Another good security tip I’ve heard before was to avoid opening PDFs and other documents from known sources of malware.
The NSA has published online a guide for IT admins to keep systems free of bootkits and rootkits. The American surveillance super-agency's 39-page explainer [PDF] covers UEFI security and, in particular, how folks can master Secure Boot and avoid switching it off for compatibility reasons. A bootkit is a piece of software …
I don't think it's viable to never open a PDF these days; too much documentation and official forms come in that format.
Instead install and use non-standard PDF reading software that knows how to open and display those documents, but doesn't ever try and execute code from them, or allow editing, or introduce other attack vectors.
Obviously the sweet spot is software that's successful enough to justify ongoing maintenance and bug fixes (in case any security flaws are found) but obscure enough that it's not worth the effort of trying to hack.
Well, a great many people had a lot of physical access to your device before it came into your possession. Not to mention the access to the design process of the chips and electronics before they were even manufactured. Oh, and don't blindly trust your compilers and other systems type code including the OS and all the various firmwares. Just accept that the system is compromised by design and plan accordingly. Fatalistic I know but in lifetimes past, this was the game we played.
why the **hardware itself** can't display a dialog box on the physical display, with physical-keyboard-only required to confirm the change, anytime the firmware/BIOS/UEFI is updated? Seems like that would completely and totally prevent bootkits. And do the same anytime the MBR is updated.
Even better, a hardware button inside the case for desktops, maybe some weird keyboard combo for laptops, so a rogue USB device can't pretend to be a keyboard.
That would make it mightily difficult to update the BIOS chips at scale. And since BIOS (and ME) updates are coming at least quarterly to mitigate vulns and/or fix something, that's a helluva lot of legwork, especially for those working remotely. And since most people are using laptops these days - getting to the mobo takes time and a lot of unscrewing.
Other than that, a fine suggestion.
"Bring back the Read Only RO jumper on the BIOS PROM chip on the motherboard!"
Yes, but that would cost 2 cents for that jumper and pin header on the motherboard.
TOO, TWO, TOO expensive for the trusted Hardware security it provides. This motherboard manufacturer has NO SENSE to spare with solid security. So we just enable "SECURE" boot, i.e. BOOT ONLY THAT NASTY VIRUS LADEN ROOTABLE Microsoft Windows that everyone knows and loves.
Nimwits and Windows only trained Information Technology desk jockeys declare "TOO Hard to use a security conscious OpenBSD.org operating system", or FreeBSD.org with 40 year history, or Ghostbsd.org. Well not TOO hard for me or you to use a BSD with nice GUI desktop, nicely designed in Access Control Lists (ACL) multiuser from the beginning of the OS.
No, No, Spam, Spam, Everywhere. That is what I like. Viruses for all to enjoy I say. MS Windows is the superior operating system that is easy to use. /SARC
How many millions of computer users' financial information must be compromised, before some smart IT Windows Guru Guy recognizes it is Truly MS Windows that is designed for ease to be a massive Virus spreader? Read up on Krebsonsecurity dot com or twitter briankrebs
Turning on Secure Boot also makes it a lot more complicated for offline backups.
So - would you prefer defending against the largely mythical nation state attacker (if you are not in the defense industry/intel agency/government official space) or improving business continuity interruption protection against the very virulent ransomware gangs?
"Turning on Secure Boot also makes it a lot more complicated for offline backups."
It will be more complicated if the boot media doesn't have a signed bootloader. If it's the good ol' Norton Ghost, then yes, you'll face problems.
I've worked in a place where a baremetal recovery works fine with Secure Boot turned on. The recovery media in this case was based on Windows PE, but shouldn't it be possible with a signed Linux bootloader too?
"So - would you prefer defending against the largely mythical nation state attacker (if you are not in the defense industry/intel agency/government official space) or improving business continuity interruption protection against the very virulent ransomware gangs?"
Those nation state attackers are very much into ordinary companies' IP as well. There's a whole line of companies from a lemonade stand to, say, pharmaceutical juggernauts, and there's no single computer security solution that fits them all. If the payoff for unscrupulous (Chinese) companies is big enough, they'll target you and send a Mission Impossible team to gather the blueprints.
This is the same security agency that claimed there was no way to disable USB ports on Windows PCs to stop information being stolen, after the agent took home pirated and infected M/S Office software to have Kaspersky find the secret hacking software on his PC.
After reading the article I googled it and there was/is a way with a simple registry edit and gpedit. Not taking security advice from NSA.