
Spying software embedded inside all hard drive manufacturer's drives




devil21
02-16-2015, 04:12 PM
I've seen reports that new NSA 'leaks' are forthcoming.

http://www.businessinsider.com/r-russian-researchers-expose-breakthrough-us-spying-program-2015-2


SAN FRANCISCO (Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

much more at link

DamianTV
02-16-2015, 04:24 PM
If you aren't Paranoid, then you aren't Paying Attention.

invisible
02-16-2015, 04:30 PM
The big question here, is how do you find and remove it? The smaller question is when exactly did they start doing this? Drives older than that date would have that "feature", although they'd be awfully small by today's standards.

ChristianAnarchist
02-16-2015, 04:36 PM
You beat me to it... I was about to post this story... :p

Here's another link about Kaspersky's detailed research into it.

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

RonPaulIsGreat
02-16-2015, 04:42 PM
I assume every new device post-2000 has been compromised from the BIOS level. I'm sure many aren't, but how to know? You can't, as those fascist companies will deny up and down that they work with the gov, but they work with the gov to "protect" you against terrorism and are protected from any liability. Barf.

That really, imo, is the biggest threat to cryptocurrencies: you literally cannot secure it. If the firmware of the hard drive has been compromised, do whatever you want, it doesn't matter, and it looks like all of them are compromised. So, thanks, we have no means of working in private. Government owns everything. The only way in the future to avoid that is a custom-made device where "EVERY" piece of hardware and code is made in house (firmware too, not just the OS). Then it'd be "Safe". That doesn't really exist at the moment.

Brian4Liberty
02-16-2015, 04:42 PM
Fictional or just by another name?


Telescreens are fictional devices which operate as both televisions and security cameras. They feature in George Orwell's novel Nineteen Eighty-Four as well as all film adaptations of the novel. In the novel and its adaptations, telescreens are used by the ruling Party in Oceania to keep its subjects under constant surveillance, thus eliminating the chance of secret conspiracies against Oceania.

All members of the Inner Party (upper-class) and Outer Party (middle-class) have telescreens in their homes, but the proles (lower-class) are not typically monitored as they are unimportant to the Party. As later explained in Emmanuel Goldstein's book of which Smith reads some excerpts, the Party does not feel threatened by the Proles, assuming that they would never rebel on their own, and therefore does not find a need to monitor their daily lives.

The character O'Brien claims that he, as a member of the Inner Party, can turn off his telescreen (although etiquette dictates only for half an hour at a time). While the programmes could no longer be seen or heard, the screen still functioned as a surveillance device, as after Winston is taken into the Ministry of Love, the audio of his meeting with O'Brien with the telescreen "off" is played back to Winston. The screens are monitored by the Thought Police. However, it is not clear how many screens are monitored at once, or what the precise criteria (if any) for monitoring a given screen are (although it is seen that during an exercise programme that Winston takes part in every morning, the instructor can see him, meaning telescreens are possibly an early variant of videophones). Telescreen cameras do not have night vision technology, thus, they cannot monitor in the dark. This is compensated by the fact that their microphones are incredibly sensitive, and they are said to pick up a heartbeat. As Winston describes, "...even a back can be revealing..."[1]

In addition to being surveillance devices, telescreens are also televisions (hence the name). It broadcasts propaganda about Oceania's military victories, economic production figures, spirited renditions of the national anthem to heighten patriotism, and Two Minutes Hate, which is a two-minute film of Emmanuel Goldstein's wishes for freedom of speech and press, which the citizens have been trained to disagree with through doublethink. Many of the telescreen programmes are transmitted in Newspeak.
...
http://en.wikipedia.org/wiki/Telescreen

helmuth_hubener
02-16-2015, 04:43 PM
Wow! This is a big deal. I hope this story gets tons of coverage. Hard drive makers need to be outraged. Hopefully this will convince them to never share their source code with the government again. Even more I hope that this will make absolutely everyone more "paranoid" as Damian put it, in general.

The time for serious encryption is now. The time for serious security is now. It's time to lock down our computers from the government.

Danke
02-16-2015, 05:15 PM
This is why I don't use computers.

Mach
02-16-2015, 05:28 PM
Wow! This is a big deal. I hope this story gets tons of coverage. Hard drive makers need to be outraged. Hopefully this will convince them to never share their source code with the government again. Even more I hope that this will make absolutely everyone more "paranoid" as Damian put it, in general.

The time for serious encryption is now. The time for serious security is now. It's time to lock down our computers from the government.

Definitely, Total Internet Encryption. The only problem with that, is that they already have their noses in on the bottom line there, too.... oh wait, I'm paranoid. :toady:

brandon
02-16-2015, 06:08 PM
Fascinating stuff. I only started reading it but it seems like Kaspersky just released a shit load of info on a variety of different malware exploits from some ultra sophisticated attack group they dubbed "Equation group." They didn't come out and say it, but strongly implied that the equation group is the NSA. Hopefully further Snowden leaks will corroborate this.

brandon
02-16-2015, 06:13 PM
It's possible encryption wouldn't even protect you from this disk drive malware. If the unencrypted data ever ends up on your drive for any reason then it's too late. It's pretty tricky and difficult to tell when exactly your computer is saving your work to your storage. For example, if you start writing an email or forum post or whatever, then get distracted and allow your PC to hibernate - it's too late. It's all been flushed to your drive and saved for eternity.

morfeeis
02-16-2015, 07:02 PM
This shit just makes me sick, I am at a loss for words....

ChristianAnarchist
02-16-2015, 11:01 PM
This is why I don't use computers.

:D

tangent4ronpaul
02-16-2015, 11:18 PM
You beat me to it... I was about to post this story... :p

Here's another link about Kaspersky's detailed research into it.

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

Other than the two of you that actually read the article, you need to.

It's not every hard drive. It's systems that are targeted, but now that the cat's out of the bag, they might start targeting all of them.

It re-writes the firmware of 6 different manufacturers' hard drives.

A different branch hides in the registry, is encrypted, can't be detected or removed and takes over the operation of your OS.

It attacks macs and smartphones too.

seriously, read the article and maybe even the full presentation. Just the article is looooong...

:mad:

-t

CPUd
02-16-2015, 11:20 PM
So far, it looks like the hard drive stuff was targeting OEM stuff (like when you buy a whole system already built) in China. If this was NSA, technically, they did what we pay them to do. But it is always good practice to treat any drive as a potential target.

What you will need to do (assuming you have a compromised drive) is to flash it with known good firmware that is verified by checksum. I might make a thread about checksums later if I'm up for it.

The other part of this is someone would still need to get some code running on your system to make use of the hard drive exploit, so if you like installing malware on your machine, you may want to prepare to format the drive (after flashing new firmware) and start over.
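Checksum verification, as CPUd suggests for a replacement firmware image, is a small but easy-to-get-wrong step, so here is one way to do it. This is an added example for this thread, not code from any post or from a drive vendor's update tool; the image bytes, file names and digests are constructed, and the manifest is in the plain `sha256sum` output format. It parses the manifest, rejects malformed lines, and reports whether the image matches, mismatches, or is absent from the manifest.

```python
# Verify a firmware image against a vendor-published SHA-256 manifest before flashing.
# Added example for this thread, not code from any post or vendor tool. The image bytes,
# file names and the second digest are constructed; the first digest is computed from the
# constructed image so the example is self-consistent.
import hashlib
import hmac
import re
from typing import Dict

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed stand-in for a downloaded firmware image (a real one is read from a file).
FIRMWARE_IMAGE = b"EXAMPLE-FIRMWARE-IMAGE v1.2.3 " + bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in `sha256sum` output format: "<hex digest>  <file name>".
# A real manifest comes from the vendor, ideally over a different channel than the image.
MANIFEST_TEXT = "\n".join([
    "# firmware digests (constructed example)",
    f"{sha256_hex(FIRMWARE_IMAGE)}  example_fw_v1.2.3.bin",
    f"{'ab' * 32} *example_fw_v1.2.2.bin",   # '*' marks binary mode in sha256sum output
    "",
])


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> lowercase hex digest; reject anything that is not a 64-hex digest."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)   # digest, then the rest (file names may contain spaces)
        if len(parts) != 2 or not HEX64.match(parts[0]):
            raise ValueError(f"manifest line {lineno}: expected '<sha256> <file>', got {raw!r}")
        name = parts[1].lstrip("*").strip()
        entries[name] = parts[0].lower()
    return entries


def verify_image(image: bytes, name: str, manifest: Dict[str, str]) -> str:
    """Return 'ok', 'mismatch' or 'not_in_manifest'. Only 'ok' should lead to a flash."""
    expected = manifest.get(name)
    if expected is None:
        return "not_in_manifest"
    actual = sha256_hex(image)
    # constant-time comparison; the habit matters more than the gain for public digests
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def check_download(image: bytes, name: str, manifest_text: str) -> str:
    """One-call form: parse the vendor manifest, then verify the image under its file name."""
    return verify_image(image, name, parse_manifest(manifest_text))
```

Two caveats a practitioner would add. A matching digest only shows that the file you hold is the one whose digest the vendor published, so the manifest has to come over a channel you trust separately from the download, or carry a signature you can verify. And it says nothing about the firmware already running on the drive, which is exactly the part the thread says is hard to verify without the manufacturer's cooperation.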

tangent4ronpaul
02-16-2015, 11:26 PM
So far, it looks like the hard drive stuff was targeting OEM stuff (like when you buy a whole system already built) in China. If this was NSA, technically, they did what we pay them to do. But it is always good practice to treat any drive as a potential target.

What you will need to do (assuming you have a compromised drive) is to flash it with known good firmware that is verified by checksum. I might make a thread about checksums later if I'm up for it.

The other part of this is someone would still need to get some code running on your system to make use of the hard drive exploit, so if you like installing malware on your machine, you may want to prepare to format the drive (after flashing new firmware) and start over.

Unfortunately, that won't help.

Go read.

-t

tangent4ronpaul
02-16-2015, 11:32 PM
The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.

-t

CPUd
02-16-2015, 11:36 PM
Unfortunately, that won't help.

Go read.

-t

It happens at boot time, so if you format the drive, you could remove it by also wiping the MBR.


The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.

-t

Not sure what to do about the vault, except destroying the drive, or doing hundreds of passes writing random data. DoD does around 7 passes.

tangent4ronpaul
02-16-2015, 11:56 PM
Not for TS stuff. Magnesium lined pits and thermite.

-t

tangent4ronpaul
02-17-2015, 12:03 AM
https://en.wikipedia.org/wiki/National_Industrial_Security_Program#Data_sanitization

The Defense Security Service provides a Clearing and Sanitization Matrix (C&SM) which does specify methods.[5] As of the June 2007 edition of the DSS C&SM, overwriting is no longer acceptable for sanitization of magnetic media; only degaussing or physical destruction is acceptable.

http://www.dss.mil/isp/fac_clear/download_nispom.html

Unrelated to NISP or NISPOM, National Institute of Standards and Technology (NIST) Computer Security Division Released Special Publication 800-88 Revision 1, Guidelines for Media Sanitization December 18, 2014 http://csrc.nist.gov/news_events/news_archive/news_archive_2014.html#dec18

-t

CPUd
02-17-2015, 12:12 AM
Yeah, I always crush the platters when I'm done with a disk. Also, there is at least 1 EEPROM on the circuit board I pull off.

This applies to electronics in general. Especially cordless phones, because your call history is stored in these:

http://i.imgur.com/jY5AVk5.jpg

tangent4ronpaul
02-17-2015, 12:36 AM
"The very encryption used to secure transports is used to hide data exfiltration."


http://blog.kaspersky.com/kaspersky-security-analyst-summit-2015-the-live-blog/

tangent4ronpaul
02-17-2015, 01:13 AM
Kaspersky Q and A for Equation Group multiple malware program, in use as early as 1996. NSA implicated. (43 pages)

https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

idiom
02-17-2015, 01:39 AM
I guess we know why the Nuclear Command Computers haven't been upgraded.

idiom
02-17-2015, 01:42 AM
The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system. The firmware also provided programming interfaces that other code in Equation Group's sprawling malware library could access. Once a hard drive was compromised, the infection was impossible to detect or remove.

-t

Okay, for the slower members of the class, if the infection is impossible to detect, how do they know it was impossible to remove?

RonPaulFanInGA
02-17-2015, 01:55 AM
http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216


(Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

invisible
02-17-2015, 02:13 AM
Kaspersky Q and A for Equation Group multiple malware program, in use as early as 1996. NSA implicated. (43 pages)

https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

Bummer. I think the earliest ones I have sitting in the pile are circa 1996-7. I would have thought this came in around a year or two later, when they placed the backdoor into windoze 98 (and all microshaft OS's that followed).

invisible
02-17-2015, 02:14 AM
Okay, for the slower members of the class, if the infection is impossible to detect, how do they know it was impossible to remove?

That's what I was wondering! If someone discovered it, then how could it be impossible to detect?
Guess t's recommendation to read the article is a good one, I'll take it in the morning.

CPUd
02-17-2015, 02:54 AM
Okay, for the slower members of the class, if the infection is impossible to detect, how do they know it was impossible to remove?

They are assuming a running machine that has at some point run malicious code that had access to flash the drive firmware. After it is compromised, it could be caught prior to booting the OS, but you would have to know what you were looking for and where to look for it, because firmwares are proprietary and most people would have to decipher the machine code by stepping through the instructions in a disassembler. Even then, they don't really know for sure if it is doing what it is supposed to be doing unless they work with the drive manufacturers and have access to a good firmware source.


Suppose a sector on a disk has address 100, and after many failures trying to write to that address, the firmware on the drive decides it is a bad sector. What it will do is map that address to another one. So on the disk level, 100->900, the OS will still be able to write to address 100 as if it never happened.

A compromised firmware could do this to a good sector and keep its own filesystem in there. So if you boot to the OS, there could be a keylogger saving your data on the drive, the compromised firmware could copy the data from that location to the secret location, then delete the original file.

It could also respond to requests from the OS like SMART data, MBR with a seemingly normal response, so once you are booted into the OS, you won't be able to see the real ones. See: http://en.wikipedia.org/wiki/Rootkit#Bootkits
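To make the remapping mechanism in the post above concrete, here is a toy model. It is an added example for this thread, not code from any poster, vendor or the Kaspersky report, and the sector size, sector count and hidden payload are constructed values. An honest firmware moves a failing LBA to a spare sector, as in the 100->900 case; a compromised one applies the same step to a healthy sector and keeps its own data in the orphaned physical location. The host-side helpers show what the OS can observe through the firmware: every LBA reads identically on both drives, a chkdsk-style surface scan reports no bad sectors on either, and zeroing every LBA leaves the hidden sector untouched.

```python
# Toy model of a drive's logical-to-physical sector mapping. Added example for this thread,
# not code from any post, vendor or the Kaspersky report; all sizes and payloads are constructed.
from typing import Dict, List, Set

SECTOR_SIZE = 16          # bytes per sector (toy value; real drives use 512 or 4096)
LOGICAL_SECTORS = 1024    # LBAs the host can address: 0 .. 1023
SPARE_SECTORS = 64        # spare pool only the firmware can reach: physical 1024 .. 1087


class ToyDrive:
    """Honest firmware: a remap table redirects a failing LBA to a spare physical sector."""

    def __init__(self) -> None:
        self.physical: List[bytearray] = [bytearray(SECTOR_SIZE)
                                          for _ in range(LOGICAL_SECTORS + SPARE_SECTORS)]
        self.remap: Dict[int, int] = {}       # LBA -> physical sector
        self.next_spare = LOGICAL_SECTORS     # first unused spare

    def _phys(self, lba: int) -> int:
        if not 0 <= lba < LOGICAL_SECTORS:
            raise IOError(f"LBA {lba} out of range")
        return self.remap.get(lba, lba)       # an unmapped LBA lives at physical == lba

    def read(self, lba: int) -> bytes:
        return bytes(self.physical[self._phys(lba)])

    def write(self, lba: int, data: bytes) -> None:
        if len(data) != SECTOR_SIZE:
            raise ValueError("write exactly one sector")
        self.physical[self._phys(lba)][:] = data

    def reallocate(self, lba: int) -> int:
        """The 100->900 case: move a failing LBA to a spare; the host keeps using the same LBA."""
        if self.next_spare >= LOGICAL_SECTORS + SPARE_SECTORS:
            raise IOError("spare pool exhausted")
        spare = self.next_spare
        self.next_spare += 1
        self.physical[spare][:] = self.physical[self._phys(lba)]   # copy what is still readable
        self.remap[lba] = spare
        return spare


class VaultDrive(ToyDrive):
    """Compromised firmware: the same remap step applied to a healthy sector, so its old
    physical location becomes storage the host has no address for."""

    def __init__(self) -> None:
        super().__init__()
        self.vault: Set[int] = set()          # physical sectors reserved by the firmware

    def stash(self, victim_lba: int, data: bytes) -> int:
        if len(data) != SECTOR_SIZE:
            raise ValueError("stash exactly one sector")
        old_phys = self._phys(victim_lba)
        self.reallocate(victim_lba)           # host now reads/writes a faithful copy elsewhere
        self.vault.add(old_phys)
        self.physical[old_phys][:] = data     # hidden behind the remap
        return old_phys

    def vault_contents(self) -> List[bytes]:
        return [bytes(self.physical[p]) for p in sorted(self.vault)]


# What the host (OS, chkdsk, imaging or wipe tools) can observe, all via the firmware.

def surface_scan(drive: ToyDrive) -> int:
    """chkdsk /r-style pass: count LBAs that fail to read."""
    bad = 0
    for lba in range(LOGICAL_SECTORS):
        try:
            drive.read(lba)
        except IOError:
            bad += 1
    return bad


def host_wipe(drive: ToyDrive) -> None:
    """Zero every host-addressable LBA, as a format or single-pass wipe does."""
    for lba in range(LOGICAL_SECTORS):
        drive.write(lba, bytes(SECTOR_SIZE))


def demo() -> dict:
    honest, compromised = ToyDrive(), VaultDrive()
    document = b"user file block "            # constructed 16-byte user data
    stolen = b"stolen keystroke"              # constructed 16-byte payload the firmware hides
    for drive in (honest, compromised):
        drive.write(100, document)
    compromised.stash(100, stolen)            # LBA 100 remapped; old physical 100 holds payload
    before_wipe = compromised.vault_contents()
    result = {
        "remap": dict(compromised.remap),                               # {100: 1024}
        "lba100_unchanged": compromised.read(100) == document,
        "images_identical": all(honest.read(l) == compromised.read(l)
                                for l in range(LOGICAL_SECTORS)),
        "bad_sectors": (surface_scan(honest), surface_scan(compromised)),
    }
    host_wipe(compromised)
    result["vault_survives_wipe"] = compromised.vault_contents() == before_wipe == [stolen]
    return result
```

The point for defenders is the one the post makes: every host-side check, including imaging and wiping, goes through the firmware's address translation, so nothing run from the OS can reach physical sectors the firmware has taken out of the LBA space. Evidence has to come from outside that path, such as the network traffic Kaspersky watched from the sinkholed domains, or from comparing the firmware itself against a known-good image from the manufacturer.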

tangent4ronpaul
02-17-2015, 03:44 AM
The article is thick, baby steps. I have not read the full report (the 43 page pdf) yet. Read the article and then the report. It's technical. It's a slow read. It's worth the time.

Just WOW!

-t

DamianTV
02-17-2015, 03:46 AM
Well, this will just be more bad news for any American Technology. NSA has their hands so deep into everything that NO ONE will buy ANYTHING Made in America in 10 years, if not sooner. Not that we exactly produce anything anyway...

limequat
02-17-2015, 07:47 AM
The report says that the NSA used this to spy on countries like Iran and China, especially government officials and diplomats.
I don't think we can say conclusively that they are using this within the US.

Take a cue from Ed Snowden: Always use an airgapped (offline) computer for sensitive stuff. It doesn't matter what spyware is on it...if it's not connected to a network, nobody can get to it.

brandon
02-17-2015, 07:48 AM
They are assuming a running machine that has at some point run malicious code that had access to flash the drive firmware.

I'm trying to figure out if it's even possible for the cpu to flash the firmware - and if so... why? I would think that drive firmware would be flashed in production of the drive using something other than the main bus interconnect. Jtag or some other out-of-band connection. And if it is possible at all surely the code needs to be signed, right? Googling has turned up a few results for reflashing USB flash controllers but nothing about disk drives. Have any more info on this?


I'm leaning towards thinking that the infected firmware was actually installed in the factory and not by a user running malicious code.

CPUd
02-17-2015, 09:23 AM
I'm trying to figure out if it's even possible for the cpu to flash the firmware - and if so... why? I would think that drive firmware would be flashed in production of the drive using something other than the main bus interconnect. Jtag or some other out-of-band connection. And if it is possible at all surely the code needs to be signed, right? Googling has turned up a few results for reflashing USB flash controllers but nothing about disk drives. Have any more info on this?


I'm leaning towards thinking that the infected firmware was actually installed in the factory and not by a user running malicious code.


There were several different methods discussed in the paper. The most common was some type of CDROM driver, so in those cases, the access to the disk controller happened through there.

You can flash a disk firmware through the OS. Go to the manufacturer's site and they all have utilities to do so.

It wasn't being done at the factories. They were only doing it to machines that fit specific criteria, unlike the misleading thread title.

ChristianAnarchist
02-17-2015, 11:27 AM
"How do they know a machine is infected?" Please read the article at the link provided... The Kaspersky people managed to get some expired domain names from the 300 or so targeted domains of the virus writers (yes, they made mistakes; everyone does, even the goons). Once they "owned" the domains they monitored hits to the domain coming from infected computers. They then managed to inspect the computers to determine the degree of infection...

Also: The goons have a whole toolbox full of infections and the hard drive flash is only one of those tools. It's a very complex issue and I sure don't claim to understand it all but I do know this much, they can infect your machine if they want to and they perhaps have compromised all phones and operating systems in existence...

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

ZENemy
02-17-2015, 11:35 AM
" when people have endured many abuses for a long time, it is their duty to overthrow the government and set up a better one."


We are way past this point, this is just more evidence. Let's take all of these cases and stand together, refuse to pay and use this as our reasoning. The gov is completely gone and we cannot get it back with "the right guy in place"

CPUd
02-17-2015, 12:50 PM
they can infect your machine if they want to and they perhaps have compromised all phones and operating systems in existence...


These are 2 separate problems. The first: it is good practice to assume your machine can be compromised, especially if someone is going after you specifically. It is easier to play offense than defense, and your best defense is to do what you can to reduce the number of attack vectors. I have watched people go after my systems over the years; while it is quite possible someone was able to get through without me noticing, the majority of them give up pretty quickly if they don't see something they like. This is because their time is better spent going after low-hanging fruit.

It is reasonable to assume that all machines are vulnerable to some type of attack. Although there are a lot out there running wide open, it is not reasonable to assume all machines are compromised. More like a magic percentage of all machines are compromised at any given moment.

heavenlyboy34
02-17-2015, 12:58 PM
" when people have endured many abuses for a long time, it is their duty to overthrow the government and set up a better one."


We are way past this point, this is just more evidence. Let's take all of these cases and stand together, refuse to pay and use this as our reasoning. The gov is completely gone and we cannot get it back with "the right guy in place"
A select few have been saying this on RPFs for many moons, only to be shouted down, ignored, banned, etc. Hope you get through to people. ~hugs~

devil21
02-17-2015, 02:39 PM
Other than the two of you that actually read the article, you need to.

It's not every hard drive. It's systems that are targeted, but now that the cat's out of the bag, they might start targeting all of them.

It re-writes the firmware of 6 different manufacturers' hard drives.

A different branch hides in the registry, is encrypted, can't be detected or removed and takes over the operation of your OS.

It attacks macs and smartphones too.

seriously, read the article and maybe even the full presentation. Just the article is looooong...

:mad:

-t

Regardless of what is claimed by the articles, I think it's naive to think it's just a few targeted systems. They didn't call it the "Total Information Awareness" program for nuthin'. This is also the sort of stuff that limited the Snowden releases to around 5% of his total haul. EVERYTHING is compromised. All of it.

http://en.wikipedia.org/wiki/Total_Information_Awareness


https://www.youtube.com/watch?v=eIA1lQBqH1s

BarryDonegan
02-17-2015, 03:04 PM
If you aren't Paranoid, then you aren't Paying Attention.

hahaha ain't that the truth.

Slave Mentality
02-17-2015, 03:10 PM
" when people have endured many abuses for a long time, it is their duty to overthrow the government and set up a better one."


We are way past this point, this is just more evidence. Let's take all of these cases and stand together, refuse to pay and use this as our reasoning. The gov is completely gone and we cannot get it back with "the right guy in place"

This one speaks the truth.

helmuth_hubener
02-17-2015, 05:48 PM
" when people have endured many abuses for a long time, it is their duty to overthrow the government and set up a better one."


We are way past this point, this is just more evidence. Let's take all of these cases and stand together, refuse to pay and use this as our reasoning. The gov is completely gone and we cannot get it back with "the right guy in place"

YESSS!

I think concentrating in a small town or county would be an effective way to get this overthrow going.

staerker
02-17-2015, 05:58 PM
YESSS!

I think concentrating in a small town or county would be an effective way to get this overthrow going.

Sounds like a good way to get drone striked. There is no way I'm completely isolating myself with like-minded folk. All it would take is for one person to snap, and that's the end of it.

charrob
02-17-2015, 06:00 PM
Yeah, I always crush the platters when I'm done with a disk. Also, there is at least 1 EEPROM on the circuit board I pull off.

This applies to electronics in general. Especially cordless phones, because your call history is stored in these:

http://i.imgur.com/jY5AVk5.jpg


An EPROM (http://en.wikipedia.org/wiki/EEPROM) usually must be removed from the device for erasing and programming, whereas EEPROMs can be programmed. Why wouldn't the industry use EPROMs (that cannot be erased) for firmware?

This is a really stupid question (sorry), but if you do a chkdsk and you have no bad sectors, would that prove you are not infected with the malware?

PRB
02-17-2015, 06:38 PM
An EPROM (http://en.wikipedia.org/wiki/EEPROM) usually must be removed from the device for erasing and programming, whereas EEPROMs can be programmed. Why wouldn't the industry use EPROMs (that cannot be erased) for firmware?

This is a really stupid question (sorry), but if you do a chkdsk and you have no bad sectors, would that prove you are not infected with the malware?

No, chkdsk has no idea what kind of programs your hard drive has; at best, whether the data is readable and usable. Chkdsk is not a malware detection program.

RonPaulIsGreat
02-17-2015, 06:57 PM
Guess the safest method would be a live cd, and boot like that I suppose, and then use a usb stick (If those aren't compromised as well) for storage. Behind 5 firewalls, and 10 proxies, using encryption, and write your messages in a code you and the receiver created for typing messages.

Not too hard.

PRB
02-17-2015, 07:04 PM
Guess the safest method would be a live cd, and boot like that I suppose, and then use a usb stick (If those aren't compromised as well) for storage. Behind 5 firewalls, and 10 proxies, using encryption, and write your messages in a code you and the receiver created for typing messages.

Not too hard.

Yeah, been there, it only adds about $100 to your electric bill and slows your internet speed down to dial up. Sure as hell beats living in a cave or Amish off the grid.

charrob
02-17-2015, 07:10 PM
No, chkdsk has no idea what kind of programs your hard drive has; at best, whether the data is readable and usable. Chkdsk is not a malware detection program.

I don't understand. tangent4ronpaul wrote that: The malicious firmware created a secret storage vault [on your hard drive]. CPUd wrote that: the secret storage vault would be incorrectly labelled a bad sector by the software because it was unable to read or write to it.

So if the firmware creates what the OS thinks is a bad sector, and chkdsk checks for bad sectors, why wouldn't a successful running of chkdsk (that shows you have no bad sectors) prove your firmware is not infected by this malware?

PRB
02-17-2015, 07:16 PM
I don't understand. tangent4ronpaul wrote that: The malicious firmware created a secret storage vault [on your hard drive]. CPUd wrote that: the secret storage vault would be incorrectly labelled a bad sector by the software because it was unable to read or write to it.

So if the firmware creates what the OS thinks is a bad sector, and chkdsk checks for bad sectors, why wouldn't a successful running of chkdsk (that shows you have no bad sectors) prove your firmware is not infected by this malware?

Ok, so you have some context, let me explain.

Lack of evidence is not evidence of lacking.

This may be true for THIS particular malware that creates bad sectors, so yes, chkdsk may be helpful to detect THIS malware, but not likely any other malware that doesn't create secret vaults or bad sectors. My guess is that, chkdsk is so rarely done these days they count on people not catching them, and it's almost never used for malware detection. So yes, you're right, sorry I misunderstood your question.

willwash
02-17-2015, 07:25 PM
I don't have the knowledge and I'm too old to acquire it, but if I ever have the money, I'm going to launch a computer engineering academy for libertarians to dismantle/neutralize as much of this stuff as possible, at least on personal devices.

ghengis86
02-17-2015, 07:28 PM
The report says that the NSA used this to spy on countries like Iran and China, especially government officials and diplomats.
I don't think we can say conclusively that they are using this within the US.

Take a cue from Ed Snowden: Always use an airgapped (offline) computer for sensitive stuff. It doesn't matter what spyware is on it...if it's not connected to a network, nobody can get to it.

I wouldn't be so sure about that airgapped computer...

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

PRB
02-17-2015, 07:30 PM
I don't have the knowledge and I'm too old to acquire it, but if I ever have the money, I'm going to launch a computer engineering academy for libertarians to dismantle/neutralize as much of this stuff as possible, at least on personal devices.

That's pretty much what bitcoin and cryptoanarchy is about.

ghengis86
02-17-2015, 07:30 PM
I don't have the knowledge and I'm too old to acquire it, but if I ever have the money, I'm going to launch a computer engineering academy for libertarians to dismantle/neutralize as much of this stuff as possible, at least on personal devices.

If it's connected to the interwebs, it's compromised. That's all your academy needs to teach! And hammers; big hammers and how to swing!

willwash
02-17-2015, 07:31 PM
that's pretty much what bitcoin and cryptoanarchy is about.

Is there a "Cryptoanarchy scholarship" one can donate to?

charrob
02-17-2015, 07:36 PM
Ok, so you have some context, let me explain.

Lack of evidence is not evidence of lacking.

This may be true for THIS particular malware that creates bad sectors, so yes, chkdsk may be helpful to detect THIS malware, but not likely any other malware that doesn't create secret vaults or bad sectors. My guess is that, chkdsk is so rarely done these days they count on people not catching them, and it's almost never used for malware detection. So yes, you're right, sorry I misunderstood your question.

Thanks.

So malware affecting your OS can be detected and fixed by anti-virus software. Malware affecting your drivers should be able to be detected and fixed by anti-virus software (and if not, easily downloaded from the vendor's website). But anti-virus software doesn't look at firmware I guess. And that's where the problem is? And if true, what would be the disadvantage of using non-programmable EPROMs for their firmware as a solution to stop malware from infecting firmware?

PRB
02-17-2015, 07:41 PM
Thanks.

So malware affecting your OS can be detected and fixed by anti-virus software. Malware affecting your drivers should be able to be detected and fixed by anti-virus software (and if not, easily downloaded from the vendor's website). But anti-virus software doesn't look at firmware I guess. And that's where the problem is? And if true, what would be the disadvantage of using non-programmable EPROMs for their firmware as a solution to stop malware from infecting firmware?

Actually, good question, I don't know if anti-virus software looks at firmware

jmdrake
02-17-2015, 08:03 PM
This is why I don't use computers.

LOL

devil21
02-17-2015, 08:28 PM
....wondering if the timing of this HDD spying release is related to Obama's executive order on 'cybersecurity information sharing'.

http://www.nbcnews.com/tech/security/obama-signs-executive-order-cybersecurity-information-sharing-n305796


Obama closed the speech by signing the executive order, which the White House previewed in a briefing to reporters on Thursday. The order is a "framework," the White House said, that aims to:

Push for the development of "Information Sharing and Analysis Organizations," (ISAOs), that will serve as the central point for collaboration between private and federal entities
Develop standards for those ISAOs
Clarify the Department of Homeland Security's authority to work with ISAOs
Streamline the access private companies have to classified cyber-threat information
Ensure that information sharing will include strong protections for privacy and civil liberties

The Obama administration has steadily ratcheted up its focus on cybersecurity over the past year. On Tuesday, the White House announced the creation of a Cyber Threat Intelligence Integration Center that will collect threat information and disseminate analysis.

specsaregood
02-17-2015, 08:38 PM
Fascinating stuff. I only started reading it but it seems like Kaspersky just released a shit load of info on a variety of different malware exploits from some ultra sophisticated attack group they dubbed "Equation group." They didn't come out and say it, but strongly implied that the equation group is the NSA. Hopefully further Snowden leaks will corroborate this.

Kaspersky being located in Russia, leads me to ponder if perhaps Snowden helped them discover some of this information/gave them some hints as to what to look for....

DamianTV
02-17-2015, 08:48 PM
....wondering if the timing of this HDD spying release is related to Obama's executive order on 'cybersecurity information sharing'.

http://www.nbcnews.com/tech/security/obama-signs-executive-order-cybersecurity-information-sharing-n305796

It slightly misses the mark. TPTB do not care if a law exists or not to justify their actions. They pass laws after the fact. The laws they pass are merely an illusion that TPTB can be reined in with Rules and Laws. They can not. They will do exactly as they wish, regardless if it violates any Rights or Laws, but the one thing they are not ready to violate yet is the existence of the Illusions they cast.

CPUd
02-18-2015, 12:01 AM
Thanks.

So malware affecting your OS can be detected and fixed by anti-virus software. Malware affecting your drivers should be able to be detected and fixed by anti-virus software (and if not, easily downloaded from the vendor's website). But anti-virus software doesn't look at firmware I guess. And that's where the problem is? And if true, what would be the disadvantage of using nonprogrammable eproms for their firmware as a solution to stop malware from infecting firmware?

They often need to be able to save and modify variables locally, especially diagnostic data. Also, the manufacturer needs a way to make future updates if necessary.

Antivirus programs could look at firmware, but with something like the stuff described in the article, it would not find anything wrong if you're running it from the OS. With a special utility, you can test if the firmware checksum matches the checksum provided by the manufacturer, and you can flash a new one, so it's kinda all or nothing at this level. This is because it can't otherwise look directly at hardware like that; it is like if you message someone (assuming no encryption) and your messaging app is compromised. A 3rd party could be watching both ends of the conversation. The 3rd party could suppress the other person's message and insert their own; if they do it carefully, you would never know you were talking to a 3rd party. There are 2 problems here:

1.) finding out you are not talking to the person you think you are
2.) stopping it

If your 3rd party is clever enough, it is nearly impossible for you to detect something is wrong. It gets easier if you are aware beforehand that this has been happening to others. To address #2, you reinstall with a known clean version of the messaging app.



I don't understand. tangent4ronpaul wrote that: The malicious firmware created a secret storage vault [on your hard drive]. cpu'd wrote that: the secret storage vault would be incorrectly labelled a bad sector by the software because it was unable to read or write to it.

So if the firmware creates what the OS thinks is a bad sector, and chkdsk checks for bad sectors, why wouldn't a successful running of chkdsk (that shows you have no bad sectors) prove your firmware is not infected by this malware?


I was just using the bad sector thing as an example; there are other ways, like moving it around on unallocated space.

If the drive is reporting no bad sectors, then no, there is no secret storage vault masquerading as a bad sector. Drives older than a year are probably going to have bad sectors.

The way it was described in the article, this is a sophisticated group of programs that can act like a Swiss army knife; if one attack vector is not feasible, it can use another. An example: your AV program might be able to detect/remove part of it in the regular file system, or running in memory, but when you reboot, before the OS even loads, the drive firmware could copy stuff back to the file system, including infected system files that are made to appear OK to the OS and AV programs. You could reflash the firmware, but if you miss something in the OS, it could reflash again with their firmware.

It is a vicious cycle with a lot of moving parts that aren't fully understood yet. The researchers are still working out exactly what is happening, and might take a few weeks before they start releasing tools for removal.
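The post above describes the firmware check that is actually available to an owner: dump the firmware with a vendor utility and compare its checksum against the one the manufacturer publishes. The script below is an added example (not code from this thread, from Kaspersky, or from any drive vendor) showing what that comparison should look like, and why it should use a cryptographic digest rather than the additive checksum some older firmware formats carry. The firmware image, the "published" digest and the offsets are all constructed here so it runs offline; a real check would hash the bytes read back by the vendor's tool.

```python
"""
Firmware dump integrity check: cryptographic digest vs. additive checksum.

Added example, not from the thread or any vendor tool. FACTORY_IMAGE and
FACTORY_SHA256 are constructed stand-ins for a dumped image and the digest
a manufacturer would publish for that firmware revision.
"""
import hashlib
import hmac
import struct


def sum32(data: bytes) -> int:
    """Additive checksum: sum of little-endian 32-bit words, modulo 2**32.
    This is the weak kind of checksum the thread warns is not foolproof."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for (word,) in struct.iter_unpack("<I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, expected_sha256_hex: str) -> bool:
    """Compare the dump's SHA-256 with the published digest in constant time."""
    return hmac.compare_digest(sha256_hex(image), expected_sha256_hex)


# Constructed "factory" image: an 8-byte header, code-like filler, and a
# trailing 4-byte field that is unused (many real formats carry such padding).
FACTORY_IMAGE = b"FWHDR\x01\x00\x00" + bytes(range(256)) * 4 + b"\x00\x00\x00\x00"
FACTORY_SHA256 = sha256_hex(FACTORY_IMAGE)   # stands in for the vendor-published digest
FACTORY_SUM32 = sum32(FACTORY_IMAGE)         # what a checksum-only tool would compare


def tampered_image(image: bytes, patch: bytes, offset: int) -> bytes:
    """Copy of `image` with `patch` written at `offset` and the unused last
    word adjusted so sum32() is unchanged. This is the mechanism behind the
    thread's point that matching checksums do not prove identical content:
    an additive checksum cancels out, a cryptographic digest does not."""
    mod = bytearray(image)
    mod[offset:offset + len(patch)] = patch
    body = bytes(mod[:-4])
    fix = (sum32(image) - sum32(body)) & 0xFFFFFFFF   # makes the total wrap back
    mod[-4:] = struct.pack("<I", fix)
    return bytes(mod)


def check_report(image: bytes) -> dict:
    """What each kind of check says about a dump, relative to the factory values."""
    return {
        "sum32_matches": sum32(image) == FACTORY_SUM32,
        "sha256_matches": verify_image(image, FACTORY_SHA256),
    }


if __name__ == "__main__":
    print("factory dump:  ", check_report(FACTORY_IMAGE))
    print("modified dump: ", check_report(tampered_image(FACTORY_IMAGE, b"PATCHED!", 64)))
```

For the factory dump both checks report a match; for the modified dump the additive checksum still matches while SHA-256 does not. That is the reason a comparison against the vendor's published value is only as good as the digest the vendor publishes.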

oyarde
02-18-2015, 12:34 AM
This is why I don't use computers.

This is why I only use others .LOL

specsaregood
02-18-2015, 12:43 AM
//

Mach
02-18-2015, 05:22 AM
What about Rootkit Removal?

DamianTV
02-18-2015, 05:37 AM
What about Rootkit Removal?

Won't work. Firmware virus can't be erased. The difference is EPROMS or PROMS - EPROMS are Erasable Programmable Read Only Memory, and PROMS are Programmable Read Only Memory. PROMS can be programmed once, and once programmed, can not be programmed again, even by the machines that load the programs. EPROMS can be erased and rewritten over and over. The NSA will probably do everything in their power to put the viruses in the PROMS on ALL HARDWARE in your computer, not just your Hard Drive. For example, on your computer, you'll most likely have a Networking Chip. If the NSA has the ability to control what is put onto these Networking Chips, there is no way any Anti Virus on the planet can scan for it. Your Operating System will never ever see it. The hijack occurs at the Transport Layer of the OSI Network Model. The virus will never interact with your OS, thus, it is totally invisible.

It gets worse

Viruses on your Hard Drive are a waste of time for the NSA. A better target will be your Routers. Pick up EVERY bit of data that exits your computer that is either received or transmitted. If a Router virus can be combined with a Hard Drive virus, they can bypass every measure of security you can take at the Transport Layer, and see everything you do on your computer, depending on how the virus is set up. These things aren't usually observed by humans, but just categorized. Non human interaction with your data doesn't make it less dangerous, in fact, it makes it MORE dangerous. This data and meta data on you can be analyzed by algorithms and used to either further distract you, as most people do, or for other measures of control, like a computer generated psychological analysis of "crazy" and require you to be put on pills, at your own expense, because a computer found that you watched more than one Alex Jones Show.

The goal is to enslave both your Mind and Body. You are the product that is for sale.

CPUd
02-18-2015, 07:10 AM
Won't work. Firmware virus can't be erased. The difference is EPROMS or PROMS - EPROMS are Erasable Programmable Read Only Memory, and PROMS are Programmable Read Only Memory. PROMS can be programmed once, and once programmed, can not be programmed again, even by the machines that load the programs. EPROMS can be erased and rewritten over and over. The NSA will probably do everything in their power to put the viruses in the PROMS on ALL HARDWARE in your computer, not just your Hard Drive. .....


To be clear, this is not what we are talking about here. The only way something like this could occur in the context of the Kaspersky article is through interdiction, where someone opens a package and physically replaces the chips.

DamianTV
02-18-2015, 07:41 AM
To be clear, this is not what we are talking about here. The only way something like this could occur in the context of the Kaspersky article is through interdiction, where someone opens a package and physically replaces the chips.

The NSA can come in and demand, intimidate and coerce chip manufacturers into putting NSA code on normal chips, then slap them with a gag order. I'll suggest that there are a lot of different ways that computer security can be compromised, and not all of which are detectable, especially as you said in the OP, checksum of the firmware matches manufacturer checksum. NSA code is already in when the checksum is determined, and checksums are not foolproof either. I was able to modify Dead or Alive Xtreme Beach Volleyball and bypass XBox checksums to inject custom content into an expected unmodifiable package. Once the content was injected, I had to run another tool to bloat some of the content for the checksum to match the original. Came out with the exact same checksum despite having different content. Hell, the old XBox was cracked wide open by simply exploiting Fonts. XBox wouldn't run unsigned code, so it wouldn't run custom .xbe files (.xbox executables), but there was nothing built in as far as security goes to check Fonts. Sorry, that was off topic. I have heard other stories of NSA taking computer equipment off of store shelves, making modifications to the firmware, putting stuff back together, and then rewrapping said packages. Not sure of the scale of those operations or even if said spy ops are actually performed, but really, what wouldn't we put beyond our Govt today?

tangent4ronpaul
02-19-2015, 01:03 AM
NSA has spies that get hired by the companies of interest. The Project Manager is the most powerful person in the department doing R&D. The companies never know.

They also hack shipping systems and get stuff delivered to modding areas and then re-enter the shipping routes so it looks normal. Some people that watch their tracking closely have caught this when they screwed up.

How does NSA keep this from happening to them? Was talking to one of their cryptographers a few years ago, and he said they sourced stuff by going into a warehouse and selecting stuff at total random. Like if you were buying 5 motherboards, you'd pick the first 5 on the shelf. They are more like ok, 3rd box back, and selecting randomly from that box, then a different box, etc.

-t

tangent4ronpaul
02-19-2015, 01:30 AM
Hacking HD firmware:

How hackers could attack hard drives to create a pervasive backdoor
http://arstechnica.com/information-technology/2015/02/how-hackers-could-attack-hard-drives-to-create-a-pervasive-backdoor/

Not Only the NSA Knows How to Make Unerasable Malware
http://www.technologyreview.com/view/535226/not-only-the-nsa-knows-how-to-make-unerasable-malware/

Hard disk hacking - Intro
http://spritesmods.com/?art=hddhack&page=1


https://www.youtube.com/watch?v=HitPEFU7EVY

-t

ChristianAnarchist
02-19-2015, 12:52 PM
Hacking HD firmware:

How hackers could attack hard drives to create a pervasive backdoor
http://arstechnica.com/information-technology/2015/02/how-hackers-could-attack-hard-drives-to-create-a-pervasive-backdoor/

Not Only the NSA Knows How to Make Unerasable Malware
http://www.technologyreview.com/view/535226/not-only-the-nsa-knows-how-to-make-unerasable-malware/

Hard disk hacking - Intro
http://spritesmods.com/?art=hddhack&page=1


https://www.youtube.com/watch?v=HitPEFU7EVY

-t

A very excellent video and demonstration as to how these kinds of HD hacks can be developed and executed. If you have an hour to spare this video will answer most of the questions surrounding how it can be done and why you would have no way of knowing...

charrob
02-19-2015, 10:37 PM
Cpu’d thanks so much for your detailed answer. What limequat says really does make sense: for people to have security for private stuff, the best thing to do is have an offline computer for private stuff, and a networked computer for everything else. I remember originally reading from, I think it was the New York Times, about the Stuxnet virus and how the hardest thing for them was to get the worm to the computers that were physically attached to the Iranian centrifuges (Iran had kept them all offline all the time). And the Times said at the time they were able to figure out how to put worms on offline computers. And I kept thinking how in the world could they do that? But having this in the firmware and hard drive makes sense.


They often need to be able to save and modify variables locally, especially diagnostic data. Also, the manufacturer needs a way to make future updates if necessary.

Thanks. The second part is what I was looking for and thought probably why. However I never knew the eproms saved and modified variables locally; things at that level are fascinating—wish I knew more.


Antivirus programs could look at firmware, but with something like the stuffs described in the article, it would not find anything wrong if you're running it from the OS. With a special utility, you can test if the firmware checksum matches the checksum provided by the manufacturer, and you can flash a new one, so it's kinda all or nothing at this level. This is because it can't otherwise look directly at hardware like that.

Thanks. And ‘flashing’ firmware means to install new firmware into the chip?


------------------------------------------------------------------------


I was just using the bad sector thing as an example; there are other ways, like moving it around on unallocated space.
If the drive is reporting no bad sectors, then no, there is no secret storage vault masquerading as a bad sector. Drives older than a year are probably going to have bad sectors.

Thanks. I was just thinking it might be a quick way of proving, particularly a new hard drive, doesn’t contain this storage vault. But you’re saying it could also be placed in unallocated space: again this would be on the hard drive until the hard drive would be full, and its location would only be known by the firmware?


The way it was described in the article, this is a sophisticated group of programs that can act like a Swiss army knife; if one attack vector is not feasible, it can use another. An example: your AV program might be able to detect/remove part of it in the regular file system, or running in memory but when you reboot, before the OS even loads, the drive firmware could copy stuff back to the file system, including infected system files that are made to appear OK to the OS and AV programs. You could reflash the firmware, but if you miss something in the OS, it could reflash again with their firmware.

I didn’t read the article but just skimmed really quickly. It looked like the OS registry was compromised. If the infected system files are made to appear okay to the OS, the person doing this would need access to the source code of the OS (or at least i/o between that file and other system files)? So they either work for Microsoft or somehow got hold of their source code?


It is a vicious cycle with a lot of moving parts that aren't fully understood yet. The researchers are still working out exactly what is happening, and might take a few weeks before they start releasing tools for removal.

Thanks for your description. Hard to believe our government does all this stuff. They say NSA has the best mathematicians and scientists in the world. Just hoping they’ve studied the Constitution as much as their science.

DFF
02-19-2015, 10:57 PM
The NSA can come in and demand, intimidate and coerce chip manufacturers to putting NSA code on normal chips, then slap them with a gag order.

They can't do this to other countries though...Russia is in the process of making NSA hackproof phones, CPUs, hard drives, and so on. So the only secure computer/smartphone in the future may be a Russkie one.

As someone who grew up during the real cold war in the 1980's, looking to Russia for "safety" is quite bizarre to say the least, but we have gone through the looking glass, and what was, is not what is.

charrob
02-19-2015, 11:29 PM
To be clear, this is not what we are talking about here. The only way something like this could occur in the context of the Kaspersky article is through interdiction, where someone opens a package and physically replaces the chips.

...such as possibly on a shipping dock, where products are imported from overseas? I can't believe the U.S. Post Office or UPS could be involved in this. But how about in other countries (I think it said this malware was detected in 30 countries)? That would mean CIA assets in other countries being paid to do this?

It also looked like other software was used to either flash the hard drive firmware or infect system files: is that even possible to do? -just skimmed the article but somewhere it said something about getting new Oracle installation disks and they apparently were compromised and installed this malware.

tangent4ronpaul
02-19-2015, 11:54 PM
They can't do this to other countries though...Russia is in the process of making NSA hackproof phones, CPUs, hard drives, and so on. So the only secure computer/smartphone in the future may be a Russkie one.

As someone who grew up during the real cold war in the 1980's, looking to Russia for "safety" is quite bizarre to say the least, but we have gone through the looking glass, and what was, is not what is.

source?

-t

CPUd
02-20-2015, 04:03 AM
Thanks. The second part is what I was looking for and thought probably why. However I never knew the eproms saved and modified variables locally; things at that level are fascinating—wish I knew more.

Technically I think what happens with EPROMs is it stores an image of itself with the new values in volatile memory until you are ready to save them, then it writes the whole image back to the chip during the save operation. There is a small time window during this process where you can create some real problems if you disconnect the power source. On HDDs there is a way to password protect them that is independent of the system. Sometimes, it is called a "platter lock", because there is not a lot you can do with the drive without the password. Data forensics people don't really try to brute-force it; sometimes you can dump the firmware and read the password in plaintext. Otherwise, it is faster to just replace the PCB on the drive case with another one from the same model.




Thanks. And ‘flashing’ firmware means to install new firmware into the chip?

Yes, because it is stored on flash memory, where you have to write the entire block, as opposed to individual bytes here and there. It is all or nothing, so if the write process is interrupted, it will be nothing (useful). Some older devices could be rendered permanently unusable without replacing the ROM chip, because the mechanism to write the firmware is on the firmware itself. It is what they mean when someone says the device is 'bricked', because it is an expensive paperweight or thingy to hold the door open. Devices are harder to brick nowadays, because manufacturers provide multiple methods for recovery, and the write process is faster due to better chips.




Thanks. I was just thinking it might be a quick way of proving, particularly a new hard drive, doesn’t contain this storage vault. But you’re saying it could also be placed in unallocated space: again this would be on the hard drive until the hard drive would be full, and its location would only be known by the firmware?

Yes. And as long as the hacked firmware is on there, the drive will never really be full. In the context of the original article, what makes this a big deal is that even if you clean out the spyware and put a factory firmware back onto the drive, someone could possibly get to the hidden data many months later by knowing where to look.



I didn’t read the article but just skimmed really quickly. It looked like the OS registry was compromised. If the infected system files are made to appear okay to the OS, the person doing this would need access to the source code of the OS (or at least i/o between that file and other system files)? So they either work for Microsoft or somehow got hold of their source code?

Not necessarily. There are plenty of other ways to defeat that protection; there is a pretty good flowchart in the article about different ways this is done. It is not so much about what is being done, but when.




Thanks for your description. Hard to believe our government does all this stuff. They say NSA has the best mathematicians and scientists in the world. Just hoping they’ve studied the Constitution as much as their science.

They would like to have the best, but the best get paid a lot more working in Silicon Valley or even academia.



...such as possibly on a shipping dock, where products are imported from overseas? I can't believe the U.S. Post Office or UPS could be involved in this. But how about in other countries (I think it said this malware was detected in 30 countries)? That would mean CIA assets in other countries being paid to do this?

Docks and airports are actually the best places to do this, because they have highly-restricted areas where a small group can set up shop, and govt screeners taking a package to a back room is not really going to be questioned. They need specialized equipment and they need to do it quickly.



It also looked like other software was used to either flash the hard drive firmware or infect system files: is that even possible to do? -just skimmed the article but somewhere it said something about getting new Oracle installation disks and they apparently were compromised and installed this malware.

Yes, they could do it via driver files that interact with the disk controller, because they have the level of access required to do it. Manufacturers provide utilities to upgrade firmware via the OS, but these are generally proprietary. To be able to write a driver file to gain control over the process, they would need to disassemble these utilities to analyze and find a weak spot.
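The post above explains why a flash write is all or nothing, why interrupting it can brick an older device, and why newer devices survive because manufacturers provide more than one recovery path. The model below is an added example (not code from this thread or from any drive or vendor firmware) of the simplest such recovery design, two image slots with a self-describing header. A power failure during programming leaves a slot whose digest does not match its payload, and boot selection falls back to the other slot; with a single slot the same failure leaves nothing bootable. Slot size, page size, the header layout and the payloads are all constructed here.

```python
"""
Why a flash write is all-or-nothing, and how A/B image slots avoid a brick.

Added example, not vendor code. Flash is modelled as fixed-size slots that
are erased (all 0xFF) and then programmed page by page; a slot header
carries a sequence number and the SHA-256 of the payload.
"""
import hashlib
import struct

HDR = struct.Struct("<4sII32s")      # magic, sequence, payload length, sha256
MAGIC = b"FWIM"
SLOT_SIZE = 4096                      # constructed values, not a real part's
PAGE_SIZE = 256
ERASED = b"\xff" * SLOT_SIZE          # erased flash reads back as all ones

V1 = b"v1 firmware " * 100            # constructed payloads, ~1.2 KB each,
V2 = b"v2 firmware " * 100            # so an image spans several pages


class FlashWriteInterrupted(Exception):
    pass


def build_image(seq: int, payload: bytes) -> bytes:
    """Header + payload, padded to the slot size with erased bytes."""
    img = HDR.pack(MAGIC, seq, len(payload), hashlib.sha256(payload).digest()) + payload
    if len(img) > SLOT_SIZE:
        raise ValueError("payload does not fit the slot")
    return img + b"\xff" * (SLOT_SIZE - len(img))


def parse_slot(slot: bytes):
    """(seq, payload) if the slot holds a complete, intact image, else None."""
    magic, seq, length, digest = HDR.unpack_from(slot)
    if magic != MAGIC or length > SLOT_SIZE - HDR.size:
        return None
    payload = slot[HDR.size:HDR.size + length]
    if hashlib.sha256(payload).digest() != digest:   # partial write shows up here
        return None
    return seq, payload


class Flash:
    def __init__(self, slots: int):
        self.slots = [ERASED] * slots

    def write_slot(self, idx: int, image: bytes, power_fail_after=None):
        """Erase, then program page by page. power_fail_after=N simulates
        losing power after N pages: the rest of the slot stays erased."""
        self.slots[idx] = ERASED
        written = bytearray(ERASED)
        for n in range(SLOT_SIZE // PAGE_SIZE):
            if power_fail_after is not None and n >= power_fail_after:
                self.slots[idx] = bytes(written)
                raise FlashWriteInterrupted(f"slot {idx} after {n} pages")
            written[n * PAGE_SIZE:(n + 1) * PAGE_SIZE] = image[n * PAGE_SIZE:(n + 1) * PAGE_SIZE]
        self.slots[idx] = bytes(written)

    def select_boot(self):
        """Boot the intact slot with the highest sequence; None means bricked."""
        candidates = []
        for idx, slot in enumerate(self.slots):
            parsed = parse_slot(slot)
            if parsed is not None:
                candidates.append((parsed[0], idx, parsed[1]))
        if not candidates:
            return None
        seq, idx, payload = max(candidates)
        return idx, seq, payload


def update(flash: Flash, payload: bytes, power_fail_after=None):
    """A/B update: write into the slot that is NOT currently booted."""
    current = flash.select_boot()
    target = 1 - current[0] if current else 0
    seq = current[1] + 1 if current else 1
    try:
        flash.write_slot(target, build_image(seq, payload), power_fail_after)
    except FlashWriteInterrupted:
        pass                                     # the running slot is untouched
    return flash.select_boot()


def scenario_single_slot():
    """Older design, one copy: an interrupted update leaves nothing bootable."""
    f = Flash(slots=1)
    f.write_slot(0, build_image(1, V1))
    try:
        f.write_slot(0, build_image(2, V2), power_fail_after=3)
    except FlashWriteInterrupted:
        pass
    return f.select_boot()


def scenario_ab_slots():
    """Two slots: the failed write is ignored, the retry is taken on next boot."""
    f = Flash(slots=2)
    f.write_slot(0, build_image(1, V1))
    after_fail = update(f, V2, power_fail_after=3)   # still boots v1 from slot 0
    after_retry = update(f, V2)                      # now boots v2 from slot 1
    return after_fail, after_retry


if __name__ == "__main__":
    print("single slot after interrupted write:", scenario_single_slot())
    print("A/B slots after interrupted write, then retry:", scenario_ab_slots())
```

The digest in the header is what makes the fallback safe: a half-programmed slot is not merely "old", it is detectably invalid, so the boot path never has to trust its own write counter. A single-slot device has no second copy to fall back on, which is the brick the post describes.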

kpitcher
02-20-2015, 07:27 AM
The report says that the NSA used this to spy on countries like Iran and China, especially government officials and diplomats.
I don't think we can say conclusively that they are using this within the US.

Take a cue from Ed Snowden: Always use an airgapped (offline) computer for sensitive stuff. It doesn't matter what spyware is on it...if it's not connected to a network, nobody can get to it.

If you airgap it you can't even use a USB to transfer information as that may infect you. Stuxnet hit airgapped computers. The article also mentions how specialized firmware to cisco routers was added while in transit in the mail. Only a government could hijack a computer en route.