cooper Posted February 18, 2015
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/ Kaspersky identified some rather advanced malware, some of it going so far as to infect the firmware of a number of hard disks (!) to both prevent detection and negate erasure efforts. Official response from the NSA, who are suspected of creating this: We admit only that the things we do aren't illegal.
Rkiver Posted February 18, 2015
Surprised, not really. The NSA is what it is, and using any and all means doesn't surprise me. Of course the next question is how the hell do we remove it from our firmware? If it can get on, it can be taken off.
overwraith Posted February 18, 2015 (edited)
If it's in the firmware, then you would need some kind of firmware re-flashing procedure. The company that makes the hard disk may have something on their site for this, but even if they have it, it won't be easy, and who knows, the company may be the only one who can do this. That's the thing about our planned-obsolescence hardware these days: it usually needs a specialist to fix it, and it is usually just cheaper to buy a new one. P.S. My dad says that he has re-flashed server hard drives before, but the hardware has to support it. Some desktop computers support it, but not that many. He also says to buy a new hard drive.
Edited February 18, 2015 by overwraith
cooper (Author) Posted February 18, 2015
I think this kinda shows that the concept of completely disintegrating a hard disk isn't as idiotic as it may once have seemed.
overwraith Posted February 18, 2015
cooper wrote:
I think this kinda shows that the concept of completely disintegrating a hard disk isn't as idiotic as it may once have seemed.

Right, how do you know you actually wiped the drive? The firmware told you so.
digininja Posted February 18, 2015
Before anyone comes in asking if the Pineapple firmware can be hacked in transit: yes it can, but you reflash it when it arrives anyway. Can the hardware be modified? Yes it can. Realistically though, the NSA have much more important things to be thinking about.
overwraith Posted February 18, 2015
digininja wrote:
Before anyone comes in asking if the Pineapple firmware can be hacked in transit: yes it can, but you reflash it when it arrives anyway. Can the hardware be modified? Yes it can. Realistically though, the NSA have much more important things to be thinking about.

That is actually reassuring, thanks digininja.
killergeek Posted February 18, 2015
http://hackaday.com/2013/08/02/sprite_tm-ohm2013-talk-hacking-hard-drive-controller-chips/ Hardware or software, it's still a little computer in the hard drive that can be hacked too.
sud0nick Posted February 19, 2015
From http://hackaday.com/...ntroller-chips/:
Using JTAG he was able to inject a jump into the code (along with a filler word to keep the checksum valid) and run his own code.

This doesn't make sense to me. Shouldn't any little change to the data change the value of the checksum?
cooper (Author) Posted February 19, 2015
If you have control over a section of memory over which a checksum is computed, you know what the final checksum needs to be, and you want to change a byte or two within that section, then you can try to modify additional bytes such that the final checksum still matches. How difficult this is depends greatly on the checksum algorithm, which in this case is probably closer to XOR than to AES.
overwraith Posted February 19, 2015 (edited)
cooper wrote:
If you have control over a section of memory over which a checksum is computed, you know what the final checksum needs to be, and you want to change a byte or two within that section, then you can try to modify additional bytes such that the final checksum still matches. How difficult this is depends greatly on the checksum algorithm, which in this case is probably closer to XOR than to AES.

This might be a complicated process however. Not saying it's not possible, but you would essentially need a copy of the original data somewhere. If you are checksumming or hashing the whole drive you would essentially need another whole drive in order to do so, or a network socket. I was thinking more along the lines of not zeroing the drive when the OS asks the drive to zero itself. Perhaps I need to read the article and see exactly what's going on with this malware. Saying again, I could be wrong.
Edited February 19, 2015 by overwraith
cooper (Author) Posted February 19, 2015
The section sud0nick was quoting was about firmware controller code. As far as the controller was concerned, it's ROM. The guy changed this data such that it would jump to somewhere he had more control over while retaining the original checksum that's computed over this code and thus verified before the controller is willing to run it.
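As an added illustration of the point cooper makes in the two posts above (example code written for this page, not from the thread or the hackaday talk): a 16-bit word-sum checksum, assumed here as a stand-in for the controller's unknown real algorithm, absorbs any patch through one filler word, while a keyed hash over the same image does not, which is why firmware verification needs a signature or MAC rather than a checksum. FIRMWARE and KEY are constructed toy values.

```python
"""Added example: why a linear checksum over firmware can be kept valid with a
filler word, and why a keyed hash cannot. Assumptions: the controller uses a
16-bit little-endian word-sum checksum (a guess standing in for the real
algorithm); FIRMWARE and KEY are constructed toy values, not real code."""
import hashlib
import hmac
import struct

FIRMWARE = bytes(range(64))          # constructed 64-byte "firmware image"
KEY = b"vendor-signing-key (toy)"    # constructed; a real vendor would use a private key

def word_sum16(data: bytes) -> int:
    """Assumed checksum: sum of little-endian 16-bit words, mod 2**16.
    An XOR-of-bytes checksum is compensated the same way (with one filler byte)."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    return sum(w for (w,) in struct.iter_unpack("<H", data)) & 0xFFFF

def patch_keep_checksum(image: bytes, offset: int, new_bytes: bytes, filler_off: int) -> bytes:
    """Overwrite `new_bytes` at `offset`, then adjust the 16-bit filler word at
    `filler_off` so word_sum16() is unchanged. This is the weakness the thread
    describes: the check is linear, so one free word absorbs any change."""
    if filler_off % 2 or not (offset + len(new_bytes) <= filler_off or filler_off + 2 <= offset):
        raise ValueError("filler must be word-aligned and outside the patched range")
    img = bytearray(image)
    target = word_sum16(img)
    img[offset:offset + len(new_bytes)] = new_bytes
    delta = (target - word_sum16(img)) & 0xFFFF
    (old_filler,) = struct.unpack_from("<H", img, filler_off)
    struct.pack_into("<H", img, filler_off, (old_filler + delta) & 0xFFFF)
    return bytes(img)

def mac_tag(image: bytes, key: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256) over the whole image: every byte
    influences the result non-linearly, so no filler word can restore it."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()

def verify_image(image: bytes, key: bytes, expected_tag: str) -> bool:
    """What a bootloader should do instead of comparing a checksum."""
    return hmac.compare_digest(mac_tag(image, key), expected_tag)

if __name__ == "__main__":
    patched = patch_keep_checksum(FIRMWARE, 8, b"\xaa\xbb", 60)
    print("checksum unchanged:", word_sum16(patched) == word_sum16(FIRMWARE))      # True
    print("HMAC still verifies:", verify_image(patched, KEY, mac_tag(FIRMWARE, KEY)))  # False
```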
barry99705 Posted February 19, 2015
cooper wrote:
I think this kinda shows that the concept of completely disintegrating a hard disk isn't as idiotic as it may once have seemed.

http://youtu.be/v-t0ZNylhkg
cooper (Author) Posted February 19, 2015
Over on Ars someone mentioned that their hard disk destruction process involves them being used for target practice for high-caliber rounds, resulting in impacts that occur with such force that the hard disk platters fuse together. In other news, when was the last time you went to the dump with a screwdriver and asked if you could carefully remove the hard disks from any computer turned in for recycling? If you ask nicely, and especially if you provide some sort of cover story (wanting to show kids at the local school what you can do with the chips on them worked well for me), they'll allow it more often than not. You'd be amazed at the shit you dig up. And the best part? This information will be on locals. Find the SSID and password in the registry, drive around scanning for it and sure enough, you're going to find it. What happens next... is up to you.
barry99705 Posted February 20, 2015
I know a guy that used to shop eBay for used CF and SD cards. Some things should be left unseen...
Mr-Protocol Posted February 20, 2015
Agreed on the things that should be left unseen. Better yet, not created. But if you think the old malware of the hard disks is bad, what do you think is lurking in your UEFI? I've been saying since the beginning that UEFI is so bad, will be rootkit heaven, etc. I predict in a few years we will see malware in UEFI that does similar. I can almost guarantee it's already there.
barry99705 Posted February 20, 2015
Mr-Protocol wrote:
Agreed on the things that should be left unseen. Better yet, not created. But if you think the old malware of the hard disks is bad, what do you think is lurking in your UEFI? I've been saying since the beginning that UEFI is so bad, will be rootkit heaven, etc. I predict in a few years we will see malware in UEFI that does similar. I can almost guarantee it's already there.

I noticed on a new Dell UEFI that it has the settings to netboot over the internet, which is kinda cool. Still waiting for someone to make a small usable OS to replace UEFI.
digip Posted February 20, 2015 (edited)
barry99705 wrote:
I noticed on a new Dell UEFI that it has the settings to netboot over the internet, which is kinda cool. Still waiting for someone to make a small usable OS to replace UEFI.

Not an OS, but 3 years ago they bypassed UEFI to load whatever you wanted to get Windows to run unsigned drivers, so you should be able to pretty much pre-boot UEFI to whatever you want done - http://www.theregister.co.uk/2012/09/19/win8_rootkit/
edit: Also this Chaos Computer Club article from this year - https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=25&ved=0CNcBEBYwGA&url=http%3A%2F%2Fevents.ccc.de%2Fcongress%2F2014%2FFahrplan%2Fsystem%2Fattachments%2F2566%2Foriginal%2Fvenamis_whitepaper.pdf&ei=iajmVLbCPNLlsAStpoD4CQ&usg=AFQjCNHnQwsQh_okOJz2J9yaGc0qDXHSmw
Edited February 20, 2015 by digip
overwraith Posted February 21, 2015
barry99705 wrote:
I know a guy that used to shop eBay for used CF and SD cards. Some things should be left unseen...

Had an intro to computer forensics class recently, and used Autopsy on one of my flash drives. Was surprised what I could still recover. Flash drives always give out after a certain number of writes, and have wear-leveling algorithms and such to prevent them from wearing out too fast, but as a rule you should never resell your flash drives. Even zeroing them out will cause the number of writes per sector to be increased, and at worst would fry the flash drive.
barry99705 Posted February 21, 2015 (edited)
overwraith wrote:
Had an intro to computer forensics class recently, and used Autopsy on one of my flash drives. Was surprised what I could still recover. Flash drives always give out after a certain number of writes, and have wear-leveling algorithms and such to prevent them from wearing out too fast, but as a rule you should never resell your flash drives. Even zeroing them out will cause the number of writes per sector to be increased, and at worst would fry the flash drive.

That's why it's so hard to actually wipe flash media. I keep it till it dies, then smash it up before throwing it out. One of the thumb drives in my pocket is 512 MB. It has GParted loaded on it.
Edited February 21, 2015 by barry99705