Worried about bootkits, rootkits, UEFI nasties? Have you tried turning on Secure Boot, asks the No Sh*! Agency

The NSA has published online a guide for IT admins to keep systems free of bootkits and rootkits. The American surveillance super-agency's 39-page explainer [PDF] covers UEFI security and, in particular, how folks can master Secure Boot and avoid switching it off for compatibility reasons. A bootkit is a piece of software …

  1. Anonymous Coward

    Security tips

    Another good security tip I’ve heard before was to avoid opening .PDFs and other documents from known sources of malware.

    1. Cederic Silver badge

      Re: Security tips

      I don't think it's viable to never open a PDF these days; too much documentation and official forms come in that format.

      Instead install and use non-standard PDF reading software that knows how to open and display those documents, but doesn't ever try and execute code from them, or allow editing, or introduce other attack vectors.

      Obviously the sweet spot is software that's successful enough to justify ongoing maintenance and bug fixes (in case any security flaws are found) but obscure enough that it's not worth the effort of trying to hack.

    2. Blackjack Silver badge

      Re: Security tips

      Here is another "Don't use e-mail!"

  2. cantankerous swineherd

    how do I disable the #include ?

    1. Graham Cobb

      Design and build your own chips.

      More seriously, does anyone know if anyone has done any work to evaluate any of the RISC-V implementations to see how exposed they are to running pre-boot code not under the user's control?

  3. Ken Moorhouse Silver badge

    Give me a PC with a traditional BIOS...

    ...any day.

  4. Potemkine! Silver badge

    Secure Boot is a mechanism that uses cryptography to ensure you're booting an operating system that hasn't been secretly meddled with; any addition of a bootkit or rootkit should be caught by Secure Boot.

    Except the NSA's ones, of course...

  5. bombastic bob Silver badge
    Linux

    they should have said...

    they should have said "do not boot windows".

    Then you can leave 'Secure' boot OFF, and enjoy your LINUX or FREEBSD. Just don't allow anyone physical access to the device that shouldn't have it, and you should be fine.

    (someone had to say it)

    1. Julz
      Black Helicopters

      Re: they should have said...

      Well, a great many people had a lot of physical access to your device before it came into your possession. Not to mention the access to the design process of the chips and electronics before they were even manufactured. Oh, and don't blindly trust your compilers and other systems type code including the OS and all the various firmwares. Just accept that the system is compromised by design and plan accordingly. Fatalistic I know but in lifetimes past, this was the game we played.

  6. Anonymous Coward

    ....then there's your data "in transit".......

    ......which makes me wonder if the NSA publishes nice PDFs about how to check up on (or secure) all those Cisco boxes which run the Internet? You know, the boxes with backdoors which Cisco ship at the behest of........the NSA!

    *

    Just saying.

  7. Anonymous Coward

    Is there some technical reason...

    why the **hardware itself** can't display a dialog box on the physical display, with physical-keyboard-only required to confirm the change, anytime the firmware/BIOS/UEFI is updated? Seems like that would completely and totally prevent bootkits. And do the same anytime the MBR is updated.

    Even better, a hardware button inside the case for desktops, maybe some weird keyboard combo for laptops, so a rogue USB device can't pretend to be a keyboard.

    1. Jim Mitchell
      Boffin

      Re: Is there some technical reason...

      Bring back the RO jumper on the BIOS PROM chip on the motherboard!

      1. Sandtitz Silver badge
        Meh

        Re: Is there some technical reason...

        That would make it mightily difficult to update the BIOS chips at scale. And since BIOS (and ME) updates are coming at least quarterly to mitigate vulns and/or fix something, that's a helluva lot of legwork, especially for those working remotely. And since most people are using laptops these days, getting to the mobo takes time and a lot of unscrewing.

        Other than that, a fine suggestion.

      2. Never10_use_Puppylinux

        Re: Is there some technical reason...

        "Bring back the Read Only RO jumper on the BIOS PROM chip on the motherboard!"

        Yes, but that would cost 2 cents for that jumper and pin header on the motherboard.

        TOO, TWO, TOO expensive for the trusted Hardware security it provides. This motherboard manufacturer has NO SENSE to spare with solid security. So we just enable "SECURE" boot ie BOOT ONLY THAT NASTY VIRUS LADEN ROOTABLE MicroSoft Windows that everyone knows and loves.

        Nitwits and Windows-only trained Information Technology desk jockeys declare "TOO hard to use a security conscious OpenBSD.org operating system", or FreeBSD.org with 40 year history, or Ghostbsd.org. Well, not TOO hard for me or you to use a BSD with nice GUI desktop, nicely designed in Access Control Lists (ACL) multiuser from the beginning of the OS.

        No, No, Spam, Spam, Everywhere. That is what I like. Viruses for all to enjoy I say. MS Windows is the superior operating system that is easy to use. /SARC

        How many millions of computer users' financial information must be compromised, before some smart IT Windows Guru Guy recognizes it is truly MS Windows that is designed for ease to be a massive virus spreader. Read up on Krebsonsecurity dot com or twitter briankrebs.

  8. c1ue

    Turning on Secure Boot also makes it a lot more complicated for offline backups.

    So - would you prefer defending against the largely mythical nation state attacker (if you are not in the defense industry/intel agency/government official space) or improving business continuity interruption protection against the very virulent ransomware gangs?

    1. Anonymous Coward

      "Turning on Secure Boot also makes it a lot more complicated for offline backups."

      It will be more complicated if the boot media doesn't have a signed bootloader. If it's the good ol' Norton Ghost, then yes, you'll face problems.

      I've worked in a place where a bare-metal recovery works fine with Secure Boot turned on. The recovery media in this case was based on Windows PE, but shouldn't it be possible with a signed Linux bootloader too?

      "So - would you prefer defending against the largely mythical nation state attacker (if you are not in the defense industry/intel agency/government official space) or improving business continuity interruption protection against the very virulent ransomware gangs?"

      Those nation state attackers are very much into ordinary companies' IP as well. There's a whole line of companies from a lemonade stand to say, pharmaceutical juggernauts, and there's no single computer security solution that fits them all. If the payoff for unscrupulous (Chinese) companies is big enough, they'll target you and send a Mission Impossible team to gather the blueprints.
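The point above about rescue media needing a signed bootloader can be checked before the stick is ever needed: Secure Boot verifies the Authenticode signature that a UEFI binary carries in its PE Certificate Table. The following is an added example, not code from the commenter or from The Register; it parses that table from a constructed minimal PE32+ image and reports whether a PKCS#7 signature block is present (whether the firmware trusts the signer is still decided against db/dbx at boot, which this does not emulate).

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData

def signature_info(pe: bytes) -> dict:
    """Locate the Certificate Table of a PE/COFF image (the format of UEFI boot
    loaders) and describe the embedded Authenticode signature block, if any.
    Reports presence and type only; trust in the signer is the firmware's call."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return {"pe": False}
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"pe": False}
    opt = e_lfanew + 24                                   # PE\0\0 + 20-byte COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    dd_base = {0x20B: opt + 112, 0x10B: opt + 96}.get(magic)  # PE32+ / PE32 data directories
    if dd_base is None or len(pe) < dd_base + 5 * 8:
        return {"pe": False}
    num_dirs, = struct.unpack_from("<I", pe, dd_base - 4)    # NumberOfRvaAndSizes
    if num_dirs < 5:                                      # no Certificate Table entry at all
        return {"pe": True, "signed": False}
    off, size = struct.unpack_from("<II", pe, dd_base + 4 * 8)  # entry 4 holds a file offset
    if size < 8 or off + size > len(pe):
        return {"pe": True, "signed": False}
    length, revision, ctype = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE header
    return {"pe": True, "signed": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "cert_type": ctype, "cert_len": length, "revision": revision}

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (not a real boot loader), with or without
    a Certificate Table entry, so the check above can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after DOS stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86-64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # all 16 data directories present
    cert = b""
    if signed:
        payload = b"\x30\x80"                             # placeholder for the PKCS#7 DER blob
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x40 + 24 + 240, len(cert))  # entry 4: offset, size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    for flag in (True, False):
        print("signed sample" if flag else "unsigned sample", signature_info(build_sample(flag)))
```

Run it against a real `bootx64.efi` by passing the file's bytes to `signature_info`; an entry with size 0 is the case the comment above warns about.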

  9. es30

    It seems the feds have granted the Linux trademark to one "Linus Torvolds" on p. ii.

    1. diodesign (Written by Reg staff) Silver badge

      Linux

      Linus owns the trademark and has owned it for many years.

      https://www.linuxfoundation.org/about/linux-mark/

      C.

      1. es30

        Re: Linux

        Indeed, but he also spells his last name "Torvalds". (Chalk it up to my OCD.)

      2. Anonymous Coward

        Re: Linux

        Side rabbit trail: that very site specifies right at the top that anyone sublicensing the Linux trademark "must agree not to challenge Linus Torvalds’ ownership of the Linux mark in any jurisdiction". That seems... odd.

  10. Version 1.0 Silver badge
    Unhappy

    Secure Boot is easy.

    All you need is a pair of wire cutters. The internet these days is like walking stark naked through a riot and having sex with everyone and their pets.

  11. BPontius

    This is the same security agency that claimed there was no way to disable USB ports on Windows PCs to stop information being stolen, after the agent took home pirated and infected M/S Office software to have Kaspersky find the secret hacking software on his PC.

    After reading the article I googled it and there was/is a way with a simple registry edit and gpedit. Not taking security advice from the NSA.
