Date : Sun, 01 Aug 2010 22:40:11 +0200
From : rick@... (Rick Murray)
Subject: bbcdocs website problem
On 01/08/2010 18:58, Ed Spittles wrote:
> Thanks for the pointer. Sounds like this:
> http://www.zdnet.co.uk/news/security-threats/2010/06/11/windows-7-open-to-attack-via-memory-40089203/
Well, it looks at a cursory glance that in order to reduce system load
and processor utilisation, and perhaps to permit manically-fast speeds,
the interface(s) support the ability to have the device plugged in to
perform some sort of DMA behaviour to push data directly into system
memory, with little in the way of OS scrutiny, thus allowing a specially
compromised device to push viral code directly into the target machine
and there isn't a damn thing that can be done to stop it.
It is my impression that this, however, falls down on two sticking points:
1. It would require a specially-constructed interface device to
attempt the DMA to get the code onto the host in the first place.
As this assumes a degree of hardware involvement, for general
day-to-day pwnage, this might prove more complex or expensive than
repurposing USB sticks or plug-in-modem hardware, etc.
There is also the problem of getting the mark to want to plug the
thing into their computer in the first place.
2. Unless you want to overwrite the OS to execute your custom code, or
trash the harddisc, your mark will need to be running a compatible
operating system. I think loading an infected driver or program
will be a lot simpler through the OS (which will set up links, mem
mapping, etc) than trying to push a bit of code into the system.
This also relies upon the mark taking zero initiative in basic
security. If I was given a USB key (don't have PCMCIA ;-) ) or such
from an unknown source, the first thing I'd do is boot into Linux
off the SD card and format it from there. If I was given an SD card
from an unknown source, it would be formatted on the digital
camera. [and, yes, I'm paranoid enough to do this to store-bought
media :-) ]
So looking at it, it IS a viable compromise, but I'm not sure it is a
viable threat. It's like saying we could be struck by meteors (which is
possible, especially if you live in Bosnia ;-) ) therefore we must erect
solid metal shields around our houses (which is nonsense as, well,
when's the last time you personally saw a meteor strike?).
Many thanks to Peter and Ed for providing some pointers to look at in
tracking down some truth behind this story. I did try to explain to mom
that it wasn't quite so panic-worthy as the BBC radio programme might
have implied, but got lost at the concept of DMA. Oh well...
<long nostalgic sigh> Things were somehow simpler in the 8 bit days;
it's harder to pwn a system running a ROM-based OS and ROM-based filing
systems. Hell, a major educational network system used to transmit
passwords "in the clear" and nobody thought the world had ended. We even
had the joys of MachinePeek and MachinePoke and RemoteJSR, along with
fiddling the links to make your station >240 so it had special
privileges. ;-)
Of course, get, like, ten minutes alone with the FileStore, you can boot
it in maintenance mode, format your own floppy, log in as SYST, insert
the class floppy, give yourself admin rights, remove your floppy,
restart the server... And yet, the world didn't end as you STILL
couldn't compromise the computers or the fileserver, only play around
with data. Sure, you could in theory modify the general boot up to
insert a key logger, but what the hell would be the point if you can
read out the $.Passwords file and, like, LOOK? :-)
Yeah... <sigh> Life was simpler back then.
Best wishes,
Rick.
--
Rick Murray, eeePC901 & ADSL WiFI'd into it, all ETLAs!
BBC B: DNFS, 2 x 5.25" floppies, EPROM prog, Acorn TTX
E01S FileStore, A3000/A5000/RiscPC/various PCs/blahblah...
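The message above describes a device plugged into an external bus pushing data straight into RAM with "little in the way of OS scrutiny". The check a defender would want is whether the host actually has the usual mitigations turned on. The script below is an added example, not something from Rick's message or the linked article: it reports on a Linux host whether an IOMMU is active (the kernel exposes /sys/kernel/iommu_groups when DMA remapping confines devices), whether the FireWire driver's remote_dma parameter permits unfiltered physical DMA, and which Thunderbolt devices are attached but still unauthorized. FireWire and Thunderbolt are assumed here as the external DMA-capable interfaces; the SYSROOT prefix is a hypothetical knob so the functions can be run against a constructed sysfs tree rather than the live one.

```shell
#!/bin/sh
# Added example: report the state of DMA-attack mitigations on a Linux host.
# SYSROOT (hypothetical) prefixes every sysfs path so the checks can be
# pointed at a constructed tree; leave it empty to inspect the real system.
SYSROOT="${SYSROOT:-}"

# iommu_active: succeeds when the kernel exposes at least one IOMMU group,
# meaning DMA remapping is in use and a device cannot address arbitrary RAM.
iommu_active() {
    dir="$SYSROOT/sys/kernel/iommu_groups"
    [ -d "$dir" ] || return 1
    for g in "$dir"/*; do
        [ -e "$g" ] && return 0
    done
    return 1
}

# firewire_remote_dma: prints the firewire-ohci remote_dma parameter
# (N = unfiltered physical DMA from remote nodes disabled, Y = enabled),
# or "absent" when the driver is not loaded at all.
firewire_remote_dma() {
    f="$SYSROOT/sys/module/firewire_ohci/parameters/remote_dma"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# unauthorized_thunderbolt: prints the name of every Thunderbolt device whose
# 'authorized' attribute is 0, i.e. connected but not yet allowed to bring up
# its PCIe tunnel (and therefore not yet able to issue DMA).
unauthorized_thunderbolt() {
    dir="$SYSROOT/sys/bus/thunderbolt/devices"
    [ -d "$dir" ] || return 0
    for d in "$dir"/*/; do
        [ -r "$d/authorized" ] || continue
        if [ "$(cat "$d/authorized")" = "0" ]; then
            basename "$d"
        fi
    done
    return 0
}

# dma_report: human-readable summary of the three checks.
dma_report() {
    if iommu_active; then
        echo "iommu: active"
    else
        echo "iommu: NOT active (a DMA-capable device can reach all of RAM)"
    fi
    echo "firewire remote_dma: $(firewire_remote_dma)"
    tb="$(unauthorized_thunderbolt)"
    if [ -n "$tb" ]; then
        echo "thunderbolt devices awaiting authorization: $tb"
    else
        echo "thunderbolt devices awaiting authorization: none"
    fi
}

# Usage: sh dma_check.sh --report   (inspects the live /sys tree)
case "${1:-}" in
    --report) dma_report ;;
esac
```

The three functions return their findings so they can be wired into a health check rather than only printed; on a host where remote_dma reads N and iommu_active succeeds, the scenario in the message reduces to the device being able to talk to the driver, which is the ordinary attack surface any plug-in hardware has.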