Thunderstrike Mac Attack Achieves Persistence

An attack on MacBooks, called Thunderstrike, has been uncovered that makes use of the laptops’ physical Thunderbolt interface to achieve persistent boot rootkits.

Security researcher Trammell Hudson is prepping a demonstration of the attack for the 31st Chaos Communication Congress in Hamburg. It’s based on a two-year-old vulnerability, and will show how hackers can use malicious code to infect a MacBook's boot read-only memory (ROM), which is stored in a chip on the motherboard.

This results in the installation of persistent firmware modifications into the EFI boot ROM of Apple's popular MacBooks. The ROM is executed before the OS is loaded, so that it can simply hijack the OS kernel and take over the system. That also means that updating Mac OS X and/or replacing the hard disk drive will have no effect on the malware.

The bootkit can be easily installed by an evil maid via the externally accessible Thunderbolt ports. Once installed, it can prevent software attempts to remove it and could spread virally across air gaps by infecting additional Thunderbolt devices.

"It is possible to use a Thunderbolt Option ROM to circumvent the cryptographic signature checks in Apple's EFI firmware update routines," Hudson said, describing his presentation. "This allows an attacker with physical access to the machine to write untrusted code to the SPI flash ROM on the motherboard and creates a new class of firmware bootkits for the MacBook systems."

Thunderstrike also has a clever replication technique. "Additionally, other Thunderbolt devices' Option ROMs are writable from code that runs during the early boot and the bootkit could write copies of itself to new Thunderbolt devices," he said. "The devices remain functional, which would allow a stealthy bootkit to spread across air-gap security perimeters through shared Thunderbolt devices."

--Tara Seals, US/North America News Reporter, Infosecurity Magazine

Microsoft OneDrive - Encryption Keys Uploaded?

Microsoft OneDrive in NSA PRISM

A sends:

1) Bitlocker keys are uploaded to OneDrive by 'device encryption'.

"Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected.

If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created."

2) Device encryption is supported by Bitlocker for all SKUs that support connected standby. This would include Windows phones.

"BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected stand-by. Previously this form of encryption was only available on Windows RT devices."

3) The tech media and feature articles recognise this.

"... because the recovery key is automatically stored in SkyDrive for you."

4) Here's how to recover your key from Sky/OneDrive.

"Your Microsoft account online. This option is only available on non-domain-joined PCs. To get your recovery key, go to"

5) SkyDrive (now named OneDrive) is onboarded to PRISM. (pg 26/27)


We Should All Jump to the ‘Erasable Internet’

This month’s news provides yet another occasion for a friendly public-service reminder to anyone who uses a digital device to say anything to anyone, ever. Don’t do it. Don’t email, don’t text, don’t update, don’t send photos.

At least, don’t do it if you have any expectation that what you say will remain private — a sentiment that’s usually taken for granted in human communication, but that we should all throw to the winds, at least until we figure out a way to completely rethink how we store and manage our digital data.

Because here’s the thing about the digital world that we must remember. Nothing you say in any form mediated through digital technology — absolutely nothing at all — is guaranteed to stay private. Before you type anything, just think: How will this look when it gets out? What will Angelina Jolie think if she finds out about this? If Angelina won’t like it, don’t send it. Because Angelina will find out. So will the rest of the world.

This might seem like an extreme, perhaps jaded response to the hack at Sony Pictures Entertainment, which has resulted in the disclosure of thousands of private documents ranging from trivial to merely embarrassing to grossly serious.

The disclosures make the case for creating what I’ve called “the erasable Internet.” Last year, after the stunning rise of Snapchat, an app that sends pictures and messages that disappear after the recipient receives them, I argued that we were witnessing the birth of a new attitude toward data online.

Snapchat showed that saving everything — the default assumption of digital communication since its birth — wasn’t the only way to navigate the digital world. “Erasing all the digital effluvia generated by our phones and computers can be just as popular a concept as saving it,” I argued — and if we moved toward that model, the Internet might be a more private, and less dangerous and damaging place.

The Snapchat Internet is now being built. A range of start-ups across the world, including Snapchat itself, are working to create communications systems that are not based on saving as a default. Someday, perhaps someday soon, it may be possible to quickly and easily send messages that you can be fairly confident are secure.

But the erasable Internet is not really here today. And we should start acting like it. Despite the increasing popularity of programs that don’t store all of our data by default, almost everything we do on computers today is recorded and stored somewhere, often in places over which we don’t have any control.

Even Snapchat itself has been too loose on privacy. In May, it settled charges with the Federal Trade Commission, which had accused the company of collecting more data about users than it had disclosed, and of leaving users’ messages vulnerable to being captured using simple workarounds.

This suggests two ways to respond to the Sony attack. First, assume everything is public. Go about your business as if all you do on a computer is vulnerable to intrusion and exposure. Second, agitate for a world in which saving is not the default.

“Everyone is so excited about the cloud, but the cloud is really a drunken Xerox machine making copies of pretty much everything that everyone has said anywhere and spewing it all over the place,” said Howard Lerman, the co-creator of Confide, a messaging app that works like the corporate version of Snapchat.

Messages on Confide are deleted as soon as they are read. The app even includes a clever user-interface trick that requires scrolling a finger across the screen to read text, a measure that reduces the chance of someone capturing and distributing a screen image of a message. According to Mr. Lerman and his partner, Jon Brod, the Sony attack has prompted a surge of interest in Confide. “This was our biggest week ever,” Mr. Lerman said.

He sees Confide as a replacement for the business phone call.

“For you to be truly secure, the stuff that you say shouldn’t be lying around in places you have no control over,” Mr. Lerman said. “It used to be, 20 years ago, that the stuff you said in a conversation would be gone. That’s not true anymore.”

But the problem with Confide, Snapchat and every other ephemeral app is that not everyone uses them. To communicate with much of the world today, we’ve got to rely on insecure systems like email. That means we’ve got to remember to watch what we say and how we say it.

It’s a telling point that one victim in the Sony attack was Snapchat itself, whose secret business dealings were uncovered.

In an email to employees after the hack — an email he later tweeted — Evan Spiegel, Snapchat’s chief executive, wrote that he was saddened and angered by the attack, but that it underscored the urgency of Snapchat’s vision for the future of online life.

The central motivation of that vision, he wrote, was to bring a measure of secrecy back into our social lives. Secrets “bring us together,” Mr. Spiegel wrote, launching into an elegiac defense of privacy. He added: “It’s not O.K. that people steal our secrets and make public that which we desire to remain private.”


The Best Thing We Can Do About the Sony Attack Is Calm Down

First we thought North Korea was behind the Sony cyberattacks. Then we thought it was a couple of hacker guys with an axe to grind. Now we think North Korea is behind it again, but the connection is still tenuous. There have been accusations of cyberterrorism, and even cyberwar. I've heard calls for us to strike back, with actual missiles and bombs. We're collectively pegging the hype meter, and the best thing we can do is calm down and take a deep breath.

First, this is not an act of terrorism. There has been no senseless violence. No innocents are coming home in body bags. Yes, a company is seriously embarrassed—and financially hurt—by all of its information leaking to the public. But posting unreleased movies online is not terrorism. It's not even close.

Nor is this an act of war. Stealing and publishing a company's proprietary information is not an act of war. We wouldn't be talking about going to war if someone snuck in and photocopied everything, and it makes equally little sense to talk about it when someone does it over the internet. The threshold of war is much, much higher, and we're not going to respond to this militarily. Over the years, North Korea has performed far more aggressive acts against US and South Korean soldiers. We didn't go to war then, and we're not going to war now.

Finally, we don't know these attacks were sanctioned by the North Korean government. The US government has made statements linking the attacks to North Korea, but hasn't officially blamed the government, nor have officials provided any evidence of the linkage. We've known about North Korea's cyberattack capabilities long before this attack, but it might not be the government at all. This wouldn't be the first time a nationalistic cyberattack was launched without government sanction. We have lots of examples of these sorts of attacks being conducted by regular hackers with nationalistic pride. Kids playing politics, I call them. This may be that, and it could also be a random hacker who just has it out for Sony.

Remember, the attackers didn't start talking about The Interview until the press did. Maybe the NSA has some secret information pinning this attack on the North Korean government, but unless the agency comes forward with the evidence, we should remain skeptical. We don't know who did this, and we may never find out. I personally think it is a disgruntled ex-employee, but I don't have any more evidence than anyone else does.

What we have is a very extreme case of attacking. By "extreme" I mean the quantity of the information stolen from Sony's networks, not the quality of the attack. The attackers seem to have been good, but no more than that. Sony made its situation worse by having substandard security.

Sony's reaction has all the markings of a company without any sort of coherent plan. Near as I can tell, every Sony executive is in full panic mode. They're certainly facing dozens of lawsuits: from shareholders, from companies who invested in those movies, from employees who had their medical and financial data exposed, from everyone who was affected. They're probably facing government fines, for leaking financial and medical information, and possibly for colluding with other studios to attack Google.

If previous major hacks are any guide, there will be multiple senior executives fired over this; everyone at Sony is probably scared for their jobs. In this sort of situation, the interests of the corporation are not the same as the interests of the people running the corporation. This might go a long way to explain some of the reactions we've seen.

Pulling The Interview was exactly the wrong thing to do, as there was no credible threat and it just emboldens the hackers. But it's the kind of response you get when you don't have a plan.

Politically motivated hacking isn't new, and the Sony attack is not unprecedented. In 2011 the hacker group Anonymous did something similar to the internet-security company HBGary Federal, exposing corporate secrets and internal emails. This sort of thing has been possible for decades, although it's gotten increasingly damaging as more corporate information goes online. It will happen again; there's no doubt about that.

But it hasn't happened very often, and that's not likely to change. Most hackers are garden-variety criminals, less interested in internal emails and corporate secrets and more interested in personal information and credit card numbers that they can monetize. Their attacks are opportunistic, and very different from the targeted attack Sony fell victim to.

When a hacker releases personal data on an individual, it's called doxing. We don't have a name for it when it happens to a company, but it's what happened to Sony. Companies need to wake up to the possibility that a whistleblower, a civic-minded hacker, or just someone who is out to embarrass them will hack their networks and publish their proprietary data. They need to recognize that their chatty private emails and their internal memos might be front-page news.

In a world where everything happens online, including what we think of as ephemeral conversation, everything is potentially subject to public scrutiny. Companies need to make sure their computer and network security is up to snuff, and their incident response and crisis management plans can handle this sort of thing. But they should also remember how rare this sort of attack is, and not panic.

    Bruce Schneier

Attackers Can Read Your Private SMS and Listen to Phone Calls

Security researchers have discovered a massive security flaw that could let attackers and cybercriminals listen to private phone calls and read text messages on a potentially vast scale – no matter if the cellular networks use the latest and most advanced encryption available.

The critical flaw lies in the global telecom network known as Signaling System 7, which multiple phone carriers across the world, including AT&T and Verizon, use to route calls, texts and other services to each other. The vulnerability was discovered by German researchers, who will present their findings at a hacker conference in Hamburg later this month.

    "Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world's billions of cellular customers," said The Washington Post, which first uncovered flaws in the system earlier this year.

SS7 or Signaling System Number 7 is a protocol suite used by most telecommunications operators throughout the world to communicate with one another when directing calls, texts and Internet data. It allows cell phone carriers to collect location information from cell phone towers and share it with each other. A United States carrier will find its customer, no matter if he or she travels to any other country.

According to the security researchers, the outdated infrastructure of SS7 makes it easy for attackers to exploit, as it carries serious security vulnerabilities that can lead to large-scale privacy invasions for billions of cellular customers worldwide.

    "The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that attackers can repurpose for surveillance because of the lax security on the network," the report reads.

So far, the full extent of the flaws has not been revealed, but it is believed that attackers can use them to locate users, redirect their calls to themselves or anywhere in the world before forwarding them to the intended recipient, listen to calls as they happen, and record hundreds of encrypted calls and texts at a time for later decryption.

It makes no difference how strong or advanced the carriers' encryption is. AT&T and Verizon, for example, use 3G and 4G networks for calls and texts between people on the same network, but their use of the old and insecure SS7 protocol for exchanging data across networks leaves the backdoor open for attackers.

Beyond surveillance, the SS7 protocol also creates the potential to defraud users and cellular carriers, according to the researchers.

The American Civil Liberties Union (ACLU) has also warned people against using their handset in light of the breaches.

    "Don't use the telephone service provided by the phone company for voice. The voice channel they offer is not secure," principal technologist Christopher Soghoian told Gizmodo. "If you want to make phone calls to loved ones or colleagues and you want them to be secure, use third-party tools. You can use FaceTime, which is built into any iPhone, or Signal, which you can download from the app store. These allow you to have secure communication on an insecure channel."

Soghoian also believes that security agencies – like the United States' NSA and the British security agency GCHQ – could be using these flaws. "Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation. They've likely sat on these things and quietly exploited them," he said.

The poor security of the SS7 protocol is not hidden from the public, and it is not new at all: just three months ago we reported How a Cell Phone User Can be Secretly Tracked Across the Globe. But in an era where everyone cares about the privacy and security of their data, findings like this publicize exactly how big the threat really is and leave many worried about its consequences.


Critical Flaw Hits Millions of Home Routers

Security researchers are warning of a critical vulnerability in several different home router models that could put at risk the data of millions of consumers and small businesses worldwide.

Check Point’s Malware and Vulnerability Research Group uncovered Misfortune Cookie, a flaw which could allow attackers to remotely take over an affected router with admin privileges.

CVE-2014-9222 is found in popular routers made by D-Link, Edimax, Huawei, TP-Link, ZTE, ZyXEL and others.

Specifically, it affects RomPager from AllegroSoft – web server software embedded in the firmware which comes with the above gateway devices, Check Point said.

The vendor continued:

“An attacker with administrative access to your gateway holds an alarming control over your wired and/or wireless network (local area network) infrastructure. Such control puts devices at risk of Man-in-The-Middle attacks, greatly increases the attack surface for LAN-side vulnerabilities, and gives attackers the ability to directly monitor connections and identifiers belonging to your devices.

The implications of these risks mean more than just a privacy violation – they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes. This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.”

Although there have thus far been no reported incidents of attackers exploiting the flaw in the wild, there are at least 12 million such devices in 189 countries across the globe, the vendor added.

In some countries, as many as one in two IP addresses in use are affected, it said.

Check Point urged the affected device makers to release updated firmware which addresses the problem – RomPager version 4.34 or higher.

It branded the threat “a wake-up call for the embedded device industry and consumers alike.”
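As an added example (not Check Point's or AllegroSoft's code), the following script triages a small inventory of HTTP Server banners recorded from one's own gateways against the fixed RomPager version the article names, 4.34. The banner strings, device names, and the inventory itself are constructed for illustration.

```python
"""Constructed example: check whether a gateway's HTTP Server banner
advertises a RomPager build older than 4.34, the version the article
names as carrying the Misfortune Cookie (CVE-2014-9222) fix."""
import re
from typing import Dict, List, Optional, Tuple

PATCHED_VERSION = (4, 34)  # from the article: RomPager 4.34 or higher


def parse_rompager_version(server_header: str) -> Optional[Tuple[int, ...]]:
    """Return the RomPager version as a tuple of ints, or None if the
    banner does not identify RomPager at all."""
    m = re.search(r"RomPager/(\d+(?:\.\d+)*)", server_header, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_banner(server_header: str) -> Optional[bool]:
    """True if RomPager < 4.34, False if >= 4.34, None if not RomPager.
    A banner alone cannot prove a device is patched: vendors sometimes
    backport fixes without changing the advertised version, so treat
    True as 'confirm with the vendor', not as proof of exploitability."""
    version = parse_rompager_version(server_header)
    if version is None:
        return None
    return version < PATCHED_VERSION


# Constructed sample inventory: device name -> Server header it returned.
SAMPLE_BANNERS: Dict[str, str] = {
    "gateway-a": "RomPager/4.07 UPnP/1.0",
    "gateway-b": "RomPager/4.34",
    "gateway-c": "RomPager/4.51 UPnP/1.0",
    "gateway-d": "lighttpd/1.4.35",
}


def triage(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Split an inventory into update / patched / other (not RomPager)."""
    result: Dict[str, List[str]] = {"update": [], "patched": [], "other": []}
    for name, banner in banners.items():
        verdict = is_vulnerable_banner(banner)
        key = "other" if verdict is None else ("update" if verdict else "patched")
        result[key].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_BANNERS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Tuple comparison handles multi-part versions, so "4.34.1" sorts above "4.34" and below "4.51".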

UK / EMEA News Reporter, Infosecurity Magazine