Oracle’s CSO wrote a blog (since removed but saved for posterity; see link below) lamenting the fact that their customers took the time and effort to discover zero-day security
vulnerabilities in their software and embarrassed Oracle by publicly disclosing the facts if Oracle did not respond to the information.
Epic Fail
http://seclists.org/isn/2015/Aug/4
Patrick
From: Devon M T Loffreto
Sent: Wednesday, August 19, 2015 6:46 PM
To: T.Rob
Cc: ProjectVRM list
Subject: Re: [projectvrm] Vendor entitlement run amok
TRob,
Agree with you in full. What can a little acronym do about it?
VRM is not turning into anything... it's just a lightning rod.
At the base are people...engineers in some cases... each with personal context and motivations...and increasingly, given the nature of participation in the "market", one must consider whether sharing specific strategies protecting Individual
participation is smart.
My question: when does the "market" begin?
These abuses to some, capabilities to others, have their own origin story wired so deeply into the fabric of Society, how can any business pitch a fix with a straight face...knowing they are building solutions on a foundation that introduces
the problem at a root much more deeply impactful than any business outcome can pursue?
It's 2015... people are just waking up to the fact that they are leveraged data. In retrospect... that's not real positive... forward moving... the question revolves around what people do about it... meaningful or meaningless conversations
may now ensue...
Clue: when do you (human) first become data? What is your root structure?
On Wed, Aug 19, 2015 at 12:02 PM, T.Rob wrote:
My main issue with vendors turning us into instrumented data sources isn't
the data so much as the lack of consent. My Fitbit knows a lot about me but
it's an add-on that I self-selected and it provides value to me. The
tracking in my browser is not something I can easily avoid since the browser
is now an integral part of my life. Between those extremes there are lots of
IoT devices that you can currently choose a private version but where that
choice is rapidly disappearing. You can still buy a dumb light switch but
not a dumb car, for example. Your shiny new GT phones home.
Among the vendors who seem to feel an entitlement to our data is Microsoft,
whose Windows 10 is basically a box of spyware disguised as a
user-productivity-gaming-and-cat-video-watching platform. I've already
written about the issues there, how to mitigate them, and the disheartening
number of those "features" that can't be disabled. Yet as bad as all that
is, this latest revelation still managed to surprise me across several
metrics: the lack of consent, the extent of the invasion, the degree of
exposure, the fact that it's already been exploited to infect user devices,
the fact that the entity who exploited it is a "legitimate" vendor, and the
fact that said "legitimate" vendor egregiously exposed the exploit to the
Internet.
Ars Technica is reporting that Microsoft has included in Windows 8 and above
the ability to load executables from the device firmware. This means that
even a clean install of Windows on wiped hard drives will run the
executables from the firmware. This is intended for anti-theft protection
which is generally exposed to the user in the BIOS and can be disabled.
However, Lenovo used it to load software that reports information about the
device, downloads executables over the Internet and installs them into
Windows, overlays some of Microsoft's system files, is riddled with bugs
such as buffer overflow, updates itself insecurely, and does all this over
plaintext HTTP connections.
http://iopt.us/1LkR5D2
http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/
The design of the firmware executable injection features to support
anti-theft has always been a compromise. We give up some security in the OS
and firmware to get the ability to retrieve/wipe the PC if it is stolen or
lost. However, it opens the possibility of malware taking up residence in
the hardware and there are examples of this being exploited. The delta in
difficulty between stealing a laptop versus exploiting the firmware
bootloader injection results in this feature being a net security benefit
but not by a very big margin. Should it become easier to exploit the
firmware bootloader injection, this could turn very bad, very fast.
Microsoft and Lenovo, in stunning examples of the pervasive attitude of
vendor entitlement, significantly reduced the degree of difficulty for
exploiting firmware bootloader injection to where any script kiddie can root
the device. Worse, it was done without the ability for the user to disable
it. The patch released by Lenovo reportedly disabled the function but even
people comfortable using the BIOS setup will have difficulty disabling it.
Microsoft has effectively weaponized firmware bootloader injection.
Lenovo has not only exploited it, but their code is so incompetent as to
make a new class of vulnerability available remotely, anonymously, and with
almost no skill requirement whatsoever.
In terms of privacy invasion, this is not a difference in degree. It's a
difference in kind. It's a new line that has been crossed and which, due to
the technical complexity of explaining the risk to regular folks, will fly
completely under the radar. It's custom-designed to root your device without
knowledge, consent, or recourse, so functional that "legitimate" vendors
apparently find malicious uses irresistible, and impossible to constrain to
"legitimate" vendors. If you have a Lenovo PC today and haven't disabled
this "feature", all sorts of uninvited guests can come camping out in your
firmware and you won't be able to kick them out. If you have any other brand
of device running Windows, well it's just a matter of time now.
But try telling any vendor - or your representative - that just because we
can doesn't mean we should. Nobody treats this as a privilege. Access to our
data and the internals of our devices is assumed to be an entitlement, even
when the implementations are clearly incompetent and capable of causing
significant emotional, financial, and even physical harm to the owner of the
device or user of the service.
So let's say there's a vendor with retail customers who wants to improve
their profitability. Do they consult with the merry band of VRM minstrels?
Why should any vendor treat unlimited and intimate access to us as a
privilege when the competition sees it as a right, capably exploits it, and
the current regulatory regime fully supports that approach? VRM doesn't
become mainstream until there's a line imposed by the market such that
vendors need a way to remain competitive without crossing it. Not only are
vendors crossing that line today, they are having long jump competitions to
see who can go the furthest, and then advancing the line while we aren't
looking.
Blogged here:
http://iopt.us/1NuI0Y2
https://ioptconsulting.com/vendor-entitlement-run-amok/
Kind regards,
-- T.Rob
T.Robert Wyatt, Managing partner
IoPT Consulting, LLC
+1 704-443-TROB (8762) Voice/Text
https://ioptconsulting.com
https://twitter.com/tdotrob
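As an added, defender-side example that is not part of this thread and not code from T.Rob, Lenovo, Microsoft or Ars Technica: the boot-time mechanism T.Rob describes (Windows running an executable supplied by the firmware even after a clean install) is, to my knowledge, the Windows Platform Binary Table, an ACPI table through which firmware points Windows at a binary to run during boot. The PowerShell script below assumes that table name, Microsoft's documented field layout for it, the documented `kernel32` firmware-table APIs, and the documented drop location `System32\wpbbin.exe`; it reports whether the firmware on the current machine advertises such a table, which OEM the table names, what it points at, and, if the binary has already been written to System32, who signed it and its SHA-256 hash. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original thread): enumerate the ACPI tables the
# firmware hands to Windows, look for the platform-binary table that tells
# Windows to run a firmware-supplied executable at boot, and report what it
# points at. Table name, field layout and file name are assumptions taken from
# Microsoft's public WPBT documentation. Run as Administrator.

Add-Type -Namespace Fw -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

$ACPI = 0x41435049   # provider signature 'ACPI' as documented for GetSystemFirmwareTable

function Get-AcpiTableIds {
    # Returns the raw DWORD id of every ACPI table the firmware exposes,
    # keyed by its four-character signature, so the id can be passed back
    # to GetSystemFirmwareTable exactly as the API returned it.
    $needed = [Fw.Native]::EnumSystemFirmwareTables($ACPI, $null, 0)
    if ($needed -eq 0) { return @{} }
    $buf = New-Object byte[] $needed
    [void][Fw.Native]::EnumSystemFirmwareTables($ACPI, $buf, $needed)
    $ids = @{}
    for ($i = 0; $i + 4 -le $needed; $i += 4) {
        $sig = [Text.Encoding]::ASCII.GetString($buf, $i, 4)
        $ids[$sig] = [BitConverter]::ToUInt32($buf, $i)
    }
    return $ids
}

function Get-AcpiTable([uint32]$TableId) {
    # Fetches one ACPI table as a byte array (null if the firmware has none).
    $needed = [Fw.Native]::GetSystemFirmwareTable($ACPI, $TableId, $null, 0)
    if ($needed -eq 0) { return $null }
    $buf = New-Object byte[] $needed
    [void][Fw.Native]::GetSystemFirmwareTable($ACPI, $TableId, $buf, $needed)
    return $buf
}

function Read-AsciiField([byte[]]$Bytes, [int]$Offset, [int]$Length) {
    ([Text.Encoding]::ASCII.GetString($Bytes, $Offset, $Length)).Trim([char]0).Trim()
}

$ids = Get-AcpiTableIds
if (-not $ids.ContainsKey('WPBT')) {
    "No platform binary table advertised by the firmware."
} else {
    $t = Get-AcpiTable $ids['WPBT']
    # Assumed layout: standard 36-byte ACPI header (OEM id at +10, OEM table id
    # at +16), then +36 UINT32 image size, +40 UINT64 physical address of the
    # image, +48 UINT8 content layout, +49 UINT8 content type,
    # +50 UINT16 command-line length in bytes, +52 UTF-16 command line.
    $cmdLine = ''
    if ($t.Length -gt 52) {
        $cmdLen = [Math]::Min([int][BitConverter]::ToUInt16($t, 50), $t.Length - 52)
        $cmdLine = ([Text.Encoding]::Unicode.GetString($t, 52, $cmdLen)).TrimEnd([char]0)
    }
    [pscustomobject]@{
        OemId         = Read-AsciiField $t 10 6
        OemTableId    = Read-AsciiField $t 16 8
        ImageSize     = [BitConverter]::ToUInt32($t, 36)
        ImagePhysAddr = '0x{0:X}' -f [BitConverter]::ToUInt64($t, 40)
        ContentLayout = $t[48]
        ContentType   = $t[49]
        CommandLine   = $cmdLine
    } | Format-List
}

# Windows writes the advertised image to System32 and runs it during boot.
# If it is present, record the signer and hash so later changes can be spotted.
$bin = Join-Path $env:SystemRoot 'System32\wpbbin.exe'
if (Test-Path $bin) {
    Get-AuthenticodeSignature $bin |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
    Get-FileHash -Algorithm SHA256 $bin | Select-Object Hash
}
```

A table being present is not by itself evidence of the Lenovo behaviour described in the thread; OEMs ship such tables for the anti-theft use T.Rob mentions. What the output gives a defender is attribution (the OEM fields and the signer of the dropped binary) and a baseline hash to compare against after firmware updates, so that an unexpected change in the binary or its signer stands out. Whether the feature can be switched off is, as the thread notes, a firmware-setup question that varies by vendor.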