Mac Boot Hacked via Thunderbolt Port

January 14, 2015

Too many of us still have to deal with members of our workforce who hold groundless beliefs about the freedom from risk they enjoy while using their Macs.

Trammell Hudson described his most recent project at the last Chaos Communication Congress in Germany. It is called Thunderstrike, and it can infect any modern Mac boot ROM via the Thunderbolt port, ultimately giving the attacker control of the endpoint. This “evil maid” attack gives us all another reason for concern. Anyone with physical access to a worker’s Mac could use this technique (or one of its predecessors) to gain a foothold in your network, as well as “direct” access to any operations to which that user has been permitted. Traveling executives seem like obvious targets, but virtually any member of the workforce is a candidate.

Mr. Hudson describes the impact of his attack as:

“There are neither hardware nor software cryptographic checks at boot time of firmware validity, so once the malicious code has been flashed to the ROM, it controls the system from the very first instruction. It could use SMM, virtualization and other techniques to hide from attempts to detect it.

Our proof of concept bootkit also replaces Apple’s public RSA key in the ROM and prevents software attempts to replace it that are not signed by the attacker’s private key. Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect.”

At a minimum, this should be used as input for traveler’s security awareness training.

It should also be injected into risk analyses of all BYOD scenarios.

REFERENCES
“Thunderstrike.” By Trammell Hudson.
https://trmm.net/EFI

“De Mysteriis Dom Jobsivs: Mac EFI Rootkits.” By Snare (Blackhat 2012)
http://ho.ax/downloads/De_Mysteriis_Dom_Jobsivs_Black_Hat_Slides.pdf

“Apple’s Mac EFI found vulnerable to bootkit attack via rogue Thunderbolt devices.” By Sam Oliver, Dec 22, 2014
http://appleinsider.com/articles/14/12/22/apples-mac-efi-found-vulnerable-to-bootkit-attack-via-rogue-thunderbolt-devices

“Thunderstrike: The scary vulnerability in your Mac’s Thunderbolt port.” By Christina Warren, Jan 02, 2015
http://mashable.com/2015/01/02/thunderstrike-mac/

“Macs vulnerable to virtually undetectable virus that ‘can’t be removed’.” By Adrian Kingsley-Hughes, Jan 12, 2015
http://www.zdnet.com/article/macs-vulnerable-to-virtually-undetectable-virus-that-cant-be-removed/


Will Governments Increase Their Involvement in Incident Response?

January 10, 2015

Time (and others) reported that NSA Director Admiral Michael Rogers told the International Conference on Cyber Security (ICCS) at Fordham University in New York:
“Sony is important to me because the entire world is watching how we as a nation are going to respond to [the attack on Sony].” “If we don’t name names here, it will only encourage others to decide, ‘Well this must not be a red line for the United States.’”
The attacks against Sony had begun in September, he said, with a flurry of tightly focused phishing attacks against key individuals. This was then used to gain full access to the company’s servers and to steal data.
Rogers stated, “I remain very confident: this was North Korea.”

Some cyber security experts seem less sure that this accurately described what happened.

Rogers also said that hacks against private companies may require economic sanctions.

How did terabytes of data get stolen from Sony’s private network? Did Sony invest enough in attack resistance, identification, & response? Should there be more objective criteria upon which to help frame decision-making on this topic?

Since November I have been hearing a lot of discussion about “Sony” and “The Sony Hack.” Should we in Financial Services begin including NSA monitoring, forensic assistance, and consulting in our incident response planning?
How will the U.S. (along with other nations in this global business environment) decide which hacks against private companies deserve a governmental response, and which will not? And what if your company has business in both the source and target countries of a given attack? It seems like each of our organizations needs to work through these issues before the day they become critically important and a small herd of corporate officers on an incident response call is waiting for your direction.

What do you think?

REFERENCES:
“NSA Director on Sony Hack: ‘The Entire World is Watching’.”
http://time.com/3660757/nsa-michael-rogers-sony-hack/
By Sam Frizell, 01-08-2015

“FBI fingering Norks for Sony hack: The Truth – by the NSA’s spyboss.”
http://www.theregister.co.uk/2015/01/09/fbi_nsa_sony_pictures_north_korea/
By Iain Thomson, 01-09-2015

“Are We Asking the Right Questions in the Wake of the Sony Pictures Breach?”
http://www.wired.com/2015/01/right-questions-sony-pictures-breach/
By Paul Martini, 01-09-2015


New In-Flight Data Leakage Channel — Gogo.

January 9, 2015

Commercial aircraft WiFi network provider Gogo appears to have been issuing SSL certificates for Google sites accessed via their in-flight service. Technically, the Gogo Inflight Internet service is acting as an SSL man-in-the-middle (MITM). Most of us in Financial Services are familiar with analogous HTTP proxy infrastructure that allows our organizations to inspect and control web traffic, even traffic to secure web sites.

Assuming that many of your traveling workforce also use and communicate highly sensitive information, the kind that must be controlled to meet regulatory obligations and/or customer & investor expectations, the Gogo service appears to present a potentially material risk management issue. There is also the issue of losing any (more) of your workforce credentials. Under a range of common scenarios, Gogo appears to have them. Does Gogo protect that information to the degree required by Financial Services enterprises?  I assume not.

At a minimum, this seems like another topic to be included in our traveler’s security awareness training.

REFERENCES:
“Gogo Inflight Internet is intentionally issuing fake SSL certificates.”
http://www.techworm.net/2015/01/gogo-inflight-internet-intentionally-issuing-fake-ssl-certificates.html
By Dwulf, 01-05-2015

“Gogo Inflight Internet is Intentionally Issuing Fake SSL Certificates.”
http://www.symantec.com/connect/blogs/gogo-inflight-internet-intentionally-issuing-fake-ssl-certificates
By Rick Andrews, 01-07-2015

