Comments
What You Need To Know About Nation-State Hacked Hard Drives
Joe Stanganelli,
User Rank: Ninja
3/3/2015 | 5:45:45 AM
Infected conference materials
Stories like these make me paranoid to ever again accept a flash drive from a vendor at a conference!
Kelly Jackson Higgins,
User Rank: Strategist
3/3/2015 | 7:04:50 AM
Re: Infected conference materials
Seriously! It's kind of the oldest trick in the book (of course, 6 years ago, it was a relatively new trick). 
aws0513,
User Rank: Ninja
3/3/2015 | 10:37:24 AM
Re: Infected conference materials
It is the classic "what is old is new again" scenario.

Moreover, the ubiquity of USB storage devices has made it very difficult to proactively mitigate USB storage device risks.

Even though it is a policy at my current employer to prohibit the use of personal USB devices, we get instances almost daily where someone attempts or asks to use one on company owned devices (classic scenario is a vendor/customer that insists that they provide their files on a USB device). 

We security conscious pros see the problem, but even trained end users still do not comprehend or have concerns regarding USB storage risks.  This is even after our training materials discuss the problem at length.

I compare it to smoking.  For years, doctors have been telling people that smoking is bad, yet there is a large section of people that continue to smoke.  Albeit USB devices do not have addictive chemicals, their utility is highly addictive.
Kelly Jackson Higgins,
User Rank: Strategist
3/3/2015 | 11:35:59 AM
Re: Infected conference materials
@aws0513, you hit on a key problem of the inherent challenge of taking technology away from users once the horse has left the barn. And even if you do airgap a system, there are still risks to it, such as an infected CD-ROM or USB.
Dr.T,
User Rank: Ninja
3/3/2015 | 12:31:45 PM
Re: Infected conference materials
Agree. Not only hard disks or USB devices: printers hacked in their firmware may give away a path to the cover network, the same for CDs and other devices we have in the network such as switches. If you hacked the hard disk, you most likely hacked Cisco switches too.
Joe Stanganelli,
User Rank: Ninja
3/4/2015 | 11:39:58 PM
Re: Infected conference materials
You know air gaps aren't failsafe when the International Space Station gets infected by an astronaut's USB stick.  ;)  (As Kaspersky reported in late 2013.)
Dr.T,
User Rank: Ninja
3/3/2015 | 12:24:57 PM
Re: Infected conference materials
I hear you. It is not only a USB device problem. Any device connected to any other device is a risk to the other, one way or another. They both need to be secure. If a device is compromised at the firmware level, there is no need to talk about security from that point forward.
klevkoff117,
User Rank: Apprentice
3/5/2015 | 10:24:58 AM
Re: Infected conference materials
I think a large part of this is our modern obsession with convenience and looks.

My bank tells me that I should have the latest browser "so I can enjoy the latest features"; if they wanted the best security they would be telling me to disable JavaScript and ActiveX - and use pure HTML. Likewise, does anyone here remember when, if you had a bunch of text to deliver, you did so as a plain text file? A pure text file isn't especially pretty, but you can't practically infect it with malware.

The simple reality is that nobody wants to trade away convenience, or the latest whiz-bang features, for real security... and so the endless quest for good security that is also convenient, cheap, and looks pretty... which is probably just not possible.

Obviously the promoters of that conference had no idea that anyone would want to hack their conference materials. Otherwise they could have put all their conference material into an archive on that CD - and then published the MD5 hash for the archive on their website.

Likewise, another reader posted about, while conducting business at a bank, being permitted to print something through their network off a USB stick... and how this was a rather insecure practice. Am I the only one who remembers when even HAVING a USB drive in a computer that was supposed to be secure was considered a bad idea?

We sacrifice security for convenience at every turn, then we act surprised when we learn that the security isn't there any more....
Joe Stanganelli,
User Rank: Ninja
3/4/2015 | 11:35:45 PM
Re: Infected conference materials
I remember, during a meeting with a manager at a client's bank, being stuck for a hard copy of a document that we needed.  I asked if we could print it off of my personal USB stick.  The banker was like, "Sure, absolutely."

Of course, it was an innocent request by an innocent actor, there was no malware involved, and everything went uneventfully.  But it occurred to me: What if I had been a hacker?  Or even an innocent person who unknowingly possessed an infected USB stick?

What bank security!
Kelly Jackson Higgins,
User Rank: Strategist
3/5/2015 | 6:55:57 AM
Re: Infected conference materials
A few years ago at DEF CON, there was a scare that the conference proceedings disk given to the press was infected with malware. I can't remember the year, or how it all got resolved (I think it may have been a hoax/rumor), but I can tell you that several reporters opted to view preso slides on DEF CON's website after that. =)
Joe Stanganelli,
User Rank: Ninja
3/6/2015 | 12:09:30 AM
Re: Infected conference materials
Scan everything.  :)
Dr.T,
User Rank: Ninja
3/3/2015 | 12:27:01 PM
Re: Infected conference materials
I agree, let's not accept anything from anybody. :--)). Remember nothing is free. I do not think vendors have any incentive for having, unless somebody else forces them to do so.
Joe Stanganelli,
User Rank: Ninja
3/6/2015 | 12:08:11 AM
Re: Infected conference materials
They do make good gifts, though.  One Christmas, when I was stuck for a Christmas present for someone, I gave them one of my free mega-storage USB sticks from a conference.  They loved it.

Maybe they're hacked now.  Who knows?  :p
Dr.T,
User Rank: Ninja
3/3/2015 | 12:20:46 PM
Malware in the firmware
If malware is in the firmware, then it is most likely embedded into those ROM devices, where it is read-only unless you touch the firmware and reprogram it. Malware in firmware is a good way of hacking a system :--))
Whoopty,
User Rank: Ninja
3/3/2015 | 1:01:43 PM
Knock on effects
Although the security concerns people have may not be that valid, the worrying part for me is what this sort of news does to the confidence people have in US businesses. Despite already big impacts on services and sales within the tech industry, the security agencies continue to push for these pretty invasive tactics when it comes to worldwide snooping.

I don't know if the trade-off is going to be worth it. Not only do these schemes cost a lot to implement, but they're costing the American (and arguably the entire Western) tech economy too.
klevkoff117,
User Rank: Apprentice
3/5/2015 | 10:11:23 AM
Maybe the problem is too much flexibility
I'm sorry, but maybe it's time that people just plain grow up. There is an easy - and 100% effective - solution that can be implemented for just a few cents that will prevent anyone from hacking the firmware on your hard drive. Simply attach a physical switch to the physical write-enable pin on the BIOS storage medium; this way, it will be impossible to alter the firmware without physical access to the drive. Many years ago we had an antiquated version of "flash" that was 100% un-hackable - it was called a ROM (read-only memory); since a ROM cannot be reprogrammed, the only way to change the code stored on a ROM is to physically replace it with a new one... so it's totally secure... and securing your hard drives is as simple as locking the server and posting a security guard. Do we really need the ability to field-upgrade the BIOS on a hard drive? If not, then a ROM will do just fine.

Now, I realize that people these days are obsessed with convenience, and nobody is willing to accept the possibility that a product should be correct the first time (and so require no updates), but it seems to me that it wouldn't be a hardship to simply ship hard drives which physically cannot have their firmware or BIOS altered after they leave the factory. (Use a ROM, cut off the write-enable pin, or burn a link to disable the program function.)

The vast majority of the security breaches and hacks we're seeing lately are simply the result of our modern obsession with convenience... 

(And let's not even discuss passwords which can be reset after a simple request to do so. Am I the only one who sees the irony of generating a "password reset token", which is secured by a nice long cryptographic hash, then sending that secure link to an unsecured e-mail account, as a plain old unencrypted e-mail? Gee, guys, if you want real security, maybe you really should have to go into the branch and talk to someone in person if you want to recover your lost bank password.)
Marilyn Cohodas,
User Rank: Strategist
3/5/2015 | 10:26:41 AM
Re: Maybe the problem is too much flexibility
@klevkoff117-- It's certainly not a new problem. And hats off to whoever figures out the right balance between user convenience and security.
klevkoff117,
User Rank: Apprentice
3/5/2015 | 10:36:39 AM
Re: Maybe the problem is too much flexibility
I think a lot of that problem simply comes down to how institutions interact with the public. Most people I know really do care whether their bank account is safe or not - and would probably respond favorably if their bank actually told them "our account summary page isn't especially pretty, but it's much more secure than our competitors". However, that doesn't happen - presumably because somewhere there's a web designer who's worried that their competitors have pretty 3D mouseover buttons and they don't.

Perhaps it would be more useful for them to educate their customers rather than to always play into their least little whims and desires. (I'm imagining a variation of the old Volkswagen commercial... "Our website is ugly, but our security is better, so we can offer you a credit card with a lower interest rate, and pay better interest rates on our accounts; we think the tradeoff is worth it - don't you?" I know I'd move my accounts there tomorrow - if I actually believed the pitch :) )
Marilyn Cohodas,
User Rank: Strategist
3/5/2015 | 11:10:50 AM
Re: Maybe the problem is too much flexibility
Great idea @klevkoff117! You should be in marketing! But seriously, I look forward to the day that strong security is a product differentiator -- in finance and other industries.
Joe Stanganelli,
User Rank: Ninja
3/7/2015 | 11:34:32 PM
Re: Maybe the problem is too much flexibility
That's beautiful, man.  I agree with Marilyn; you should be in marketing.

Unfortunately, marketing ROI and security ROI are very tricky to determine and justify.  It's all about UX these days -- even though nobody in the room at the UX meetings is a "U."
jamieinmontreal,
User Rank: Strategist
3/12/2015 | 10:36:44 AM
Changing behaviours regarding security
@klevkoff117 I'm not necessarily dating myself with this analogy (I hope) but when I was a kid we left the house doors unlocked at all times... it just never occurred to us that locking them was necessary. Kids were left in cars, often with the keys hanging from the ignition and car doors also unlocked.

Times changed, and as we became more aware of terrible and tragic incidents we started to change behaviour "just in case". Doors started to be locked, security chains were installed, we learned to ask who was there before opening doors.

It feels like the world is slowly learning these same habits in regards to their Valuable Blob Of Data (VBOD): now we install AV at home, we are less inclined to plug random USB devices into things (a lesson which will very likely be summarily ignored the first time a "really useful" IoT type device is issued with a USB charger) and we don't "just click OK" on random messages - at least not all the time.

As far as ROI for security is concerned it's implicit - why do we buy insurance after all? It's simply a measure of security against the threat of physical or financial harm.

If all of this is true then the battle is between fear and convenience. Fear can be created or developed and can be a powerful motivator - parents leverage it all the time (if you don't believe me, read Hansel and Gretel again).

However, desire for convenience is a really strong motivator as well; to paraphrase an old saying, necessity is the mother of invention - convenience is the father. We needed to make things faster, more accessible and we wanted to do it the easy way.

So the initial fear surrounding something has to be amplified many times to overcome the natural inclination towards inertia - look at campaigns for wearing seatbelts, putting on sunscreen, not smoking in bed (somewhat older reference to be fair), or indeed not smoking at all... Once the inertia has been overcome and action has started, the new habits will form and they will be hard to break - when was the last time you saw a "wear your seatbelt" campaign?

As we read more and more about data breaches and many other concerns, look for firms to start locking everything down and managing access even more tightly - once that starts it will be unstoppable, and while there will always be exceptions (does everyone always wear a seatbelt?) the habits will be formed and they will define the newer world. The winners will be those that have developed the means to allay the fear in as easy a manner as possible.
Kelly Jackson Higgins,
User Rank: Strategist
3/12/2015 | 10:48:43 AM
Re: Changing behaviours regarding security
I like your not-dated analogies, @jamieinmontreal. You are so right about the balancing act between security and convenience, and the ultimate changing of habits. And you're right--some level of fear is a great motivator.