Ubiquiti – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Fri, 10 Jun 2022 11:48:59 +0000

Peer to Peer Future | Office Hours 6 https://original.jupiterbroadcasting.net/148877/peer-to-peer-future-office-hours-6/ Fri, 10 Jun 2022 03:00:00 +0000 https://original.jupiterbroadcasting.net/?p=148877 Show Notes: officehours.hair/6

The post Peer to Peer Future | Office Hours 6 first appeared on Jupiter Broadcasting.

Don’t Panic | Self-Hosted 42 https://original.jupiterbroadcasting.net/144707/dont-panic-self-hosted-42/ Fri, 09 Apr 2021 04:00:00 +0000 https://original.jupiterbroadcasting.net/?p=144707 Show Notes: selfhosted.show/42

The post Don't Panic | Self-Hosted 42 first appeared on Jupiter Broadcasting.

Compromised Networking | Self-Hosted 16 https://original.jupiterbroadcasting.net/140942/compromised-networking-self-hosted-16/ Thu, 09 Apr 2020 03:00:00 +0000 https://original.jupiterbroadcasting.net/?p=140942 Show Notes: selfhosted.show/16

The post Compromised Networking | Self-Hosted 16 first appeared on Jupiter Broadcasting.

Self-Hosted: Fixing Brent’s WiFi | Jupiter Extras 45 https://original.jupiterbroadcasting.net/138397/self-hosted-fixing-brents-wifi-jupiter-extras-45/ Fri, 10 Jan 2020 04:00:00 +0000 https://original.jupiterbroadcasting.net/?p=138397 Show Notes: extras.show/45

The post Self-Hosted: Fixing Brent's WiFi | Jupiter Extras 45 first appeared on Jupiter Broadcasting.

Machine Learning Magic | TechSNAP 417 https://original.jupiterbroadcasting.net/137397/machine-learning-magic-techsnap-417/ Fri, 29 Nov 2019 00:15:00 +0000 https://original.jupiterbroadcasting.net/?p=137397 Show Notes: techsnap.systems/417

The post Machine Learning Magic | TechSNAP 417 first appeared on Jupiter Broadcasting.

I.T. Phone Home | TechSNAP 416 https://original.jupiterbroadcasting.net/137022/i-t-phone-home-techsnap-416/ Fri, 15 Nov 2019 00:15:00 +0000 https://original.jupiterbroadcasting.net/?p=137022 Show Notes: techsnap.systems/416

The post I.T. Phone Home | TechSNAP 416 first appeared on Jupiter Broadcasting.

Should I Buy a Chromebook? | Ask Noah Show 64 https://original.jupiterbroadcasting.net/124746/should-i-buy-a-chromebook-ask-noah-show-64/ Thu, 10 May 2018 08:41:03 +0000 https://original.jupiterbroadcasting.net/?p=124746 Show Notes: podcast.asknoahshow.com/64

The post Should I Buy a Chromebook? | Ask Noah Show 64 first appeared on Jupiter Broadcasting.

Export Grade Vulnerabilities | TechSNAP 228 https://original.jupiterbroadcasting.net/86667/export-grade-vulnerabilities-techsnap-228/ Thu, 20 Aug 2015 08:56:51 +0000 https://original.jupiterbroadcasting.net/?p=86667

The post Export Grade Vulnerabilities | TechSNAP 228 first appeared on Jupiter Broadcasting.

Lenovo & HP are caught injecting malware even after you format the drive, Ubiquiti Networks is socially engineered out of 46 million & are we entering the era of Security Research Prohibition? We debate.

Plus a great batch of your questions, our answers, a rocking round up & much, much more!

— Show Notes: —

Lenovo and HP caught injecting malware even after you wipe the machine

  • A user on the Ars Technica forums discovered the malware being installed on his freshly re-formatted computer
  • How is that possible, the entire disk was erased…
  • Well, it turns out Microsoft has a solution for that, the “Windows Platform Binary Table”
  • Details on Microsoft’s “Windows Platform Binary Table”
  • An area in the BIOS where you can stick some files, and they will be run with ‘SYSTEM’ privileges after Windows (8+) starts
  • They have access to the file system even if the disk is encrypted with BitLocker, because the code is run after the file system is mounted
  • “Microsoft’s Windows Platform Binary Table WPBT feature allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware. The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable will take care of the job of installing files before the operating system starts.”
  • “During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary,” Microsoft’s documentation states. “The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process.”
  • “The LSE (Lenovo Service Engine) makes sure C:\Windows\system32\autochk.exe is Lenovo’s variant of the autochk.exe file; if Microsoft’s official version is there, it is moved out of the way and replaced. The executable is run during startup, and is supposed to check the computer’s file system to make sure it’s free of any corruption.”
  • “Lenovo’s variant of this system file ensures LenovoUpdate.exe and LenovoCheck.exe are present in the operating system’s system32 directory, and if not, it will copy the executables into that directory during boot up. So if you uninstall or delete these programs, the LSE in the firmware will bring them back during the next power-on or reboot.”
  • In the Microsoft documentation, they try to make it clear:
  • “The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration … Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.”
  • Which is funny, because the entire WPBT feature “exposes Windows users to exploitable conditions”
  • “Secure as possible? Not in this case: security researcher Roel Schouwenberg found and reported a buffer-overflow vulnerability in the LSE that can be exploited to gain administrator-level privileges.”
  • “After Lenovo learned of this bug in April, it dawned on the company that its LSE was falling foul of Microsoft’s security guidelines for using the powerful WPBT feature. Two months later, in June, it pulled the whole thing: the LSE software is no longer included in new laptops.”
  • Luckily, if you are not running Windows 8 or higher, your computer is not affected
  • Note: This has been observed on desktop computers too, not just laptops
  • Note Well: This is a “feature” of Windows, so every computer with Windows 8 or higher is actually vulnerable to having malicious code injected; there just might not be any such code in your firmware currently.
  • Microsoft says: “If partners intentionally or unintentionally introduce malware or unwanted software through the WPBT, Microsoft may remove such software through the use of anti-malware software. Software that is determined to be malicious may be subject to immediate removal without notice.”
  • However, since the file that gets executed only ever exists in memory, Microsoft’s malware scanner won’t find the WPBT binary, only the malware it drops into your system
  • Lenovo used Windows anti-theft feature to install persistent crapware
  • Lenovo Busted For Stealthily Installing Crapware Via BIOS On Fresh Windows Installs
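
To check whether a machine's firmware carries a WPBT entry at all, the ACPI table itself can be inspected. The parser below is an added example, not code from the show notes or from Microsoft; it assumes the field layout published in the ACPI specification and Microsoft's WPBT document (36-byte header, then handoff size, handoff address, content layout, content type, argument length, UTF-16 arguments), and the sample table is constructed.

```python
import struct

# Layout assumed from the ACPI spec (36-byte table header) and Microsoft's WPBT document.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, args length
BODY_END = ACPI_HEADER.size + WPBT_BODY.size


def parse_wpbt(raw: bytes) -> dict:
    """Validate a raw WPBT table and return the fields worth recording in an audit."""
    if len(raw) < BODY_END:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(raw)
    size, addr, layout, ctype, arg_len = WPBT_BODY.unpack_from(raw, ACPI_HEADER.size)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not BODY_END + arg_len <= length <= len(raw):
        raise ValueError("inconsistent length fields")
    # Assumption: the argument string is UTF-16LE, as in Microsoft's document.
    args = raw[BODY_END:BODY_END + arg_len].decode("utf-16-le", errors="replace")
    return {
        "oem_id": oem_id.decode("ascii", errors="replace").strip(),
        "oem_table_id": oem_table.decode("ascii", errors="replace").strip(),
        "checksum_ok": sum(raw[:length]) % 256 == 0,  # ACPI: all bytes sum to 0 mod 256
        "handoff_size": size,        # size of the platform binary in memory
        "handoff_address": addr,     # physical address Windows reads it from
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.rstrip("\x00"),
    }


def build_sample(args: str = "/demo") -> bytes:
    """Constructed table for offline testing; every value here is made up."""
    arg_bytes = args.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(0x20000, 0x7A5F0000, 1, 1, len(arg_bytes)) + arg_bytes
    head = ACPI_HEADER.pack(b"WPBT", BODY_END + len(arg_bytes), 1, 0,
                            b"DEMO  ", b"SAMPLE  ", 1, b"DEMO", 1)
    table = bytearray(head + body)
    table[9] = -sum(table) & 0xFF  # byte 9 is the header checksum
    return bytes(table)


if __name__ == "__main__":
    # On Linux the real table, if the firmware ships one, is exposed at
    # /sys/firmware/acpi/tables/WPBT (readable by root); here we use the sample.
    for key, value in parse_wpbt(build_sample()).items():
        print(f"{key:16} {value}")
```

If no WPBT table is present in the firmware, there is nothing for Windows to hand off; a present table with a non-zero handoff size is the case worth investigating.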

Ubiquiti Networks loses 46 million in cyber bank heist

  • “Networking firm Ubiquiti Networks Inc. disclosed this week that cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers”
  • So, pretend to be the boss, and get a secretary, or the finance department to approve expenses or transfers
  • The attack was disclosed as part of the company’s quarterly filings with the SEC
  • “This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” Ubiquiti wrote. “As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary’s bank and promptly initiated legal proceedings in various foreign jurisdictions. As a result of these efforts, the Company has recovered $8.1 million of the amounts transferred.”
  • “The swindle that hit Ubiquiti is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments”
  • “Ubiquiti didn’t disclose precisely how it was scammed, but CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the letter “L” for the numeral 1) or “example.co,” and send messages from that domain.”
  • “The FBI’s advisory on these scams urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.”
  • “Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes are unlikely to set off spam traps, because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans.”
  • These won’t be your typical phishing emails full of broken English and bad punctuation
  • These will be highly researched scams designed to make you think you are communicating with the real person
  • “On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.”
  • Even two-factor auth can be defeated here, because you are tricking someone into doing the transfer for you
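
Because these messages are not mass-mailed and slip past spam traps, a mail gateway or finance workflow can at least flag sender domains that are "one or two letters off" from the company's own. The check below is an added example, not from the show notes or the quoted article; `example.com` stands in for the real domain, the confusable list is illustrative, and the headers are constructed.

```python
from email.utils import parseaddr

# Character swaps commonly used to imitate a domain; illustrative, not exhaustive.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))


def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences so look-alikes compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted: set, max_dist: int = 2):
    """Return (verdict, matched_trusted_domain) for one From: header."""
    addr = parseaddr(from_header)[1]
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    for good in sorted(trusted):
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good):
            return ("lookalike-homoglyph", good)
        # max_dist=2 matches the "one or two letters off" pattern; very short
        # trusted domains will need a lower threshold to avoid false positives.
        if edit_distance(domain, good) <= max_dist:
            return ("lookalike-typo", good)
    return ("external", None)


if __name__ == "__main__":
    # Constructed headers for demonstration only.
    for header in ('"Pat Lee" <pat.lee@example.com>', "Pat Lee <pat.lee@examp1e.com>",
                   "pat.lee@example.co", "Pat Lee <pat.lee@exarnple.com>",
                   "billing@supplier.test"):
        print(f"{header:34} -> {classify_sender(header, {'example.com'})}")
```

A "lookalike" verdict is a reason to hold the message and verify the request over a separate channel such as a phone call, as the FBI advisory quoted above recommends.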

We may be entering the era of Security Research Prohibition

  • As if the Oracle nonsense last week was not bad enough, the Wassenaar Arrangement threatens to send us into the dark ages
  • “The U.S. implementation of the rules, which govern the export of so-called intrusion software among other things, has been criticized sharply by lawyers, security researchers, and software vendors, who say that the proposed rules are too vague and threaten to chill legitimate security research and other activities.”
  • “The rules that we got on May 20 are confusing to say the least. The Commerce Department didn’t have any experience with these kind of rules,” Nate Cardozo, a staff attorney at the EFF, said during a panel on Wassenaar at the Black Hat conference here Thursday. “They are really horrendously vague.”
  • “The Bureau of Industry and Security at the Commerce Department proposed the rules in May and opened up a 60-day comment period. Many security researchers and attorneys submitted comments, and the BIS has said it will revise the rules and open them up for public comment again, a somewhat unusual move.”
  • “The Wassenaar rules have been compared in many circles to the export controls on encryption software that came into effect in the 1990s in the U.S. There is an important lesson to be drawn from the way the crypto controls were handled.” “We should learn how much those controls did the opposite of what was intended, which is weakening the security of the Internet as a whole”
  • “Because the BIS rules as currently written are so vague about what constitutes intrusion software, things such as Metasploit and other common offensive tools could be regulated. And even sharing information about your own security research with a co-worker in another country could cause issues. Researchers are quite wary of these vagaries and worry that their day-to-day work may be restricted.”
