Reuters: Kaspersky discovered spying software in hard drives firmware
Linux - NewsThis forum is for original Linux News. If you'd like to write content for LQ, feel free to contact us.
All threads in the forum need to be approved before they will appear.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've just disassembled one of my HDD's. You can also read the firmware directly from the SPI Flash chip
Could you access it with software alone, or did you have to connect directly to the chip? The SpriteMods fellow said the contents of his flash chip were compressed in a way he couldn't decompress: was yours uncompressed or did you figure out how to decompress it?
Quote:
Originally Posted by displace
a lot of HDD's come with an external SOIC8 SPI flash chips, I wonder if it is possible to physically write-protect these chips by soldering the WP pin of the chip directly to GND.
Ground it? It enables WP; I would think one would want to put a voltage on it.
Would there be a market for controller cards with real ROMs?
I take that back, according to some scientiffic articles I've read it would seem that the tiny soic8 chip only stores a small portion of the firmware that is designed to initialize the disk. The full firmware is actually stored on an unaccessable region on the disk itself. This makes it impossible to access with a classic SPI reader, so a jtag interface might be the best way after all.
Quote:
Originally Posted by RandomTroll
Could you access it with software alone, or did you have to connect directly to the chip? The SpriteMods fellow said the contents of his flash chip were compressed in a way he couldn't decompress: was yours uncompressed or did you figure out how to decompress it?
You need to connect the SPI (bus pirate) directly to the soic8 chip to bypass all hardware restrictions (personally I use soic8 clips). Then use a tool like flashrom to dump the full contents of the chip. I have not yet tried to dump the contents, so I do not know about the compression.
Quote:
Originally Posted by RandomTroll
Ground it? It enables WP; I would think one would want to put a voltage on it.
Would there be a market for controller cards with real ROMs?
Sorry, I should have written it as a "/WP" pin. According to a winbond datasheet, a low signal (GND) will enable the write-protect, but before doing so, a connection to a high voltage must first be severed (i.e. remove a pull-up resistor).
Distribution: Mint, Devuan, MX, Ubuntu, ArcoLinux on hardware; vboxes of varying flavors
Posts: 42
Rep:
If the only way, these days, to guarantee security from snoopware is to disassemble hardware and re-solder at the chip level, the war has already been lost. The folks skillful enough to do this sort of "hacking" mostly have jobs working for the NSA/CIA, etc., already. Good guys with these skills are generally not the folks being targeted by the blackhats, and the few who have been - Assange and Snowden, et al - are either under house arrest or in refugee status. We live in interesting times.
I remember posting in a similar thread, but I can't find it.
Basically, unless you are a person of interest and work for a gov't or at a power plant you shouldn't worry yourself, as this bootkit it extremely rare.
So, stop disassembling your HDDs, take off your tin foil hats and relax a bit.
With all due respect, I heartily disagree with most of your post.
Quote:
unless you are a person of interest and work for a gov't or at a power plant you shouldn't worry yourself,
This is a point that most folks don't get. They say "Well, I don't care if they tap my computer or phone. All they'd get is me chatting with my friends. The twist that folks do not get is that 'they' can and will if they need to, retroactively and selectively 'connect the dots' - the facts of your life - to paint a picture of someone that is most disparaging. As we have all seen in the past, the 'person of interest' gets tried by the media (and not the courts) and thus deflects the real issues because they have him/her painted as some sort of pariah. If the messenger is ugly, so is his message ? I can name incidents were this happened, and in the end the 'perp' was found to be right - but his / her life was over. Kind of has a chilling effect on the next guy.
So you may not be a person of interest now, but in the future? No problem, they have the data stored in Utah or some place. I agree with you that for most of us this is unlikely, but why are we even playing this stupid game ?
And again, I do not want to be rude but
Quote:
this bootkit it extremely rare
How would you know ? Got any numbers to back that up ? You are probably right, but your assurances are weak.
If anyone said to me in 2010 that the spooks were able to tap into most anything including google and yahoo AT WILL, I would have said 'yeah right, take off your tinfoil hat and relax '.
So without disassembling a hard disk to see what is going on, look to the past to see if there are precedents to this kind of behaviour from those who are suppossed to be 'protecting us'. Indeed there are many precedents; the latest being the Gemalto sim card hack.
And just using common sense, the storyline is faulty. It goes like this : Spooks waylay a shipment of a hard disk or computer to a 'person of interest'. Norton in NSA shipping phones up to Ralph and says "Hey Ralph, whip me up a rootkit for a Seagate Model XYZ and make it snappy." And Ralph, being the wonderkind that he is, responds in time for the shipment to go out and arrive at the target's drop point, who suspects nothing.
I don't think it would work like that. Betcha there is a library somewhere of this type of rootkit, and if they could they WOULD put it on everyones HD. Why not ? And just the fact that anyone ( me ) could even suspect that this could be happening is damning enough. There are so many examples of this in the past it is beyond belief.
Thanks for the opportunity to bounce these thoughts around. I am not wearing a tinfoil hat, nor disassembling my HDs, and I am quite relaxed. I am likely to pass on into oblivion quite anonymously, but I must agree with odiseo77 :
this is outrageous.
Quote:
Ben Franklin: Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
Last edited by ceyx; 03-01-2015 at 12:14 AM.
Reason: spelling
Beginning in 2001, and possibly as early as 1996, the Equation Group began conducting highly targeted and complex exploitation and espionage operations against victims in countries around the world. The group’s toolkit includes components for infection, a self-propagating worm that gathers data from air-gapped targets, a full-featured bootkit that maintains control of a compromised machine and a “validator” module that determines whether infected PCs are interesting enough to install the full attack platform on.
...
The group’s toolkit includes components for infection, a self-propagating worm that gathers data from air-gapped targets, a full-featured bootkit that maintains control of a compromised machine and a “validator” module that determines whether infected PCs are interesting enough to install the full attack platform on.
...
“The CD-ROM uses ‘autorun.inf’ to execute an installer that will first attempt to escalate privileges using two known EQUATION group exploits. Next, it attempts to run the group’s DOUBLEFANTASY implant and install it into the victim’s machine. The exact method by which these CDs were interdicted is unknown. However, we do not believe the conference organizers did this on purpose, considering the super-rare DOUBLEFANTASY malware, together with its installer with two zero-day exploits, doesn’t end up on a CD by accident,” the report says.
...
Kaspersky researchers have sinkholed several of the C&C domains used by the Equation Group attackers and have so far counted more than 500 victims, but the total over the lifetime of the campaign is likely far higher. The C&C infrastructure includes hundreds of domains in a number of countries, including the United States, the UK, Italy and Germany.
Nearly all of the C&C domains and servers were shut down by the attackers last year, but some were still active as late as last month. But Raiu said that there are no samples of the Equation Group’s tools from 2014.
“The scariest thing about them is that we don’t have any samples from 2014. So somewhere in 2013 these guys went off the radar,” he said. “We have no idea what they did in 2014, which is very, very scary.”
Pretty much all the info I have been able to find on this suggests that this is a highly targeted operation and that the malware is rare or very rare (doublefantasy). Think of this as a tool used by a secret service to monitor and attack specific targets. I think that keeping it rare also decreased its chance of being detected. If you were one of the victims, it is likely you have more to worry about than this malware.
I have already been taking precautions, but not specifically against this bootkit. I don't use USB sticks or optical media or HDDs that I did not purchase myself at random from a store. I'm not saying not to take precautions, I'm saying stop freaking out about this specific malware. There is plenty of other malware out there that is much more likely to affect you than this one.
[url]Pretty much all the info I have been able to find on this suggests that this is a highly targeted operation and that the malware is rare or very rare (doublefantasy). Think of this as a tool used by a secret service to monitor and attack specific targets. I think that keeping it rare also decreased its chance of being detected. If you were one of the victims, it is likely you have more to worry about than this malware.
I have already been taking precautions, but not specifically against this bootkit. I don't use USB sticks or optical media or HDDs that I did not purchase myself at random from a store. I'm not saying not to take precautions, I'm saying stop freaking out about this specific malware. There is plenty of other malware out there that is much more likely to affect you than this one.
It didnt seem so highly targeted to me. Did you see the map and the story at arstechnia? The arstechnia coverage was the most complete and to me impartial that i have read: How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
Some news outlets pitched the story with the equivalent of "NSA hunts bad guys".
The official spin on this one started immediately, some versions of the story are barely recognizable.
That's a very in-depth article, but it adds more evidence that the bootkit is highly targeted and has ties to the NSA, Stuxnet, and Flame. It was also developed by an agency with "nearly unlimited resources". The fact that the malware checks to see if it is worth infecting a target means that it is highly targeted, it is not for mass surveillance, and it is designed to minimize risk of being detected.
The most interesting thing about the article is who it targets. Based upon this and its relation to Stuxnet and Flame, you can probably guess who created it.
That's a very in-depth article, but it adds more evidence that the bootkit is highly targeted and has ties to the NSA, Stuxnet, and Flame. It was also developed by an agency with "nearly unlimited resources". The fact that the malware checks to see if it is worth infecting a target means that it is highly targeted, it is not for mass surveillance, and it is designed to minimize risk of being detected.
The most interesting thing about the article is who it targets. Based upon this and its relation to Stuxnet and Flame, you can probably guess who created it.
You seem to be assuming something about a target worth infecting.
What if the criteria were just devices running an alternate os as evidence that the owner cares about security, or what if the criteria were just visiting technical and programming forums. I dont think given the data we have we can make any assumptions about what looks like a good target to the nsa.If the malware is already on the device or already on a server and is checking the device to see if its a worthy target the computer is as good as infected anyway.
As you pointed out, we are dealing with a class of criminal that has access to unlimited resources and likely capable of surveilling nearly unlimited targets.
What do you think this is for?
Quote:
A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital “pocket litter.”
The question is not are you paranoid the question is, are you paranoid enough?
By virtue of this thread alone, i bet all its participants have, or will have, at least some private data in that nsa collection center and may have qualified as likely targets for infection.
In this particular case the bootkit only runs on Windoze.
I think the real question is, will you let the NSA's boasts and bluffs intimidate you into becoming excessively paranoid and attracting attention to yourself as having something to hide that they should know about.
In this particular case the bootkit only runs on Windoze.
I dont think id be betting on that if i had something to hide.
Quote:
Originally Posted by metaschima
I think the real question is, will you let the NSA's boasts and bluffs intimidate you into becoming excessively paranoid and attracting attention to yourself as having something to hide that they should know about.
I liked the way hans solo put it "Just fly casual!" Whistling in the dark? Whatever metaphor you use this has a chilling effect on communication and the exchange of ideas.
I think its good to be aware of and a factor in what ever security precautions one already takes. Any thing can be misused and even if one is crazy enough to trust the government, there is no telling whose hands this technology may end up in.
What we can do about it is to elect politicians who will investigate and cut the budget allowances for these kinds of programs. We cant trust any government agency with unlimited resources and no accountability.
However, I also think that the NSA is deliberately trying to make people paranoid. I'm actually a good example of that. They are the ones that have driven me to learn more about cryptography, because I don't feel safe from them. I am also much more conscious about security updates than before. I even run libressl instead of openssl because I don't trust the openssl developer. So, yeah I am actually much more paranoid than before, but I also realize that this is what they want. They want to make people paranoid so that they attract attention to themselves.
The truth is that the NSA does NOT have the ability to monitor everyone everywhere, even with their huge data centers and mass surveillance capabilities and backdoors and weakening cryptography, they still lack the computing power and manpower. They are forced to focus on people that attract attention. So, if you attract attention you can be sure that they are watching you. Instead, try to stay under the radar as much as possible. I am actually much more interested in steganography than cryptography because it attracts less attention, but you can combine the two and you always should.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.