Aging Security Vulnerability Still Allows PC Takeover
Jackson writes "Adam Boileau, a security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password. By connecting a Linux machine to a Firewire port on the target machine, the tool can then modify Windows' password protection code and render it ineffective. Boileau said he did not release the tool publicly in 2006 because 'Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble'. But now that a couple of years have passed and the issue has not resolved, Boileau decided to release the tool on his website."
There is also another security researcher who found an efficient way to gain privileges through the hibernation file. Slashdot news: http://slashdot.org/firehose.pl?op=view&id=551924
...finding a PC with a firewire port.
(The only ones at my workplace are the two I put firewire cards in. Don't ask, it's complicated.)
-Rob
Biblical fiscal responsibility
So why exactly is it a desirable feature for a firewire node to be able to access another node's memory unsolicited?
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
This does require physical access to a machine. If you want to access the machine, you can reboot using a USB stick and access the hard disk that way, or even just open the machine and take the drive, then modify the contents to your heart's content before putting it back.
This isn't the first guy to get frustrated with Microsoft's lack of commitment in the security vulnerability area and just release his nasty onto the world. It probably won't be the last either.
Maybe they decided potential compatibility problems a fix would cause (TFA says that memory access is a feature) weren't worth it?
Not saying it's good reasoning, but we don't know just how badly other things would break if they fixed this.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Which is it?
Not to say that Microsoft shouldn't have patched this, for it is certainly a design flaw to allow computers hooked up to a machine to access its memory, but if you're plugging something into the Firewire port of a computer, then you're sitting at that computer, aren't you? It's true of all hardware that if you have physical access, then you can do whatever you want with it anyway.
-Nick
Maximillian Dornseif demonstrated this same Firewire vulnerability against Linux and OS X machines in 2005. Adam Boileau just gets more press because he performed the hack against Windows PCs.
____
~ |rip/\/\aster /\/\onkey
I would assume that it requires less "overhead" and allows for swifter transfer.
But this works with encrypted drives.
This
Or you could just, you know, use any old livecd to steal the SAM file and crack it in a few minutes. That way your adversary doesn't know they've been compromised.
+1 for the above poster. As far as Windows machines, aren't there numerous floppy disk/CD tricks that allow you to change the Windows password/make it blank IF YOU HAVE ACCESS TO THE DRIVE? How is this news other than it's anti-MS?
"There is no real right or wrong, just what the majority accepts at the time."
That's not exactly the same. Take my library for example: all machines are set to boot correctly and the cases are physically locked to their location. It also looks a lot less suspicious when you're not ripping the guts out of a machine that it's obvious you don't own, in public.
For Microsoft to have failed to patch an issue such as this must be indicative of either breathtaking arrogance or utter stupidity... or perhaps both
How about apathy? They'll wake up when and if they ever lose market share because of their shoddy product. I mean come on, if I can sell a Yugo at Escalade prices, why should I produce a quality product? That would be stupid. And if I could sell Yugos at Escalade prices I think my arrogance would be understandable and forgivable.
They've been selling an insecure OS for as long as PCs have been networked, why should they secure it now?
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
This though appears to have the advantage of not requiring a reboot, so rendering BIOS passwords ineffective.
It's all very well to say if someone has physical access all security is compromised. That doesn't mean you need to make it as easy and quick as possible. Now if you lock your computer and pop to the bathroom, a visitor could be in and out of your PC before you get back.
What, expecting to be modded up for such "wisdom"?
And what stops someone from doing the same thing against Linux?
See my previous post on that subject.
____
~ |rip/\/\aster /\/\onkey
Except that the owner of the machine might easily notice the reboot ("Where are my started applications?"), while with this, it's possible to, e.g., steal files from a running machine without anyone noticing, or at least in a much more inconspicuous way. At least, the possibility is there.
Ezekiel 23:20
With this hack, you can spawn a command prompt with admin rights directly from the login screen. No reboot required.
____
~ |rip/\/\aster /\/\onkey
This same vulnerability also affects OS X, as reported here: http://blog.juhonkoti.net/2008/02/29/automated-os-x-macintosh-password-retrieval-via-firewire
As well as Linux, as reported in an earlier 2005 report about this firewire feature: http://www.matasano.com/log/695/windows-remote-memory-access-though-firewire/
A lot of workplaces will have physically secured machines but nonetheless with ports open. People might notice if you remove a server from a rack to access its insides, but just plugging in a cable?
Yes of course, not that many machines have firewire and servers are even rarer (although my PC has a port), but still, there is a major difference between the access needed to open a PC and get its HD and just plugging in a cable.
See it as the difference between having to steal secret documents and being able to copy them at the spot.
If this tool indeed works in seconds then that is a lot faster than opening up a PC, taking out its HD, installing it in another machine, breaking its security, reading the contents you want (which at this point would give you only the contents on the HD, not the network), re-installing it, closing the cover and removing every trace of your access.
A lot of security is about inconvenience. Safes ain't rated for being unbreakable, but how long it takes to open them. ANY safe can be opened, the trick is making the process take so long that it can not be done without being found out. Thanks to MS, breaking its security has just become a lot more convenient.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Which is it?
This post expresses my opinion, not that of my employer. And yes, IAAL.
"You see, this serious security problem was designed in from the start, so therefore... it's not a problem! Ta-da!"
Not anymore! Microsoft probably submitted this article.
How do you know they're not?
Most of the people in my computer class lock their laptops and take off while on break. If this does indeed work, I'm going to have some fun with it.
Perhaps on 64bit systems, you could limit firewire to a 32bit virtual address space... And only map things into it that you actually need the firewire devices to access. I'm not sure if firewire even supports a 64bit address space anyway.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
certainly has one. They're quite common.
Clear, Dark Skies
It's not Microsoft's fault, it's a hardware problem. FireWire is a peer-to-peer protocol with commands for using the DMA controller. Any device plugged in via a FireWire port can issue DMA requests. It can dump the entire contents of (physical) memory and write data at arbitrary locations. A FireWire controller ought to only permit DMA to and from regions the driver allowed it to, but most don't. The only work around for this is to either disable FireWire or use something like the Device Exclusion Vector on modern AMD chips to block the device's access to memory.
I am TheRaven on Soylent News
Once your machine's physical security is compromised, just about anything can happen. If someone is in your data center or office unattended and hooking up equipment to your PC, you're sort of in a world of hurt anyway.
--I'm so big, my sig has its own sig.
-- See?
... it turns out, his site is vulnerable to the slashdot effect :)
Parent was answering GP's question, mods. How is this 'redundant'?
This PDF shows how you can filter Linux and Mac firewire. No idea if this has been integrated into the distros.
Page 37 for Linux, 38 for Mac
http://www.msuiche.net/2008/03/04/physical-memory-access-is-fashion/ The SandMan author left an official message on his blog about this kind of attack.
Having worked with (possibly "alongside" is closer) Adam in the past, that's not the point. In all probability, this hasn't occurred to him. It would still be interesting to test, but let's face it, isn't bashing Windows the main point here? Whether such and such getting_more_obscure_hardware breaks is one thing, but it breaks in Windows! And in truth, if your security is compromised to the point where people can plug things in, it's essentially useless anyway.
... and today's pet project has
Once again, on Slashdot, I say, 'who cares?' This is a Windows vulnerability and I thought Slashdot was an open source outlet for news and for some stories that people so-called 'care about', not Windows vulnerabilities. Yeah sure, every time a Windows Vista (which is always negative, in fact every Microsoft story is negative) story comes out and we can bash all we want and everything, and same for a story similar to this, but this is getting old. It has gotten old. I do not feel the need to bash Microsoft any more, they're going whatever which way they are, bad or not.
I know the poster of this story certainly feels like 'this'll definitely get them started', or whatever. Not me. I could go on and on all day about the mistakes that I feel Microsoft is making right now and past mistakes that are causing all these issues of now, but nothing is going to change substantially until we stop bashing and start pushing open source software usage, if that is what we care about. I am not going to waste much time bashing Microsoft.
I need not go any further than 'Windows + security = joke'. We already know that. That makes this news old. I do not care about this news because I, like most other 'power computer users', know how to use Windows 'properly' enough to not run into these vulnerabilities. Besides, don't we use Linux most of the time anyway? (I know I do.)
All I'm saying is, Slashdot has no need to post these stories about vulnerabilities in Windows or Mac. If stories are going to be related at all to Windows or Mac, then it should have to do with open source. Apple praise/Microsoft bashing is old. Soon enough, if Apple takes over the market, it will become Apple bashing. We all know this. Apple is easily able to be just as anti-open-source as Microsoft.
We want open source OS's (Linux, FreeBSD, Syllable, etc) to be the most-used, don't we? Well, posting stories like this just to point and laugh at Microsoft makes the open source community look very pretentious, like looking at a 'Windows admin' and laughing at them because they do not know basic UNIX commands. How about this: teach, do not laugh. It is the only way to get those people on our side.
Doesn't that also mean that Linux is also vulnerable to Apple's firewire design faults?
you've not heard of the Beethoven solution, keeping a chamber pot under your workstation?
There also happens to be a fix for Mac and Linux too. What's your point?
Or perhaps slashdot on another uneducated baseless diatribe directed towards that little known company MS.
Did you read the article or did you just check the headline and decide to try to get cheap mod points? I'll point out why you don't deserve them.
'Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.'
Now maybe this was just excuses, but the fact it came from a third party with no particular connection to MS should have made you pause for thought. Even if you don't know much about firewire it would take you moments to do a quick search and actually realise this is a 'feature' of the actual specification itself. As in _every_ O/S had the same problem. Linux, OSX, even BSD were using this exploit even before MS were cracked. There are still reports of new OSX and Linux systems being hacked by firewire right into 2008. (Though admittedly I've not heard much from BSD, probably because their admins tend to actually have a clue.)
This is a universal flaw in security stemming from naivety with regard to externally connected hardware. You want secure firewire, disable it when you are not using it yourself. That goes for any system, any O/S, any person. End of story.
One of the things I always hear in the USB vs Firewire debates is how much lower overhead Firewire is. In informal testing, this certainly seems to be the case. Well, one of the reasons it might be is if it has DMA. You'll find that's how a lot of PCI hardware works. It can read and write directly to memory, it doesn't have to do things through the processor. Keeps system load much lower, it'd quickly peg the CPU if it had to deal with shuffling around all data on the system. However, it also can lead to problems, of course.
Well, if Firewire has the same capability, it would explain why it is much lower overhead than USB, but it would also allow for things like this.
In general, DMA is probably something that needs to be looked at being cleaned up/reworked. It is a non-trivial cause of system instability: hardware goes nuts (or maybe the driver orders the hardware to do something stupid), craps on memory it shouldn't, system goes down. However anything like that is going to take a back seat to performance, at least in regular PCs. As nice as it would be to have the CPU fully in charge of everything, people aren't going to put up with it if it means a 10x drop in performance.
As I understand the vulnerability, MSFT can't fix this - the problem is that the 1394 hardware specification allows a device plugged into a 1394 port to read or write to arbitrary locations in memory. The OS isn't involved.
As such, this is a hardware vulnerability - every OS in the world is affected.
Because he linked to the main story. It's the same link in the summary. That's redundant.
maybe they aren't smart, maybe they are dumb, that means even a dumb ass can crack windows security.
What if Tetris was invented by Nazis?
Does it? I don't know the Windows kernel and the EFS layer well enough to say for sure but my understanding is that EFS uses a hash of your SID and your password to do the public key crypto. I know if you change your password a couple times without touching your EFS volumes you can lose access to the files if you don't have a key recovery agent setup.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Both!
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
Look, the security vulnerability just wants us off its lawn. Unless any of us happens to play bridge, or enjoy long rambling stories. And maybe some hot cocoa?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Some commenters note that this is a feature of Firewire. But would there be any problem with MS just disabling the port whenever the system is password locked, unless there is something already plugged into the port when the system was locked (after all, there might be a Firewire HD plugged in, and a process writing to it). Probably the best way to handle the latter case would be to watch for an unplug event when the system is locked, and then disable the port as soon as the device is unplugged. This is very simple, and I don't see any downside to it.
Or I could use a bootdisk with a password hash file modifier...
He didn't say it's not a problem, he said it's not a bug or vulnerability in the traditional sense.
It's also not a Windows issue, because it's the nature of Firewire itself. Which is why this hack can also be done on Linux and OSX, although TFA doesn't bother to mention this.
This is why my laptop has a big button on the side that enables/disables Firewire, and it's disabled by default on boot. I'd have to "opt in" to this vulnerability.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
You'll be wanting to hang out at that incredibly popular blog where the merits of Windows are discussed. There with your pals you can discuss the pitfalls of the long haired smellies and their open sores software.
My google-fu must not be working this morning. I tried to find you a link and couldn't.
Help stamp out iliturcy.
You can't really blame Pongo. Cruella keeps trying to make beautiful coats from those cute puppies.
You can't talk about Wikipedia's flaws on Wikipedia
I've decided to be against you.
You can't talk about Wikipedia's flaws on Wikipedia
Or the attacker, could, you know, opt in for you by pressing the button? :)
You mean the one that only works when the computer is unlocked?
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
"So I tied an onion to my belt. Which was the style at the time. Now, to take the ferry cost a nickel, and in those days, nickels had pictures of bumblebees on 'em."
You can't talk about Wikipedia's flaws on Wikipedia
Someone mod the parent up. That's a very valid question.
The government can't save you.
Just about every new PC that is released with USB ports has an IEEE connection (Firewire) on the front of the case, which the motherboard supports. You seem to have forgotten that the motherboard doesn't need to have a firewire port on it, it already supports it externally (unless you have a PC that doesn't have extra USB slots except on the motherboard itself....and I guarantee you in the last 10 years no PCs have been made like that). I remember 600 mhz systems that had firewire.
Every HP, Dell, and others from more than 5 years ago still had some form of firewire from the beginning of the XP days and possibly even further back.
so you can also remove the tapes as well after you are done with the job.
of the software ERD Commander released years ago that allows you to do the same thing. And I'm sure there have been many variations of that program since its inception. Of course you could always purchase one of those nifty USB keyloggers as well...you're more likely to find a USB port on a PC rather than a IEEE1394.
Neither!
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
That's an important feature of Linux. (Or Windows?)
It is true that the DMA must write to RAM where the DRIVER tells it to. It is the responsibility of the Driver to not write data where the device tells it to, and do proper bounds checking.
hey now. Not all of us need this crack to bypass windows security.
Mind you I'm not a hardware guy, but I saw this very exploit used over Firewire on a pre-OSX Macintosh at MacHack years ago. The entire audience did the ew, ah, thing and withdrew in horror. Subsequently nothing was done to fix Firewire or the fact that remote devices could write whatever they wanted and exercise whatever privilege on the host device. I suspect that this is the same thing we see here and it is surprising that such a vulnerability exists. There's blame to go around, I'm sure but it seems unlikely if this is a hardware vulnerability that anything Microsoft could do would really fix the problem short of breaking Firewire support entirely.
Whose spec was this anyhow? While blame is shared according to Wikipedia, Firewire was Apple's interface design.
So what?
There's dozens of other ways to compromise a PC (Windows or not) if you can sit down in front of it. Even if you don't have to reboot with this, or can sniff enough stuff to log in remotely later across the internet...
This is why the server room and racks are locked, it's really really hard to combat against someone who as physical access and a bit of time/knowledge to use to evil ends.
Sure, it's creative but come on...
See, now you didn't mention that in your original article. You just said firewire was disabled at boot, and there was a button that enabled it. I presumed you had a switch like my laptop does for its wireless adapter, a physical switch that works no matter what the PC's doing.
My bad. (I'd love to know what laptop has a hotkey for enabling/disabling firewire tho. Make/model?)
If you connect a Linux box to a Windows box via firewire, who is pwning whom?
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
<technical bitching>
That's IEEE 1394 sir. IEEE is an institute.
</technical bitching>
Hey! That's my sig you're smoking there!
Yeah, I didn't think of it at the time. It's an Acer Aspire. Can't quite remember the model number right now (I'm at work, it's at home).
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
Sorry, IEEE 1394....too early in the morning :P
Sure, but if the system is live and has the EFS mounted, the key must be held in memory, otherwise the OS couldn't decrypt the EFS partition. With the key in memory, and Firewire having Direct Memory Access, the bad guy has the EFS (or PGP, or TrueCrypt, or whatever) key. That, plus passwords, web pages being viewed, engineering documents being edited, etc.
here, fixed it for you.
Today, most motherboards you buy as separate parts in computer shops (MSI's, ASUS', Gigabyte's, etc.) all have firewire, because these parts are usually bought by geeks like you and me who usually understand the usefulness of firewire and like to have as many features as possible crammed into our machines.
On the other hand most computers sold by brands (either on Dell's website, or brands in big malls) try to have the lowest price tag to appeal to Joe Sixpack. Thus they tend to cut as much functionality as possible and most of the time feature only network and a bunch of USB2 connectors (no dual network, no firewire, no legacy keyboard/mouse port, no serial or parallel port, etc.).
Big corporations (the juicy targets for this kind of hacking) tend to buy branded computers (Dells or HPs mostly here around), instead of building them from parts, and thus it's harder to find firewire ports to hack the machines and steal valuable data.
(Apple computers (built-in firewire in most machine) and universities' and Google's linux cluster (hand built from parts) tend to be the exception rather than the rule).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
... whether or not Microsoft will include this demonstrated vulnerability the next time they calculate the average time security vulnerabilities remain unpatched on Windows versus Linux.
Wait, I forgot - they only include the vulnerabilities they've acknowledged.
#DeleteChrome
Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
Actually, ignore my comment about the Firewire button -- I've been up since 3:00 am. It just occurred to me that the button I'm thinking of actually enables/disables Bluetooth, not Firewire. My bad. I don't have the laptop in front of me right now, and of course I don't use either Firewire or Bluetooth, so I've never actually used the button in question. There's also a button to enable/disable wi-fi -- which I do use, and it seems to me that only works when the laptop is unlocked. Again, I don't have the laptop here to verify that.
So, going back to my original post, maybe there should be a button like the one I described, since this is the nature of Firewire and not a Windows problem as TFA suggests.
"You cannot simultaneously prevent and prepare for war." -- Albert Einstein
It's also the responsibility of the operating system to manage memory, separate processes, and prevent various processes from accessing the memory of other processes... unless drivers aren't included in that requirement.
Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
Should be. It's a "feature" of Firewire.
Some Mac people figured it out early (at least by 2001)
http://rentzsch.com/macosx/securingFirewire
The FreeBSD people were already using it way back in 2002, quote:
"As you know, IEEE1394 is a bus and OHCI supports physical access to the host memory. This means that you can access the remote host over firewire without software support at the remote host. In other words, you can investigate remote host's physical memory whether its OS is alive or crashed or hangs up"
In other words it doesn't matter what OS it is or whether there is even an OS.
Oh yeah there's also "Linux Kernel debugging over Firewire" but that's recent - 2006.
Yes, yes ... people keep repeating this. It's not untrue, but I'd be much more worried about this type of attack working from a regular old PC workstation. If it lets you immediately give yourself administrator rights on a system you're not even supposed to have a valid user account on, that's a huge security hole right there - regardless of if you have physical access to a server room.
... but how many times do you see specific PCs with lots of locally stored data on them? I find plenty of high-level execs and accounting people who feel more comfortable/in control of their critical data if they store it on their PC's C: drive and do their own personal nightly backups with an internal tape backup drive or DVD-R drive.
How "odd" would it look for, say, a service tech. to come into a typical office carrying a notebook computer (or maybe even a little Smartphone running Linux?), and to sit down at an unoccupied desk for a few minutes? Seems like the ability to hook up a firewire cable to a port on the desktop PC sitting on that desk would be quick and easy enough to do - and he could get in, copy stuff off that workstation's C: drive, and get back out without raising an eyebrow.
Sure, a "properly designed LAN" would have most of the important data on the server
Linux has this same bug. It's in "ohci1394.c". I reported this to the Linux kernel mailing list years ago, and the reaction of the kernel developers was to make it a "feature" for "remote debugging" that's enabled by default.
Technically, here's how it works. First, see the OHCI specification, section 5.15, "Physical Upper Bound register". This determines the highest memory address into which an external device can store directly by sending a packet. If set to zero, this feature is disabled. That feature is intended for slave devices, like peripherals. On computers with an operating system, it should be zero. It's not.
In the Linux kernel, that security hole was installed in "ohci1394.c" with the comment:
/* Turn on phys dma reception.
*
* TODO: Enable some sort of filtering management.
*/
In early kernels, it was unconditionally enabled. In 2.6, it's enabled by default, but can be turned off.
Also, this patch indicates that this security hole may have been designed into some FireWire controllers, so that the "upper bound register" didn't really do anything, but read back zero.
As you clearly couldn't be bothered to check if your point has been made already, it has. The point of the article is that AFAIK Microsoft have provided no way to avoid compromise, but Unix systems can be secured.
"by LingNoi (1066278) on Tuesday March 04, @02:28PM (#22635144)
This PDF [hudora.de] shows how you can filter Linux and Mac firewire. No idea if this has been integrated into the distros.
Page 37 for Linux, 38 for Mac"
So it's not so much anti-MS bull, as one of the first three comments here was pointing to the Linux/OS X vulnerability.
IranAir Flight 655 never forget!
All my HP servers and workstations are less than 1 year old. And none has a FW port.
I have never seen a Dell desktop with one either.
morcego
That's a bit like saying a virus on a USB flash drive needs physical access, because somebody has to plug in the drive... Never mind that the owner will suspect nothing, and be happy to do it.
You only need "physical access" if you are assuming those with firewire ports NEVER have them plugged in to anything...
OTOH, if a computer with firewire ports is ever plugged-in to a smart firewire device (one where you can get remote root access) then this firewire problem becomes a remote exploit.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
If you have an IOMMU (e.g. on a decent Sun workstation), you can set up page tables for each device so that they DMA into a virtual address space. Your driver can then define regions which the device can access transparently. On newer AMD chips, you have a Device Exclusion Vector (DEV). The DEV is a sort of IOMMU-lite. It performs access control, but not translation. This means that the host OS (or driver) can mark each page of physical memory as read / write accessible on a per-device basis. On these machines, a well-designed OS or driver could prevent these attacks.
On other systems, it is not possible to prevent this attack. It's also a known problem on FreeBSD and OS X. OpenBSD does not implement FireWire support for the explicit reason that it is impossible to do securely on most systems.
It is the responsibility of the Driver to not write data where the device tells it to, and do proper bounds checking. You are possibly confusing DMA with Programmed I/O (PIO). On a PIO device, the driver writes data to device-mapped memory or an I/O port, the driver then reads it from here and writes it to wherever it is meant to go. On a DMA device, the driver (or, in the case of FireWire, a remote peer) just tells the device where to write the data and it does so without CPU intervention.
I am TheRaven on Soylent News
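The two defences raised in this thread, the OHCI "physical upper bound" threshold described a few comments up and the IOMMU/DEV per-device page permissions TheRaven describes, can be compared side by side in a small simulation. The C below is an added example, not code from the thread, from the Linux kernel or from any FireWire driver; it models the register semantics exactly as the comment above states them (a bound of zero disables physical DMA, anything ending below the bound is accepted) rather than as the OHCI specification encodes them, and the page and device counts, the secret page and the buffer layout are all constructed for the illustration.

```c
/*
 * Simplified model of two DMA access-control policies (added example):
 *  (1) a single "physical upper bound" threshold: any request that ends below
 *      the bound is accepted, a bound of zero disables physical DMA entirely;
 *  (2) a DEV-style per-device, per-page permission table, where the driver
 *      opens only the pages a device actually needs.
 * Nothing here touches real hardware; sizes and addresses are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define NPAGES     64                      /* 64 pages = 256 KiB of modelled RAM */
#define NDEVICES   4                       /* four bus nodes able to issue DMA */
#define MEM_SIZE   ((uint64_t)NPAGES << PAGE_SHIFT)

enum { DEV_READ = 1, DEV_WRITE = 2 };

struct dma_req {
    unsigned dev;                          /* issuing device / remote node id */
    uint64_t addr;                         /* target physical address */
    uint32_t len;                          /* bytes */
    bool     write;
};

struct dev_table {
    uint8_t perm[NDEVICES][NPAGES];        /* DEV_READ / DEV_WRITE bits per page */
};

/* Policy (1): accept anything that ends below upper_bound; 0 disables DMA. */
bool upper_bound_allows(const struct dma_req *r, uint64_t upper_bound)
{
    uint64_t end;
    if (upper_bound == 0 || r->len == 0)
        return false;
    end = r->addr + r->len;                /* exclusive end */
    if (end < r->addr)                     /* address arithmetic wrapped */
        return false;
    return end <= upper_bound;
}

/* Policy (2): every page the request touches must carry the needed bit. */
bool dev_allows(const struct dev_table *t, const struct dma_req *r)
{
    uint64_t first, last, p;
    uint8_t need = r->write ? DEV_WRITE : DEV_READ;
    if (r->dev >= NDEVICES || r->len == 0)
        return false;
    last = r->addr + r->len - 1;
    if (last < r->addr || last >= MEM_SIZE)
        return false;
    first = r->addr >> PAGE_SHIFT;
    last >>= PAGE_SHIFT;
    for (p = first; p <= last; p++)
        if ((t->perm[r->dev][p] & need) != need)
            return false;
    return true;
}

/* Driver-side grant: open exactly the pages of one buffer to one device. */
void dev_grant(struct dev_table *t, unsigned dev, uint64_t addr, uint32_t len, uint8_t perm)
{
    uint64_t p, last;
    if (dev >= NDEVICES || len == 0)
        return;
    last = (addr + len - 1) >> PAGE_SHIFT;
    for (p = addr >> PAGE_SHIFT; p <= last && p < NPAGES; p++)
        t->perm[dev][p] |= perm;
}

/* Scenario A: device 2 owns a 2-page receive buffer at page 10; page 5 holds a
 * secret (think: a mounted volume's key, as the thread discusses). Returns a
 * mask of which policy let a read of page 5 through:
 * bit 0 = upper-bound policy (bound at top of RAM), bit 1 = DEV policy. */
unsigned scenario_secret_page_read(void)
{
    struct dev_table t;
    struct dma_req probe = { .dev = 2, .addr = 5ULL << PAGE_SHIFT, .len = 64, .write = false };
    unsigned leaked = 0;
    memset(&t, 0, sizeof t);
    dev_grant(&t, 2, 10ULL << PAGE_SHIFT, 2 << PAGE_SHIFT, DEV_READ | DEV_WRITE);
    if (upper_bound_allows(&probe, MEM_SIZE)) leaked |= 1;
    if (dev_allows(&t, &probe))               leaked |= 2;
    return leaked;                             /* expected: 1 */
}

/* Scenario B: same device writing inside its buffer, spilling one page past
 * it, and a different device reading it. Returns a mask of DEV decisions:
 * bit 0 = in-buffer write allowed, bit 1 = spill allowed, bit 2 = other device allowed. */
unsigned scenario_buffer_bounds(void)
{
    struct dev_table t;
    struct dma_req inside = { .dev = 2, .addr = (10ULL << PAGE_SHIFT) + 4000, .len = 200, .write = true };
    struct dma_req spill  = { .dev = 2, .addr = (11ULL << PAGE_SHIFT) + 4000, .len = 200, .write = true };
    struct dma_req other  = { .dev = 1, .addr = 10ULL << PAGE_SHIFT, .len = 8, .write = false };
    unsigned m = 0;
    memset(&t, 0, sizeof t);
    dev_grant(&t, 2, 10ULL << PAGE_SHIFT, 2 << PAGE_SHIFT, DEV_READ | DEV_WRITE);
    if (dev_allows(&t, &inside)) m |= 1;
    if (dev_allows(&t, &spill))  m |= 2;
    if (dev_allows(&t, &other))  m |= 4;
    return m;                                  /* expected: 1 */
}

int main(void)
{
    unsigned a = scenario_secret_page_read(), b = scenario_buffer_bounds();
    printf("secret page readable: upper-bound=%s DEV=%s\n", (a & 1) ? "yes" : "no", (a & 2) ? "yes" : "no");
    printf("own buffer write=%s spill=%s other device=%s\n", (b & 1) ? "yes" : "no", (b & 2) ? "yes" : "no", (b & 4) ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one TheRaven's comment makes: a single threshold (or none at all) still exposes every page below it, including whatever key material the running OS holds in RAM, while a per-device page table confines each node to the buffer its driver handed it, and a request that runs one page past that buffer is refused as a whole rather than partially honoured.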
How silly to post such a link to /.
We probably DDOS'ed the entirely NZ pipe because of this.
Yay us.
-Billco, Fnarg.com
Ron Paul!
By the taping of my glasses, something geeky this way passes
I really don't see how this is news. I can do the same thing by booting into a Windows PE or Linux environment off of a CD. Physical access to a machine isn't nor ever has been a true "security issue." If you have physical access to the machine, you can literally do anything you want unless all data on the disk is entirely encrypted.
The Computations of AdamR
http://www.adamreyher.com
In a corporate environment as others stated, you probably won't see it. It isn't seen as "needed/etc". In a home environment, it's almost guaranteed. In any form of development environment...
I see no reason for a server to have it. I would expect to see more servers with ESata than with firewire, perhaps I should have specified I meant for home use. Every PC I've built for my customers has had it on the case or on the motherboard whether I require or like it or not really. Considering this error sounds like a windows scenario, it's never been an issue (they mostly use Ubuntu anyway).
Sure, but if the system is live and has the EFS mounted
EFS isn't a partition encryption system, so there's no mounting involved. Each individual file has its own file encryption key.
What you said applies if the account whose data you want is already logged in and the machine merely locked, but not if the account isn't logged in, in which case the EFS key is not loaded yet and won't be decryptable without the real password.
(Bitlocker, on the other hand, is a volume-encryption system, like TrueCrypt.)
The responses to my comment tell me that I'm really not cut out to be a security expert. Which is fine. I don't mind being told I'm wrong.
It's just a shame MS are hiring people like me for their security.
Doesn't that also mean that Linux is also vulnerable to Apples firewire design faults?
I'd also be curious to know if the Playstation 2 is vulnerable. It's older technology now, but it would still be pretty cool to be able to have R/W access to its RAM.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
This "vulnerability" is basically irrelevant for notebooks. Most notebooks have hot-swappable CardBus or ExpressCard slots, both of which have DMA support and can be used to dump the system's memory. Or you could do the "memory freeze" trick.
The correct solution would be to map the FireWire address space into virtual memory, but this has to be done at the hardware level.
I realize that every operating system is vulnerable to this "feature" by default, but according to one of the links left by another poster this vulnerability doesn't affect Mac OS X if the OpenFirmware password is set because that will also disable Firewire DMA. That information is from 2004 and obviously only applies to PowerPC Macs, but I wonder if the same holds true for all the modern EFI/Intel Mac models. Anyone have more info on that?
Here's the link I'm referring to: http://rentzsch.com/macosx/securingFirewire
Hey, he could be referring to IEEE 1284.
Many of the "vulnerable" PCs are Intel Macs running Windows.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
Ever since Macs have had Firewire ports, you can boot a Mac holding down the T key and its hard disk become accessible via Firewire cable on another Mac. Mac OS X setup even prompts you to do this if you're migrating settings & data from one Mac to another.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
Winnar!
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Ehh...
People on slashdot don't really know what they're talking about. Your point regarding physical access negating security is spot-on. This really is nothing interesting, except in the corner case of business travelers who: have valuable data, on a laptop, with an enabled firewire port, with the correct drivers installed and lacking a patch for this vulnerability, AND they leave their valuable piece of equipment unattended for long enough to break in and infect the box/steal the data.
Then again, assuming the laptop is unattended anyways, there are many other ways of getting access to the information on it, including dressing like a bum and stealing the thing to pay for a crack habit.
Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
To use this hack, I have to bring in a Linux machine, hook it up with a Firewire cable to a Firewire port on the target machine, and then run a command.
And this is better than simply booting Ultimate Boot CD for Windows and running the Linux-based utility on it to reset the Admin password to blank how?
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Yes, this Vulnerability affects every operating system supporting the FireWire specification equally, you can take over Macs and Linux computers as well as Windows computers.
In addition, the same problem exists with USB devices.
Here is a document describing the hack on Apple
Anyone ever try downloading the geeksquad MRI-ISO? When booting from that disc it's possible to erase the password from accounts in less than a minute.
Not sure what to say other than the fact that I have used linux exclusively on the desktop for more than a decade, and USB is a new thing here. Mostly for cams. Server boards (true SMP with big RAM) just for the longest life and build my own since the pentium pro. It's a combo that I can recommend.
C|N>K
As you clearly couldn't be bothered to check if your point has been made already, it has. The point of the article is that AFAIK microsoft have provided no way to avoid compromise, but unix systems can be secured.
So, going into device manager, locating the firewire port, and disabling it, doesn't actually work in windows?
Disable the port when you aren't using it, enable it when you are. You don't even need to reboot in modern releases of windows.
Ahem, of course having a Cube running OpenBSD as my webserver, support for FireWire is something I've wished was present in OpenBSD. But you know what they say, free, functional, secure, choose any three.
That is an interesting possibility. The "newer" version(s) playstation 2 do not have firewire ports, if I remember correctly. I wonder if this vulnerability had anything to do with the decision to remove them.
Can't the OS immediately disable the second connection as soon as notices a plug-in event?
One can do the same thing to a computer WITHOUT firewire, given the exact same conditions.
Thus, it's not an additional vulnerability. It is however a problem, because most people assume (incorrectly) one has to disassemble a computer to do this, which has never been the case, and base their physical security on the model 'Well if it doesn't look fishy, it's OK'.
If it was a windows machine, and you have the ability to touch the computer and insert something into it, you don't need firewire, a CD or modified USB flash drive with an autorun.ini will do. And if you can modify some hardware to use this exploit in a firewire device, you can also get your hands on a USB flash drive configured to show up not as a removable HD but as a CDROM, thus autorun.ini will work.
There was a big stink over USB that can allow autorun, and the general advice if you can't/won't provide physical security was to disable the USB ports. Now firewire is proven to be in the same group.
The only new bit here is this works on more than windows, so people that thought autorun was not an issue due to choice of OS, or OS configuration, and don't/won't provide any physical security preventing this, now have a new problem.
But under unix, it is, or at least can be, set up to do this whenever the screen is locked.
If hooking into the windows locking system is as easy as hooking into the unix ones then I'll eat my words.
IranAir Flight 655 never forget!
No, I doubt renaming a hardware protocol someone else made has introduced any new design defects
A serrated harpoon, weighted on the tethered end, and launches at 23,525 fps. You can run, but you CAN'T HIDE... Your hide will be HAD.
Secondary security is gigantic rat traps, optimized for restraining human variety.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Pull your head out of your ass.
You can use this method to root a Mac or *nix box as well.
The issue here is that the 1394 bus has DMA access to the system - it is an architecture flaw in 1394 and not in the Windows OS.
http://www.atm.tut.fi/list-archive/freebsd-security/msg05438.html
Wait... Windows has security?
The FireWire hack uses a bug that makes the system's memory available to the attacker, to the local disk.
So that means that, wherever the files are stored, as long as the user types his password in a log-on screen and that password gets dumped from memory using a FireWire hack, the cracker has access to it, even if it is on a remote server.
Password-securing files is only as secure as the machine and relies on the running environment to be secure enough to allow log-ins on the servers. The FireWire hack puts a gigantic back door on the memory.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
What reboot, this exploit, judging by the code, doesn't need to reboot anything.
It can even unlock locked sessions on the fly.
To avoid criticism; Say nothing, Do nothing, Be nothing.
I'd personally use something else other than OpenBSD, because once I start running services on it, it's the services which tend to have most of the security problems, and that's the same on all platforms.
I believe OpenBSD has also had at least one remote kernel exploit in recent times.
"2007-03-05: Core develops proof of concept code that demonstrates remote code execution in the kernel context by exploiting the mbuf overflow."
Sure OpenBSD is paranoid about security, but for all they do I don't really see that it's significantly much better for the loss in functionality and performance.
I got a Toshiba Satellite Pro A100 with Vista Business. Runs fine. What specs you got? It originally came with Vista Home Basic and 512MBs of RAM, but I upgraded to Vista Business and put in 2GBs of DDR2 and it runs like a charm still. I guess you just need to have the RAM proportional to the version of the OS. I still have the same crappy integrated GFX card though, a Mobile Intel 945 Express Chipset, not the 915 chipset that the lawsuit is about though, thank god. Maybe if that's what you have I feel sorry for you. But really if you have anything higher and you're content with Windows Vista Basic, and not Aero, as your theme then I wouldn't say Vista is too bad. Oh and of course RAM RAM RAM! You need a good deal more than XP needed, but of course it's proportionate to the OS version I think. So less for Basic and more for Ultimate. And if you can't stuff anymore RAM into it then avail of the ReadyBoost feature. Get a flash USB key/SD memory card with a 1ms read speed and use readyboost with it. You'll see a difference! I think it's the new SuperFetch that needs all the RAM. But it's not really a bad thing. Superfetch is a cool new feature if you read up on how it works.
...you can change/delete passwords with a boot disk, and do it that way. I could see where this would be useful if you wanted to do things on the fly, but you can unlock a system in about 2 minutes with a bootdisk.
There are 2 groups of people you can make fun of on the Internet without fear of attack. The illiterate, and the Amish.
If you have an IOMMU (e.g. on a decent Sun workstation), you can set up page tables for each device so that they DMA into a virtual address space. Your driver can then define regions which the device can access transparently. This was mentioned near the end of the Wikipedia article on firewire. Something similar was brought up in an article on Trusted Solaris being certified to operate with hot-pluggable media (USB and Firewire).
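To make concrete what the two comments above describe (a driver that bounds-checks where a DMA device may write, and an IOMMU that gives each device its own page tables so only explicitly mapped buffers translate to host memory), here is an added toy model in C. It is not code from the article, from the poster, or from any real IOMMU driver; the structure names, the single-page window and the sample addresses are all constructed for illustration. A FireWire-style peer that asks for an arbitrary address gets an IOMMU fault instead of the host's physical memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of an IOMMU domain: one device, its own bus address
 * space, and only the pages the driver mapped translate to host memory.
 * Not real hardware or kernel code; names and values are illustrative. */

#define PAGE_SIZE 4096u
#define MAX_MAPS  8

enum { DMA_READ = 1, DMA_WRITE = 2 };

struct iommu_map {
    uint64_t bus_addr;   /* page-aligned address as seen by the device   */
    uint64_t phys_addr;  /* host physical page it is allowed to reach    */
    unsigned perms;      /* DMA_READ | DMA_WRITE                          */
};

struct iommu_domain {
    struct iommu_map maps[MAX_MAPS];
    size_t nmaps;
};

/* The driver grants the device one page with explicit permissions. */
bool iommu_map_page(struct iommu_domain *d, uint64_t bus, uint64_t phys,
                    unsigned perms)
{
    if (d->nmaps >= MAX_MAPS) return false;
    if ((bus % PAGE_SIZE) != 0 || (phys % PAGE_SIZE) != 0) return false;
    d->maps[d->nmaps++] = (struct iommu_map){ bus, phys, perms };
    return true;
}

/* Translate a device DMA request. Returns 0 and fills *phys_out when the
 * request lies inside a mapped page with the right permission; returns -1
 * (an IOMMU fault) for unmapped addresses, wrong permission, or a transfer
 * that would cross the page boundary. */
int iommu_translate(const struct iommu_domain *d, uint64_t bus, size_t len,
                    unsigned access, uint64_t *phys_out)
{
    if (len == 0 || len > PAGE_SIZE) return -1;
    uint64_t page = bus & ~(uint64_t)(PAGE_SIZE - 1);
    uint64_t off  = bus - page;
    if (off + len > PAGE_SIZE) return -1;          /* crosses the window */
    for (size_t i = 0; i < d->nmaps; i++) {
        const struct iommu_map *m = &d->maps[i];
        if (m->bus_addr == page) {
            if ((m->perms & access) != access) return -1;
            *phys_out = m->phys_addr + off;
            return 0;
        }
    }
    return -1;  /* unmapped: the "read all of RAM" request is refused */
}

/* Walk-through: driver maps a single write-only receive buffer, then a
 * remote peer tries three transfers. Returns 1 when the model behaves. */
int demo(void)
{
    struct iommu_domain dom = {0};
    uint64_t p = 0;
    iommu_map_page(&dom, 0x10000, 0x7f000, DMA_WRITE);   /* constructed */
    int in_window = iommu_translate(&dom, 0x10040, 64, DMA_WRITE, &p); /* ok   */
    int low_mem   = iommu_translate(&dom, 0x00000, 64, DMA_READ,  &p); /* fault */
    int wrong_dir = iommu_translate(&dom, 0x10040, 64, DMA_READ,  &p); /* fault */
    return in_window == 0 && low_mem == -1 && wrong_dir == -1;
}
```

Without the IOMMU the same request would be honoured as a raw physical address, which is the behaviour the thread is discussing; with it, the driver's mapping decisions, not the remote node, decide what memory the bus can touch.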
Actually, no.
Adding a firmware password to my PPC Macs puts them into a heightened security mode that turns off Firewire DMA (and was tested specifically with the hack you referenced). I would expect the Intel units to have this feature also. And the new Linux firewire driver tackles the DMA vulnerability issue too.
What I've read on the subject so far indicates that most or all Firewire chipsets allow operation without DMA, and that it is possible to secure the DMA modes by programming the memory controller to restrict access to specific buffers.
FWIW, Apple was similarly "cagey" (actually silent) on the issue, but at least gave us the ability to secure the port through openfirmware.
What I would worry about more are the DMA interfaces that no one is discussing re: security... PCMCIA/PCCard and other hot-swappable ports (PCI-X? eSATA?) that support bus mastering. I'm pretty sure that non-USB-implemented CF slots are a risk.
As I mentioned elsewhere in comments, Firewire allows DMA to be turned off. And MS isn't giving you a way to turn it off.
It is known that Apple's openfirmware disables DMA (hence securing the machine) on its PPC systems when the password is enabled.
Neither OS vendor is actually talking (the Apple fix was discovered by happenstance) which seems to be the real problem here: the desire for secrecy.
OTOH, Linux allows you to turn off DMA, though it is enabled by default.
At this late date, it seems like mainly a Windows problem to me. MS may have provided a fix, but if so then they have told no one, nor has anyone discovered it yet.
Hogswallop. Deliberate features that happen to allow the circumvention of security are not as common as buffer overflows, but they certainly happen, and serious security people consider them to be vulnerabilities (what else would they be?). ActiveX is one. Debian categorizes them as "design flaws" in their advisories. To say that it's not a vulnerability "in the traditional sense", or recommend that people disable the impossible-to-secure system "when you aren't using it", is a bunch of crap.
USB devices can use DMA too. How does it differ from Firewire?
Does the driver in the OS restrict what a USB device can do before it's enumerated?
Is it the USB controller that schedules the DMA or the driver?
If the Controller chip can schedule a DMA without the device being enumerated then it looks like USB would exhibit the same security flaw. And USB ain't exactly uncommon.
I understand perfectly what TFA is about. Perhaps you have difficulty reading, because you are simply rephrasing what I was trying to explain to the parent poster.
Ezekiel 23:20
Actually this has been demonstrated here http://blog.juhonkoti.net/2008/02/29/automated-os-x-macintosh-password-retrieval-via-firewire