Date: 2014-08-02
By Joseph Menn
SAN FRANCISCO, Aug 1 - A multi-year effort to
prevent hackers from altering computers while they boot up has
largely failed because of lax application of preventive steps,
researchers say, despite disclosures that flaws are being
exploited.
In the latest sign that the problem persists, researchers at
the federally funded MITRE lab said this week that many
customers of Intel Corp still had not adopted revised
security designs Intel distributed in March after the MITRE team
found new vulnerabilities in the start-up process.
That could mean many newer Windows computers remain exposed,
the MITRE team told Reuters ahead of a presentation at the Black
Hat security conference in Las Vegas next week.
Intel's point person on the issue, Bruce Monroe, said he did
not know how many suppliers and computer makers had followed
Intel's recommendations.
"We're not privy to whether they've fixed it or not," Monroe
said. "We asked them to let us know."
The stubborn glitches illustrate how such well-funded
spying programs as those exposed by former National Security
Agency contractor Edward Snowden can continue to succeed against
targets that depend on a complex supply chain.
Long before Snowden's documents began appearing in the media,
professional technicians and U.S. officials were concerned about
the vulnerabilities that left computers severely exposed as they
are turned on.
Years ago, then-U.S. National Security Agency Director Keith
Alexander privately urged the chief executives of major American
technology companies to do something about the boot-up procedure
known as the Basic Input/Output System, or BIOS. BIOS relies on
firmware, or permanent software that ships with computers.
Because the start-up code is given more authority than the
operating system, hackers who break into that code can make
major changes to programs and hide evidence of their presence.
Lodging there also all but guarantees what the security industry
calls persistence - the ability to remain inside even after a
computer is turned off and rebooted.
Intel, Microsoft Corp and other companies promoted
a successor system known as the Unified Extensible Firmware
Interface that includes a feature called "secure boot," which
checks for digital signatures before running code. Microsoft's
Windows 8 operating system has embraced UEFI and secure boot,
bringing the hardened approach to more than 60 million new
computers.
Even as that rollout was accelerating, though, evidence
accumulated that attacks similar to those theorized by
researchers were actually under way.
In 2011, several research firms identified one such piece of
malicious software, called Mebromi, that primarily attacked
Chinese computers with a type of BIOS from leading supplier
Phoenix Technologies Ltd.
Early last year, Reuters saw a catalogue from a U.S. defense
contractor that included a product, offered at more than
$100,000, for incapacitating target computers by attacking BIOS
and other critical elements.
And in December, Der Spiegel reported that a leaked internal
NSA catalogue described a tool called DeityBounce that attacked
the BIOS of Dell Inc servers.
That came months after a presentation at last year's Black
Hat security conference in which MITRE researchers including
Corey Kallenberg and Xeno Kovah broke into Dell's boot-up
process.
In a joint interview, Kallenberg and Kovah said that in the
year since that talk, they had deployed sensors to about 10,000
computers to determine whether boot-ups were still vulnerable to
that flaw or related issues. As of last month, 55 percent of
them still were.
But the actual percentage of vulnerable machines in the
world is even higher, because the MITRE group has not been
checking for flaws stemming from the issues it found more
recently with Intel's old UEFI guidelines, which permitted an
attack through memory corruption.
"That number is going to go up a lot," Kovah said of the
percent of affected computers.
Intel's Monroe said that although his company, the BIOS
makers and most of their customers were not used to distributing
and installing fixes, improvements were coming, starting with a
fledgling industry-wide incident response team led by Phoenix.
Kallenberg and Kovah said it would help if the National
Institute of Standards and Technology moved beyond general
warnings and provided links to verified fixes.
(Reporting by Joseph Menn; Editing by Ken Wills)