Schneier on Security

Clive Robinson • January 26, 2022 1:34 PM

@ ALL,

… the DeadBolt attacks only affect devices accessible to the Internet.

As I keep saying, my first question is,

“What is the VALID business case for that device to be connected to external communications?”

And I’ve still yet to receive one not primarily based on “MBA Mantra” via the “Chicago School” that originates from the “stupidity of neo-cons” (also why we have such significant supply chain vulnerabilities).

But even with a “valid business case” there are many ways you can protect systems. Heck we knew that back last century with certain types of “data wherehousing”…

But this is an interesting angle,

“The ransomware gang further states that there is no way to contact them other than through Bitcoin payments.”

With the Ransomers telling the victims,

“… they should pay 0.03 bitcoins (approximately $1,100) to an enclosed Bitcoin address unique to each victim.“

It’s an interesting “secure communications” use of the public ledger (not unlike the idea of getting bots to communicate through Google Cache searches of posting to random blogs).

But one wry smile, anyone else spot the irony in,

“The attacks started today, January 25th,”

After all IT’s “Burns Night”[1]… So a little further irony,

https://m.youtube.com/watch?v=RJ7f0HUk8OU

For those who took the wrong path with their QNAP NAS boxes, thus suffered the “low road” fate.

[1] oh and happy Australia Day to our readers who are enjoying some summer weather. Oh and if you are Scots-Australian, hopefully your memory will come back for the weekend 😉

Clive Robinson • January 26, 2022 3:11 PM

@ Andrew, ALL,

Keeping your data out of the cloud, and still accessible remotely and out of 3rd parties’ hands, isn’t easy.

No but it gets a lot easier if you start out with two basic assumptions,

1, You can not stop an externaly connected system being attacked.

2, Make the system such that it is effectively read only data.

3, If confidentiality is a requirement then you need to seriously think about alternatives as Data Bases and Encryption do not realy work[1].

The solution is a server behind a data diode, that pushes data to a second server that is externaly visable.

If the second server gets attacked, you effectively “bin it”[2] or do a full restore (preferably both).

It’s not perfect and it has a downside for many as it’s “read only” but with a little care and thought you can build on it.

[1] Currently you can not for instance effectively “range search” a database of encrypted record fields, without having the field encryption key on the server, which means it’s not just vulnerable but probably gone if you have been APT attacked.

[2] I’m of the “APT view” in that if any externally connected system gets breached there is a finite probability that it’s Flash Memory in drives, IO cards and Motherboard has had some form of malware installed so that “easy access” for the attackers remains even after what most consider a full restor. Actually doing Flash ROM restors are possible, if and only if you know where all the Flash ROM is, and you have original copies to restor from. As the odds of you knowing where all the Flash ROM is, then the probability you won’t get it all is somewhat increased, so just “burn the hardware” is what I would suggest increasingly is the best course of action. Obviously you need to be aware of this choice prior to purchasing systems as you can save a lot of pain and cost right from the start.

Clive Robinson • January 26, 2022 6:08 PM

@ JonKnowsNothing, ALL,

What’s wrong with you? No one has ever complained about that before!

I’m generally as passive as a welcom mat and generaly genial and try to be nice to people.

One reason for this is that once or twice in the past when I was a lot lot younger, I was not and the clean up was an abulance and bucket and mop. And that sort of thing weighs on your conciounce for half a century or so, so far.

Well when in my much much fitter days when picking up a couple of full beer kegs was no more of a problem than picking up a pencil. I got an almost identical question and statement from a new boss sitting behind his desk. He asked it on the wrong day at the wrong time. There were clear warning signs in that I had stoped smiling and had stood right up. But no, he had to be a twit. As I told him “they are now” being around 6’2″ and 200lbs he discovered that being bodily lifted across his desk by his lapels and having half his body stuffed out the window on the fourth floor not just a new experience but one that was a little disconcerting by the damp patch that appeared on his sand coloured trousers. I explained to him politely whilst he was half out the window that I disagreed with him and that I was sure on reflection he would come to see it my way… I yanked him back in, stood him on his feet dusted him down and straitened his tie, and said that I was busy so if he’d excuse me I was going to go and get on with things, which I did.

A little while later several people turned up at my desk wanting to know what the heck had happened. I gave them my best innocent look and said I realy did not know what they were going on about and they should explain. As they went on I innocently said things like “how extrodinary”, “are you sure you’ve been told that correctly?”, “surely he’s to big for somenew to do that” then “does that sound like something I or anyone could do?”, “How long have I been working here and have I ever done anything like that?” when asked “are you denying it” I said “are you kidding me?” etc and again said “it sounds impossible”[1].

Yes I got away with it, but the new boss was there after very careful to stay away from me… And yes he did see it my way after reflection. However I decided it was time to move on… In my resignation letter to HR I said that the reason I was leaving was the odd behaviour of the new boss and the fantastical story he had told, and that I thought it nolonger safe to work there…

I heard some months later that the new boss had also left suddenly and very quietly and he’d been replaced by an internal promotion of a rather smart young lady, who I’d got on with quite well[2]

[1] It’s actually easier than it sounds, it requires bracing yourself against the desk then using leverage and to tip them into an unbalanced position where their inertia does the initial bit. Theres several “martial arts” that will teach you the basics judo being one. I unfortunately learnt the hard way, back in the 70’s the “sports master” at my school,

https://judoinside.com/judoka/4933/George_Glass/judo-career

Who was a lot shorter than me, and used to throw me around easily as a demonstration to others… Mind you it did come in handy for “rugby” but that as they say is a story for another day.

[2] I’m one of these people that whilst social at work, I regard my place of work as just that “a place of work”, not one where you make life long friends or have romantic relationships. I did the latter once and it did not end at all well, so lesson learned.

Clive Robinson • January 27, 2022 7:07 AM

@ John,

I still wonder why there are essentially no soft loadable micros as opposed to flash controlled micros for device control?

There used to be micros like that, if memory serves correctly Linus Torvalds of Linux fame worked for, for a while. Transmeta had a “Very Long Instruction Word”(VLIW) core the architecture of which was the same sort that gave Cray Supercomputers the performance they had. In the Transmeta hardware there was a loadable interpreter where “Complex Instruction Set Computer”(CISC) binary level instructions were converted into an optomised VLIW “Reduced Instruction Set Computer”(RISC) format which gave substantial other speed benifits.

The first target they worked on was for x86 that whe they started was actually hoplessly slow and power hungry. Unfortunately by the time Transmeta went to market Intel had woken up and addressed some but by no means all of their x86 product speed and power issues (all x86 designs these days use the same interpreter-RISC Core that Transmeta originated).

Whilst the Transmeta chip did x86 it could also do I think it was three other CPU instruction set emulations better than the actual CPU chips of the time.

But the speed and power savings margin whilst still good was nolonger enough by then, and the product became first niche then unavailable. Though both Intel and Nvida got perpetual licencing on the patents and some other of Transmeta’s IP.

Transmeta is now defunct and but a memory to a few. They got taken over by another company that hived off the IP portfolio to a venture capatalist firm about a decade to decade and a half back.

Before Transmeta there were other chip sets like that of the Transputer that could do similar.

The modern way is more generic but as about as customisable as you would want, and that is with the use of “Field Programable Gate Arrays”(FPGA). Have a look at nearly any “Software Defind Radio”(SDR) of any worth and you will find a large FPGA or three sitting in their doing the bulk of the work. Whilst you may never get to see one, Intel are putting large FPGAs in some of their server CPUs for cloud providers. In essence they form Co-Processors where algorithms can be “made in silicon”(in silico) for a five to fifty times performance boost over highly optomised software. Such chips would make ideal cores for cryptanalysis and similar activities requiring massively parallel single algorithm processing (hence they are in effect “controled” technology).

As for,

Apparently real RAM die size is much bigger than flash?

It’s a bit complicated. In essence there are three “bit storage” technologies,

1, Capacitor and FET.
2, SR NOR or NAND gate latches.
3, D-Type and similar registers.

With the size sort of increasing thus also cost as you go down the list. Oh and importantly speed and stability also increasing as you go down the list.

Flash ROM falls in the first group, however unlike DRAM which needs all sorts of extra support circuitry due to the fast discharge rate of the capacitors, F-ROM uses traped charge wells with discharge times measured in decades. But in both cases they are considered “unreliable” and slow due to having to have extra circuitry etc. The fastest and most reliable but consequently much larger storage is in “register devices” inside CPUs and in SRAM some of which have timings down in pico-seconds these days, the real big limitation on their usage is actually “the speed of light”, where 1cm of track limits things to below 10Ghz clock speed so puts significant constraints on CPU die size.

And so onto what a friend calls “The Robinson lament”,

The original IBM PCs had socketed UVROM for boot and more UVROM sockets for customization. So things just worked and kept working. The rest was booted from floppy disk so the whole device could be easily backed up and restored.

It held true for motherboards, IO boards, and onboard Hard-drive controlers untill the mid 1990s. If you look back on this blog you will find I said “95 max” but @Nick P went with “05 max” as it turns out we now know pre 05 hardware had issues. I still use 95 and earlier computers, and lament the passing of such securable technology.

The problem is large amounts of Flash ROM get in in all sorts of places you would realy not expect such as “Battery Managment Systems”(BMS). If you think back you may remember there were issues found with the “hidden BMS / controler” built into Apple’s batteries to maintain a tight grip over the very profitable upgrade&repair market. Somebody had found out you could hide sufficient data there to make malware from it a reality…

For years Russian crooks changed the hidden flash in the likes of “Memory Cards” so they appeared to be not just of greater capacity but faster speed than the manufacturer had specified[1]. Others would buy up hard drives that had been pulled due to increasing track/sector errors being reported for pennies, clear out the track defect list from the flash ROM on the controler and sell them as “discount / bankrupt” stock for upto half the price of a new drive…

Back in 2013 you may remember there were two events, firstly the Ed Snowden affair and secondly the BadBIOS and related Lenovo affair of unremovable factory installed malware for ad-ware profit on consumer grade laptops.

The Ed Snowden revelations led to a “pissing contest” between David Cameron UK Prime Minister and his “cabinet office advisors” and the UK Guardian Newspaper under Alan Rusbruger.

The result was “teedle dee and tweedle dummer” came upto London on a shopping trip from GCHQ in Cheltenham, and whilst their dropped into the Guardian basement to oversee where Apple computers were subjected to “Mass Destruction by Dremmle”. The resulting photos showed just how many onboard chips probably had Flash or similar mutable memory hidden in them.

Oh as for other Apple products, like the iPhone, it’s riddled with hidden flash, to stop people doing “service and repair” and so alowing Apple to charge three to twenty times the open market repair rate, which is a nice extra profit maker for them as it makes it effectively a “monopoly tied market” which is frowned on in many jurisdictions.

As for Lenovo they used a “hole” in the way systems boot that was a known security issue long before the IBM PC of the 1980’s and may have been what gave rise to BadBIOS (it’s certainly the way I’d prototyped “proof of concept” APT in silico).

It was actually identified as a known issue back in the decade before the first IBM PC with Apple ][ IO/Expansion slots. The same hole still exisys with UFEI, and is what Moonbounce is all about…

I guess old dogs don’t need to learn new tricks, just dress them up differently…

That said in all honesty, there is no effective way to close the hole, without major issues and very bad things arising. We know this because they were seen in the early days of commercial computing with the likes of IBM etc designing IO so that you had to buy even printers from them at vastly over inflated prices… Such “tied markets” are a compleate disaster as the latest version via “walled garden” Closed Application markets shows.

[1] In part the manufacturers were to blaim for this “Russian behaviour” because they only manufactured “premium parts” as it made inventory control easier and a lot less costly over all. But not everyone wants premium parts and certainly not at the prices asked for them. So to supply to this lower profit but substantial mass market manufacturers just downgraded the info stored in the hidden flash ROM to lower capacity and slower speed. But… it also alowed them to sell what were “manufacturing rejects” that is parts that were not upto spec or had hard defects could be turned from scrap to not just marketable but very profitable product on the “Muck to Brass” principle.