FSF Certifies Another Batch Of Old Hardware For Respecting Your Freedom

The Free Software Foundation has endorsed fifteen “new” devices under their Respects Your Freedom (RYF) certification. These new devices though amount to another supplier ,Technoethical, selling old, refurbished ThinkPad laptops shipping with Libreboot and using the FSF-approved Trisquel Gnu/Linux distribution. The ThinkPad X200, X200T, X200s, T400, T400s, and T500 are among the models being spun by this company, Technoethical, which is a Romanian-based firm. The X200T is the first “tablet” receiving the FSF RYF blessing.

— source phoronix.com, fsf.org

CIA malware BothanSpy and Gyrfalcon targeting Windows and Linux

WikiLeaks has dumped its newest Vault 7 documents, detailing the capabilities of two alleged CIA hacking tools dubbed BothanSpy and Gyrfalcon. The malware payloads have allegedly been designed to steal SSH credentials from systems running both Windows and Linux operating systems (OS).

According to WikiLeaks, while BothanSpy targets Windows computers, Gyrfalcon goes after Linux platforms. SSH credentials or Secure Shell credentials are cryptographic keys designed to securely access a remote computer or server. In other words, the two alleged CIA malware strains would allow spies to remotely hack into systems, likely without being detected.

— source ibtimes.co.uk

Backdoor built in to widely used tax app seeded NotPetya outbreak

The third-party software updater used to seed last week’s NotPetya worm that shut down computers around the world was compromised more than a month before the outbreak. This is yet another sign the attack was carefully planned and executed. malware was spread through a legitimate update module of M.E.Doc, a tax-accounting application that’s widely used in Ukraine.

— source arstechnica.com

To avoid this kind of situation all softwares must be Free Software.

CIA’s “Pandemic” turns Windows servers to attack machine

WikiLeaks just published details of a purported CIA operation that turns Windows file servers into covert attack machines that surreptitiously infect computers of interest inside a targeted network.

“Pandemic,” as the implant is codenamed, turns file servers into a secret carrier of whatever malware CIA operatives want to install, according to documents published Thursday by WikiLeaks. When targeted computers attempt to access a file on the compromised server, Pandemic uses a clever bait-and-switch tactic to surreptitiously deliver malicious version of the requested file. The Trojan is then executed by the targeted computers. A user manual said Pandemic takes only 15 seconds to be installed.

— source arstechnica.com

Intel x86s hide another CPU that can take over your machine

Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they’ll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I’ve made it my mission to open up this system and make free, open replacements, before it’s too late.

The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that’s physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.

When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out-of-band with the main x86 CPU meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend).

On some chipsets, the firmware running on the ME implements a system called Intel’s Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.

The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called “Intelligent Platform Management Interface” or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system.

While AMT can be a great value-add, it has several troubling disadvantages. ME is classified by security researchers as “Ring -3”. Rings of security can be defined as layers of security that affect particular parts of a system, with a smaller ring number corresponding to an area closer to the hardware. For example, Ring 3 threats are defined as security threats that manifest in “userspace” mode. Ring 0 threats occur in “kernel” level, Ring -1 threats occur in a “hypervisor” level, one level lower than the kernel, while Ring -2 threats occur in a special CPU mode called “SMM” mode. SMM stands for System-Management-Mode, a special mode that Intel CPUs can be put into that runs a separately defined chunk of code. If attackers can modify the SMM code and trigger the mode, they can get arbitrary execution of code on a CPU.

Although the ME firmware is cryptographically protected with RSA 2048, researchers have been able to exploit weaknesses in the ME firmware and take partial control of the ME on early models. This makes ME a huge security loophole, and it has been called a very powerful rootkit mechanism. Once a system is compromised by a rootkit, attackers can gain administration access and undetectably attack the computer.

On systems newer than the Core2 series, the ME cannot be disabled. Intel systems that are designed to have ME but lack ME firmware (or whose ME firmware is corrupted) will refuse to boot, or will shut-down shortly after booting.

There is no way for the x86 firmware or operating system to disable ME permanently. Intel keeps most details about ME absolutely secret. There is absolutely no way for the main CPU to tell if the ME on a system has been compromised, and no way to “heal” a compromised ME. There is also no way to know if malicious entities have been able to compromise ME and infect systems.

A large portion of ME’s security model is “security through obscurity”, a practice that many researchers view as the worst type of security. If ME’s secrets are compromised (and they will eventually be compromised by either researchers or malicious entities), then the entire ME security model will crumble, exposing every recent Intel system to the worst rootkits imaginable.

Around 2013, we figured out some of the nitty-gritty details regarding how the ME firmware was packaged up into a blob. The ME firmware is verified by a secret boot ROM embedded in the chipset that first checks that the SHA256 checksum of the public key matches the one from the factory, and then verifies the RSA signature of the firmware payload by recalculating it and comparing to the stored signature. This means that there is no obvious way to bypass the signature checking, since the checking is done by code stored in a ROM buried in silicon, even though we have the public key and signature. However, there still might be an exploitable bug in the ROM bootloader.

We also discovered that the critical parts of the ME firmware are stored in a non-standard compressed format, which gets decompressed by a special hardware decompressor. My initial attempts to brute-force the decompression scheme failed miserably. Another group had better success and they have now completed a working decompression routine for all versions of ME up to but not including version 11. Kudos to them!

Our goal is to implement a completely libre software replacement for ME. When the implementation of such a security-critical component is available for scrutiny, it will be peer-reviewed and audited by persons around the world. This generally results in stronger security.

Our goal isn’t to replace Intel’s ME, but to provide a minimal libre alternative firmware for users who choose to use it. Unfortunately, since the firmware is protected by RSA 2048, we currently have no way to execute our own code on the ME hardware because it fails validation. We have no way to move forward, even if we wanted to.

This is scary. Most digital handcuffs are so easy to break that it’s not an issue how to break it, more so an issue of the penalty one might face for actually breaking it. In this case, it is impossible to break unless you have a way to factorize semi-primes with approximately 600 decimal digits in a reasonable time. (At the time of writing this article, pretty much impossible in one human lifetime for anyone with the biggest supercomputer).

So in conclusion, Intel has so far stopped anyone from tinkering with ME firmware in practice, and there is no way to trust the code running on your ME because it’s proprietary. So we are back to the days of the Sony Playstation, but for general purpose computers based on Intel x86. Matters only get worse now that Intel has squeezed a whole system into a chip, SoCs. We have no physical separation between the components that we can trust and the untrusted ME components, so we can’t even cut them off the mainboard anymore.

Below is a highly simplified diagram describing how some of the older ME hardware fits into a system:

Personally, I would like if my ME only did the most basic task it was designed for, set up the bus clocks, and then shut off. This way, it would never be able to talk out of the network card with some of my personal data. I refer to the ME as the Damagement Engine, since it is a hardware add-on that damages your security.

— source boingboing.net by Damien Zammit

If Gnu/Linux won’t install on your laptop, blame Intel not Microsoft

Why won’t Linux install on modern Lenovo laptops? The discovery of this problem set off a recent firestorm. But contrary to initial speculation, it’s not that Microsoft is forcing Lenovo to block the installation of Linux on its laptops. It’s that Intel isn’t making modern hardware compatible with Linux.
Intel needs to provide better Linux support

The reason Linux won’t install on Lenovo’s laptops is a technical one. As Lenovo explained: “To improve system performance, Lenovo is leading an industry trend of adopting RAID on the SSDs in certain product configurations… Unsupported models will rely on Linux operating system vendors releasing new kernel and drivers to support features such as RAID on SSD.”

Here’s the problem: Linux doesn’t support internal solid-state drives in RAID (Intel RST) mode. Linux can see the drive in AHCI (Advanced Host Controller Interface) mode. However, certain Lenovo laptops don’t allow the mode to be changed in the BIOS. You can boot Linux from a USB drive, but not install it on the laptop’s SSD.

As Lenovo explained, Linux developers need to make the Linux kernel compatible with this new feature. Only then will Linux work with the Lenovo Yoga 900 and other laptops that require this feature.

The real question is, why doesn’t Lenovo’s BIOS let you disable RAID mode and use the Linux-compatible AHCI mode on certain laptops, as you can on most other laptops. As Linux developer Matthew Garrett points out, Intel is likely to blame:

“Why would Lenovo do this? I don’t know for sure, but it’s potentially related to something I’ve written about before—recent Intel hardware needs special setup for good power management. The storage driver that Microsoft ships doesn’t do that setup. The Intel-provided driver does. “RAID” mode prevents the Microsoft driver from binding and forces the user to use the Intel driver, which means they get the correct power management configuration, battery life is better and the machine doesn’t melt.”

The problem isn’t, as some commenters suspected, due to Microsoft’s Signature PC program. There are also valid concerns that Secure Boot could eventually block Linux from being installed, but that isn’t happening yet. The fact is, Intel just isn’t helping Linux developers, as it should:

“The real problem here is that Intel does very little to ensure that free operating systems work well on their consumer hardware—we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in ‘RAID’ mode, and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred. Rather than be angry at Lenovo, let’s put pressure on Intel to provide support for their hardware,” Garret says.

If you’re going to take up your pitchfork, at least put Intel in your sights rather than Microsoft.

— source pcworld.com

But Lenovo could ask Intel to provide Gnu/linux support. But they did not. So that left for us one thing. Boycott Intel and Lenovo.

Juniper confirms leaked “NSA exploits” affect its firewalls, no patch released yet

Juniper confirmed exploits leaked by the Shadow Brokers group appear to affect its firewalls, but has not yet patched the vulnerabilities.

The firewall manufacturer is “investigating the recent release of files reported to have been taken from the so-called Equation Group,” Juniper’s security incident response manager Derrick Scholl wrote in a corporate blog post.

Juniper identified an exploit affecting its NetScreen firewall devices that run on the ScreenOS operating system. Initial analysis of the exploit “indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices,” Scholl wrote in the post.

On Tuesday, Ixia’s application and threat intelligence unit discovered an exploit that targets Watchguard Firewalls, according to Steve McGregory, senior director of the ATI group said in emailed comments to SCMagazine.com. Four of the exploits affect TopSec firewalls, primarily used in China, he added.

A week ago, Cisco and Fortinet confirmed that exploits affect their firewall products. Both companies issued patches last Wednesday. The files posted by Shadow Brokers “included exploit code that can be used against multi-vendor devices, including the Cisco ASA and legacy Cisco PIX firewalls,” Cisco wrote last Wednesday. The exploits have been linked to the Equation Group, a group that has been linked to the National Security Agency (NSA).

— source scmagazine.com