barbos
Contributor
Unless flashing part of the firmware was infected as well (to prevent you from killing it by flashing).
The answer to all this is assume all drives that can be infected are, and flash them.
NSA exploits are not directed at people with your level of sophistication. They are directed at ordinary people and Islamic terrorists. People who can defeat the NSA are already working for them; are you working for the NSA?
While you can't disinfect the drive you can see the infection--the drive itself can't do any evil, it has to infect a file. AV software can see that infected file.
Think there's malware in that drive that's dropping <x> into the filesystem?
Set up a virtual machine, encrypt the drive image. From within the virtual machine copy that drive image to the suspect drive. Now compare them.
Different (other than a few bytes that will change)? You've got an evil drive. Same? It couldn't have done what you suspect.
Somebody would have blown the whistle.
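The write-then-read-back comparison described in the quoted post above, worked through as an added example (this is not code from the thread or from any of its posters). It models the check in memory: the "encrypted drive image" is stood in for by random bytes, because the point of encrypting it is that the drive's firmware cannot predict the content; the "drive" is a constructed simulation whose optional implant flips bytes; the 4 KiB block size, the tolerance for the "few bytes that will change", and every function name are this example's own assumptions.

```python
"""Block-level comparison of a known image against what a drive hands back.

Added example, not code from the thread.  The check is: write an image the
drive cannot predict (encrypted; modelled here with random bytes) to the
suspect drive, read it back, and diff.  Firmware that rewrites sectors on
the way in or out shows up as a differing block; the few bytes the poster
says "will change" are handled by a tolerance.  Everything runs in memory:
the "drive" is a constructed simulation and all names are this example's own.
"""
import hashlib
import os

# Assumption: compare at 4 KiB granularity.  Against real hardware you
# would use the drive's logical sector size and stream the image.
BLOCK = 4096


def block_digests(image: bytes, block: int = BLOCK) -> list:
    """SHA-256 of each fixed-size block; the last block may be short."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


def differing_ranges(expected: bytes, actual: bytes, block: int = BLOCK) -> list:
    """Byte ranges (offset, length) whose block digests differ, merged when
    adjacent.  Digests are used so the same loop works on streamed images."""
    if len(expected) != len(actual):
        raise ValueError("read-back length %d != written length %d"
                         % (len(actual), len(expected)))
    ranges = []
    for idx, (e, a) in enumerate(zip(block_digests(expected, block),
                                     block_digests(actual, block))):
        if e == a:
            continue
        offset = idx * block
        length = min(block, len(expected) - offset)
        if ranges and ranges[-1][0] + ranges[-1][1] == offset:
            ranges[-1] = (ranges[-1][0], ranges[-1][1] + length)  # extend run
        else:
            ranges.append((offset, length))
    return ranges


def changed_byte_count(expected: bytes, actual: bytes, ranges: list) -> int:
    """Count the bytes that actually differ inside the flagged ranges."""
    return sum(1 for off, ln in ranges
               for i in range(off, off + ln) if expected[i] != actual[i])


def judge_drive(expected: bytes, actual: bytes,
                tolerated_bytes: int = 0, block: int = BLOCK) -> dict:
    """Apply the thread's rule: same (within tolerance) -> clean, else suspect."""
    ranges = differing_ranges(expected, actual, block)
    changed = changed_byte_count(expected, actual, ranges)
    return {"ranges": ranges, "changed_bytes": changed,
            "verdict": "clean" if changed <= tolerated_bytes else "suspect"}


def simulated_drive(image: bytes, implant: dict = None) -> bytes:
    """Constructed stand-in for write-then-read-back.  A clean drive returns
    the image unchanged; the optional implant XORs non-zero bytes in at the
    given offsets, so every targeted byte is guaranteed to change."""
    buf = bytearray(image)
    for offset, payload in (implant or {}).items():
        for i, b in enumerate(payload):
            buf[offset + i] ^= b
    return bytes(buf)


def demo() -> dict:
    """Run the check once against a clean drive and once against a tampered one."""
    image = os.urandom(64 * BLOCK)  # stands in for the encrypted VM disk image
    clean = judge_drive(image, simulated_drive(image))
    tampered = judge_drive(image, simulated_drive(image, {
        3 * BLOCK + 100: b"\x90" * 16,       # constructed: 16 bytes in block 3
        3 * BLOCK + 300: b"\xcc" * 8,        # same block, so one merged range
        10 * BLOCK: b"\xff" * (2 * BLOCK),   # blocks 10-11: adjacent, merged
    }))
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdict"], result["changed_bytes"], result["ranges"])
```

The verdict deliberately reports where the image diverged, not just that it did: a handful of scattered bytes in one block and two whole rewritten blocks are different findings, and the offsets are what you would hand to whoever images the drive for forensics.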
The thing I noticed is how unimaginative and dumb some of their methods were in this particular case.
If NSA can do it, so can Russia, or China, or Iran, or ...
Whether it was illegal or not, or if some number of terrorists were caught, this news is good enough reason to take security seriously and build measures against this type of attack. I'd be very interested to know how Kaspersky lab actually figured it out, and whether the hard drive manufacturers were aware of it.
They apparently thought there were 2 actual users which were worthy enough to be ignored.
They had spent a shitload of CPU to run through a dictionary to find out that the word is "unegistered".
Then they continued for the second hash instead of trying "unegistered" in different languages, that's pretty dumb if you ask me.
Anyhow, nothing is new here. US admitted using it against Iran, and in this particular case targeted certain high value individuals only, not every single person in the world. I can't really trash NSA for that. On the other hand they knew that if they start infecting every hard drive then it would be discovered in a week or so.
Hard drive manufacturers were probably not aware of it.
Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.
...
Their incredible skills and high tech abilities, such as infecting hard drive firmware on a dozen different brands, are unique across all the actors we have seen and second to none. As we discover more and more advanced threat actors, we understand just how little we know. It also makes us reflect about how many other things remain hidden or unknown.
I was talking about Kaspersky lab, not about NSA hackers.
http://arstechnica.com/security/201...-nsa-hid-for-14-years-and-were-found-at-last/
barbos says some of their methods are unimaginative and dumb. Hmm, whose opinion do I trust in these matters?
And I provided arguments for that opinion. So stop attacking me personally and start attacking my arguments.
How ironic that the NSA is pushing us towards open source
Yes, that's what the article appears to be saying. Selling infected drives at BestBuy to everybody would not have gone unnoticed for more than a couple of months.
Unless they had some way of ensuring the infected drives only went to the guys they wanted to spy on, one sooner or later would end up in the hands of someone with the skill to figure it out and who would catch it in a security sweep.
What I meant is that precautionary flashing of the new drive may be pointless.
It would still reveal that the drive is infected. The point isn't necessarily to fix the problem; the point is to reveal the infection, recover the data to a non-vulnerable medium, and then scrap the evil drive if it can't be cleaned.
In the grand scheme of things, storage is cheap.
As for revealing it, the HD malware could lie dormant for a few months before activating itself.
It will flash and perform the task fine, but the virus would still be copied onto the new version as well.
No. Embedded systems by definition do something on the system. It's trivial to flash the drive with a firmware that does a task that proves it was flashed away successfully. If no report, then drive is evil. If report, flash with benign non-vulnerable firmware and disable future flashing.
No, it wouldn't. Viruses aren't magic; there needs to be somewhere for a virus to be copied to, and drive firmware doesn't execute on the main CPU. It can proffer itself if requested by the boot loader, but if the drive isn't loaded by the boot loader, it's SOL. All it takes in flashing the firmware is putting a firmware that has a Goldberg machine of code on it. No NSA virus can possibly analyze code, and replicate an action whose intent is unknown and unknowable, without stepping on the mass of code that it's trying to inject to. Once the firmware is flashed, you just nuke the contents of the drive. The beauty of all this is that it can be accomplished entirely from other media, or even a portable image like a bootable CD. There's literally nothing the drive can do to keep itself from getting douched out, save block firmware flashes, and that isn't an option.
I doubt NSA bugs were flashproof but it can be done.
And how do you propose it lie dormant for a few months? The closest thing it has to the ability to tell time is the time-used information in the SMART status--it has no perception of time turned off and no means of obtaining the actual time.
Actually it does have such perception, OS tells it time.
I would not bet on it.
Flashing is done by the previous firmware itself. And there is not much need for a virus to analyze anything.
New firmware is usually pretty much the same as the old one.