitive proof of its existence has yet to be found, but Snowden leaks published in December by Der Spiegel showed that the types of attacks described did already exist in the NSA's offensive toolbox. It makes sense then that this past week at the CanSecWest conference organized by Dragos, there were three talks and a training class related to BIOS security.

Researchers from MITRE presented a proof of concept system management mode man in the middle (SMMMitM) attack, "Smite'em the Stealthy" that could hide an attacker in the BIOS/SMM from MITRE's own Copernicus, the open source Flashrom, and any other software-based BIOS capture or measurement systems. MITRE countered Smite'em with Copernicus 2, which is able to perform more trustworthy BIOS captures by building on the CMU open source Flicker project which uses Intel Trusted Execution Technology. In a separate talk, Intel researchers released a new open source tool Chipsec, which while still vulnerable by Smite'em, is focused instead at helping security researchers find new problems and helping OEMs check that their BIOSes are locked down before shipping. In the final talk Intel and MITRE researchers jointly spoke about problems they have disclosed to vendors that allow bypassing UEFI SecureBoot. They discussed a number of issues discovered by Intel, and one co-discovered by the MITRE team."

+ - Forests Around Chernobyl Aren't Decaying Properly->

Submitted by Anonymous Coward
An anonymous reader writes "Smithsonian Magazine has an article about one of the non-obvious effects of the Chernobyl nuclear meltdown: dead organisms are not decomposing correctly. 'According to a new study (abstract) published in Oecologia, decomposers—organisms such as microbes, fungi and some types of insects that drive the process of decay—have also suffered from the contamination. These creatures are responsible for an essential component of any ecosystem: recycling organic matter back into the soil. Issues with such a basic-level process, the authors of the study think, could have compounding effects for the entire ecosystem.' The scientists took bags of fallen leaves to various areas around Chernobyl and found that locations with more radiation caused the leaves to retain more than half of their original weight after almost a year. They're now beginning to worry that almost three decades of dead brush buildup is contributing to the area's fire risk, and a large fire could distribute radioactive material beyond Chernobyl's exclusion zone."
Link to Original Source

Comment: ACM rights assignment (Score 1) 82

by BIOS4breakfast (#44637409) Attached to: Half of All Research Papers Published In 2011 Already Free To Read
(oops, just posted this as an AC. I thought I was logged in) Your submission, "" was accepted for publication in CCS'13 conference proceedings. You must assign publishing rights to ACM before ACM can proceed to production. There are several ways you may now assign publishing rights to ACM. You may ask ACM to manage your rights for you (including pursuit of plagiarism and clearance of third-party re-use permissions) by transferring the requested rights to ACM using either the traditional ACM Copyright Transfer Agreement or the ACM Publishing License. The community has also asked ACM to offer up-front OA fees should authors wish to make their works permanently open access (OA) in the ACM Digital Library. Should you choose to pay the article fee guaranteeing permanent open access, you may still ask ACM to manage your publishing rights for you by copyright or license. But you will also have a third option: you may choose to manage all rights yourself, by selecting the Permission Form, granting ACM a non-exclusive permission to publish your work. As of April 2013, ACM is offering authors the option of paying an Article Processing Charge in exchange for permanent OA (open access) for your article in the ACM Digital Library. Should you choose to pay the article fee guaranteeing permanent open access, you may still ask ACM to manage your publishing rights for you (including pursuit of plagiarism and allowing ACM to grant re-use permissions) by transferring the requested rights to ACM using either the traditional ACM Copyright Transfer Agreement or the ACM Publishing License. But you also have a third option: you may choose to manage all rights yourself, by selecting the Permission Form, granting ACM a non-exclusive permission to publish your work. The Open Access option requires the payment of the APC (Article Processing Charge). The fee is $1,500 if you are not a member of ACM or $1,100 if you or any of your co-authors are ACM members. If you choose the Open Access option, ACM will invoice you separately. If you are not already a member of ACM, consider joining ACM now to take advantage of the member discount rate http://campus.acm.org/public/qj/quickjoin/interim.cfm?promo=PROSOA. If you do not want to pay the OA fee, you will need to transfer publishing rights to ACM either by using the traditional ACM Copyright Transfer Agreement or choosing the new ACM Publishing License. Please click on the following link to access and complete the required process of choosing publishing rights for your submission. Please take a moment to review the form above for errors in the title and author listing. If corrections are needed, please PROCEED to the selected FORM and use the EDIT/tool function located at top of the form and make any necessary changes before submitting the form. The changes will automatically be sent to the PC or proceedings coordinator upon completion. We request that you attend to and complete the form above within 72 hours of the sending of this email. If the link above does not contain your paper's information, please contact me at your earliest convenience. Deborah Cotton ACM Publications rightsreview@acm.org

Comment: Re:Why? (Score 3, Interesting) 290

Not so much +5 informative as misinformative. Let's begin.

I've studied the entire TPM technical specification. I understand it in minute detail.

I don't doubt you've looked at it. But clearly you've looked at it from the perspective of how you think it impinges on your liberty rather than from the perspective of a security engineer trying to achieve simple properties such as executing code that isn't manipulated by an attacker. That's fine, that's the perspective I expect most slashdotters to be coming at it from. But I'm pretty encouraged by how many people in this thread have pushed back against the normal FUD I expect to see here.

The TPM technical specification is quite explicit that the owner of the computer is FORBIDDEN to ever get his keys

Forbidden from getting them out of the TPM, not forbidden from using them in ways that allow for guaranteeing security properties.If you can just export the key from the TPM onto your normal OS, how would you ever know you were talking to a TPM instead of malware pretending to be a TPM? If you could just ask the TPM to sign something for you with the protected keys, why could the attacker not arbitrarily ask for forged data to be signed?

The owner is forbidden to have his Private Endorsement Key because this key is used to secure the Remote Attestation process against the owner. Remote Attestation is where the chip securely (secure against the owner) securely tracks your hardware and the software you run, and sends that spy-report out to other computers over the internet. If the owner had his Private Endorsement key, these Attestation spy-reports wouldn't be secure against the owner.

An amazingly hyperbolic statement for someone who claims to have read the specs.
1) "The chip" tracks your hardware does it? You understand that the TPM is a completely passive chip waiting for people to come along and send it data, don't you?
2) Same point, again. If you export the EK into the OS, any malware anywhere can forge the attestation state, saying that the system is in a state it is not in. That could mean it's infected when it's not, so it gets reimaged by corporate IT, it can say it's not infected when it is, so the attacker has the run of the network.
3) Only a few large companies are actually using TPMs and remote attestation for things like trusted network connect (just NAC with a TPM-signed configuration), but in reality your FUD-drenched picture of the "spy-reports" (really? wow) being sent out gives the trusted computing folks too much credit. Since no one's using it at the OS level, most all attestation report data is just the BIOS collecting data about itself. And as people showed at BlackHat recently, vendors like Dell don't actually do a very good job of collecting relevant information, collecting just the bare minimum to make bitlocker work - https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf

TPM is just a secure hardware keystore.

It's more than that, but an important part of it is that it's a "secure hardware keystore". Specifically, it is designed to be SECURE AGAINST THE OWNER. The Trusted Platform Module Technical Specification explicitly refers to the owner of the chip as an attack-threat which the chip MUST be secure against.

Citation needed ;) I'm sure you're misinterpreting some physical tamper-resistence line. I agree with that person, it's really just a keystore (and a really really slow RC4/SHA1 implementation).

The "Master Keys" are held by the Trusted Computing Group. The crucial individual keys are locked inside the Trusted Computing chips, secured against the owners.

.

It's great that you've read the specs and all, and somehow latched on to the imaginary phrase "secure against the owners", but clearly you don't realize that specs != reality, and in reality, 3/4 of the TPMs I've looked at (broadcom, STMicro, infinion) ship *without* endorsement keys, and you just provision it yourself. So I guess given that TPMs predominantly allow you to control the keys, you don't have any problem with TPMs. I look forward to education having changed your opinion. Or not. Probably not.

+ - An attack on TPM measured boot

Submitted by BIOS4breakfast
BIOS4breakfast (3007409) writes "There weren't just Windows 8 secure boot attacks shown at BlackHat this year, but also a more fundamental attack showing how an attacker who gets into the BIOS can lie about measurements stored in a Trusted Platform Module (TPM) (they also showed an exploit to break into the BIOS past signed update enforcement on some Dells). This prompted a press release response from the Trusted Computing Group, and BIOS updates from Dell. In their talk the researchers suggested a defensive technique for more secure BIOS measurement, but also released a tool to check for the sort of vendor-misconfigurations of BIOS flash chip access controls that make it easy to break into the BIOS. Unfortunately it's only Win 7 64 bit right now, but one of the researchers said a Linux program that checks from userspace will be posted soon. In the meantime, people who don't want attackers to trivially write to their BIOS were recommended to update to the latest BIOS, and contact the researchers (so they can contact the vendors) if their latest BIOS is still writable."

Imagination is more important than knowledge. -- Albert Einstein

Working...