Hacking Microprocessor Chip

April 18, 2008

FRONTIER : Hacking Microprocessor Chip

Malicious microprocessor opens new doors for attack

By Robert McMillan,

IDG News Service

April 15, 2008

http://www.networkworld.com/news/2008/041508-malicious-microprocessor-opens-new-doors.html

For years, hackers have focused on finding bugs in computer software that give them unauthorized access to computer systems, but now there's another way to break in: Hack the microprocessor.

On Tuesday, researchers at the University of Illinois at Urbana-Champaign demonstrated how they altered a computer chip to grant attackers back-door access to a computer. It would take a lot of work to make this attack succeed in the real world, but it would be virtually undetectable.

To launch its attack, the team used a special programmable processor running the Linux operating system. The chip was programmed to inject malicious firmware into the chip's memory, which then allows an attacker to log into the machine as if he were a legitimate user. To reprogram the chip, researchers needed to alter only a tiny fraction of the processor circuits. They changed 1,341 logic gates on a chip that has more than 1 million of these gates in total, said Samuel King, an assistant professor in the university's computer science department.

"This is like the ultimate back door," said King. "There were no software bugs exploited."

King demonstrated the attack on Tuesday at the Usenix Workshop on Large-Scale Exploits and Emergent Threats, a conference for security researchers held in San Francisco.

His team was able to add the back door by reprogramming a small number of the circuits on a LEON processor running the Linux operating system. These programmable chips are based on the same Sparc design that is used in Sun's midrange and high-end servers. They are not widely used, but have been deployed in systems used by the International Space Station.

In order to hack into the system, King first sent it a specially crafted network packet that instructed the processor to launch the malicious firmware. Then, using a special login password, King was able to gain access to the Linux system. "From the software's perspective, the packet gets dropped... and yet I have full and complete access to this underlying system that I just compromised," King said.

The researchers are now working on tools that could help detect such a malicious processor, but there's a big problem facing criminals who would try to reproduce this type of attack in the real world. How do you get a malicious CPU onto someone's machine?

This would not be easy, King said, but there are a few possible scenarios. For example, a "mole" developer could add the code while working on the chip's design, or someone at a computer assembly plant could be paid off to install malicious chips instead of legitimate processors. Finally, an attacker could create a counterfeit version of a PC or a router that contained the malicious chip.

"This is not a script kiddie attack," he said. "It's going to require an entity with resources."

Though such a scenario may seem far-fetched, the U.S. Department of Defense (DoD) is taking the issue seriously. In a February 2005 report, the DoD's Defense Science Board warned of the very attack that the University of Illinois researchers have developed, saying that a shift toward offshore integrated circuit manufacturing could present a security problem.

There are already several examples of products that have shipped with malicious software installed. In late 2006, for example, Apple shipped Video iPods that contained the RavMonE.exe virus.

"We're seeing examples of the overall supply chain being compromised," King said. "Whether or not people will modify the overall processor designs remains to be seen."

AWARENESS : Less People Ready to Reveal Their Password

Women 4 times more likely than men to give passwords for chocolate

Infosecurity Europe

16 Apr 2008

http://www.infosec.co.uk/page.cfm/Action=Press/PressID=1071

A survey by Infosecurity Europe (www.infosec.co.uk) of 576 office workers have found that women far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password, to strangers masquerading as market researches with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.

This year's survey results were significantly better than previous years. In 2007 64% of people were prepared to give away their passwords for a chocolate bar, this year it had dropped to just 21% so at last the message is getting through to be more infosecurity savvy. The researchers also asked the office workers for their dates of birth to validate that they had carried out the survey here the workers were very naïve with 61% revealing their date of birth. Another slightly worrying fact discovered by researchers is that over half of people questioned use the same password for everything (e.g. work, banking, web, etc.)

"Our researchers also asked for workers names and telephone numbers so that they could be entered into a draw to go to Paris, with this incentive 60% of men and 62% of women gave us their contact information", said Claire Sellick, Event Director, Infosecurity Europe.

As she revealed her details to our researchers one woman said, "even though I have just been to Paris for the weekend I would love to go again." Sellick continued, "that promise of a trip could cost you dear, as once a criminal has your date of birth, name and phone number they are well on the way to carrying out more sophisticated social engineering attacks on you, such as pretending to be from your bank or phone company and extracting more valuable information that can be used in ID theft or fraud."

Workers were also queried about their use of passwords at work, half said that they knew their colleagues passwords and when asked if they would give their passwords to someone who phoned and said they were from the IT department, 58% said they would. Researchers also asked workers if they thought other people in their company knew their CEO's password. 35% them thought that someone else did with Personal Assistants and IT staff being the most likely suspects.

"This research shows that it's pretty simple for a perpetrator to gain access to information that is restricted by having a chat around the coffee machine, getting a temporary job as a PA or pretending to be from the IT department." Sellick continued, "This type of social engineering technique is often used by hackers targeting a specific organisation with valuable data or assets such as a government department or a bank."

One man said, `I work for a government department, I would never give my password to anyone else, it could cost me my job'.

Most people used only one (31%), two (31%) or three (16%) passwords at work, but a few poor souls had to use as many as 32! It was also found that 43% of people rarely or never change their password which is very poor security practice.

After the survey was completed, each worker was told `We do not really want your personal information this is part of an exercise to raise awareness about information security as part of Information Security Awareness Week which runs from the 21-25 April 2008. We will tabulate results to find out how good people are at securing their information.' At this one man told one of our pretty researchers you look so well dressed and honest I did not think you could be a criminal, which was a sentiment echoed by many others.

Top

SIDE EFFECT : Windows Vista update 'kills' USB devices

By Kelly Fiveash

16th April 2008

http://www.theregister.co.uk/2008/04/16/vista_defender_sp1/

Microsoft has admitted it is investigating reports that a recent Windows Vista security update causes havoc with some USB devices, but the software giant is yet to provide a fix for the cock-up.

The Windows Defender update was released last week, but some unfortunate Vista customers have claimed that their USB mice and keyboards among other devices refuse to work after the update is installed on their computers.

One reader told The Register that he gave up after several frustrating attempts to remove the erroneous update.

Microsoft had released the update to plug a security hole in its spyware blocker Windows Defender. The company said in a statement today:

"We are aware of concerns that a recent Microsoft update may be causing problems with USB devices. We are investigating the matter, and at this time, do not have any information to share."

Yesterday, meanwhile, Microsoft finally pumped out Vista service pack one (SP1) in the remaining 31 languages available as a manual download via its Windows Update site.

However, the automatic version of the download remains missing in action. Redmond had chalked mid-April as the date when SP1 would start downloading onto computers across the world.

Now Microsoft has been forced to admit that it has once again missed a crucial service pack deadline.

The true fun will start when computers begin receiving the automatic SP1 update, so why is Microsoft delaying getting the party started?

A spokesman at the firm told El Reg: "Microsoft wants to ensure customers have the best possible experience with Windows Vista, including installing SP1; this has always been the priority. Until SP1 is automatically distributed via Windows Update, consumers are able to download SP1 manually using Windows Update."

Elsewhere in Microsoft land, rumours are wildly scurrying through the interweb suggesting that Windows XP SP3 could throw its anchor overboard with a release to manufacturers on 21 April followed by a general release a week later.

That's news that is likely to satisfy plenty of people who have decided to swerve Microsoft's unloved Vista in favour of soldiering on with XP until the arrival of Windows 7; the momentous occasion which some, including BillyG himself, hint could come as early as the second half of next year.

WARNING : Government issues threat note on Windows, Apple

17 Apr, 2008

Niranjan Bharati, TNN

http://economictimes.indiatimes.com/articleshow/msid-2957870,prtpage-1.cms

NEW DELHI: Be extremely careful while using latest Microsoft and Apple software as your system could be hacked! The government has issued a high-security threat note against popular applications including Windows Vista, XP, Windows 2000, Windows Server 2003, Windows Server 2008, Microsoft Project Microsoft Visio Internet Explorer and the Quicktime software from Apple as they have been found highly vulnerable to virus attacks.

According to the note prepared by the department of information technology (DIT), hackers may steal any information from systems using these software leading to financial and data frauds.

The vulnerabilities may lead to phishing (financial loss), spoofing (identity theft) and ultimately a crash of the system, the note said. The DIT has asked users to take protective measures against such attacks. An email query on the gravity of the problem sent by ET to Apple Computers did not get a response. Microsoft, on the other hand, has officially acknowledged vulnerability of its Project 2000, 2002 and 2003 applications apart from those of Windows XP, Windows Server 2003, Windows Server 2008 and Windows Vista, according to information available on the company's official website.

It has, however, said that Project server 2003 and Project 2007 are not affected by the attacks.

Interestingly, the computer emergency response system (CERT)—the cyber security department of DIT— has refrained from giving its own technical suggestions to users on tackling the problem. While the CERT usually comes up with possible solutions on such occasions, this time it has asked users to apply the latest security techniques suggested by Microsoft.

A total of eight types of vulnerabilities have been found in Microsoft applications which may lead to problems like execution of arbitrary codes in the system, spoofing and other problems. Vulnerability in Microsoft Project and Visio could allow remote code execution while vulnerability in DNS client could allow spoofing, according to the CERT note.

The vulnerability of Apple application QuickTime could be exploited by an attacker for malicious purposes to disclose potentially sensitive information or compromise a user's system. These vulnerabilities exists in the processing of movie files which can be exploited to cause memory corruption and may allow execution of arbitrary code (leading to loss of password) when a user accesses specially crafted movie files. QuickTime is Apple's technology for handling video, sound, animation, graphics, text, music, and even 360-degree virtual reality (VR) scenes.

Five versions of the software, Quicktime player 7.4, 7.3, 7.2, 7.1 and 7.x, have been affected by the malware. Your system could come under attack while doing any Java related job on it including browsing of any files running on Java applications. The activities most likely to get affected by the fault are browsing movie files or running clippings, according to details available with the department of information technology's (DIT) computer emergency response system (CERT).

The attacker could de-serialise the objects in the Java file through Apple software. This would prompt the user to open the files making way for the hacker to decode passwords and get sensitive information from the computer. Also, hackers have created a customised software which asks for data references while the user is browsing files. This helps the hackers in creating specially crafted data reference atoms in the movie file and persuade users to open the same.

Successful exploitation of this vulnerability may result in unexpected application termination or arbitrary code execution.