> Computrace/LoJack is a legitimate application that is factory installed into the firmware of nearly every laptop in the world, of all varieties. The idea is that if your laptop gets stolen, you can find it, and/or wipe it remotely. This is obviously good, and useful.
How is this so? No one's ever mentioned this when talking about stolen laptops. They talk about high level software like Prey or whatever Apple uses. How would you use this to find your laptop? There's a central server that almost every laptop on earth talks to? Seems highly doubtful.
You’d hope that’s unlikely, but unfortunately it is not. Microsoft left a backdoor in UEFI/BitLocker to specifically support this.
It’s also had a history of major security issues, and a vendor who does not understand how to deal with vulnerability reports.
They aren’t on Apple laptops though, just most OEMs.
Personally, I think it’s absolutely fantastic that this has finally been publicly exploited in the wild and repurposed for malicious purposes, because this was called out as an obvious threat almost 10 years ago now, and none of the vendors took it seriously or cared. Now they can’t ignore it with the “we have no reports of any customers being attacked” deflection and they will likely face far more scrutiny. It’s just like what happened with the Intel ME staying under the radar for so long, but at least to Intel’s credit, they actually attempted to build security in.
- Put secure software in the lowest ring possible to make it more secure
- "The good can use it against the bad" but not the other way round
- Proof of ownership based on "I said it first"
- Of course, closed source, because security
Sorry for the tinfoil interpretation, but I believe it's hard to convince every company to (most likely) pay for this stuff without some sort of coercion.
Looks to me like Intel ME, secure platform processors, mandatory backdoors for devices, and the likes.
> The software agent behaves like rootkit (bootkit), reinstalling a small installer agent into the Windows OS at boot time. This installer later downloads the full agent from Absolute's servers via the internet. This installer (small agent) is vulnerable to certain local attacks
At these levels Linux doesn't need to include the functionality. This operates below the kernel and can include its own functionality without the Kernel ever seeing it present.
Where this code lives they can sit passively by until you've decrypted your hard drive (capturing your key in the process), patch the kernel with a rootkit, and start processes or drop files that will be invisible and inaccessible to even other kernel processes.
This isn't a vulnerability in Windows, or Linux. This is drinking from a polluted pool before they come into existence and poisoning the system.
You are describing some sort of firmware modification attack. That is not what this is. If the software stub is not actively downloaded by the OS then it can't run. This exploit is very specific to a bonehead thing Windows does. No other OS (e.g. Linux) would be vulnerable.
You're talking about an attack against the agent this is designed to download, or you don't understand what a UEFI attack is. This is an attack against the UEFI part, not the agent. This isn't firmware, but it is pre-bootloader. UEFI is the bootloader that loads your bootloader, and it is not stored on your hard drive.
If software at this level is malicious, it has equal privileges as your BIOS before any kernel gets loaded. It doesn't matter what the operating system is, it just has to be designed for it. It can return TPM approved checksums to your kernel and continue a secure boot as long as it knew what those checksums were before it modified them. Oh you use an external drive for your unencrypted boot partition? That can be modified as it is read off disk, before you're ever prompted for a disk passphrase, and it will report the correct checksum before it gets loaded.
This is a vicious level of access for malicious software, and it is OS agnostic as far as the attack goes. THIS instance is Windows only because that is what it was targeted at.
Use full disk encryption - unlike Microsoft BitLocker, which left backdoors for LoJack, Linux vulnerabilities are publicized and you can update as soon as the patch appears on the internet.
Switch to a filesystem that the UEFI malware does not understand. Or move fields and magic numbers around in an existing filesystem to create a "custom" filesystem.
What's stopping firmware from patching GRUB to patch the kernel to do things it's not supposed to do? There is nothing inherent to Linux that makes it invulnerable to this kind of thing.
If you can't trust the underlying hardware or firmware, you cannot trust the machine.
But there's no technical reason this behavior must be Windows-only; it's just that way now because Linux isn't a business priority. The fundamental architecture, where UEFI software can write to a filesystem on the disk, applies to Linux installs just as much as Windows.
Using Linux is likely a good move, and encrypting your filesystem even better. But both of these could be defeated by an appropriately targeted UEFI program. I get the appeal for an enterprise that wants a chance at remotely tracking a stolen laptop, but now we can see how much power can be misappropriated when the system is compromised.
The problem here is not UEFI software being able to do nasty things to your OS disk.
Anything launched prior to your OS can do that, like boot-sector viruses of the old days.
What’s different here is how someone (with luck) can infect your firmware stealthily and deploy a UEFI payload (typically intended to provide base HW drivers with a machine) which Windows will actively detect and install and run without question.
And thus the initial agent gets deployed and installed.
Windows installs the root kit into its own FS, all by itself.
But only on Windows, because Linux does NOT look for or use that UEFI driver payload.
Linux is immune to this attack. Really.
If your entire firmware gets corrupted and replaced by hostile material, obviously you’re screwed, but what are the chances of that happening and your machine booting?
Is there anything that prevents the FW from writing to the disk directly? Or patching the OS kernel in memory? Unless there are actually security mechanisms in place to assure that firmware can only politely request the OS to do something, then it is only a matter of best practices and ease that that is the mechanism used.
There is not just a single explanation, but I'll give it a go. 1) Many industry titans such as MS, Apple and Monsanto, just as examples, have encouraged employees to participate in forums like this in order to affect conversations and influence debates, so real users with a strong bias against uncomfortable truths/facts use downvotes in a way not intended. 2) From those same types of companies, sockpuppetry has become a pervasive and powerful item in their toolbelt, accomplishing the same as above but with inorganic users and on a large scale. 3) HN has some extremely good commentators, some who have been around for a long time, but I have noticed a large careening away from the type of hackeristic dogged pursuit of truth and lack of fear of attacking power that seemed to be the core of HN in its earlier days, in particular since the user-protested and ignored rule change to "don't be negative", where heated debates between truth-to-power speakers and status quo speakers tend to bring the hammer down on those against the status quo. Hence why I say HN seems to me to have become, much more than ever before, MBAs who pretend to be hackers, instead of the other way around. 4) As a greybeard sysadmin type, I think many users suffer from Stockholm syndrome, and will blindly downvote (usually with no comment) attacks against their kidnappers, even if truthful.
I don’t know about Monsanto, but I have knowledge of the social media policies of both Apple and MS and you couldn’t be more wrong. Don’t mistake personal bias/company pride for an organized sock puppet campaign.
MS allows its employees to comment on matters in a personal capacity with a disclaimer indicating such.
Apple employees are not supposed to comment at all, and can be terminated for doing so.
Both explicitly forbid shilling, and there is no encouragement by the company to do anything like what you’re describing. This should be obvious if one considers how many lawyers they employ whose sole job it is to prevent them from being sued, charged, or investigated.
I know folks at both companies, and while everyone is unique, I noticed that many have a lot of pride in their employer, have a strong dislike for competitors, and would likely engage in expressing their disagreement voluntarily.
1. Are there any probable/plausible examples of such manipulation? I say this from a 100% naive standpoint - literally: I've never seen it myself, so it unfortunately does work. Not to say I doubt it exists; I've read about the concept enough times that I accept that it exists.
2. Regarding (3), do you think it would be possible to cultivate that mindset again, in a different setting/environment, or are these trends influenced by the contemporary status quo? :/
2a. If you _do_ think it might be possible, I'm very interested to absorb ideas on how to create constructive discussions online. People have had more than enough interactions with the current mainstream (twitter, facebook, reddit, here, etc) to probably have _some_ idea on how to massively improve tooling/UX/etc.
2) I do think it is possible, but it is much more difficult to gain those users back who have fled due to those issues. It would require a public shift in forum management style that openly acknowledges its issues, which especially in a place like this would be hard because for the most part dang et al actually do a great job and the issues we are talking about are very nuanced...
2a) If you come to some conclusions on this I'd like to hear them too. It's something I think about often, and I'm yet to find some silver bullet. I tend to gravitate towards some mishmash of past techniques; for example, I really liked Slashdot's mod system, where random users were given mod ability, and instead of just points, you could label something informative, funny, etc. I also think exclusivity can be a boon, so for example invite-only forums or some other exclusion method can naturally curate conversations, but on the flip side you will tend to keep otherwise good commentators silent that way. Steemit's idea of monetization of good content via crypto is another approach... none of them alone seems to be enough...
One idea I've had that's technically challenging would be some sort of AI comment judge with preselected criteria, so let's say a commenter makes many logically fallacious comments, then that person gets a temp-ban.
Another has been just purely based on comment depth/length. If a user often goes in depth, a few one sentence quips would reduce their score-weight but they could still post, but another user who only does one line quips would get a temp-ban.
In short, I don't know, but whoever figures this out is going to be a big deal.
I started spending more time here specifically because these problems became more pervasive on reddit. Seems like the same thing is happening here now.
Unfortunately I don't. One thing to keep in mind is that more specialized and specific forums tend to maintain that vibe, so instead of more generalized forums, find the niche ones and watch 'em on RSS.
I also still enjoy irc, usenet, and deepnet sites (such as onion sites, etc) for the less mainstream, old school hacker vibe.
Your comment is incorrect as applied to the actual rootkit being discussed. It's (arguably) factually correct in isolation, but misleading.
> UEFI lets the FW signal to the OS upon boot “please install this driver blindly”, but it can’t force the OS.
> Only Windows obliges to this request. Linux is immune.
UEFI firmware runs before the OS and with greater privileges – e.g. it has control over System Management Mode (SMM), which is hidden from the OS. It can force the OS to do whatever it wants. For example, it can modify system files on disk, which should be enough to compromise most Linux installations. If that isn't possible (because something verifies the files), it could, e.g., patch the next stage bootloader it loads (which could be GRUB or the kernel itself via EFISTUB) in memory before executing it. Or, as an easier approach, it could just add an SMI handler that patches the kernel later on.
It is true that Windows 8 and later exposes a way for UEFI to "ask it nicely" to load a given driver, without having to patch anything, namely the WPBT (Windows Platform Binary Table). As you note, this is the mechanism Lenovo used to persist Superfish. The reason it exists, however, is for anti-theft software such as Computrace/LoJack. Earlier versions of Computrace took a "brute force" route to installing its persistence driver, patching system files on disk, and there wasn't really anything Microsoft could do to stop it. So instead they decided to give them a sanctioned route to accomplish the same thing, which at least is less likely to break something in the process.
However, at least according to the white paper, the LoJax UEFI rootkit does not use WPBT at all. Instead it uses an approach that seems to be inspired by older (pre-WPBT) versions of Computrace. [1] Specifically, it drops a binary "autoche.exe" into the filesystem, then modifies the registry to execute autoche.exe on boot instead of the normal autochk.exe (note that the last letter is different).
Thus, WPBT is irrelevant in this case. The malware hijacks Windows by modifying its filesystem, and if the authors cared enough to target Linux, they could hijack most Linux installations the same way (and all installations with a somewhat more difficult approach). But then, even if some piece of malware did decide to use WPBT when targeting Windows, it could still use the more elaborate methods to target Linux. At most, WPBT makes it slightly easier for UEFI malware to target Windows than it would otherwise be. But it really doesn't make much difference.
[1] To clarify: As the white paper describes, a later stage of the bootstrap, rpcnetp.exe, is actually copied from an older version of Computrace and merely patched to change the C&C server address. However, the UEFI part of the malware is custom, and merely uses a similar (but slightly different) overall approach. Computrace's own UEFI driver worked by actually modifying autochk.exe, whereas the malware modifies the registry to execute a different filename instead.
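A defender-side check for the persistence trick described above (BootExecute pointing at a lookalike of autochk.exe). This is an added example, not code from the thread or the white paper; the registry path and the stock "autocheck autochk *" value are standard Windows, and the sample entries are constructed.

```python
# Audit the Session Manager BootExecute value for a substituted autochk binary.
# Stock Windows: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
# is a REG_MULTI_SZ whose normal content is "autocheck autochk *"; a scheduled
# chkdsk may add entries such as "autocheck autochk /r \??\C:", also legitimate.
KNOWN_GOOD = {"autochk"}
REFERENCE = "autochk"

# Constructed sample values (not read from a real machine).
CLEAN_ENTRIES = ["autocheck autochk *", "autocheck autochk /r \\??\\C:"]
SUSPECT_ENTRIES = ["autocheck autoche *"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-letter lookalikes of autochk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_boot_execute(entries):
    """Return (entry, reason) pairs for every BootExecute line that is not stock."""
    findings = []
    for entry in entries:
        tokens = entry.split()
        if len(tokens) < 2 or tokens[0].lower() != "autocheck":
            findings.append((entry, "unexpected BootExecute syntax"))
            continue
        # Strip any directory and a trailing .exe so "c:\foo\autoche.exe" -> "autoche".
        exe = tokens[1].rsplit("\\", 1)[-1].lower()
        exe = exe[:-4] if exe.endswith(".exe") else exe
        if exe in KNOWN_GOOD:
            continue
        if edit_distance(exe, REFERENCE) <= 2:
            findings.append((entry, f"lookalike of {REFERENCE}: {exe}"))
        else:
            findings.append((entry, f"non-standard autocheck binary: {exe}"))
    return findings


def read_live_boot_execute():
    """On Windows, read the real value via the standard-library winreg module."""
    import winreg  # only available on Windows; callers on other OSes use sample data
    path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "BootExecute")
    return list(value)


if __name__ == "__main__":
    for hit in audit_boot_execute(CLEAN_ENTRIES + SUSPECT_ENTRIES):
        print("FLAG:", hit)
```

Run on a live host with `audit_boot_execute(read_live_boot_execute())`; any non-empty result deserves a look at the named binary, not just the registry line.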
You probably shouldn't be. All this "fanboying" annoys the hell out of people because fanboys are constantly trying to sell Linux as the solution to all problems, and then when people give them reasons why Linux isn't a solution to their problems they get really defensive and start using canned excuses like "well it works for me", "you didn't pick the right distro", "normal users don't need that", "you need to research your hardware", "you have the source so you could fix it yourself", or even "Windows/MacOS have problems too!".
The community alone is enough reason to avoid linux.
Note: in this instance, "Linux" is being used as shorthand for "the GNU/Linux Desktop".
> You probably shouldn't be. All this "fanboying" annoys the hell out of people because fanboys are constantly trying to sell Linux as the solution to all problems ...
This is true for nearly anything imaginable, not just Linux.
> The community alone is enough reason to avoid linux.
If you selectively pick the worst of any given (tech related) community, you'd probably be using nothing.
That's definitely why you're hanging out on a website built for armchair intellectuals. There's definitely no bias on the selection of people who visit and comment here. /s
Clearly you've had some frustrations using GNU/Linux, and I'm sorry you've had to deal with that. It must be really upsetting to have your problems disregarded like that by other people, and not being listened to.
However, it's also quite inappropriate to completely ignore the main point of someone else's comment and vent all these frustrations on them for using the informal term "fanboying", and I don't think that doing so contributes anything to the current discussion about whether GNU/Linux is vulnerable to this rootkit.
Maybe against this specific vulnerability, but with firmware (e.g. Intel ME) running in ring -3, it could in principle inject itself into any (ring 0) kernel.
ekianjo's Wikipedia link describes how it works: tracking is still done by a high-level software agent; the firmware part is there to make sure that it is present on the filesystem each time the machine boots, making it survive Windows reinstalls.
You might be in the clear, but make sure you've traversed every menu and sub-menu in the BIOS configuration. One of my laptops -- I don't recall which, sorry -- has the settings located a few levels deep with some very unsuspecting terminology. Even when I was looking specifically for it (I knew it was in there!), it took me a few minutes to actually find it.
Also, WRT turning it off, there are typically two options: deactivate and disable. One is just "temporary" (in that it can be turned back on later), the other is (supposedly) permanent and "impossible" to revert. Make sure you choose the right one (for you).