Re: NSA BIOS bug: anyone know how to find it?

while i can't speak about the NSA claims specifically (heh, you know, i'd get fired from my super sekret .gov job) i will tell you that most "bios" sort of packages are handled simply by means of forcing their way into your O/S after it has been installed, etc For example, a popular utility for schools and companies to use is CompUTrace... this relies on there being a windows installation present, and it simply adds itself as an executable, etc.

so, if and when any NSA executable is identified, it would be rather trivial to kill the process, then nuke the exe (then replace it with a blank file that prevents re-install)

Re: NSA BIOS bug: anyone know how to find it?

Thanks Deviant. CompUTrace I've heard quite a lot of for their lojacking. I've been ransacking Google for more info on the whole story. Seems to have been found in Dell servers with RAID BIOS configs. So, with the media reporting that the NSA "preloaded" laptops with "hardware/spyware" (guess they're not sure which), it could be anywhere. NICs, MBRs on HDD's with the OS preloaded. My best guess would still be a BIOS modification (since the Dell server issue was from BIOS) like a rootkit/bootkit, but cleverly hidden and nearly undetectable.

I'm looking at a VMware BIOS extractor to play around with like Resource Hacker. This is all according to info on EXFiLTRATED using Resource Hacker and IDA Pro to modify BIOS. Still, if it extracts the BIOS image, the .exe is an unknown and surely the NSA would bury it deep. Also, if the NSA is doing this, I would think it would use a port, and I nmap myself all the time . But that doesn't mean much. Wireshark should show some sort of anomaly if it was, but I don't sit there and follow every stream.

I might try extracting the BIOS copy to see what it comes up with. Just have way too many machines and not enough time to modify each one.

Edit: Just saw this: http://arstechnica.com/information-t...eillance-magic



Sorry, my "train of thought" is a wreck when written.

Re: NSA BIOS bug: anyone know how to find it?


Are you asking about "BadBIOS" or about this http://www.spiegel.de/international/...-a-940969.html

If about "BadBIOS" most people are on the side of "evidence is probably valid, but conclusions are probably not." Keyword search with google, or news.google.com "BadBios" or hashtag on twitter. I'm in a minority, of those that have spoken on this, accepting the possibility of things claimed (technically) accept a complex combination of all is unlikely, but am open to hard evidence and testing of these claims by many more people in parallel.

As for Der Spiegel, if you can't read German, consider using: http://translate.google.com
You can paste the Der Spiegel URL into the form and ask to translate, and get a link to a page through google that will attempt to translate it to English.
Also, related: http://www.spiegel.de/netzwelt/netzp...-a-941153.html and http://www.youtube.com/watch?v=vILAlhwUgIU

Re: NSA BIOS bug: anyone know how to find it?

Thanks Cotman. I'm starting to rethink the BadBIOS, especially since the recent RSA acoustical cryptanalysis. Makes me wonder.

I'm going off this report: http://www.youtube.com/watch?v=PeHUDfe5oIU and the correlation with those finding NSA BIOS bugs in Dell/HP servers (sucks cause I have 2 Proliants). I suppose it's the Der Speigel TAO report, and the Dec 31st Snowden release.
I see tweets of more findings on servers (i.e. Daveaitel and DT's tweets), but the "preloaded laptops" and the Dell server issue, may have some similarity and I'm thinking BIOS. It could be two separate issues and I'm confusing the two. The Ars Tech article mentions mobo taps, so there is no telling
Preloading laptops/desktops prior to retail sale, it would make sense to me that they would have done the same by adding a bug in the BIOS. But could it be similar as those found in the Dell servers? This is what I'm trying to find. It could be the HDDs, but BIOS bugging would make more sense to me.

Missed Hamburg for the 30c3 this year, but hopefully I can get some answers at Schmoo. Thankfully I spent two years as a German exchange student in HS, so I do well with German. Almost got killed by the Turkish mafia there, but long story:-)

Had 2 work today. Two crackheads (in the literal sense) bought some laptop I rebuilt. Claimed it came with the malware when they bought it. Was funny when I rattled off the IE History, dates and their passwords and login data they set up :-) Priceless reaction.

Sorry, My "train of thought" is a wreck when written.

Re: NSA BIOS bug: anyone know how to find it?

It also looked like they were going after the remote management port on the Dell systems. That makes sense because of who would be targeted.

DEF CON is so small we don't use the management more, and on some supermicro servers you can set a jumper to disable it entirely.

While I haven't tested this next bit, I don't have the time right now, if your BIOS supports it you could try to "Enable boot sector virus protection". I've got that option on some SuperMicro system, but not others, as well as on some Tyan motherboards, but not others. Anyway the deal is you turn it off to install operating systems, and turn it on after you don't want any more modifications to the boot sector.

From what I can gather that would help on some of the attacks, but I don't think it would on the hard drive bios reflash ones - that has nothing to do with the boot sector but instead with the reserved portions - and the only way to wipe them out is with the "Enhanced Secure Erase" ATA command - assuming it hasn't been tampered with.