
charlesarthur : backdoor   7

Hacker finds hidden 'God mode' on old x86 CPUs • Tom's Hardware
Paul Wagenseil:
The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces ("userland") run in ring 3, furthest from the kernel and with the least privileges. To put it simply, Domas' God Mode takes you from the outermost to the innermost ring in four bytes.

"We have direct ring 3 to ring 0 hardware privilege escalation," Domas said. "This has never been done."

That's because of the hidden RISC chip, which lives so far down on the bare metal that Domas half-joked that it ought to be thought of as a new, deeper ring of privilege, following the theory that hypervisors and chip-management systems can be considered ring -1 or ring -2.

"This is really ring -4," he said. "It's a secret, co-located core buried alongside the x86 chip. It has unrestricted access to the x86."

The good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. The bad news is that it's entirely possible that such hidden backdoors exist on many other chipsets.

"These black boxes that we're trusting are things that we have no way to look into," he said. "These backdoors probably exist elsewhere."


It's almost certain, isn't it? If it's not the software or the firmware or the hardware, it's the software/firmware/hardware that <em>controls</em> the hardware.
security  hacking  intel  cpu  backdoor  hardware 
august 2018 by charlesarthur
Ding, ding, seconds out: It’s Law v Math • Medium
Professor Bill Buchanan:
Within new laws, his government will thus force social media and cloud service providers to hand-over encrypted messages.

When asked how this could be achieved, he said: “Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."

He then went on to say that cryptographers were the problem, and that we needed them to face up to their responsibilities, and that they just can’t wash their hands of it…

…Last year, as the UK Home Secretary outlined her plans around restrictions on end-to-end encryption, I was called by the BBC about back-doors in cryptography. As it is a subject I know well, and had even presented to a select committee in the House of Commons [here], I said I would be interested in debating the issue. They then asked if I could put forward the concept of backdoors in encryption, and I said:
"I can’t do that!"

And they said, “Well, we are really struggling to get someone to put that point, couldn’t you just outline the advantages and how it would be possible?”, and I said, “Well, most people with any technical knowledge know that it is a bad thing, and to provide an academic point-of-view I would have to be critical of it. In fact if I put forward the concept of backdoors in cryptography, I would have no credibility in my field”, and the conversation finished and they didn’t invite me on. Basically I was there to back up a politician who was on the show.


Another version of "we've had enough of experts". Love the idea of the law of the country outranking the laws of maths.
backdoor  encryption 
august 2018 by charlesarthur
Hidden backdoor found in Chinese-made equipment. Nothing new! Move along! • Bleeping Computer
Catalin Cimpanu:
DblTek stands for DBL Technology, a Hong Kong-based company that manufactures IP phones, SIM servers, various types of VoIP equipment and cross-network gateways. According to <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Undocumented-Backdoor-Account-in-DBLTek-GoIP/">a report from cyber-security firm Trustwave</a>, GoIP GSM gateways allow hidden remote Telnet access via an account named "dbladm" that provides root-level access to the device.

Unlike the default "ctlcmd" and "limitsh" Telnet accounts, the "dbladm" account is not included in the product's documentation.

While the first two use user-set passwords, the backdoor account uses a challenge-response authentication scheme. This scheme presents users with a string, on which they can perform various operations and deduce the password.

Backdoor password can be easily computed
Trustwave researchers said this scheme is very easy to reverse engineer. An attacker can create automated scripts that read the challenge, compute the response, and authenticate on the device.

Once they log in, because users have root privileges, they can take full control of the device, listen to ongoing traffic, or use the equipment for other actions, such as DDoS attacks or for relaying malicious traffic.

Researchers say they tested GoIP 8-port GSM gateways, but they suspect that GoIP 1, 4, 16 and 32-port devices are affected as well since they use the same login binary in their firmware images.


Also linked in the story: 2012 report from a former Pentagon analyst <a href="http://www.zdnet.com/article/former-pentagon-analyst-china-has-backdoors-to-80-of-telecoms/">saying China had backdoors in the equipment of 80% of the world's telecoms</a>.
china  backdoor  telnet 
march 2017 by charlesarthur
Chinese ISPs caught injecting ads and malware into web pages » The Hacker News
Rakesh Krishnan:
Chinese Internet Service Providers (ISPs) have been caught red-handed injecting advertisements as well as malware through their network traffic.

Three Israeli researchers <a href="http://arxiv.org/pdf/1602.07128v1.pdf">uncovered</a> that the major Chinese-based ISPs named China Telecom and China Unicom, two of Asia's largest network operators, have been engaged in an illegal practice of content injection in network traffic.

Chinese ISPs had set up many proxy servers to pollute the client's network traffic not only with insignificant advertisements but also malware links, in some cases, inside the websites they visit.

If an Internet user tries to access a domain that resides under these Chinese ISPs, the forged packet redirects the user's browser to parse the rogue network routes. As a result, the client's legitimate traffic will be redirected to malicious sites/ads, benefiting the ISPs.
backdoor  china 
march 2016 by charlesarthur
The three-prong backdoor test » Zdziarski's Blog of Things
Jonathan Zdziarski on the suggestions (by some) that hey, Apple's and Microsoft's and Google's "software updates" are really backdoors because, hey, they can change stuff:
Any kind of automated update task on a computer is capable of introducing new code into the environment, but that is not what constitutes a backdoor. I’ve thought about this at length, and come up with a three-prong test to determine whether or not a mechanism is a backdoor. There has thus far not been a widely accepted definition of what a backdoor is, and so I hope you’ll consider its adoption into best practices for making such determinations, and welcome your input. The three prongs I propose are “consent”, “intent”, and “authenticity” (or: control).


In the hydra-headed debate around Farook's damn iPhone 5C, Zdziarski has posed and answered some of the best questions. If you're interested in security topics, I highly recommend his blog.
apple  fbi  encryption  backdoor 
february 2016 by charlesarthur
'Unauthorized code' that decrypts VPNs found in Juniper's ScreenOS » The Register
Simon Sharwood:
Juniper Networks has admitted that “unauthorized code” has been found in ScreenOS, the operating system for its NetScreen firewalls.

The code “could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”

And on The Register's reading of the situation, the unauthorised code may have been present since 2008, an assertion we make because Juniper's <a href="http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554">notice</a> about the problem says it impacts ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. ScreenOS 6.2 was released in 2008. ScreenOS 6.3 came out in 2009.

We've asked Juniper if it has any theories about the origin of the code and have been told the company has nothing to say on the matter beyond the post we've linked to above and canned statements from its PR team.

Just what happened is therefore obscure for now, but the obvious scenarios aren't good news for Juniper.


Or, indeed, its customers. Two views on this: (1) shows terrible effects of having backdoors because it means those "knowledgeable attackers" can read everything; (2) what effects has it had, exactly?
juniper  firewall  backdoor 
december 2015 by charlesarthur
CoolReaper revealed: a backdoor in Coolpad Android devices >> Palo Alto Networks Blog
Claud Xiao and Ryan Olson:
Coolpad is the sixth largest manufacturer of smartphones in the world, and the third largest in China. We recently discovered that the software installed on many of Coolpad’s high-end Android phones includes a backdoor which was installed and operated by Coolpad itself. Today we released a <a href="https://www.paloaltonetworks.com/resources/research/cool-reaper.html">new report</a> detailing the backdoor, which we’ve named “CoolReaper.”
After reviewing Coolpad complaints on message boards about suspicious activities on Coolpad devices, we downloaded multiple copies of the stock ROMs used by Coolpad phones sold in China. We found the majority of the ROMs contained the CoolReaper backdoor.

CoolReaper can perform the following tasks:
• Download, install, or activate any Android application without user consent or notification
• Clear user data, uninstall existing applications, or disable system applications
• Notify users of a fake over-the-air (OTA) update that doesn’t update the device, but installs unwanted applications
• Send or insert arbitrary SMS or MMS messages into the phone
• Dial arbitrary phone numbers
• Upload information about the device, its location, application usage, calling and SMS history to a Coolpad server


Fabulous! All that extra software for no charge! (Coolpad is on sale in the west, by the way.)

They say it's specifically tailored to hide what it does, and that Coolpad has ignored customer complaints about unwanted app installs. Their conclusion:
CoolReaper is the first malware we have seen that was built and operated by an Android manufacturer. The changes Coolpad made to the Android OS to hide the backdoor from users and antivirus programs are unique and should make people think twice about the integrity of their mobile devices.
coolpad  backdoor  android 
december 2014 by charlesarthur
