Detailed: How Russian government's Fancy Bear UEFI rootkit sneaks onto Windows PCs

Jellied Eel Silver badge

Re: The real solution

If I were really paranoid, I would suspect that this has been in the wild since maybe 2010 but only used on highly targeted, high value targets. From the description, there's no telling how long it's been out there and there's no real fix except as the article mentioned.

Hey, this is IT security. If you're not paranoid, you're a target! But I think there are several aspects to the story.

UEFI security, or lack thereof. That allowed LoJack to do things arguably it shouldn't have done. But the challenge with security is being able to trust it.

The threat escaped into the wild in 2009 at one of the big 50SoG conventions. I don't know when LoJack was released, but given its role, suspect people would have been looking at how that worked as well. Again the challenge with security is being able to trust it. Which sometimes means being asked to hand over source code to TLAs or FLAs for certification. Then assuming they have the resources to identify vulnerabilities. Oh, and paranoia... And not exploit them. Otherwise we're left to independent security researchers finding the problems and publicising them. But black hats would be doing that as well for exploitation.

Then there's the political angle. Kremlin hackers. Really? Or just HVTs. Infection route seems to have been simple spearphishing. We hear about high profile incidents, but not all, so we don't know how widely the net has been cast. Hackers would go after targets for profile/publicity as well as financial gain... Then there's the state actors. I really doubt it's just the Russians doing this. What we could probably do with is more state level intervention to lean on software developers so they prioritise security. Again a trust issue. There can also be other attribution problems, i.e. the current 9/11 hack. That's been described by one victim as 'cyber terrorism', when it's clear from the demands that it's simple cyber extortion*.

I guess the good news from watching the presentation is discovering this:

https://github.com/chipsec/chipsec?language=en_US

Tools to peek into your chips. Less good news is if you discover you're infected, the fix is to try and reflash, with associated risk of brickage. I like the idea of having a 'secure' backup image on mobos to reflash from, but other parts of the rootkit would need to be removed first to avoid reinfection.

*More bad news. More grist for the truthers.
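The "peek into your chips" step above is, in practice, dumping the SPI flash and comparing it against a known-good image. The following is an added illustration of that comparison, not code from the commenter, from chipsec or from The Register: it splits two flash images into erase-block-sized chunks, hashes each chunk, and reports the blocks that differ. The sample images, the 4 KiB block size and the "volatile" NVRAM range (the UEFI variable store legitimately changes between boots, so a naive byte-for-byte diff always flags it) are constructed assumptions for the demonstration; a real check would feed it a dump produced by a flash-reading tool and a vendor image of the same size.

```python
import hashlib
from typing import Iterable, List, Tuple

BLOCK = 4096  # assumed SPI flash erase-block size; 4 KiB is common but vendor specific


def hash_blocks(image: bytes, block: int = BLOCK) -> List[str]:
    """SHA-256 of each block-sized chunk of a flash image, in order."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


def _in_ranges(offset: int, ranges: Iterable[Tuple[int, int]]) -> bool:
    """True if offset falls inside any [lo, hi) range."""
    return any(lo <= offset < hi for lo, hi in ranges)


def compare_images(golden: bytes, dump: bytes,
                   volatile: Iterable[Tuple[int, int]] = (),
                   block: int = BLOCK) -> List[Tuple[int, int]]:
    """Return [(start, end), ...] of blocks whose content differs from the golden
    image, skipping blocks that start inside a declared volatile range
    (e.g. the NVRAM variable store, which changes on every boot)."""
    if len(golden) != len(dump):
        # A size mismatch means the dump is not comparable at all; report it loudly
        # rather than silently diffing a truncated or padded image.
        raise ValueError(f"size mismatch: golden={len(golden)} dump={len(dump)}")
    volatile = list(volatile)
    diffs = []
    for idx, (g, d) in enumerate(zip(hash_blocks(golden, block),
                                     hash_blocks(dump, block))):
        start = idx * block
        end = min(start + block, len(golden))
        if g != d and not _in_ranges(start, volatile):
            diffs.append((start, end))
    return diffs


def build_sample_images() -> Tuple[bytes, bytes, List[Tuple[int, int]]]:
    """Constructed test data: a 64 KiB deterministic 'golden' image, a 'dump' with
    one change in a code region and one in the (constructed) NVRAM region,
    and the volatile range covering that NVRAM region."""
    golden = bytes((i * 7 + 3) & 0xFF for i in range(16 * BLOCK))
    dump = bytearray(golden)
    dump[0x2010:0x2014] = b"\xde\xad\xbe\xef"   # unexpected change in a code block
    dump[0xA100:0xA104] = b"\x01\x02\x03\x04"   # expected change: variable store
    nvram = [(0xA000, 0xC000)]                   # constructed volatile range
    return golden, bytes(dump), nvram


def suspicious_blocks() -> List[Tuple[int, int]]:
    """Run the comparison on the constructed sample, ignoring the NVRAM range."""
    golden, dump, nvram = build_sample_images()
    return compare_images(golden, dump, volatile=nvram)


if __name__ == "__main__":
    for start, end in suspicious_blocks():
        print(f"modified block: 0x{start:05X}-0x{end:05X}")  # prints 0x02000-0x03000
```

The point of the volatile list is the caveat a practitioner hits immediately: without it the same run also reports the 0xA000 block, and every healthy machine looks infected. Conversely, an attacker who hides in a region you declared volatile is invisible to this check, so the list should be as small as the firmware layout allows, and blocks in it still deserve a structural parse rather than a blanket exemption.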
