DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools


David H. Lipman

Jul 11, 2011, 9:55:02 AM
http://www.fastcompany.com/1765855/dhs-someones-spiking-our-imported-tech-with-attack-tools

"A top Department of Homeland Security (DHS) official has admitted on the record that
electronics sold in the U.S. are being preloaded with spyware, malware, and
security-compromising components by unknown foreign parties. In testimony before the House
Oversight and Government Reform Committee, acting deputy undersecretary of the DHS
National Protection and Programs Directorate Greg Schaffer told Rep. Jason Chaffetz (R-UT)
that both Homeland Security and the White House have been aware of the threat for quite
some time.

When asked by Rep. Chaffetz whether Schaffer was aware of any foreign-manufactured
software or hardware components that had been purposely embedded with security risks, the
DHS representative stated that “I am aware of instances where that has happened,” after
some hesitation."


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp


Shadow

Jul 11, 2011, 12:55:38 PM
On Mon, 11 Jul 2011 09:55:02 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>http://www.fastcompany.com/1765855/dhs-someones-spiking-our-imported-tech-with-attack-tools

////

>as aware of any foreign-manufactured
>software or hardware components that had been purposely embedded with security risks, the
>DHS representative stated that “I am aware of instances where that has happened,” after
>some hesitation."

We say the same here about Microsoft, Google and Facebook,
amongst others.
I suppose it depends where you live.
:)

[]'s

kurt wismer

Jul 11, 2011, 2:02:39 PM
On Jul 11, 9:55 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> http://www.fastcompany.com/1765855/dhs-someones-spiking-our-imported-...

>
> "A top Department of Homeland Security (DHS) official has admitted on the record that
> electronics sold in the U.S. are being preloaded with spyware, malware, and
> security-compromising components by unknown foreign parties. In testimony before the House
> Oversight and Government Reform Committee, acting deputy undersecretary of the DHS
> National Protection and Programs Directorate Greg Schaffer told Rep. Jason Chaffetz (R-UT)
> that both Homeland Security and the White House have been aware of the threat for quite
> some time.
>
> When asked by Rep. Chaffetz whether Schaffer was aware of any foreign-manufactured
> software or hardware components that had been purposely embedded with security risks, the
> DHS representative stated that “I am aware of instances where that has happened,” after
> some hesitation."

i'm reminded of the US military completely banning USB flash drives
because some unknown foreign agent was believed to have used one to
infect their systems with an autorun worm.

i suspect what's going on is much more banal than what DHS is
describing.

David H. Lipman

Jul 11, 2011, 3:45:59 PM
From: "kurt wismer" <ku...@sympatico.ca>


No Kurt. You have it wrong.

A USB drive was found in a theatre which was infected with W32/Agent.BTZ. Thought to have
been left in a conspicuous location by a foreign governmental agent. Possibly for sale in
a bazaar to be targeted by US service personnel.

A US military person obtained it and brought it back to a FOB or Command Post and infected
the NIPRnet.

That's about all I'll say on that matter. ;-)

Think back to the time when the NSA banned the Furby because they thought it could be used
in intelligence gathering. The point with the DHS article is many "smart devices" are
being sold trojanized.

Message has been deleted

kurt wismer

Jul 11, 2011, 4:47:19 PM
On Jul 11, 3:45 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>

agent.btz is an autorun worm, and leaving USB drives in conspicuous
locations is a way of effecting an infection. it's actually exactly
what i was talking about but with much more specific details than i
bothered to recount.

there have been plenty of examples of people being unwittingly
responsible for confidential data breaches by way of forgetting
storage media in various places (i even remember hearing of one found
on a floor in a night club). the fact is people lose those things all
the time. and since autorun worms don't usually discriminate about
what USB drives they infect it stands to reason that people lose
infected drives on a regular basis too. the idea the particular one in
question was deliberately 'tainted' and 'planted' is almost certainly
specious unless there's further evidence they just don't care to
share. however, their abject failure to deal with the threat of
autorun worms in a reasonable manner makes me suspect them of reading
more into banal malware events than is actually warranted.

> That's about all I'll say in that mattter.  ;-)
>
> Think back to the time when the NSA banned the Furby because they tought it could be used
> in intelligence gathering.  The point with the DHS article is many "smart devices" are
> being sold trojanized.

sure, but my point is this isn't new, it's not unique to government or
defense. it's been happening to consumer electronics for ages
(cameras, digital picture frames, mp3 players, etc) and it's generally
ridiculous to consider a scenario with a deliberate actor when dealing
with malware that is capable of getting into the masters for these
devices on its own.

maybe you have more details that you simply can't share, and if so
i'll have to take you at your word.

maybe you simply have more faith in people who couldn't figure out how
to defend against autorun worms even after one rather famously found
its way onto the international space station earlier that very same
year - in which case i can only leave you to your opinion, it's
definitely not one you'll convince me to share.

David H. Lipman

Jul 11, 2011, 4:58:03 PM
From: "kurt wismer" <ku...@sympatico.ca>


Kurt:

Welcome back!

You have been missed ;-)

Dustin

Jul 11, 2011, 5:21:47 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:ivevb...@news4.newsguy.com:

> http://www.fastcompany.com/1765855/dhs-someones-spiking-our-imported-
> tech-with-attack-tools

>
> "A top Department of Homeland Security (DHS) official has admitted
> on the record that electronics sold in the U.S. are being preloaded
> with spyware, malware, and security-compromising components by
> unknown foreign parties. In testimony before the House Oversight and
> Government Reform Committee, acting deputy undersecretary of the DHS
> National Protection and Programs Directorate Greg Schaffer told Rep.
> Jason Chaffetz (R-UT) that both Homeland Security and the White
> House have been aware of the threat for quite some time.
>
> When asked by Rep. Chaffetz whether Schaffer was aware of any
> foreign-manufactured software or hardware components that had been
> purposely embedded with security risks, the DHS representative
> stated that “I am aware of instances where that has happened,” after
> some hesitation."
>
>

Anyone wanna take bets on some of the systems having altered copies of
lojack present in the system BIOS? Yes, folks, I had a chance to check
one out.. :) It lives in a region in your BIOS; and no, simply
reflashing won't touch her.


--
(Hey) I keep on thinking that it's
(Hey) all done and all over now (whoa)
You keep on thinking you can save me save me
(Hey) My ship is sinking but it's
(Hey) all good and I can go down (whoa)
You've got me thinking that the party's all over

Dustin

Jul 11, 2011, 5:49:54 PM
Dustin <bughunte...@gmail.com> wrote in
news:Xns9F1FB142E1527HHI2948AJD832@no:

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
> news:ivevb...@news4.newsguy.com:
>
>> http://www.fastcompany.com/1765855/dhs-someones-spiking-our-imported-tech-with-attack-tools

>>
>> "A top Department of Homeland Security (DHS) official has admitted
>> on the record that electronics sold in the U.S. are being preloaded
>> with spyware, malware, and security-compromising components by
>> unknown foreign parties. In testimony before the House Oversight
>> and Government Reform Committee, acting deputy undersecretary of
>> the DHS National Protection and Programs Directorate Greg Schaffer
>> told Rep. Jason Chaffetz (R-UT) that both Homeland Security and the
>> White House have been aware of the threat for quite some time.
>>
>> When asked by Rep. Chaffetz whether Schaffer was aware of any
>> foreign-manufactured software or hardware components that had been
>> purposely embedded with security risks, the DHS representative
>> stated that “I am aware of instances where that has happened,”
>> after some hesitation."
>>
>>
>
> Anyone wanna take bets on some of the systems having altered copies
> of lojack present in the system BIOS? Yes, folks, I had a chance to
> check one out.. :) It lives in a region in your BIOS; and no, simply
> reflashing won't touch her.

Best that I elaborate. The URL I'm fixing to provide has lots and lots
of posts; the first post is the one you want. It does involve modifying
the system BIOS. If you aren't willing to do this, don't proceed.

http://www.freakyacres.com/remove_computrace_lojack

For those who want to disassemble lojack's BIOS hack, the rom file dump
is available on that url. [g]

Nobody > (Revisited)

Jul 11, 2011, 9:31:39 PM

I may be off the mark a bit here, but IIRC BestBuy was doing similar in
their "optimization" scam. (later search shows they are/were selling
Absolute's Computrace Lojack in Canada)

Whole loads of info on that FUBAR, just plug
"best buy optimization scam"
into a search engine.

--
"Shit this is it, all the pieces do fit.
We're like that crazy old man jumping
out of the alleyway with a baseball bat,
saying, "Remember me motherfucker?"
Jim “Dandy” Mangrum

David H. Lipman

Jul 11, 2011, 10:07:15 PM
From: "Nobody > (Revisited)" <useneth...@aol.com>

To me it sounded like "bait and switch" to gain an extra $40.00.

Nobody > (Revisited)

Jul 11, 2011, 10:46:40 PM

That's pretty much how I read it as well, and that's pretty much what
happened to a friend who was trying to buy a laptop from BurpBuy a few
months ago.

I was going to do a *real* "optimization" for her afterwards anyway;
suck out the restore disks, decrapifier, install AVAST Free, MBAM,
CCleaner, Revo Uninstall, some Win7 tweaks.... the usual.

She called me when they pulled that crap on her, so I met her at the
store. I was primed for confrontation, even had corp BB numbers loaded
in the phone as well as the state AG's consumer help line and some
various things printed off consumer advocate sites in hand.

They didn't have any "unopted" machines in stock for the model she was
looking at.

(There was no "lojack' in the package, thank ghu!)

I don't know if I scared the crap out of both the "desk GeekSquid" and
his manager or if it was the fact that I intentionally made my
"discussion" loud enough to draw a crowd... but...

She ended up getting an "opted" machine, and $40 off the sales price for
it being an "Open Box" item.

It was obvious that both the GeekSquid and manager had no clues about
the rules in this state regarding retail sales, nor much clues about the
"optimizations" involved.

After getting my hands on it, it was a toss-up between "De-BurpBuying"
the drive or restoring from factory. I sucked off the restore disks,
then ran the restore from the F (something) prompt. ~ 1 hour gone there,
about another hour doing the crapware removals and installing the good
(and free) stuff, another hour making it work and look right for her,
and she's now happy.

Part of that was actually getting a fresh (2 week old) BIOS update,
getting updated drivers as needed, and a fair amount of tutorial.
I also set up TeamViewer on it so all she has to do is call me for help.

That probably never would have happened with the BurpBuy version of
"optimization".

What did I get out of this? Warm fuzzies, a hug and 3 homebaked pies.
I'm good.

G. Morgan

Jul 11, 2011, 11:43:35 PM
David H. Lipman wrote:

>"A top Department of Homeland Security (DHS) official has admitted on the record that
>electronics sold in the U.S. are being preloaded with spyware, malware, and
>security-compromising components by unknown foreign parties

"unknown foreign parties". What a joke, Rep. Issa won't identify the
enemy? He's afraid to say "C H I N A"???

kurt wismer

Jul 12, 2011, 12:18:51 AM
On Jul 11, 4:35 pm, ASCII <m...@privacy.net> wrote:

> kurt wismer wrote:
>
> >i'm reminded of the US military completely banning USB flash drives
> >because some unknown foreign agent was believed to have used one to
> >infect their systems with an autorun worm.
>
> >i suspect what's going on is much more banal than what DHS is
> >describing.
>
> Think maybe they're fanning the flames of FUD
> to try and get an increase in their funding?

the sad truth is, i think it's more a matter of computer security
incompetence. i think those in the halls of power live so far inside
their own little bubble that _viruses_in_space_ wasn't enough of a
wake-up call about a fairly straightforward computer threat. i think
they're learning most things from scratch instead of learning from
other people's failures, and i think their quite understandable biases
are leading them to erroneous conclusions.

think 'dunning-kruger effect', with a dash of 'peter principle' and
the hammer&nail mentality for flavour.

Message has been deleted

David H. Lipman

Jul 12, 2011, 5:08:12 AM
From: "G. Morgan" <G_Mo...@easy.com>

;-)

FromTheRafters

Jul 12, 2011, 7:22:22 AM
ASCII wrote:
> kurt wismer wrote:
>> dunning-kruger effect
>
> New terminology for me, thanks.
> Had to look it up, but it's so applicable to
> some people encountered on usenet.

I had to look that up too. kurt has always made me learn new things.

Dustin

Jul 12, 2011, 3:45:57 PM
"Nobody > (Revisited)" <useneth...@aol.com> wrote in
news:WtNSp.40697$Md1....@newsfe19.iad:

> I may be off the mark a bit here, but IIRC BestBuy was doing similar
> in their "optimization" scam. (later search shows they are/were
> selling Absolute's Computrace Lojack in Canada)

They still are. for $40 dollars, you can let anyone 0wn you too!

Ant

Jul 12, 2011, 5:06:52 PM
"Dustin" wrote:

>> Anyone wanna take bets on some of the systems having altered copies
>> of lojack present in the system BIOS? Yes, folks, I had a chance to
>> check one out.. :) It lives in a region in your BIOS; and no, simply
>> reflashing won't touch her.
>
> Best that I elaborate. The url I'm fixing to provide has lots and lots
> of posts, the first post is the one you want. It does involve modifying
> the system BIOS. if you aren't willing to do this, don't proceed.
>
> http://www.freakyacres.com/remove_computrace_lojack
>
> For those who want to disassemble lojack's BIOS hack, the rom file dump
> is available on that url. [g]

I couldn't resist! That file contains a Windows native executable (not
a driver) which presumably runs early in the boot process but not too
early since it uses the native functions from ntdll. It drops the
phone-home module (rpcnetp.exe) in system32 and creates a registry
entry to run it as a service.


Dustin

Jul 12, 2011, 6:03:08 PM
"Ant" <n...@home.today> wrote in
news:He2dnbFmncoiKoHT...@brightview.co.uk:

So I'm wondering at this point, whats to stop some badguy out there,
using this technology for an embedded rootkit? How much better control
over a machine can you get, than to literally be contained inside the
BIOS code? in an oem region, that you know will not be touched if the
user just reflashes.

Dustin

Jul 12, 2011, 7:16:53 PM
"Ant" <n...@home.today> wrote in
news:He2dnbFmncoiKoHT...@brightview.co.uk:

> "Dustin" wrote:

I actually found a python script to dump the rom ....

check this out:
http://preview.tinyurl.com/5r5tvau

After some tinkering, I couldn't get the script to work.. so...

I spent some time with fileinsight and a tool I wrote years ago to
modify files. :)

I manually dumped the second UPX file (it's got two), and walla; My
trojan calling home exe, actually, looking inside; it has several of
them....I'll have to do some more extracting to make sure I didn't just
confuse UPX and it went overboard, duplicating.. but it doesn't look to
have done that..

Not too shabby.

Ant

Jul 12, 2011, 7:16:13 PM
"Dustin" wrote:

> So I'm wondering at this point, whats to stop some badguy out there,
> using this technology for an embedded rootkit? How much better control
> over a machine can you get, than to literally be contained inside the
> BIOS code? in an oem region, that you know will not be touched if the
> user just reflashes.

Hasn't this subject of infecting a BIOS come up before? How's the bad
guy going to install it? Why bother with such machine specific stuff
when installing rootkits by social engineering is so easy?


Dustin

Jul 12, 2011, 8:56:16 PM
"Ant" <n...@home.today> wrote in
news:WZOdnYF7kfOaS4HT...@brightview.co.uk:

Pretty easy. Several nice, tiny freebie apps out there to reflash BIOS.
All one need do, is download current bios, install yourself as an
optionrom; reflash new bios file. Done. You could still be removed... but
it would be much more difficult. You couldn't just boot clean anymore.

When the discussion originally took place, the BIOS varied enough that
you'd have to hit a specific target, no mention was ever made about the
optionrom section of code. Lojack's done something nobody else has.
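Added example, written for this page and not code from any poster, from the freakyacres thread, or from Absolute: a Python scanner that walks a firmware dump for the two things the posts above describe, legacy PCI option ROM images (the 0x55AA header Dustin is talking about, with the PCIR data structure and the byte-sum checksum) and embedded PE executables, reporting their section names so a UPX-packed payload like the one Dustin extracted stands out, plus the `rpcnetp` string Ant found. The flash image, the vendor/device IDs and the dummy PE are all constructed in `demo_image()` for the demonstration; nothing here is a claim about where or how the real Computrace module sits. Feed `scan()` a real dump read off the chip to use it for real.

```python
"""Scan a firmware dump for legacy PCI option ROMs and embedded PE executables.

Demo-only input: demo_image() builds a synthetic flash image with fictional
vendor/device IDs and a dummy PE carrying UPX section names and 'rpcnetp.exe'.
"""
import struct
from typing import Dict, List


def build_pe(section_names: List[str], payload: bytes) -> bytes:
    """Minimal PE32 skeleton: MZ stub, PE signature, COFF header, optional header, sections."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)            # e_lfanew -> PE signature
    opt_size = 0xE0                                         # PE32 optional header size
    coff = struct.pack('<HHIIIHH', 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack('<H', 0x10B) + bytes(opt_size - 2)    # PE32 magic, rest zeroed
    sections = b''.join(n.encode().ljust(8, b'\x00') + bytes(32) for n in section_names)
    return bytes(dos) + b'PE\x00\x00' + coff + opt + sections + payload


def build_option_rom(body: bytes, vendor: int = 0x1234, device: int = 0x5678) -> bytes:
    """Wrap body as a legacy option ROM: 55AA, size in 512-byte blocks, PCIR, zero checksum."""
    header = bytearray(0x1A)
    header[0:2] = b'\x55\xAA'
    header[3:6] = b'\xEB\x00\x90'                           # entry stub: jmp short; nop
    struct.pack_into('<H', header, 0x18, 0x1A)              # pointer to PCI data structure
    pcir = bytearray(24)
    pcir[0:4] = b'PCIR'
    struct.pack_into('<HHxxH', pcir, 4, vendor, device, 24) # IDs, (reserved), PCIR length
    pcir[20], pcir[21] = 0x00, 0x80                         # code type x86, last image
    rom = bytearray(header + pcir + body)
    total = (len(rom) + 512) // 512 * 512                   # pad, keeping a byte for the checksum
    rom += bytes(total - len(rom))
    rom[2] = total // 512
    struct.pack_into('<H', rom, 0x1A + 16, total // 512)    # PCIR image length
    rom[-1] = (-sum(rom[:-1])) & 0xFF                       # byte sum of the image == 0 mod 256
    return bytes(rom)


def find_option_roms(image: bytes) -> List[Dict]:
    """Every 55AA candidate whose size fits and that checksums or carries a PCIR block."""
    found, off = [], 0
    while (off := image.find(b'\x55\xAA', off)) >= 0:
        blocks = image[off + 2] if off + 2 < len(image) else 0
        rom = image[off:off + blocks * 512]
        if blocks and len(rom) == blocks * 512:
            pcir_off = struct.unpack_from('<H', rom, 0x18)[0]
            pcir = None
            if pcir_off + 24 <= len(rom) and rom[pcir_off:pcir_off + 4] == b'PCIR':
                vendor, device = struct.unpack_from('<HH', rom, pcir_off + 4)
                pcir = {'vendor': vendor, 'device': device, 'code_type': rom[pcir_off + 20]}
            checksum_ok = sum(rom) % 256 == 0
            if checksum_ok or pcir:
                found.append({'offset': off, 'length': len(rom), 'checksum_ok': checksum_ok, 'pcir': pcir})
        off += 2
    return found


def find_pe_images(image: bytes) -> List[Dict]:
    """MZ headers whose e_lfanew points at a PE signature; records machine and section names."""
    found, off = [], 0
    while (off := image.find(b'MZ', off)) >= 0:
        if off + 0x40 <= len(image):
            pe = off + struct.unpack_from('<I', image, off + 0x3C)[0]
            if off + 0x40 <= pe < off + 0x400 and image[pe:pe + 4] == b'PE\x00\x00' and pe + 24 <= len(image):
                machine, nsec, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', image, pe + 4)
                table = pe + 24 + opt_size                  # section table follows the optional header
                names = [image[table + i * 40:table + i * 40 + 8].rstrip(b'\x00').decode('ascii', 'replace')
                         for i in range(nsec) if table + i * 40 + 40 <= len(image)]
                found.append({'offset': off, 'machine': machine, 'sections': names,
                              'upx_packed': any(n.startswith('UPX') for n in names)})
        off += 2
    return found


def find_strings(image: bytes, needles: List[str]) -> Dict[str, List[int]]:
    """Offsets of each needle as ASCII and as UTF-16LE (how Windows binaries often store paths)."""
    hits: Dict[str, List[int]] = {}
    for needle in needles:
        hits[needle] = []
        for enc in ('ascii', 'utf-16-le'):
            pat, off = needle.encode(enc), 0
            while (off := image.find(pat, off)) >= 0:
                hits[needle].append(off)
                off += 1
    return hits


def scan(image: bytes) -> Dict[str, object]:
    return {'option_roms': find_option_roms(image), 'pe_images': find_pe_images(image),
            'strings': find_strings(image, ['rpcnetp', 'UPX!'])}


def demo_image() -> bytes:
    """Constructed flash image: filler, a plain option ROM, filler, an option ROM carrying a PE."""
    plain = build_option_rom(b'\x90' * 300)
    agent = build_option_rom(build_pe(['UPX0', 'UPX1', '.rsrc'], b'UPX!' + bytes(16) + b'rpcnetp.exe\x00'))
    return bytes(4096) + plain + bytes(1024) + agent + bytes(2048)


if __name__ == '__main__':
    for rom in find_option_roms(demo_image()):
        print(f"option ROM @0x{rom['offset']:x} len={rom['length']} checksum_ok={rom['checksum_ok']} pcir={rom['pcir']}")
    for pe in find_pe_images(demo_image()):
        print(f"PE @0x{pe['offset']:x} machine=0x{pe['machine']:x} sections={pe['sections']} upx={pe['upx_packed']}")
    print(find_strings(demo_image(), ['rpcnetp']))
```

The checksum check is the useful part when comparing a dump against the vendor's download: an image that still checksums but has grown, or a 55AA image the vendor file does not contain at that offset, is exactly the kind of difference a reflash would not undo if the extra image lives in a region the flasher skips. The scanner only understands the legacy option ROM format; UEFI firmware volumes need a different parser.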

FromTheRafters

Jul 12, 2011, 10:02:43 PM

Yep, it's probably not a mobile code problem, but still might be a
malware problem.

FromTheRafters

Jul 12, 2011, 10:09:20 PM
Dustin wrote:
> "Ant"<n...@home.today> wrote in
> news:WZOdnYF7kfOaS4HT...@brightview.co.uk:
>
>> "Dustin" wrote:
>>
>>> So I'm wondering at this point, whats to stop some badguy out there,
>>> using this technology for an embedded rootkit? How much better control
>>> over a machine can you get, than to literally be contained inside the
>>> BIOS code? in an oem region, that you know will not be touched if the
>>> user just reflashes.
>>
>> Hasn't this subject of infecting a BIOS come up before? How's the bad
>> guy going to install it? Why bother with such machine specific stuff
>> when installing rootkits by social engineering is so easy?
>
> Pretty easy. Several nice, tiny freebee apps out there to reflash bios.
> All one need do, is download current bios, install yourself as an
> optionrom; reflash new bios file. Done. You could still be removed... but
> it would be much more difficult. You couldn't just boot clean anymore.
>
> When the discussion originally took place, the BIOS varied enough that
> you'd have to hit a specific target, no mention was ever made about the
> optionrom section of code. Lojack's done something nobody else has.
>
>
I'd mentioned it many times, but as an early rootkit loading point not
specifically this. I realized it probably had to be done with physical
access to the innards though. Until the option ROM becomes software
flashable, and the userbase more homogeneous we needn't worry about
mobile code using this vector.

Dustin

Jul 12, 2011, 11:13:21 PM
FromTheRafters <err...@nomail.afraid.org> wrote in
news:iviuoi$tcf$1...@dont-email.me:

Evidently the optionrom section is software flashable. You willingly
install it, or someone else does from a CD-ROM. It becomes one with your
system BIOS and provides its Windows/Mac executable to the OS.

James Egan

Jul 13, 2011, 2:02:05 PM

On Tue, 12 Jul 2011 23:16:53 GMT, Dustin <bughunte...@gmail.com>
wrote:

>and walla;

I know you're cleverer than him, but you do a really good sugien
impression on occasions.


Jim :)

GEO

Jul 15, 2011, 10:01:23 AM

And me too. So, as a reference for anybody else:

'The Dunning-Kruger effect is a cognitive bias in which unskilled
people make poor decisions and reach erroneous
conclusions, but their incompetence denies them the metacognitive
ability to appreciate their mistakes.'
<http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect>

A link to the original publication was found in:
<http://www.guardian.co.uk/science/punctuated-equilibrium/2011/jun/28/1>


Thanks, Kurt.

Geo

