Anything else to wipe other than HDD and BIOS..?


neilh...@gmail.com

Sep 27, 2016, 6:51:31 AM
to qubes-users
If I think a computer has been infected, is there anything else I should wipe/re-install other than

1. Hard Drive / Operating System

2. BIOS

Is there anything else that a hacker could possibly infect that needs to be wiped/re-installed..?

Thanks

johny...@sigaint.org

Sep 27, 2016, 2:31:33 PM
to qubes-users
Lol, don't get me started...

- Any PCI card (esp Network/Video/Sound) that has any kind of flashable
firmware

- Similarly, probably any PCMCIA cards

- Any USB peripheral, especially flash drives; sadly, I don't think
there's any way to verify your HD firmware hasn't been tampered with
(write only, typically), and flash drives vary so much, it's not
particularly practical to check/clean them. Some flash drive vendors have
repair tools that can redo the BIOS (handy when the drive appears to get
pooched), but it's fairly rare to find, I think.

- SMB/DMI Bios Tables (as shown by dmidecode) - Related to the BIOS, and I
think cleansed when you reflash your BIOS. Even so, it's good to maybe
pop your motherboard battery or short out any BIOS-reset jumper to make
sure you're starting with clean settings.

- Basically, anything that can carry state needs to be looked at (although
your RTC probably doesn't have an attack vector :) )

- I've heard that rogue printers can even keep copies of what you print.
I'm not sure if this can happen from an infection, or if it needs to be a
factory/interdiction implant. Doubtful if such a thing could be cleansed.

I feel like I'm missing something else, but I might be thinking of more
hardware-based attacks (fake chokes on video cables that broadcast, etc.)

On-board peripherals (sound, network, video) typically have their firmware
as chunks in the main motherboard BIOS, I believe, so re-flashing a fresh
BIOS takes care of those.

A major oddity and frustration is that so many motherboard manufacturers
only provide their BIOSes via FTP/HTTP (and don't provide hashes!), just
begging to be MITM'd with dodgy firmware during download. So careful with
any downloads.

It's a good idea to run the BIOS (and any firmware you download) through
virustotal.com, which supposedly supports BIOSes now. You will typically
see that it's already been checked in the past by someone else, and is
clean.

Similarly, if you have to boot DOS to run a firmware flash utility, be
careful. I've used FreeDOS successfully in the past, but the motherboards
I use thankfully support the Linux utility "flashrom" which seems to be
able to successfully burn (and read) the BIOS on a lot of motherboards and
other devices.

(Of course, you always run the risk of bricking your system, but I think
it's generally pretty safe, and won't go ahead if it isn't capable on your
system.)

I occasionally use FlashROM (installable with apt under Tails, and I use
it while offline) to read and compare my BIOS against the original fresh
burn. (I'll see the DMI tables at the beginning change as I make any BIOS
changes, but so far, no mods to the code. :) )

I'd like to see FlashROM available in dom0 for the ability to do this
under tails. But I guess that would be a super-dangerous utility to have
floating around dom0, so rebooting to Tails now and then to check my BIOS
is an acceptable inconvenience.

Oh, and before you do reflash your BIOS, boot into Tails (or Debian,
Redhat, whatever) install FlashROM, and do a "flashrom -r" to read the
existing BIOS for posterity. Run the resulting file through VirusTotal.
It's interesting to compare with another "flashrom -r" after re-flashing
the new BIOS.

It'd be good to catch any corrupt BIOS before you overwrite it, to know if
you've been compromised that way, and to share the particular hack with
the security community.

Related:
http://www.businessinsider.com/nsa-says-foiled-china-cyber-plot-2013-12

(Hey, thanks for looking out for us, NSA!)

Note that any contents of a .ROM file you download to burn, won't
necessarily compare exactly to the results of a "flashrom -r". But if you
"flashrom -r oldbios.rom", burn a fresh BIOS, and do another "flashrom -r
newbios.rom", you should have a good base for comparison. I do a "hexdump
-C" on each .rom file, and then diff them to see what's different.

If you end up upgrading your ROM in the process, obviously there will be a
number of differences. The more interesting thing is if VirusTotal shows
anything, or if, down the road, you notice changes in subsequent "flashrom
-r"'s. If anything other than the SMB/DMI tables at the beginning change,
you need to assume you've been compromised (again).

(flashrom needs a "--programmer internal" option, which I left out for
clarity above.)

Obviously, any hard drive's boot sector should be examined as well. If
you're worried about compromise, you're going to scrub your disks anyway.

I usually do a regular "dd if=/dev/sda of=latest.img bs=512 count=2048",
and compare against a saved baseline image that I grabbed after a fresh
install. Any changes to the MBR, Grub stage 2 will be noticed with a
comparison against the original. Any re-partitioning or reinstallation of
grub will obviously change things.

Booting/installing Tails/Debian/Fedora/Qubes from a verified, read-only
DVD is another good idea. (It's unfortunate Qubes requires a dual-layer
DVD.) Apparently many BIOS/firmware viruses will prevent booting from
DVD, to keep themselves in the loop. So if your DVD booting starts to
fail, it could be a warning sign.

Hopefully others can fill in anything I might have missed.

Cheers

JJ
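The post above describes two manual comparisons: reading the BIOS with "flashrom -r" before and after a reflash (or periodically), hexdumping both files and diffing them, expecting only the SMBIOS/DMI settings area near the start to change; and grabbing the first 2048 sectors of the disk with dd and diffing against a baseline taken after a fresh install. The following is an added example, not code from the thread or from the flashrom project, that automates that comparison for either kind of dump. It takes a baseline dump and a current dump, reports every differing byte range, and classifies each range as expected (inside a region the caller declares as legitimately mutable) or unexpected. The firmware region offsets are an assumption the caller supplies; the example uses a made-up 0-255 settings region, and real boards differ. The MBR regions (disk signature at bytes 440-445, partition table at 446-509) are the standard MBR layout. The sample dumps are constructed in the script so it runs offline; in practice you would load the two .rom or .img files instead.

```python
"""Compare a baseline firmware/boot-sector dump against a current one.

Added example (not from the qubes-users thread or the flashrom project).
Usage in practice (assumption: you already produced the dumps):
    flashrom --programmer internal -r old.rom     # baseline, before reflash
    flashrom --programmer internal -r new.rom     # after reflash / later check
    dd if=/dev/sda of=baseline.img bs=512 count=2048
then: report(open("old.rom","rb").read(), open("new.rom","rb").read(), FIRMWARE_ALLOWED)
"""
import hashlib
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # half-open byte range [start, end)

# ASSUMPTION: settings/DMI region that legitimately changes on this (fictional)
# board. Find the real one by diffing two dumps taken around a settings change.
FIRMWARE_ALLOWED: List[Range] = [(0, 256)]

# Standard MBR layout: disk signature (440-445) and partition table (446-509)
# change on repartitioning; boot code (0-439) and 0x55AA signature should not.
MBR_ALLOWED: List[Range] = [(440, 446), (446, 510)]


def sha256_hex(data: bytes) -> str:
    """Digest of a dump, handy for logging which baseline a verdict refers to."""
    return hashlib.sha256(data).hexdigest()


def diff_ranges(baseline: bytes, current: bytes) -> List[Range]:
    """Return the half-open ranges where the two dumps differ.
    A length mismatch is reported as one trailing range."""
    ranges: List[Range] = []
    n = min(len(baseline), len(current))
    i = 0
    while i < n:
        if baseline[i] == current[i]:
            i += 1
            continue
        start = i
        while i < n and baseline[i] != current[i]:
            i += 1
        ranges.append((start, i))
    if len(baseline) != len(current):
        ranges.append((n, max(len(baseline), len(current))))
    return ranges


def inside(r: Range, allowed: List[Range]) -> bool:
    """True if the differing range lies wholly within one allowed region."""
    return any(a <= r[0] and r[1] <= b for a, b in allowed)


def classify(baseline: bytes, current: bytes, allowed: List[Range]) -> Dict:
    """Split differences into expected (settings/partition data) and unexpected
    (code changed: treat as a possible compromise, as the post advises)."""
    expected, unexpected = [], []
    for r in diff_ranges(baseline, current):
        (expected if inside(r, allowed) else unexpected).append(r)
    return {"expected": expected, "unexpected": unexpected,
            "verdict": "clean" if not unexpected else "INVESTIGATE"}


def hexdump(data: bytes, start: int, end: int, width: int = 16) -> List[str]:
    """hexdump -C style lines covering [start, end), aligned to width."""
    lines = []
    for off in range(start - start % width, end, width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asc}|")
    return lines


def report(baseline: bytes, current: bytes, allowed: List[Range]) -> str:
    """Human-readable summary; only unexpected ranges get a hexdump."""
    result = classify(baseline, current, allowed)
    out = [f"baseline sha256={sha256_hex(baseline)}",
           f"current  sha256={sha256_hex(current)}",
           f"expected changes:   {result['expected']}",
           f"unexpected changes: {result['unexpected']}",
           f"verdict: {result['verdict']}"]
    for start, end in result["unexpected"]:
        out.append(f"--- baseline {start:#x}-{end:#x}")
        out.extend(hexdump(baseline, start, end))
        out.append(f"+++ current  {start:#x}-{end:#x}")
        out.extend(hexdump(current, start, end))
    return "\n".join(out)


def patch(data: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite bytes at offset (used only to construct the sample dumps)."""
    return data[:offset] + new + data[offset + len(new):]


# Constructed sample dumps (not real firmware): a 4 KiB "flashrom -r" baseline,
# one copy with only a settings byte pair changed, one with code bytes changed.
BASELINE_ROM = bytes(range(256)) * 16
SETTINGS_CHANGED = patch(BASELINE_ROM, 0x10, b"\xff\xff")
CODE_CHANGED = patch(BASELINE_ROM, 0x800, b"\x90\x90\x90")

# Constructed 512-byte MBR: 440 bytes boot code, disk signature, 2 pad bytes,
# 64-byte partition table, 0x55AA.
BASELINE_MBR = (bytes([0xEB, 0x63]) + bytes(438) + b"\x12\x34\x56\x78"
                + b"\x00\x00" + bytes(64) + b"\x55\xAA")
REPARTITIONED = patch(BASELINE_MBR, 446, b"\x80\x20\x21\x00")
BOOTCODE_CHANGED = patch(BASELINE_MBR, 0x20, b"\xcd\x13")

if __name__ == "__main__":
    for name, base, cur, allowed in [
        ("firmware, settings only", BASELINE_ROM, SETTINGS_CHANGED, FIRMWARE_ALLOWED),
        ("firmware, code changed", BASELINE_ROM, CODE_CHANGED, FIRMWARE_ALLOWED),
        ("mbr, repartitioned", BASELINE_MBR, REPARTITIONED, MBR_ALLOWED),
        ("mbr, boot code changed", BASELINE_MBR, BOOTCODE_CHANGED, MBR_ALLOWED),
    ]:
        print(f"== {name}\n{report(base, cur, allowed)}\n")
```

The allowed-region list is the whole point of the tool: a bare diff of two firmware dumps will always show the settings area moving, which is noise, while any change outside it is what the post says to treat as a compromise. Keep the baseline dump and its hash somewhere the machine under test cannot reach (the post's practice of running flashrom from an offline Tails boot fits that), since a baseline that lives on the possibly compromised disk can be adjusted along with the firmware.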

raah...@gmail.com

Sep 27, 2016, 2:36:38 PM
to qubes-users, neilh...@gmail.com

any other firmware pci/dma devices attached to the system can be infected. BIOS might not even securely flash properly depending on how you are doing it. For example doing it from an operating system (DOS) might not be truly removing the malware. Might need a special dedicated device to flash it or ask the company to send you a new bios chip to solder on. To be 100% sure you need to buy a new pc unfortunately lol.

raah...@gmail.com

Sep 27, 2016, 2:42:03 PM
to qubes-users, johny...@sigaint.org

I forget which blackhat event, they showed how you can think you are flashing a bios. But the malware will remain.

johny...@sigaint.org

Sep 27, 2016, 2:56:27 PM
to qubes-users
> I forget which blackhat event, they showed how you can think you are
> flashing a bios. But the malware will remain.

That's creepy. Don't most BIOS flashing utilities do a verification? Or
perhaps the flashing utility itself is what was compromised in the
blackhat demo.

Another reason why doing a flashrom under Tails, and then reading it back,
is a good idea if your motherboard supports it. Pretty hard for malware
to fake that (at least without some additional flash storage to do its
tricks).

At the very least, using a slightly "unexpected" utility like flashrom
helps dodge the obvious hacks.

(Similar to someone's post in reply to the Laptop internet sharing thread,
that using a *different* VM isolation on the laptop, KVM/Qemu or whatever,
might be a good idea. For an attacker to have to compromise Xen *and*
Qemu, makes for a busy project to say the least. It'd very likely stop
any automated virus in its tracks.)

JJ

raah...@gmail.com

Sep 27, 2016, 3:14:52 PM
to qubes-users, johny...@sigaint.org

raah...@gmail.com

Sep 27, 2016, 3:28:21 PM
to qubes-users, johny...@sigaint.org
On Tuesday, September 27, 2016 at 2:56:27 PM UTC-4, johny...@sigaint.org wrote:

regarding kvm/qemu, you probably need to use an hvm and it's probably difficult to set up. Probably would also run very slow. Not worth it imo. If your bios or dom0 gets compromised it's already game over.

johny...@sigaint.org

Sep 27, 2016, 3:35:54 PM
to raah...@gmail.com, qubes-users, neilh...@gmail.com
> On Tuesday, September 27, 2016 at 6:51:31 AM UTC-4, neilh...@gmail.com
> wrote:
>> If I think a computer has been infected, is there anything else I should
>> wipe/re-install other than
>>
>> 1. Hard Drive / Operating System
>>
>> 2. BIOS

This also brings up the question of BIOS vs. EFI, which has some parallels
to the Ethernet vs. WiFi security discussion in that other exciting
thread.

EFI supposedly has more lines of code than the Linux kernel, which can't
be good.

In my opinion, the device drivers should manage the hardware, not the
motherboard's BIOS/EFI. The BIOS should be just enough to get the base
system loaded from disk, and it can do its thing.

The complexity and attack surface of EFI concerns me, which is why I'm
glad to stick with BIOS, until I'm forced to EFI. (Also, I'm broke, lol.
Another reason I'm sticking with my BIOS-based motherboards.)

(will Qubes 4.0 force that as well? Likely the newer hardware required
for Qubes 4.0 will be EFI-only, so the question may be moot.)

I know TPM/Anti-Evil-Maid is an EFI-only thing, and supposedly a useful
(essential?) thing for boot security. But is it worth the massive amount
of extra code involved?

Any opinions on the BIOS vs. EFI thing, from a security standpoint?

JJ

raah...@gmail.com

Sep 27, 2016, 4:18:18 PM
to qubes-users, raah...@gmail.com, neilh...@gmail.com, johny...@sigaint.org

I agree. Just ask hacking team. It's less secure and imo has no benefits to qubes users if not even using secure boot. If using secure boot then it's up for debate. Secure boot would be a nice addition to go with aem. Although it seems it's a controversial subject because people like Richard Stallman and Joanna have been talking for a while now of the concerns regarding intel ME/amt/vpro in general as an unchecked balance which can lead to potential unknown backdoors.

Richard Stallman actually says he is not against uefi in its current form, only because he considers it a failure for its original intended purpose...lol and secure boot is a reasonable use of it. He is against what he calls "restricted boot" which imo is not a warranted concern of mine since I have not run into a retail mobo I could not disable secure boot on or add my own keys to.

raah...@gmail.com

Sep 27, 2016, 4:19:21 PM
to qubes-users, raah...@gmail.com, neilh...@gmail.com, johny...@sigaint.org
I also have one qubes bios machine and another I use legacy boot on. But you're right, in the future we will be forced to all use uefi.

neilh...@gmail.com

Sep 27, 2016, 4:27:01 PM
to qubes-users, raah...@gmail.com, neilh...@gmail.com, johny...@sigaint.org
How about Google Chromebooks which have a system to auto-restore the OS if it thinks it's been tampered with..?

Or what about a read-only BIOS in the first place..?

Is there any reason BIOS can't be read-only..?

I basically want a computer which is most easy to wipe/reinstall and then it's truly wiped.

johny...@sigaint.org

Sep 27, 2016, 4:41:40 PM
to qubes-users
> How about Google Chromebooks which have a system to auto-restore the OS if
> it thinks it's been tampered with..?

Doesn't that imply trust in Google, who is known to cooperate with NSA and
such (as required by US law)?

I have had serious problems with a hacked Android phone, and the
"weirdness" went away when I avoided installing Google Play
Store/Services. The minute I install Google Play, it appears to be
compromised, accessing files and uploading constantly.

(A device should download, not upload, lol.)

Personally, I have little doubt that Google has backdoors in Play Services
for law enforcement, and I also have no doubt that those backdoors have
been misused for inappropriate/nefarious purposes (LOVINT style).

So Chromebooks, no. Unless everything is open source top to bottom, and I
can build it myself. But who has time for that.

> Or what about a read-only BIOS in the first place..?
>
> Is there any reason BIOS can't be read-only..?

Lol, that seems like the most basic, logical, simple answer, that I've
never seen implemented. A simple switch or jumper could disable the write
line on the BIOS flash. In the (very) rare case when you need to flash a
BIOS (especially rare on older machines), flipping the switch or
connecting the jumper would be such a minor inconvenience.

I'm tempted to look up the specs of the flash BIOS chip on my motherboard,
and see if I can hack in that tweak myself.

I've noticed that with my flashrom reading/comparison, that the beginning
of the BIOS area changes when I change BIOS settings, and corresponds to
the stuff dumped by 'dmidecode.'

Does this mean that your BIOS settings are actually stored in the same
flash rom as the BIOS? If so, I'm not necessarily sure that the same
write-line-jumper hack is any worse. Maybe even better. It'd also
protect against any BIOS setting changes.

Are there any BIOS setting changes that *need* to be updated on the fly by
the BIOS without user intervention? (If the settings are indeed typically
stored in the same flash.) Whenever I reboot, I see some "updating nvvm
blah blah blah" thing, which implies that maybe there is some writes to
the BIOS settings upon boot.

One way to find out, lol... (Looks at soldering iron...)

This motherboard is on its last legs (after a poweroff, it's real cranky
to wake up, takes reconnecting the power a dozen times or more before it
fires up), so experimenting with making the BIOS flash chip read-only
isn't a terribly risky project. Will report back with any results if I
try it.

> I basically want a computer which is most easy to wipe/reinstall and then
> it's truly wiped.

Computers should have *zero* state in the first place, as in days of old.

The state should be kept on your storage devices, operating system, etc..
I seem to recall an article on that particular point, maybe even by the
legendary Joanna herself.

Google, Google, Google... (Actually, Duckduckgo, Duckduckgo, Duckduckgo):

Yeah, it was, God love her:

http://blog.invisiblethings.org/2015/12/23/state_harmful.html

JJ

neilh...@gmail.com

Sep 27, 2016, 6:52:00 PM
to qubes-users, johny...@sigaint.org
Yeah, Joanna is seriously epic.

How about Raspberry Pi..? That seems to have very few components.

raah...@gmail.com

Sep 27, 2016, 7:21:35 PM
to qubes-users, raah...@gmail.com, neilh...@gmail.com, johny...@sigaint.org

You can get a motherboard that has a removable bios chip that you can just snap in to replace. Then call the company and have them send you one or two to hold onto for emergency lol. There are also mobos with dualbios, mostly this is for bringing a bricked board back to life.

Also don't forget malware can reside in other firmware also. So that means all pci devices, like gpu, netcard, etc... most experts will tell you just to replace everything to be sure if you think you are compromised at that level and it's important.

johny...@sigaint.org

Sep 27, 2016, 9:51:10 PM
to qubes-users
> Yeah, Joanna is seriously epic.

Upon that, we can all agree.

Everything she designs or writes up, seems bang-on (and wonderfully
informative) in this increasingly security-threatened world we're living
in.

She's probably just a fictional character created by the NSA to mesmerize
and lure us Linux geeks into this honeypot known as Qubes. :)

(Even I'm not quite that paranoid. Yet, at least.)

> How about Raspberry Pi..? That seems to have very few components.

That's interesting.

As a side project (one of soooo soooo many), I'm working on a
Arduino-based system that will let me do secure, encrypted note-taking,
email, SMS, messaging, etc., with (similarly secure/encrypted/hack-proof)
mouse/keyboard/storage, as well as even being a platform for further
development of the same system, without dependency upon a vulnerable PC or
laptop.

And also being lower-power and mobile, which helps security further.

Things like secure and encrypted SMS, messaging, email, note taking,
PDA-like functionality (on par with Palm Pilots in days of old) are
certainly possible, without being threatened by hacks from all the
organized (or disorganized) crooks or overly-aggressive governments
pushing, unhindered and beyond reproach, way beyond constitutional and
ethical boundaries.

They will be portable, low power, low cost, open source, transparent tools
that could be used by the oppressed, the abused, whistle-blowers, the
relentlessly hacked, that are afraid to speak out, as well as the general
public.

I've been focused upon Arduino/atmega328 due to the low cost,
accessibility, transparency, etc..

(The harassment I've personally been undergoing has been keeping me, errr,
rather "frugal," so the atmega328 platform is appealing.)

Raspberry is a bit like Arduino/atmega on steroids. I've not gone there
because it draws more power, costs more; but at the end of the day, it's
more powerful and probably has similar security/transparency as the
Arduino/atmega328 if done properly.

And with its additional processing power, it's a more likely candidate for
replacing a PC for things like web browsing, Tor, VPN, PGP, (things a bit
beyond atmega328's capabilities). And in those cases, the extra cost is
still far below even a basic notebook or tablet.

(Not sure how it rates power-consumption-wise as compared to
notebooks/tablets, maybe a bit worse. I see it used a lot for home media
PC's, which I doubt would last long on a couple of CR2032 batteries. :)
But still way better than a PC, as long as we still can rely upon power to
our homes, it'll do. :) )

I am firmly convinced that the only salvation to corrupt surveillance
states and the take-over of the world by the greedy and corrupt, is a
revolution to more simplistic, secure, and (especially) transparent
technology that achieves a lot of the same things as today's hopelessly
complex smartphones, Wifi, broadbands, web browsers.

I'll stop the rant now. :) But progressing/expanding up to the
Raspberry's power while still achieving the same goals, is something I'm
going to seriously ponder.

(There are a number of other processors, like STM32 and others, that can
similarly bring more processing power without blowing security. My
approach is quite portable, so any or all of the platforms should be
viable to include in the solution.)

Thanks for the inspiration. :)

JJ

johny...@sigaint.org

Sep 27, 2016, 10:31:42 PM
to qubes-users
> You can get a motherboard that has a removable bios chip that you can just
> snap in to replace. Then call the company and have them send you one or
> two to hold onto for emergency lol. There are also mobos with dualbios,
> mostly this is for bringing a bricked board back to life.

I actually have one of those motherboards here. It sounded like a very
kick-ass feature, the double-bios to restore in case of problems. And the
board has 8 SATA, a dozen USB, some serious video and audio capabilities,
32g memory capabilities, IOMMU, etc.

But it was given to me out of the blue right after I retired a
dodgy/compromised machine, so I'm a little wary. A shame, because it's
one hell of a motherboard.

I might fire it up with Qubes in a non-critical/non-trusted manner. (Or
set it up in a Windows machine, sell it, and buy a known secure
motherboard. :) )

> Also don't forget malware can reside in other firmware also. SO that
> means all pci devices, like gpu, netcard. etc... most experts will
> tell you just to replace everything to be sure if you think you are
> compromised at that level and its important.

Would you say a motherboard that integrates a lot of that (with the dual
recovery BIOS) would be less prone to compromise (or at least easier to
restore from compromise) than a machine that separate PCI cards providing
that sound/video/net?

Presumably, if you can trust the vendor and its BIOS, one flashing of the
BIOS (or recovery from the backup) should restore you to a state that
could be trusted. A lot easier than doing the same (if even possible) for
the net/sound/video add-on cards, no?

Or would it be easier for a threat actor to attack a specific motherboard
and its integrated peripherals, rather than a random set of add-on cards?

JJ

raah...@gmail.com

Sep 28, 2016, 10:40:28 PM
to qubes-users, johny...@sigaint.org

I use a raspberry pi as a print server with a usb printer for my qubes machine. It's great, it's just like running debian. And chromium running on it for Google Cloud Print for android devices. Runs great.

raah...@gmail.com

Sep 28, 2016, 10:48:00 PM
to qubes-users, johny...@sigaint.org

I'm not sure whether its being integrated matters to how prone to compromise it is. I would imagine being able to replace a component you think is compromised is better than not being able to, for example replacing a gpu or netcard you think is compromised. But I don't know of many boards that don't have some pci devices integrated so we probably have no choice. Again, the only way to be 100% is probably to replace the whole system. With a laptop it would be more necessary probably.

Regarding attacking a specific motherboard or firmware, imo, this would all fall under that category of targeted attack. I think it is still very rare nowadays for some random or automated attack to infect your firmwares and bios. At least I hope it is lmao. Especially on a custom machine. But on the same token it is less rare nowadays for someone to be personally targeted by a persistent actor with lots of resources. So I guess it all depends on how paranoid you are and how much you are willing to spend. IMO I don't think there is much any of us can do against a very persistent attacker, especially if it's the government.

raah...@gmail.com

Sep 29, 2016, 12:24:33 AM
to qubes-users, johny...@sigaint.org, raah...@gmail.com

when I say nothing you can do, I mean if you want to keep doing the things you want to do on a pc that make you vulnerable and out of your control in the first place unfortunately. Like walking down a public street.
