> Among the measures taken, Boss wrote that the Momentive is giving some employees new email accounts because their old ones are still inaccessible. The company notes that it is using a new domain—momentiveco.com for new email addresses rather than momentive.com.
Guessing they're not competent enough to purge their email systems of the original malware attachments nor have procedures sufficient to keep new computers from being re-encrypted.
New email domain means old emails aren't accessible.
Anecdote: In the 90s California, there was a chemical science research company, perhaps formed in the late 70s. Many scientists there had PhDs or quality Master in Chemistry, and they set out to write software to support the drug discovery, pesticide and industrial chemicals industry. The company was well-managed, and it grew. Into the 90s, the Macintosh computer got a lot of attention for graphics, while Windows was stuck at 3.x, and many of the scientists had DEC associations.
So the company had a plural, cross-platform code base in C for some of its core IP. Scientists may not write the best code, but they can write a lot of it, so the core libraries grew and grew.
In the 1997 or so time, Internet grows, VAX declines, Windows improves and pushes hard. The senior management are being tempted by the huge (at the time) money for valuation. Someone decides to take the Microsoft point of view.
There was a "global rollout" effort conceived and implemented, to switch every working piece of code to Windows , backed by fanfare and the sort of content-less cheerleading you find at an ordinary school.. matching t-shirts and good looking people there to "help" you with the transition (!) to port the code ! There was tons of it, there were build chains, there was network code. But it was the MONEY at the top, and the relentless pressure from Microsoft and affiliates, directly, at golf courses and at hotels and at the airport and in the money meetings, that greased the wheels to decide for everyone, that Windows was the standard, end of story.
Many working, carefully built products, were retired, and the team management was required to change over or else be retired also. The change happened. Within a few years (before 2000) the entire company was sold to Elsivier for three-digit millions.
postscript - a small few senior scientists did find Java when it was released, and led an effort to port certain things to Java. The web was a cacophony, and Java might have over-represented itself as far as a web-GUI and also backend. No news about the fate of that, but it was a minority effort, amongst a few who had discretionary budgets to allocate for that.
Depends on the level of trust you place into the compromised systems and your threat model.
Basically they are going down the "nuke it from orbit" route, lets say they miss a system that reinfects the rest somehow.
As for formatting windows, sadly these days that is no longer enough to be sure with a "well crafted" malware. Lets take the industry favourite laptop tracking platform CompuTrace (now named Lo-Jack iirc).
The BIOS/UEFI Module that is its heart is a small EXE that gets executed by windows on every boot (Just like the Superfish incident, though that did use a diff way to get executed on windows launch, lo-jack gets executed by windows, superfish replaced a file that would get executed).
In Lo-Jack case its a small dropper exe that then fetches the real tracking payload once the laptop connects to the internet but it can be (iirc) tricked into downloading and running any exe it likes with system priv's. A BIOS flash of a fixed BIOS is the only "fix".
But in my past I've had fun injecting stuff into and modifying BIOS's (Mainly just to unlock extra options or remove whitelists for wifi cards) and most BIOS/UEFI's these days can be flashed from within Windows. Sure to save bricking the machine you would need to get the correct BIOS for that machine but if a company puts in a purchase order for 100 office machines they are not going to differ too much.
If you have a payload running on a machine you could call home with its motherboard make, model and revision. Download the bios from the vendor, inject a payload into it, send it back to the machine, have the machine flash it in the background and using the same methods Superfish / Jo-Jack use have malware that persists though a format or even a replacement of the drive.
I'm sure we have already seen malware using these techniques already in the wild. Signed BIOS updates will protect to some degree but their have been a fair few cases of being able to bypass the sig check (which is often only done during the the read of the bios before the flash takes place).
Is it overkill? is it paranoia? Probably. It might just be simply the case that the machines were due to be replaced at some point in the near future anyway so 2 birds, one stone.
EDIT: It might of not been Lenovo's use of superfish that was installed via bios on reinstall of Windows, but their own bloatware. It replaced Microsoft's copy of autochk.exe with its own that installs other pieces of Lenovo software. After the shit hit the fan in that case, Lenovo quickly issued BIOS Updates to remove the "feature". But it goes to show how abusing the Windows Platform Binary Table can be used to inject unwanted software into a system.
Is flashing the BIOS and reformatting the machine sufficient to remove any virus that we know of currently? Or are there other hidden components that need to be cleared?
The NSA have been using Hard Drive Firmware exploits for years. Such an attack could hide malware that also survives a format[0] (Which is why I brought up a drive replacement in my prev post). I wouldn't be surprised if the same can't be done with SSD Firmware too (we have already seen people do "bad things" with USB Memory sticks [1])
Also if a full BIOS flash has been performed you might be SOL as after a power cycle the modified BIOS is now the first thing loaded by your system (Or it might be the VBIOS, its been a while.) which could prevent future flashing of the BIOS or fake the flashing process but not actually flash anything. If you have a board that can recovery flash you might be able to recover but how do you trust the system afterwards?
As the BIOS is usually stored on a SPI Flash you could use an external programmer to dump the content of the flash and do a diff on the firmware file.
You have to think about who is your attacker. Are the Kiddies going to go to such lengths to stay persistent on a consumers laptop they use as a facebook machine? Prob not. But is it outside the scope of a determined attacker (or nation state) who managed to get a first stage attack malware inside a large company? IMO it would depend on how valuable they determine access to your network / data is.
EDIT: I've not spoke about VBIOS infections as the GPU Vendors on at least modern cards have been really locking down their GPUS and as far as I've seen, I've yet to see any credible claims of attacks on GPU's in the wild (They could be out there, I've just not come across any.). But such an attack would be scary as hell (imo) as its a black box that has DMA access to the CPU (think like the Mac Thunderbolt attacks of old) and other devices on the PCI-e bus. Its one of the places I would be spending my time researching.
(at least on intel, I’ve no looked into it on AMD’s side)
Intel ME can be neutered. On newer gen’s doing so can be as simple as setting of a single flag. On older systems you can rip so much of it out that all it can do is bring up the CPU.
I would say you can still be concerned by IntelME (as it has been shown to be exploitable) but still purchase Intel/AMD. I mean who else you going to purchase from if you want an affordable x86 system?
ARM is getting more mainstream (in the laptop/desktop/server world.) and we now have fairly decently powerfully desktop/laptop arm powered machines we could actually dev on but the ARM world is still filled with binary blobs needed to get the cpu started.
Power9 has a ton of open source but the CPU’s are not. RISC-V is promising but still pricey as hell atm.
Just saying, you can be worried about ME but in a place where you are stuck with it.
Harddrive firmwares have been reverse-engineered, often are ARM-based and flashable. In principle it can be used for similar payload delivery as lo-jack.
Any PCIe device that has flashable firmware could also be used to perform DMA attacks on systems that don't use the IOMMU for memory isolation.
This is an honest question: The vast majority of malware targets Windows, so how is it acceptable security practice to run Windows as your company's main operating system?
There is a second question as to whether Windows is still inherently more susceptible to these kinds of attacks (I would guess the answer is yes), but that's kind of irrelevant. The threat exists, why wouldn't you just use Macs or Chromebooks or whatever else? Basically _anything_ other than Windows? Even in the case where you have Windows-only business critical software, just run it in a VM on something else.
This equation is lacking, since he doesn't account for the cost of ownership.
I'm moving all my people to macs from windows because the amount of lost work on windows and the amount of IT help needed is much greater for windows.
Also, the anti-virus solutions on windows, which are much more needed there[1], have gotten really terrible recently. AVG was basically making the machines useless.
[1] The standard I use for new mac users is they are not administrators, like everyone is on Windows. That prompt on windows to ask to install something that all users get numb to and say "yes"? Doesn't exist for my mac users, since they aren't admins. That alone helps in so many ways.
I feel like the people who work in this space see the post and it doesn't pass the smell test. For everyone else, I do not mind them learning the hard way why most businesses run a certain way.
The obvious answer is the tools fit their needs best. It's not like OSX is some big secret.
You don't have to be an admin on Windows, but you can't do anything if you aren't. At every company that hires me where I have to use their PC, one of the first steps is always to request admin rights, because I need to be able to install dev tools. On Linux, you can have a special user account that can only install apps, without requiring root access. I think that would go a long way to preventing this sort of ransomware.
Although losing data on a user machine should of course never be crippling to a company in the first place. Make sure everything is committed to a central location, as well as backed up at regular times.
No sane System or Windows Admin gives anyone admin rights on Windows without a very, very good reason (e.g. they are a developer and admin on their machine is a good thing). There also are very few computer uses that require local storage of any sort.
Debuggers were one one, but also some other development tools just wouldn't run unless the developer had admin. Virtualization does mitigate some stuff.
Honest question, have you tried upgrading the hardware (mainly by adding an SSD) for windows users? An SSD can make a night and day difference in performance that may invalidate your decision to move everyone to Mac.
I'd say desktop Linux is more insecure than Windows, and the only reason we don't see malware is that nobody uses it. So if high profile targets, like energy companies, started using Linux on the desktop, it may end up being worse than Windows.
> I'd say desktop Linux is more insecure than Windows, and the only reason we don't see malware is that nobody uses it. So if high profile targets, like energy companies, started using Linux on the desktop, it may end up being worse than Windows.
What's the basis for your assertion?
At the level of systems we're discussing, a Windows installation would be operated by experienced Windows administrator. Thus the appropriate comparison group for Linux would be something like a university-run supercomputing cluster. We don't often hear of these being taken over for ransom.
You do know that "desktop linux" and "server linux" are the same thing, just with different default programs and configuration styles?
I'd agree that yes, distros meant for desktop usage have less secure defaults, but that's not necessarily to say they're "less secure" if you understand how you're using them.
But Gnome runs as the currently logged in user, right? So the worst damage it can do would be to files that that user has write permissions on (ie, not system files).
Unless your entirely hypothetical scenario involves privilege escalation vulnerabilities, which I'll admit aren't unheard of in Linux but are fairly rare and usually patched within hours when they are discovered.
This is the case with the vast majority of Windows malware as well. System files aren't important; sure, you need them to run the system, but it's not like you can't reinstall. The issue is damage to user-owned files, no matter which OS you're talking about.
Imagine you're making a game that targets desktop and you can only target one platform. Do you launch on Windows, Mac, Linux, or something else? If you put personal ideology aside, it'd be Windows every time because that's where the users are. Exact same thing for malware devs.
Malware targets Windows because that's where the users are. If the majority of people swapped to e.g. Mac or whatever else, then you'd see the majority of malware start to target Mac. You even see this as smaller players increase marketshare. E.g. in 2015 Macs ran into more malware than in the 5 previous years combined. [1] There was no major discovery or anything happening. The only thing that happened was that Macs gained a decent clip of marketshare, and so became more worthwhile to target.
> Malware targets Windows because that's where the users are. If the majority of people swapped to e.g. Mac or whatever else, then you'd see the majority of malware start to target Mac.
Even if this is true, it doesn't change the calculus for the individual company. If they switched to something else while everyone else is still on Windows, now they're using something with less malware targeting it.
If everybody did that then maybe more malware would target the other thing, but that only matters if they mostly actually do and that actually causes there to be more malware than there is on Windows.
There are many reasons why companies decide to buy/stay with a certain operating system, I will list a few:
* Industry norm - In some cases, certain operating systems become a norm. Requesting someone to implement X solutions to a different operating system can cost more, have unexpected risks, etc.
* Adaptability - It is easier to hire someone to do a job in X operating system/tool if that person has a similar system at home or used it in a previous company.
* False sense of security - Transitioning to based on your rationale can mean that the business and its users will feel overconfident of their security. This can lead to increased careless mistakes.
45 comments
[ 3.7 ms ] story [ 89.5 ms ] threadThat seems excessive.
New email domain means old emails aren't accessible.
Makes me think that heterogeneity is a natural mitigator to issues like this and maybe should be embraced where possible.
So the company had a plural, cross-platform code base in C for some of its core IP. Scientists may not write the best code, but they can write a lot of it, so the core libraries grew and grew.
In the 1997 or so time, Internet grows, VAX declines, Windows improves and pushes hard. The senior management are being tempted by the huge (at the time) money for valuation. Someone decides to take the Microsoft point of view.
There was a "global rollout" effort conceived and implemented, to switch every working piece of code to Windows , backed by fanfare and the sort of content-less cheerleading you find at an ordinary school.. matching t-shirts and good looking people there to "help" you with the transition (!) to port the code ! There was tons of it, there were build chains, there was network code. But it was the MONEY at the top, and the relentless pressure from Microsoft and affiliates, directly, at golf courses and at hotels and at the airport and in the money meetings, that greased the wheels to decide for everyone, that Windows was the standard, end of story.
Many working, carefully built products, were retired, and the team management was required to change over or else be retired also. The change happened. Within a few years (before 2000) the entire company was sold to Elsivier for three-digit millions.
postscript - a small few senior scientists did find Java when it was released, and led an effort to port certain things to Java. The web was a cacophony, and Java might have over-represented itself as far as a web-GUI and also backend. No news about the fate of that, but it was a minority effort, amongst a few who had discretionary budgets to allocate for that.
Basically they are going down the "nuke it from orbit" route, lets say they miss a system that reinfects the rest somehow.
As for formatting windows, sadly these days that is no longer enough to be sure with a "well crafted" malware. Lets take the industry favourite laptop tracking platform CompuTrace (now named Lo-Jack iirc).
The BIOS/UEFI Module that is its heart is a small EXE that gets executed by windows on every boot (Just like the Superfish incident, though that did use a diff way to get executed on windows launch, lo-jack gets executed by windows, superfish replaced a file that would get executed).
In Lo-Jack case its a small dropper exe that then fetches the real tracking payload once the laptop connects to the internet but it can be (iirc) tricked into downloading and running any exe it likes with system priv's. A BIOS flash of a fixed BIOS is the only "fix".
But in my past I've had fun injecting stuff into and modifying BIOS's (Mainly just to unlock extra options or remove whitelists for wifi cards) and most BIOS/UEFI's these days can be flashed from within Windows. Sure to save bricking the machine you would need to get the correct BIOS for that machine but if a company puts in a purchase order for 100 office machines they are not going to differ too much.
If you have a payload running on a machine you could call home with its motherboard make, model and revision. Download the bios from the vendor, inject a payload into it, send it back to the machine, have the machine flash it in the background and using the same methods Superfish / Jo-Jack use have malware that persists though a format or even a replacement of the drive.
I'm sure we have already seen malware using these techniques already in the wild. Signed BIOS updates will protect to some degree but their have been a fair few cases of being able to bypass the sig check (which is often only done during the the read of the bios before the flash takes place).
Is it overkill? is it paranoia? Probably. It might just be simply the case that the machines were due to be replaced at some point in the near future anyway so 2 birds, one stone.
EDIT: It might of not been Lenovo's use of superfish that was installed via bios on reinstall of Windows, but their own bloatware. It replaced Microsoft's copy of autochk.exe with its own that installs other pieces of Lenovo software. After the shit hit the fan in that case, Lenovo quickly issued BIOS Updates to remove the "feature". But it goes to show how abusing the Windows Platform Binary Table can be used to inject unwanted software into a system.
Also if a full BIOS flash has been performed you might be SOL as after a power cycle the modified BIOS is now the first thing loaded by your system (Or it might be the VBIOS, its been a while.) which could prevent future flashing of the BIOS or fake the flashing process but not actually flash anything. If you have a board that can recovery flash you might be able to recover but how do you trust the system afterwards?
As the BIOS is usually stored on a SPI Flash you could use an external programmer to dump the content of the flash and do a diff on the firmware file.
You have to think about who is your attacker. Are the Kiddies going to go to such lengths to stay persistent on a consumers laptop they use as a facebook machine? Prob not. But is it outside the scope of a determined attacker (or nation state) who managed to get a first stage attack malware inside a large company? IMO it would depend on how valuable they determine access to your network / data is.
[0] https://www.theregister.co.uk/2015/02/17/kaspersky_labs_equa...
[1] https://www.youtube.com/watch?v=nuruzFqMgIw
EDIT: I've not spoke about VBIOS infections as the GPU Vendors on at least modern cards have been really locking down their GPUS and as far as I've seen, I've yet to see any credible claims of attacks on GPU's in the wild (They could be out there, I've just not come across any.). But such an attack would be scary as hell (imo) as its a black box that has DMA access to the CPU (think like the Mac Thunderbolt attacks of old) and other devices on the PCI-e bus. Its one of the places I would be spending my time researching.
I would say you can still be concerned by IntelME (as it has been shown to be exploitable) but still purchase Intel/AMD. I mean who else you going to purchase from if you want an affordable x86 system?
ARM is getting more mainstream (in the laptop/desktop/server world.) and we now have fairly decently powerfully desktop/laptop arm powered machines we could actually dev on but the ARM world is still filled with binary blobs needed to get the cpu started.
Power9 has a ton of open source but the CPU’s are not. RISC-V is promising but still pricey as hell atm.
Just saying, you can be worried about ME but in a place where you are stuck with it.
Any PCIe device that has flashable firmware could also be used to perform DMA attacks on systems that don't use the IOMMU for memory isolation.
There is a second question as to whether Windows is still inherently more susceptible to these kinds of attacks (I would guess the answer is yes), but that's kind of irrelevant. The threat exists, why wouldn't you just use Macs or Chromebooks or whatever else? Basically _anything_ other than Windows? Even in the case where you have Windows-only business critical software, just run it in a VM on something else.
I'm moving all my people to macs from windows because the amount of lost work on windows and the amount of IT help needed is much greater for windows.
Also, the anti-virus solutions on windows, which are much more needed there[1], have gotten really terrible recently. AVG was basically making the machines useless.
[1] The standard I use for new mac users is they are not administrators, like everyone is on Windows. That prompt on windows to ask to install something that all users get numb to and say "yes"? Doesn't exist for my mac users, since they aren't admins. That alone helps in so many ways.
How do users lose work on Windows? Just by installing garbage all over the place?
The obvious answer is the tools fit their needs best. It's not like OSX is some big secret.
Although losing data on a user machine should of course never be crippling to a company in the first place. Make sure everything is committed to a central location, as well as backed up at regular times.
I worked in bank for a while without admin. In many years, the only tool that needed admin rights to run was the Visual Studio C++ Debugger.
What's the basis for your assertion?
At the level of systems we're discussing, a Windows installation would be operated by experienced Windows administrator. Thus the appropriate comparison group for Linux would be something like a university-run supercomputing cluster. We don't often hear of these being taken over for ransom.
I don't have any basis, just what I expect. Windows has been fuzzed and reverse engineered to the moon and back. Desktop Linux? I doubt it.
I'd agree that yes, distros meant for desktop usage have less secure defaults, but that's not necessarily to say they're "less secure" if you understand how you're using them.
I trust nginx, sshd, postgres, postfix, etc. much more than I trust the gnome file manager, evince, dbus, pulse.
For every exploit that nginx currently has, there probably are a thousand lurking in gnome's file roller.
Unless your entirely hypothetical scenario involves privilege escalation vulnerabilities, which I'll admit aren't unheard of in Linux but are fairly rare and usually patched within hours when they are discovered.
https://xkcd.com/1200/
Malware targets Windows because that's where the users are. If the majority of people swapped to e.g. Mac or whatever else, then you'd see the majority of malware start to target Mac. You even see this as smaller players increase marketshare. E.g. in 2015 Macs ran into more malware than in the 5 previous years combined. [1] There was no major discovery or anything happening. The only thing that happened was that Macs gained a decent clip of marketshare, and so became more worthwhile to target.
[1] - https://www.documentcloud.org/documents/2459197-bit9-carbon-...
Even if this is true, it doesn't change the calculus for the individual company. If they switched to something else while everyone else is still on Windows, now they're using something with less malware targeting it.
If everybody did that then maybe more malware would target the other thing, but that only matters if they mostly actually do and that actually causes there to be more malware than there is on Windows.
Linux has a big ransomware problem and with inexperienced users running it, it can be easy to attack.
See: https://www.scmagazine.com/home/security-news/new-b0r0nt0k-r...
and
https://www.bleepingcomputer.com/news/security/b0r0nt0k-rans...
And Mac is certainly not immune:
https://www.cultofmac.com/416299/stealthy-malware-will-hold-...
* Industry norm - In some cases, certain operating systems become a norm. Requesting someone to implement X solutions to a different operating system can cost more, have unexpected risks, etc.
* Adaptability - It is easier to hire someone to do a job in X operating system/tool if that person has a similar system at home or used it in a previous company.
* False sense of security - Transitioning to based on your rationale can mean that the business and its users will feel overconfident of their security. This can lead to increased careless mistakes.
Talk about your nominative determinism.
Sell them on ebay after an insufficient wipe?
Rise and repeat.