RIG 3.0 used to infect millions of Internet Explorer (IE) users worldwide -- mostly via malvertising.

The RIG crimeware kit got an upgrade and is the tool of choice in a wave of Web attacks worldwide that is infecting around 27,000 victims each day -- some using an exploit leaked in The Hacking Team breach.

Researchers at Trustwave today reported a spike in use of RIG 3.0, a new version of the crimeware kit that was recently updated by its author after the source code was dumped online by a disgruntled underground reseller of the tool. Over the six weeks that Trustwave monitored the attacks, some 1.25 million users were infected, in a series of attacks that mostly came via malicious ads on major websites.

Arseny Levin, lead security researcher at Trustwave, says some 3.5 million users visited those infected sites, and 90 percent of the more than 1 million who were infected were via malicious ads. The attacks--carried out by various groups all employing the shiny new version of RIG, which is typically used as an initial attack vector--used three different exploits, including the Hacking Team's Adobe Flash (CVE-2015-5122) zero-day, which black hat hackers were quick to weaponize before users could patch their machines.

Malvertising -- where ads are injected with malware unbeknownst to the owner of the website where the ad runs -- is hot. According to a new report from RiskIQ today, malvertising increased 260 percent in the first half of this year. And in sync with the latest RIG 3.0-based attacks, the number one malvertisement lure is fake Flash updates. Even so, RiskIQ found that fake software updates were more common than exploit kits (think RIG) as the means of installing malware on victims' machines.

Some 3,000 Alexa top 3000 websites -- news, investment consulting, IT solutions providers, and others -- were found harboring the malicious RIG 3.0-rigged ads, according to Trustwave.

In addition to the Hacking Team Flash 0day, the malicious ads also employed the Windows OLE Automation Array exploit (CVE-2014-6332) and a VML attack (CVE-2013-2551) -- all of which are Internet Explorer attacks.

The RIG 3.0-rigged ads were used by various "users or customers" of the crimeware kit for their own attack campaigns, Levin says. "Each was installing a different type of malware on a computer" most using malvertising as the initial attack vector, he says.

Victims were IE users without the latest patches, mainly in Brazil (450,000); Vietnam (300,000); Turkey (82,000); India (62,000); and the US (46,000), at last count.

Aside from malvertising, victims with already-infected machines were reinfected via RIG 3.0, and others, visiting a compromised website, according to Levin.

The most prolific RIG 3.0 attacker, who has hit more than 100,000 machines, was spotted paying other hackers for machines that have not been compromised by the kit before. "However, instead he is actually getting re-infected computers which are more challenging because many are locked out due to ransomware or are not useable for other reasons. This means the customer is getting scammed," Levin wrote in a blog post today. "He is paying ten times more than he should for computers that he thinks are clean but in reality, are not. Typically, customers pay about 10 dollars per 100 infections of clean computers. For an already compromised computer, they pay 10 dollars for every 1000 infections."

The common wisdom when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t.

It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of Macs. What’s more, the researchers have designed, for the first time, a proof-of-concept worm that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.

The attack raises the stakes considerably for system defenders since it would allow someone to remotely target machines—including air-gapped ones—in a way that wouldn’t be detected by security scanners and would give an attacker a persistent foothold on a system even through firmware and operating system updates. Firmware updates require the assistance of a machine’s existing firmware to install, so any malware in the firmware could block new updates from being installed or simply write itself to a new update as it’s installed.

The only way to eliminate malware embedded in a computer’s main firmware would be to re-flash the chip that contains the firmware.

“[The attack is] really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware,” says Xeno Kovah, one of the researchers who designed the worm. “For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”

It’s the kind of attack intelligence agencies like the NSA covet. In fact, documents released by Edward Snowden, and research conducted by Kaspersky Lab, have shown that the NSA has already developed sophisticated techniques for hacking firmware.

The Mac firmware research was conducted by Kovah, owner of LegbaCore, a firmware security consultancy, and Trammell Hudson, a security engineer with Two Sigma Investments. They’ll be discussing their findings on August 6 at the Black Hat security conference in Las Vegas.

Firmware is a particularly valuable place to hide malware on a machine because it operates at a level below the level where antivirus and other security products operate and therefore does not generally get scanned by these products, leaving malware that infects the firmware unmolested. There’s also no easy way for users to manually examine the firmware themselves to determine if it’s been altered. And because firmware remains untouched if the operating system is wiped and re-installed, malware infecting the firmware can maintain a persistent hold on a system throughout attempts to disinfect the computer. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate malicious code, the malicious firmware code will remain intact.

5 Firmware Vulnerabilities in Macs

Last year, Kovah and his partner at LegbaCore, Corey Kallenberg, uncovered a series of firmware vulnerabilities that affected 80 percent of the PCs they examined, including ones from Dell, Lenovo, Samsung and HP. Although hardware makers implement some protections to make it difficult for someone to modify their firmware, the vulnerabilities the researchers found allowed them to bypass these and reflash the BIOS to plant malicious code in it.

Kovah, along with Hudson, then decided to see if the same vulnerabilities applied to Apple firmware and found that untrusted code could indeed be written to the MacBook boot flash firmware. “It turns out almost all of the attacks we found on PCs are also applicable to Macs,”

They looked at six vulnerabilities and found that five of them affected Mac firmware. The vulnerabilities are applicable to so many PCs and Macs because hardware makers tend to all use some of the same firmware code.

“Most of these firmwares are built from the same reference implementations, so when someone finds a bug in one that affects Lenovo laptops, there’s a really good chance it’s going to affect the Dells and HPs,” says Kovah. “What we also found is that there is really a high likelihood that the vulnerability will also affect Macbooks. Because Apple is using a similar EFI firmware.”

In the case of at least one vulnerability, there were specific protections that Apple could have implemented to prevent someone from updating the Mac code but didn’t.

“People hear about attacks on PCs and they assume that Apple firmware is better,” Kovah says. “So we’re trying to make it clear that any time you hear about EFI firmware attacks, it’s pretty much all x86 [computers].”

They notified Apple of the vulnerabilities, and the company has already fully patched one and partially patched another. But three of the vulnerabilities remain unpatched.

Thunderstrike 2: Stealth Firmware Worm for Macs

Using these vulnerabilities, the researchers then designed a worm they dubbed Thunderstrike 2 that can spread between MacBooks undetected. It can remain hidden because it never touches the computer’s operating system or file system. “It only ever lives in firmware, and consequently no [scanners] are actually looking at that level,” says Kovah.

The attack infects the firmware in just seconds and can also be done remotely.

There have been examples of firmware worms in the past—but they spread between things like home office routers and also involved infecting the Linux operating system on the routers. Thunderstrike 2, however, is designed to spread by infecting what’s known as the option ROM on peripheral devices.

An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and a malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.

When another machine is booted with this worm-infected device inserted, the machine firmware loads the option ROM from the infected device, triggering the worm to initiate a process that writes its malicious code to the boot flash firmware on the machine. If a new device is subsequently plugged into the computer and contains option ROM, the worm will write itself to that device as well and use it to spread.

One way to randomly infect machines would be to sell infected Ethernet adapters on eBay or infect them in a factory.

“People are unaware that these small cheap devices can actually infect their firmware,” says Kovah. “You could get a worm started all around the world that’s spreading very low and slow. If people don’t have awareness that attacks can be happening at this level then they’re going to have their guard down and an attack will be able to completely subvert their system.”

In a demo video Kovah and Hudson showed WIRED, they used an Apple Thunderbolt to Gigabit Ethernet adapter, but an attacker could also infect the option ROM on an external SSD or on a RAID controller.

No security products currently check the option ROM on Ethernet adapters and other devices, so attackers could move their worm between machines without fear of being caught. They plan to release some tools at their talk that will allow users to check the option ROM on their devices, but the tools aren’t able to check the boot flash firmware on machines.

The attack scenario they demonstrated is ideal for targeting air-gapped systems that can’t be infected through network connections.

“Let’s say you’re running a uranium refining centrifuge plant and you don’t have it connected to any networks, but people bring laptops into it and perhaps they share Ethernet adapters or external SSDs to bring data in and out,” Kovah notes. “Those SSDs have option ROMs that could potentially carry this sort of infection. Perhaps because it’s a secure environment they don’t use WiFi, so they have Ethernet adapters. Those adapters also have option ROMs that can carry this malicious firmware.”

He likens it to how Stuxnet spread to Iran’s uranium enrichment plant at Natanz via infected USB sticks. But in that case, the attack relied on zero-day attacks against the Windows operating system to spread. As a result, it left traces in the OS where defenders might be able to find them.

“Stuxnet sat around as a kernel driver on Windows file systems most of the time, so basically it existed in very readily available, forensically-inspectable places that everybody knows how to check. And that was its Achilles’ heel,” Kovah says. But malware embedded in firmware would be a different story, since firmware inspection is a vicious circle: the firmware itself controls the ability of the OS to see what’s in the firmware, so a firmware-level worm or malware could hide by intercepting the operating system’s attempts to look for it. Kovah and colleagues showed how firmware malware could lie like this at a talk they gave in 2012. “[The malware] could trap those requests and just serve up clean copies [of code]… or hide in system management mode where the OS isn’t even allowed to look,” he says.

Hardware makers could guard against firmware attacks if they cryptographically signed their firmware and firmware updates and added authentication capabilities to hardware devices to verify these signatures. They could also add a write-protect switch to prevent unauthorized parties from flashing the firmware.

Although these measures would guard against low-level hackers subverting the firmware, well-resourced nation-state attackers could still steal a hardware maker’s master key to sign their malicious code and bypass these protections.

Therefore, an additional countermeasure would involve hardware vendors giving users the ability to easily read their machine’s firmware to determine if it has changed since installation. If vendors provided a checksum of the firmware and firmware updates they distribute, users could periodically check whether what’s installed on their machine differs from the published checksums. A checksum in this sense is a cryptographic hash: a fixed-length string of letters and digits produced by running the data through a hash algorithm. Each checksum is meant to be unique to its input, so that if anything in the data changes, the data will produce a different checksum.
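The checksum comparison described above, and the option ROM check mentioned earlier in the article, come down to the same operation: hash a firmware dump and compare it against a vendor-published value. The following is an added illustration, not code from the researchers or from any vendor; the image bytes, the manifest and the version label are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample image standing in for a boot-flash or option ROM dump.
# A real dump would be read from the SPI flash or the device with an external
# reader; see the note below on why reading through the running firmware is
# not trustworthy.
CLEAN_IMAGE = (
    b"\x55\xaa"                              # typical option ROM signature bytes
    + b"\x00" * 30
    + b"HYPOTHETICAL OPTION ROM v1.0"        # constructed marker, not a real ROM
    + b"\xff" * 30
)


def sha256_hex(data: bytes) -> str:
    """Hex digest used as the 'checksum' the article describes."""
    return hashlib.sha256(data).hexdigest()


# A vendor-style manifest: version label -> expected SHA-256.  Built here from
# the constructed sample; a vendor would publish such values alongside each
# firmware release (ideally signed, so the manifest itself can be trusted).
MANIFEST: Dict[str, str] = {
    "hypothetical-adapter-rom-1.0": sha256_hex(CLEAN_IMAGE),
}


def verify_dump(dump: bytes, manifest: Dict[str, str]) -> Optional[str]:
    """Return the manifest entry whose checksum matches the dump, or None if
    the dump matches nothing published (modified, unknown, or corrupted)."""
    actual = sha256_hex(dump)
    for version, expected in manifest.items():
        # Constant-time comparison: not strictly required for public hashes,
        # but a sound habit whenever digests are compared.
        if hmac.compare_digest(actual, expected):
            return version
    return None


def tamper(dump: bytes, offset: int, value: int) -> bytes:
    """Return a copy of the dump with one byte changed, to show that any
    modification, however small, yields a different checksum."""
    buf = bytearray(dump)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    print("clean dump matches:", verify_dump(CLEAN_IMAGE, MANIFEST))
    print("one-byte change matches:", verify_dump(tamper(CLEAN_IMAGE, 40, 0x90), MANIFEST))
```

The caveat the article itself raises applies here: a dump obtained by asking the running firmware for a copy of itself can be falsified by that firmware, so a meaningful check reads the flash or option ROM with an external programmer or a device-side tool that bypasses the firmware under test, and compares it against a manifest whose own integrity is protected by a vendor signature.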

But hardware makers aren’t implementing these changes because it would require re-architecting systems, and in the absence of users demanding more security for their firmware, hardware makers aren’t likely to make the changes on their own.

“Some vendors like Dell and Lenovo have been very active in trying to rapidly remove vulnerabilities from their firmware,” Kovah notes. “Most other vendors, including Apple as we are showing here, have not. We use our research to help raise awareness of firmware attacks, and show customers that they need to hold their vendors accountable for better firmware security.”

Anonymous affiliate GhostSec has supported US law enforcement and intelligence agencies in thwarting Isis terror plots in New York and Tunisia.
The popular Anonymous affiliate GhostSec has provided useful information on preventing terrorist attacks on New York and Tunisia planned by the Islamic State (Isis), according to a counterterrorism expert.

According to the International Business Times, Michael Smith, an adviser to the US Congress and co-founder of national security firm Kronos Advisory, confirmed that information about potential attacks provided by the group GhostSec was used by US intelligence and law-enforcement agencies to interfere with IS operations.

"It is my understanding that data collected by the group, and presented to law enforcement and intelligence officials by me, was helpful to authorities in Tunisia, who disrupted a suspected Islamic State cell around 4 July," revealed Smith. "This data was collected pursuant to the group's efforts in monitoring social media accounts managed by suspected Islamic State supporters. As per their assessment, this plot would have been mobilised soon after the recent attack that occurred at a popular resort in Tunisia."

The news is confirmed by a member of the GhostSec collective who uses the pseudonym DigitaShadow. He revealed that information on ISIS activities and potential attacks, gathered by the hacktivists from social media, was shared with Smith, who passed it on to the US agencies.

The information allowed the identification and the arrest of 17 suspects in Tunisia earlier this month.

"GhostSec is constantly monitoring social media and the internet for threats against governments and its citizens," DigitaShadow told IBTimes UK. "On 2 July, we encountered an Islamic State account engaging in threats against tourists in Tunisia. They made references to a suicide bomber in an area near the Homut Souk market, which is a very populated area. They also made direct threats against British and Jewish tourists, so we began looking for events near areas that those nationalities visited. We located two churches in the direct vicinity that were holding services where British and Jewish tourists frequented. We collected all of the relevant intel and evidence and forwarded it to the FBI through our government contact. Two days later, we were debriefed that arrests had been made as a result of our intelligence."

According to the new revelations, DigitaShadow and GhostSec have done much more: the hacktivists helped the authorities gather evidence used to foil a terror attack in New York on 4 July. The FBI reported that more than 10 individuals were arrested for organizing a terrorist plot planned for Independence Day.

Neither Smith nor the FBI was able to confirm whether the arrests in New York came as a result of information gathered by GhostSec.

Smith did confirm that data shared by GhostSec was used in counter-terrorism operations in Tunisia, but he did not provide information on the arrests in New York.

Emerson Brooking, a research associate at the Council on Foreign Relations, explained in March the importance of funding the efforts of hacktivists to take down websites and social-media accounts associated with IS and other terrorist organizations.

"How is it that the US government, capable of coordinating a complex air campaign from nearly 6,000 miles away, remains virtually powerless against the Islamic State's online messaging and distribution network?" said Brooking. "If the United States is struggling to counter the Islamic State's dispersed, rapidly regenerative online presence, why not turn to groups native to this digital habitat? Why not embrace the efforts of third-party hackers like Anonymous to dismantle the Islamic State – and even give them the resources to do so?"

In April GhostSec published a list of websites used by ISIS and exposed social media accounts of its members. The members of GhostSec initially leaked a list of 26,000 Twitter accounts that were allegedly linked to ISIS. The list is available at the URL https://ghostbin.com/paste/ce5jz.


All the websites identified by Anonymous and the related social media accounts were used by ISIS members for propaganda, recruitment and communications.

"To date our operations have met with resounding success," said a spokesperson for GhostSec. "We have terminated over 57,000 Islamic State social media accounts that were used for recruitment purposes and transmission of threats against life and property.

"Our operatives have also detected numerous terror plots and responded accordingly with federal law enforcement agencies. Defending and preserving freedom begins in cyberspace."

While Microsoft is offering its new Windows 10 OS for free, security experts argue that the cost for user privacy is much higher.

Microsoft Windows 10 is the IT giant's new operating system, and the newly released OS already reached more than 14 million downloads in just two days. Experts who have analyzed Windows 10 explained that it is quite difficult to change the default settings, and that these settings represent a threat to the user’s privacy.

In a recent security assessment of ten smartwatches and their iOS and Android companion applications, every single watch had at least one significant security flaw, according to a new report from HP Fortify.

One common problem was that the data that smartwatches collected was typically sent to numerous places -- up to ten locations, in some cases.

"It was going through analytics networks, ad networks, numerous back ends," said Daniel Miessler, head of security research at Palo Alto, Calif.-based HP Fortify. "It's something that consumers probably aren't aware of."

Many of those connections were not encrypted, he added, making a bad situation even worse.

The cloud services that users were aware of, such as cloud-based companion apps that had Web-based access, often had security issues themselves.

"We found a few that you could break into with brute force attacks and harvest data," he said.

Another common problem was a lack of a shut-off mechanism.

"If someone picked your watch up off the table, they could get into the watch," he said. And, with that, into whatever apps the watch was currently connected to on your phone, such as email, text messages, and phone calls.

"Half of the watches did not have a pass code," he said.

The security vulnerabilities are only to be expected, said Miessler.

"We're making the same mistakes we've been making for 15 or 20 years," he said. "We're just changing the platforms."

Miessler declined to elaborate on which devices did well or not so well on the test.

"We're in the middle of the disclosure process, so we're not able to comment," he said.

"We're waiting for companies to respond back with patches. Some companies respond quickly, and others don't respond at all. We don't release [vulnerability information] unless they come out with a patch and authorize us to release it."

He warned enterprises to be careful about major roll-outs of smartwatches, and to pay close attention to security vulnerabilities.

He also suggested that if smartwatches are deployed in a corporate setting, they be restricted to their own networks and not allowed to mingle with enterprise data and services.

He also recommended that enterprises, manufacturers and security testers take a look at the OWASP IoT project page, which lists the 10 most significant IoT security vulnerabilities and suggestions for how to address them.

"It's very early right now," he said. "If someone were to try to use it for authentication, they'd really have to subject it to a strong level of scrutiny. I wouldn't say it's not possible, but in general the state of watch security is very low right now."

End users often choose features and widgets over security, he added, so it might take a while for these issues to be addressed.

In addition to the security problems that smartwatches create unbeknownst to their users, they also offer users more opportunities for inappropriate or even malicious behavior.

Smartwatches are significantly less noticeable than smartphones -- it's easy to forget that people are wearing them.

"It's going to be pretty easy to record a conversation, or snap pictures of slides and bring that data out of the enterprise without being noticed," Miessler said. "We think it's going to be an increasing concern in the future."

The Internet Systems Consortium (ISC) announced on Tuesday the release of BIND 9.10.2-P3 and BIND 9.9.7-P2. The updates for the popular Domain Name System (DNS) software address a critical denial-of-service (DoS) vulnerability that affects almost all BIND servers.

The remotely exploitable vulnerability (CVE-2015-5477) involves an error in the handling of TKEY record queries. An attacker can use a specially crafted DNS request packet to trigger a REQUIRE assertion failure and cause BIND to exit.

The security bug reported by Jonathan Foote affects BIND 9.1.0 through 9.8.x, BIND 9.9.0 through 9.9.7-P1, and BIND 9.10.0 through 9.10.2-P2. The vulnerability affects both recursive and authoritative servers, and it cannot be mitigated by access control lists (ACLs) or configuration options because the vulnerable code is triggered early in the handling of the packet.
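Because the advisory states that ACLs and configuration options cannot mitigate CVE-2015-5477, the only meaningful check on a given server is whether its BIND version falls inside the affected ranges quoted above. The script below is an added example, not an ISC tool; it encodes the ranges from this article, parses the `-Pn` patch-level suffix so that 9.9.7-P1 sorts below 9.9.7-P2, and extracts the version from a constructed `named -v` line (the exact banner format on a real server may include more text after the version).

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, P-level)

# Affected ranges exactly as given in the ISC advisory quoted above:
# 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1, 9.10.0 through 9.10.2-P2.
# A large sentinel stands in for "any 9.8.x release".
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((9, 1, 0, 0), (9, 8, 9999, 9999)),
    ((9, 9, 0, 0), (9, 9, 7, 1)),
    ((9, 10, 0, 0), (9, 10, 2, 2)),
]

# Fixed releases named in the article, for reporting only.
FIXED_RELEASES = {"9.9.7-P2", "9.10.2-P3"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")
BANNER_RE = re.compile(r"\bBIND\s+(\d+\.\d+\.\d+(?:-P\d+)?)")


def parse_version(text: str) -> Version:
    """Turn '9.9.7-P1' into (9, 9, 7, 1).  A release without a patch suffix
    gets P-level 0, so 9.9.7 < 9.9.7-P1 < 9.9.7-P2 compare correctly."""
    m = VERSION_RE.match(text.strip())
    if not m:
        # Distribution-packaged versions (e.g. with a vendor suffix) are not
        # handled here; see the usage note on backported fixes.
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(version: str) -> bool:
    """True if the upstream version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def version_from_banner(line: str) -> str:
    """Pull the version out of a 'named -v' banner line.  The sample line in
    the usage below is constructed; real banners may carry trailing text."""
    m = BANNER_RE.search(line)
    if not m:
        raise ValueError(f"no BIND version found in banner: {line!r}")
    return m.group(1)


def assess(banner: str) -> str:
    """Human-readable verdict for one server banner."""
    version = version_from_banner(banner)
    if is_vulnerable(version):
        return f"{version}: AFFECTED by CVE-2015-5477 - upgrade to a fixed release"
    note = " (fixed release)" if version in FIXED_RELEASES else ""
    return f"{version}: not in the affected ranges{note}"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real servers.
    for sample in (
        "BIND 9.9.7-P1 (Extended Support Version)",
        "BIND 9.9.7-P2 (Extended Support Version)",
        "BIND 9.10.2-P2",
        "BIND 9.8.5",
    ):
        print(assess(sample))
```

One caution when using a version check like this: Red Hat and other distributors, as the article notes, ship fixes as backports, so a distribution package can carry an "affected" upstream version number yet already contain the patch. On such systems, check the package changelog or the vendor's advisory rather than relying on the banner alone.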

The vulnerability has been rated “critical” because it affects almost all BIND servers, not just ones that have been configured in a certain manner. Furthermore, there are no workarounds for this problem.

“The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer,” explained Michael McNally of the ISC. “I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind.”

Users are advised to install BIND 9.10.2-P3 or BIND 9.9.7-P2 as soon as possible. Amazon, Red Hat and others have already taken steps to protect their customers against potential attacks.

ISC has announced that BIND 9.9 (Extended Support Version) will be supported until June 2017. The end of life for BIND 9.10 has not been determined yet but support will not end before BIND 9.12.0 has been released for 6 months.

The Daily Beast has revealed that it has obtained proof that the sophisticated Russian APT that hacked the White House and State Department has also run a spear phishing campaign against staff at the Pentagon. The newspaper published the news as an exclusive.

“Hackers linked to Russia who penetrated the computer networks of the White House and the State Department have turned their sights on the Pentagon, The Daily Beast has learned. And this time the hackers are using more sophisticated technologies that make them exceptionally hard to detect and that allow them to cover their tracks,” the newspaper states.

The Daily Beast obtained an email notice that the Defense Department sent on Friday warning that “at least five” computers at the Department of Defense had been compromised by hackers; the notice confirmed the link with the cyber attacks against the White House and the State Department. The notice was distributed to Defense Department contractors and others and is described as an “anticipatory intelligence product.”

The US government experts did not provide further information on the attack: they gave no details on the stolen data and did not specify which government agencies the hackers targeted. The notice does, however, describe the attack as very sophisticated.

“The sophistication of this attack far surpasses anything we have seen to date from any state actors,” said Michael Adams, a computer security expert who served more than two decades in the U.S. Special Operations Command. “To use a military analogy, the level of sophistication of this attack is like comparing a World War I propeller-driven fighter plane to a stealth bomber coming in under the radar, completely destroying its target, and leaving before the enemy even realizes they have been attacked,” Adams said.

The disconcerting aspect of the story is that the hackers are still targeting US government agencies: a new sophisticated campaign was detected on July 8.

In this case too, the hackers relied on spear phishing emails that purported to come from the National Endowment for Democracy, a prominent non-profit organization that supports pro-democracy efforts around the world. “The emails contained a link that, when clicked, takes recipients to an infected server on the organization’s network. It then downloads malicious software onto the victim’s computer.” As reported in the notice, the hackers used a multi-stage attack: once the first component infects the target, it downloads further malicious payloads from the C&C server, with the connections encrypted to avoid detection.

“While I am somewhat comforted to hear that the malware was discovered on some systems, it is a virtual certainty that there are more instances of this malware inside the DOD and whatever other parts of our infrastructure this enemy has targeted,” Adams said.

Another notice obtained by The Daily Beast warns that the hackers are now targeting the Pentagon, “U.S. government agencies and private sector companies,” exploiting one of the Adobe Flash flaws disclosed after the hack of the Hacking Team firm.