[nylug-talk] Free Rootkit with Every New Intel Machine (fwd)
H. G.
tekronis at gmail.com
Sat Jun 9 19:47:01 EDT 2007
On 6/9/07, Jay Sulzberger <jays at panix.com> wrote:
>
>
>
> ---------- Forwarded message ----------
> Date: Mon, 28 May 2007 14:08:45 +1200
> From: Peter Gutmann <pgut001 at cs.auckland.ac.nz>
> To: cryptography at metzdowd.com
> Subject: Free Rootkit with Every New Intel Machine
>
> (Forwarded with permission from a NZ security mailing list, some portions
> anonymised)
>
> -- Snip --
>
> [...] a register article saying Intel released its new platform Centrino Pro
> which includes Intel Active Management 2.5. An article with some more info is
> here:
>
>
> http://www.newsfactor.com/news/Intel-Debuts-Fourth-Gen-Centrino-Tech/story.xhtml?story_id=0210025GSEV9
>
> It got me interested, so I started taking a look around. Intel has some good
> info here:
>
> http://softwarecommunity.intel.com/articles/eng/1032.htm
>
> And for all of you in the Web 2.0 generation with short attention spans for
> reading the doc, here is a video that explains it all. I found myself getting
> more and more concerned the further it went:
>
> http://softwarecommunity.intel.com/videos/home.aspx?fn=1066
>
> Essentially, all new Intel machines (and a number of current Intel servers)
> come with free hardware rootkit functionality, which is operational and
> accessible when the machine is powered off, and in the case of laptops, even
> when they are unplugged and powered off.
>
> There is the mention of code signing, TLS and PKI magic to allay your security
> concerns however...
>
> There are a few new things with this that go beyond generic remote IP KVM:
>
> - NIC based TCP/IP filters configurable remotely
> - Handy magic bypass for TCP/IP filters [1]
> - Remote BIOS updates over the network
> - Remote IDE redirection, as in boot off CDROM over the network
> - Persistent storage even if you change hard disks
> - It doesn't appear to have a method for disabling it (well, I can't find
>   anything about it, seems crazy if there isn't)
> - Built-in, on chip. I can understand a decent size company wanting IP-KVM.
>   But I don't want my personal laptop with IP-KVM.
> - Authentication can be done on Kerberos. We're talking AD.
> - Built in web interface on every machine (port 16994)
> - handy well documented SDK for building whatever you need to interact with
>   this
> - ...
>
> This is clearly an awesome management tool. Being able to update your
> antivirus while your machine is disconnected from the network is helpful.
> Being able to id all your assets even though they are powered off is great. My
> concerns are around doomsday scenarios like the below:
>
> Worm is released that gets a domain admin account, worm sets up floppy booting
> across the network, floppy is boot-and-nuke [2]. Worm reboots every server in
> the company and securely wipes them with single pass. Worm then updates bios
> on every machine to broken state, enables TCP/IP filters to prevent the NIC
> from being used to talk to the OS ever again, then disables the AMT.
>
> Note, this is OS agnostic, will take out your OSX, Windows and Linux boxen.
> The hardware would probably be rendered useless, barring opening up the box
> and flipping some jumpers or replacing something. A smart user noticing the
> reboot and noticing the disk was being wiped (assuming you didn't change dban
> to say "now making your computer faster by optimizing the cache flux
> capacitor") would have to unplug power and network to stop it, which is harder
> if you're a laptop user with wireless.
>
> </end is nigh rant>
>
> While parts of this are possible now, it's just not nearly as powerful or
> ubiquitous.
>
> [1] TCP-over-Serial-over-LAN
> http://softwarecommunity.intel.com/articles/eng/1222.htm
> [2] http://dban.sourceforge.net/
>
> -- Snip --
I've been advocating a return to the abacus for a while now, but no one
would listen to me.
Perhaps now they will!
The Abacus! The most secure computer ever, and the *only* one you'll ever
need!
Oh, look at the time! It's high time for me to go compile the latest
kernel. I'll see you in 6 months.
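The forwarded post lists AMT's network-facing pieces (a built-in web interface on port 16994, Serial-over-LAN, IDE redirection, remotely configurable NIC filters) but leaves open the practical question of how you would tell whether a machine in front of you is actually exposing them. The following is an added example, not code from the post, from Peter Gutmann, or from Intel: a small Python probe for the AMT listening ports. Port 16994 is the one the post names; 16992, 16993 and 16995 are the standard AMT port assignments. The HTTP `Server:` banner text and the sample replies in `SAMPLE_REPLIES` are constructed for this example (the assumption being that an AMT web listener identifies itself with "Active Management Technology" in that header).

```python
# Added example (not from the post or from Intel): probe a host for exposed
# Intel AMT listeners.  Port 16994 is named in the post; the others are the
# standard AMT port assignments.  The Server banner text and SAMPLE_REPLIES
# below are constructed for this example (assumption: an AMT web listener
# identifies itself with "Active Management Technology" in its Server: header).
import socket
from typing import Callable, Dict, Optional

AMT_PORTS: Dict[int, str] = {
    16992: "web UI / WS-Management (HTTP)",
    16993: "web UI / WS-Management (HTTPS)",
    16994: "SOL / IDE-R redirection (plain)",   # the post's [1] bypass rides on this
    16995: "SOL / IDE-R redirection (TLS)",
}
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: amt\r\n\r\n"


def amt_server_header(response: bytes) -> Optional[str]:
    """Return the Server: header value if it identifies Intel AMT, else None."""
    head = response.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            text = value.strip().decode("latin-1", "replace")
            return text if "active management technology" in text.lower() else None
    return None


def probe_port(host: str, port: int, timeout: float = 2.0,
               connector: Callable = socket.create_connection) -> str:
    """Classify one port as 'closed', 'open' or 'amt:<banner>'.  Only the
    plaintext web port is asked for a banner; the others are just connected."""
    try:
        sock = connector((host, port), timeout)
    except OSError:
        return "closed"
    try:
        if port != 16992:
            return "open"
        sock.sendall(HTTP_PROBE)
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
        banner = amt_server_header(data)
        return f"amt:{banner}" if banner else "open"
    except OSError:
        return "open"   # accepted the connection but would not talk: still a listener
    finally:
        sock.close()


def scan_host(host: str, timeout: float = 2.0,
              connector: Callable = socket.create_connection) -> Dict[int, str]:
    """Probe every AMT port on one host."""
    return {p: probe_port(host, p, timeout, connector) for p in AMT_PORTS}


def exposed(results: Dict[int, str]) -> bool:
    """True if any management or redirection listener answered."""
    return any(state != "closed" for state in results.values())


# Constructed offline sample: 16992 answers like an AMT web UI, 16994 accepts
# the connection silently, the TLS ports refuse.
SAMPLE_REPLIES: Dict[int, bytes] = {
    16992: (b"HTTP/1.1 200 OK\r\n"
            b"Server: Intel(R) Active Management Technology 2.5.0\r\n"
            b"Content-Length: 0\r\n\r\n"),
    16994: b"",
}


class _FakeSock:
    def __init__(self, reply: bytes):
        self.reply = reply
    def sendall(self, data: bytes):
        pass
    def recv(self, n: int) -> bytes:
        chunk, self.reply = self.reply[:n], self.reply[n:]
        return chunk
    def close(self):
        pass


def fake_connector(address, timeout=None) -> _FakeSock:
    """Stand-in for socket.create_connection that serves SAMPLE_REPLIES."""
    port = address[1]
    if port not in SAMPLE_REPLIES:
        raise ConnectionRefusedError(port)
    return _FakeSock(SAMPLE_REPLIES[port])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = scan_host(sys.argv[1])            # real scan of one host
    else:
        results = scan_host("sample", connector=fake_connector)
    for port, state in results.items():
        print(f"{port} {AMT_PORTS[port]:32} {state}")
    print("AMT exposed" if exposed(results) else "no AMT listener found")
```

Run it with a host name or address to scan a real machine; with no argument it runs against the constructed sample. A "closed" result on all four ports means no AMT listener answered from where you are standing, not that AMT is absent: the post's own point is that the firmware may be listening only when the box is off, or may be reachable only through the filters it is allowed to set for itself.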