How to Tweet a Storm with Writerack – techcabal.com


via How to Tweet a Storm with Writerack – techcabal.com.


Firmware Vulnerability Injection

>working draft in progress<

Objective: Document the research behind the reason one site was blocked on one CPU.

To begin, it was noted that the site http://www.aspireresourcesinc.com/ returned with the details:

This webpage is not available

Google Chrome could not load the webpage because http://www.aspireresourcesinc.com took too long to respond. The website may be down, or you may be experiencing issues with your Internet connection.
Check your Internet connection
Check any cables and reboot any routers, modems, or other network devices you may be using.
Allow Chrome to access the network in your firewall or antivirus settings.
If it is already listed as a program allowed to access the network, try removing it from the list and adding it again.
If you use a proxy server…
Check your proxy settings or contact your network administrator to make sure the proxy server is working. If you don’t believe you should be using a proxy server: Go to the Chrome menu > Settings > Show advanced settings… > Change proxy settings… > LAN Settings and deselect “Use a proxy server for your LAN”.
Error code: ERR_CONNECTION_TIMED_OUT
The internet connection was good, Chrome had access through the firewall, and no proxy server was in use.
No other site was timing out or blocked. Other CPUs within the network could access the site. The suspect box was moved to a different router to test for a router hack; the site still could not be accessed by the suspect CPU from the new router.
Nor could the site be accessed by its IP address; cookies were cleared, the CPU was scrubbed using CC, and the hosts file was checked.
A TRACERT was performed. It showed the site being dropped at

IP address 206.187.112.206

Address type IPv4
ISP Data Research Associates
Organization Data Research Associates, Inc.
Timezone America/Denver (UTC-7)
Local time 07:15:26
Country United States  
State / Region Utah
City Lehi
Coordinates 40.3916, -111.851
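Finding the hop at which a trace stops answering is the step described above. The script below is an added example, not code from the original post: it parses the text that Windows tracert prints, reports the last hop that replied and the hop from which every probe went silent, and distinguishes that from the case where the destination was reached. Silent hops in the middle of a path are skipped, because routers often do not send ICMP time-exceeded replies at all. The function names and the two embedded sample traces are this example's own; the samples are constructed with documentation-range addresses, not captures from the machine in the write-up.

```python
"""Locate the hop at which a Windows `tracert` run stops getting replies (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEST_RE = re.compile(r"Tracing route to (\S+)(?: \[([\d.]+)\])?")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")
PROBE_RE = re.compile(r"<?\d+ ms|\*")


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]  # one entry per probe; None = that probe got no reply
    host: Optional[str]           # None when the hop answered none of its probes


def _rtt(token: str) -> Optional[int]:
    """'*' -> None, '<1 ms' -> 0 (sub-millisecond), '12 ms' -> 12."""
    if token == "*":
        return None
    if token.startswith("<"):
        return 0
    return int(token.split()[0])


def _addr_of(host: str) -> str:
    """'name [192.0.2.1]' -> '192.0.2.1'; a bare address is returned unchanged."""
    m = re.search(r"\[([\d.]+)\]", host)
    return m.group(1) if m else host


def parse_tracert(text: str) -> Tuple[Optional[str], List[Hop]]:
    """Return (destination address, hops) from tracert's text output."""
    dest, hops = None, []
    for line in text.splitlines():
        d = DEST_RE.search(line)
        if d:
            dest = d.group(2) or d.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # blank lines, "over a maximum of ...", "Trace complete."
        number, rest = int(m.group(1)), m.group(2)
        rtts = [_rtt(p) for p in PROBE_RE.findall(rest)]
        host = PROBE_RE.sub("", rest).strip()
        if not host or host.startswith("Request timed out"):
            host = None
        hops.append(Hop(number, rtts, host))
    return dest, hops


def last_responding_hop(hops: List[Hop]) -> Optional[Hop]:
    """Last hop that answered at least one probe; silent hops in the middle are ignored."""
    answered = [h for h in hops if h.host is not None]
    return answered[-1] if answered else None


def diagnose(text: str) -> dict:
    """Summarise where the trace got to and from which hop replies stopped."""
    dest, hops = parse_tracert(text)
    last = last_responding_hop(hops)
    reached = last is not None and dest is not None and _addr_of(last.host) == dest
    silent_from = None
    if last is not None and not reached:
        later = [h.number for h in hops if h.number > last.number]
        silent_from = later[0] if later else None
    return {
        "destination": dest,
        "reached": reached,
        "last_responding_hop": last.number if last else None,
        "last_responding_host": last.host if last else None,
        "silent_from_hop": silent_from,
    }


# Constructed samples (documentation-range addresses), not real captures.
SAMPLE_BLOCKED = """\
Tracing route to www.example.test [192.0.2.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  198.51.100.1
  3    19 ms     *       20 ms  198.51.100.9
  4     *        *        *     Request timed out.
  5    34 ms    33 ms    35 ms  203.0.113.7
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
"""  # a real run keeps timing out up to hop 30; truncated here

SAMPLE_REACHED = """\
Tracing route to www.example.test [192.0.2.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  198.51.100.1
  3    21 ms    20 ms    22 ms  192.0.2.10

Trace complete.
"""

if __name__ == "__main__":
    for name, sample in (("blocked", SAMPLE_BLOCKED), ("reached", SAMPLE_REACHED)):
        print(name, diagnose(sample))
```

Pipe a saved `tracert` transcript into `diagnose()` to get the last hop that replied; that hop's address is what to look up in whois, as the write-up goes on to do, while a trace that reports `reached: True` rules out a path problem altogether.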
By chance we experienced a region-wide power outage and stopped work to conserve power. When we returned, the suspect site was timing out at:

216.187.112.206 Whois Report (IP-Adress.com, run 8 February 2015 at 3:01 PM CET)

Whois Server: whois.arin.net
Status: ALLOCATED
Contact Email:

Registrant:
Peer 1 Network (USA) Inc.
75 Broad Street
2nd Floor
New York, NY 10004
UN

Administrative Contact: Peer 1 Network AUP Enforcement
Telephone: 16044842588
Email:

Technical Contact: PEER 1 Network Inc
Telephone: 16044842588
Email:

216.187.112.206 Server Details
IP address: 216.187.112.206
Server Location: New York, NY in United States
ISP: Peer 1 Network (USA)

A call was placed to tech support concerning the anomaly being experienced with the suspect site. We explained in detail the series of events. We were told that “some clients can do anything with their servers and we have no control or ability to help”. I restated that in the question, “So a dedicated server?” He did not confirm and he did not deny. We concluded our conversation with mutual understanding.
We took the research for peer review.
We posed such questions as:
How can one site be blocked from one CPU, excluding cookies, malware, and the like?
It was during this research that a program install request came from Intel Manageability Engine Firmware Recovery Agent.
The question was raised whether that program was part of a RAT. Though questioned, this theory was explored.
Research for “Intel manageability engine firmware recovery agent hack” provided some information on coming across this site, which has numerous red flags suggesting this program was in use at one time as a little-known hack or as a cowing and intimidation hack.

Research for “Intel manageability engine firmware recovery agent uses” provided these snippets (in no particular order):

Why the firmware recovery agent is needed in the first place, I don’t know. That is, if we can trust the use of “firmware” in the name, to mean it only deals with IME firmware. The IME Firmware Recovery Agent software is installed by the IME software installation program.

You may not know that Intel still provides the IME software to motherboard manufacturers,

http://forums.tweaktown.com/asrock/58650-do-i-need-intel-management-engine-drivers-asrock.html

Thread: Intel manageability engine firmware recovery agent?

#1 ROG Enthusiast (Victoria, Australia; joined Mar 2012):

I’ve had a program appear in my notifications asking to be installed called the intel manageability engine firmware recovery agent.

Has anyone had this happen on their G75? And should I install it. I did google it, but being a technophobe had no idea if it was needed or not. I am assuming it checks for updated drivers or such for anything intel on the laptop? I really have no clue. Just not sure if I need to install it or not.

Cheers!

#2 Banned (Dubai; joined Apr 2012):

This is useless for us…. it is for IT people who want to manage a computer from a remote location

I never install it or if it was installed automatically I remove it from the Control Panel “Programs & Features”

#3 ROG Enthusiast (Victoria, Australia; joined Mar 2012):

I un-installed Intel Manageability Engine Firmware Recovery Agent and no agent log file appeared! At least not yet! But I have a feeling that this was the program creating it. And I remember that I got an error during its update. So in a way it all makes sense now. Hope this is the real deal as I got really tired trying to figure out this agent log issue….

http://www.eightforums.com/general-support/46514-agent-log-file-4.html

That program surfacing along with the above posts suggests that this is malware, i.e. a backdoor that is injected into the firmware of a CPU.

It is also suggested that this Manageability Engine Firmware Recovery Agent is creating log files. Most have been reported as empty. However, while performing a search for a lost txt file we noted unusual log files. These log files would sometimes be empty and at other times show a location and a password. The passwords were always incorrect, but in plain text. The files did not raise significant red flags, other than that they were labeled logs and contained passwords, though incorrect ones. The anomaly was marked for research at another time and not acted upon at that moment.

With this knowledge, the next question was what data could be transferred by using this backdoor?

What is Intel Manageability Engine Firmware Recovery Agent?
Intel Active Management Technology (AMT) is hardware-based technology for remotely managing and securing PCs out-of-band. Intel AMT is hardware and firmware technology that builds certain functionality into business PCs in order to monitor, maintain, update, upgrade, and repair PCs. Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology. AMT is not intended to be used by itself; it is intended to be used with a software management application. It gives a management application (and thus, the system administrator who uses it) better access to the PC down the wire, in order to remotely and securely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.

http://www.shouldiremoveit.com/Intel-Manageability-Engine-Firmware-Recovery-Agent-6378-program.aspx

It is a bootstrap giving access to PCs that do not have remote functionalities, and it creates logs, some blank and some with very limited and specific text. Could the blank logs actually have hidden text?

In concluding, we researched “firmware controller data flow”.

Abstract: Burst mode data transfer in emerging wavelength division multiplexing (WDM) and code division multiplexing (CDM) PONs faces major challenges in electronics design. We develop an embedded software solution to enable optical line terminals (OLT) and Optical network terminals (ONT) to process Burst mode data flow smoothly. Our solution implements three important components on an FPGA platform. The first consists of a PCI interface that allows the OLT/ONT unit to communicate with a PC. The second is the PowerPC that manages and controls the data flow. Finally, a burst mode transceiver examines data transaction, synchronization and error correction

http://fac.ksu.edu.sa/sites/default/files/Poster.pdf

Given the sporadic nature of the log files seen, were the logs being “burst” out?

Flow control mechanism in a data processing pipeline
US 8526303 B2
ABSTRACT
Herein described are at least a system and a method for regulating data flow in a data pipeline that may be used in a video processing system. The system comprises a processor, one or more data buffers, and one or more processing stations. The one or more data buffers may be used to buffer corresponding processing stations. Each of the one or more processing stations may comprise a switching circuitry that is used to inhibit data transmission when a hold signal is received from the processor. The processor may send the signal in response to a feedback control signal generated by the one or more processing stations. The method may comprise determining if the processing time of a processing station exceeds a specified time. The method further comprises generating a feedback control signal to a processor if the specified time is exceeded.
This abstract lends itself to a possible explanation of how the suspect site was timed out. It also raises the possibility that the logs are not empty but contain a form of hidden information within a video file that is not registered on a normal basis.

In data communications, flow control is the process of managing the rate of data transmission between two nodes to prevent a fast sender from overwhelming a slow receiver. It provides a mechanism for the receiver to control the transmission speed, so that the receiving node is not overwhelmed with data from transmitting node. Flow control should be distinguished from congestion control, which is used for controlling the flow of data when congestion has actually occurred.[1] Flow control mechanisms can be classified by whether or not the receiving node sends feedback to the sending node.

Flow control is important because it is possible for a sending computer to transmit information at a faster rate than the destination computer can receive and process it. This can happen if the receiving computers have a heavy traffic load in comparison to the sending computer, or if the receiving computer has less processing power than the sending computer.

https://en.wikipedia.org/wiki/Flow_control_(data)#Hardware_flow_control
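The two sentences above describe the failure flow control exists to prevent (a fast sender overrunning a slow receiver) and the classification by whether the receiver sends feedback. The simulation below is an added example, not from the post or from Wikipedia. It models a receiver with a fixed buffer that consumes a bounded number of segments per tick; with feedback the receiver advertises its free buffer space each tick and the sender never exceeds it (a sliding window, as TCP does), while without feedback the sender transmits at its own rate and the receiver drops whatever it cannot buffer. The class and function names and the parameter values are this example's own choices.

```python
"""Receiver-driven flow control as a small discrete-time simulation (added example)."""
from collections import deque
from typing import Deque, Dict, List


class Receiver:
    """Buffers incoming segments and consumes `drain_per_tick` of them each tick."""

    def __init__(self, buffer_size: int, drain_per_tick: int) -> None:
        if buffer_size <= 0 or drain_per_tick <= 0:
            raise ValueError("buffer_size and drain_per_tick must be positive")
        self.buffer: Deque[int] = deque()
        self.buffer_size = buffer_size
        self.drain_per_tick = drain_per_tick
        self.delivered: List[int] = []
        self.dropped: List[int] = []

    def accept(self, seq: int) -> bool:
        """Queue a segment, or drop it when the buffer is already full."""
        if len(self.buffer) >= self.buffer_size:
            self.dropped.append(seq)
            return False
        self.buffer.append(seq)
        return True

    def drain(self) -> None:
        """The application consumes a bounded number of segments per tick."""
        for _ in range(min(self.drain_per_tick, len(self.buffer))):
            self.delivered.append(self.buffer.popleft())

    def window(self) -> int:
        """Free buffer space: the window the receiver advertises back to the sender."""
        return self.buffer_size - len(self.buffer)


def simulate(total: int, sender_rate: int, buffer_size: int,
             drain_per_tick: int, feedback: bool) -> Dict[str, int]:
    """Transmit `total` segments and report delivered/dropped counts and ticks used.

    This is flow control only: dropped segments are not retransmitted, which is
    exactly why a sender without feedback loses data here.
    """
    rx = Receiver(buffer_size, drain_per_tick)
    advertised = rx.window()  # the sender starts out knowing the full window
    next_seq, ticks = 0, 0
    while next_seq < total or rx.buffer:
        ticks += 1
        # With feedback, a zero advertised window simply stalls the sender this tick.
        allowed = min(sender_rate, advertised) if feedback else sender_rate
        for _ in range(allowed):
            if next_seq >= total:
                break
            rx.accept(next_seq)
            next_seq += 1
        rx.drain()
        advertised = rx.window()  # feedback carried back for the next tick
    return {"delivered": len(rx.delivered), "dropped": len(rx.dropped), "ticks": ticks}


if __name__ == "__main__":
    # Fast sender (5 segments/tick), slow receiver (buffer of 4, consumes 2/tick).
    for fb in (True, False):
        print("feedback" if fb else "no feedback", simulate(20, 5, 4, 2, fb))
```

With the parameters in the usage block the feedback run takes more ticks but loses nothing, because the sender is held to the receiver's consumption rate; the no-feedback run finishes sooner and silently loses half the segments. The trade-off is the whole point of the mechanism: throughput is bounded by the slower end either way, and feedback just makes that bound explicit instead of paying for it in drops.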

It is possible that flow control would also be utilized to prevent a sending computer that bursts large amounts of data from malfunctioning or from being detected by normal means.

That concludes this session of research:

Addendum

A netstat was performed. It showed programs engaged in connections when they should have been listening. When those programs were stopped, the suspect website went back to timing out in Utah.
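The addendum's observation, a program holding active connections when it should only be listening, can be checked mechanically. The script below is an added example, not code from the original post: it parses the table printed by `netstat -ano` on Windows and flags ESTABLISHED TCP connections owned by a process that also has listening sockets, where the connection's local port is not one of that process's listening ports. An accepted client connection keeps the server's port as its local port, so an ephemeral local port means the server process itself dialled out, which a listen-only service should not need to do. The embedded sample table is constructed with documentation-range addresses and made-up PIDs, not a capture from the machine in the write-up; the function names are this example's own.

```python
"""Flag listening processes that have dialled out, from `netstat -ano` text (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Proto, local address, foreign address, optional state (UDP rows have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: Optional[str]
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse the table printed by `netstat -ano`; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return conns


def port_of(addr: str) -> int:
    """'192.168.1.20:3389' -> 3389; also handles IPv6 forms such as '[::]:135'."""
    return int(addr.rsplit(":", 1)[1])


def listening_ports(conns: List[Conn]) -> Dict[int, Set[int]]:
    """PID -> set of TCP ports that process is listening on."""
    ports: Dict[int, Set[int]] = defaultdict(set)
    for c in conns:
        if c.proto == "TCP" and c.state == "LISTENING":
            ports[c.pid].add(port_of(c.local))
    return ports


def outbound_from_servers(conns: List[Conn]) -> List[Conn]:
    """ESTABLISHED TCP connections of a listening PID whose local port is not one of
    its listening ports, i.e. the server process opened the connection itself."""
    listen = listening_ports(conns)
    return [
        c for c in conns
        if c.proto == "TCP" and c.state == "ESTABLISHED"
        and c.pid in listen and port_of(c.local) not in listen[c.pid]
    ]


# Constructed sample: documentation-range addresses, made-up PIDs. Not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1240
  TCP    192.168.1.20:3389      192.168.1.50:51022     ESTABLISHED     1240
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED     3404
  TCP    192.168.1.20:49800     198.51.100.77:8080     ESTABLISHED     1240
  UDP    0.0.0.0:5353           *:*                                    2100
"""

if __name__ == "__main__":
    for c in outbound_from_servers(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {c.pid} listens but also connected out: {c.local} -> {c.foreign}")
```

In the sample, PID 1240 serves port 3389 and has one inbound client on that port, which is normal; its second connection from an ephemeral port to a remote host is what gets flagged. PID 3404 has an outbound connection too, but it listens on nothing, so it is an ordinary client and is left alone. Map flagged PIDs to image names with `tasklist` before drawing conclusions; the heuristic finds candidates, it does not identify malware on its own.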

Security risks

Mark Shuttleworth, founder of the Ubuntu Linux distribution, has described proprietary firmware as a security risk,[10] saying that “firmware on your device is the NSA’s best friend” and calling firmware “a trojan horse of monumental proportions”. He has pointed out that low-quality, closed source firmware is a major threat to system security:[11] “Your biggest mistake is to assume that the NSA is the only institution abusing this position of trust – in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity, courtesy of incompetence of the highest degree from manufacturers, and competence of the highest degree from a very wide range of such agencies”.

Researched: how to scan for injectable firmware

General Description The Sequencing SAR ADC component gives you the ability to configure and use the different operational modes of the SAR ADC on PSoC 4. You have schematic and firmware level support for seamless use of the Sequencing SAR ADC in PSoC Creator designs and projects. You also have the ability to configure up to 8 analog channels that are automatically scanned with the results placed in individual result registers. An optional “Injection channel” may also be enabled by firmware to occasionally scan a signal that does not need to be scanned at the same rate as other channels.

http://www.cypress.com/?docID=44475

When Firmware Modifications Attack: A Case Study of Embedded Exploitation

ndss-2013 (the PDF file of the paper above)

Chip maker AMD has patched holes across its firmware lines that could allow hackers to inject malware.

Czech programmer Rudolf Marek reported the holes in the Trinity, Richland, Kaveri, and Kabini silicon series ahead of a disclosure at the Chaos Communications Congress.

AMD’s System Management Unit (SMU) firmware code within x86 processors did not run adequate checks prior to execution, allowing Marek to inject his own commands.

Marek told attendees to ask their mainboard vendors to push the fixed AGESA to BIOSes.

“Tell your vendors for a fixed AGESA (AMD Generic Encapsulated Software Architecture),” Marek said during the talk aimed at encouraging more of the low-level security analysis.

“This is the only way to push vendors to update BIOSes for older platforms.”

Marek did not describe particular attack scenarios created by the lack of a protected code along with further firmware errors.

It took roughly a year to fix the flaws in an exchange he described as “responsible and helpful”.

http://www.theregister.co.uk/2015/01/14/amd_plugs_chip_firmware_holes/

Fault Injection on Firmware Level

Software-implemented fault injection (SWIFI) is an established method to emulate hardware faults in computer systems. Existing approaches either extend the operating system by special drivers, modify the runtime environment, or change the application under test.

The FutureSOC project on novel SWIFI approaches investigates new ideas for adding fault injection as standard dependability assessment tool in modern server environments. One approach relies on the Extensible Firmware Interface (EFI), the BIOS-successor available in latest X86 systems as provided by the FutureSOC lab. Our approach extends the firmware of these systems in order to a) make fault injection completely transparent to the operating system, and to b) support a larger variety of fault types. No modifications to the operating system or the application code are needed.

Our prototype is available for free use in non-commercial usage scenarios. Below you can find installation and configuration instructions. Binaries are provided for download at the end of the page.

In case of further questions, please contact Peter Tröger.

 

Cracking Dildos And Dollies: Hackers Expose Vulnerabilities In Connected Toys

“We don’t think it would take much to turn her into a device to spy on and potentially interact with children. You would be well advised to make sure that she is switched off when not explicitly in use and make sure that the mobile device is secured with a strong PIN, also kept and patched up to date. In  the longer term the manufacturer should apply a PIN for the Bluetooth pairing process, but we don’t think that can be done without a product recall.”

via Cracking Dildos And Dollies: Hackers Expose Vulnerabilities In Connected Toys.


Back Waters – A Note On the Syria Yemen Campaign.

Tides.

A source came forward noting that during the Libya campaign they were approached to carry the campaign on to Syria. They stated that they declined, stating that the campaign was to go to Yemen next, and that there was significant want and pull to have a campaign there. They noted that the people asking for the campaign to come to Syria were saying how very much it was needed in Syria and showing pictures of protests, but the protests being pictured out of Syria were not exhibiting a likely anti-corruption campaign. The photos were of women and children with balloons, smiling, not at all looking stressed or down-trodden. The source went on to say the photos had the look and feel of a PR company that had been campaigning against Iran on Chinese Democracy and anti-Iran-centric IRC servers. They also noted that while training an individual on IRC they noticed a PR company making anti-Iran changes in the Wikipedias of obscure African countries.

The source noted that after they said no, that the campaign would not go towards Syria and that Syria was not ready for or in need of a campaign, they were told, “Fine, we are dedicated and will do this on our own.” It was at that time they noted the Yemen campaign ground to a halt due to US involvement, US strikes, and US propping up of the Yemen government.

Al-Qaida update

I read with interest your latest analysis and forecast about al-Qaida.
Now al-Zawahiri has offered to “answer questions” he receives by
mid-January via the Internet. He is behaving like (setting himself up
as?) a mufti, who dispenses fatwas regarding any question from
believers–or perhaps, non-believers. This new tack may signal that he is
elevating himself to a position rivaling other internationally consulted
muftis, even though he is not a normative mufti. It is part of what you
have identified as the “ideological” battlefield.

In regard to your assumption of al-Qaida’s “devolution” (possibly a type
of failure), I would like to provide a few working principles from the
study of religion and violence, particularly in heterodox movements, which
may be of some interest:

From Cathy Wessinger (U.S., Loyola University, New Orleans): the concept
of a “fragile millennial group”
From Ian Reader (United Kingdom, U. of Manchester): the concept of “the
pragmatics of failure” (derived from his primary analysis of Aum
Shinrikyo)

A number of scholars have intensively studied new religious movements,
especially the problems a relative few present, since the Jonestown
incident and have developed some applicable principles, among which are
Wessinger’s and Reader’s.

Assumption: Al-Qaida is a millennial movement.

Millennialism (millenarianism, chiliasm) is “a belief in an
imminent transition to the millennial kingdom (i.e., the collective
salvation)”; it is a belief that “has the power to draw people together
to found new religious movements” that promise to reveal esoteric
knowledge about what is ultimately real and ultimately true.

Among the categories of millennial movements,

Al-Qaida is both “nativist” and “revolutionary.”

  • It is nativist because its ultimate concern is to
    defend the Muslim religion and the Muslim lands against cultural and
    physical alien invasion.
  • It is revolutionary because it possesses and
    acts according to a theology that legitimates violence (in order to attain
    the collective salvation/millennial kingdom).

    • It expresses the millennial kingdom in terms of a “caliphate” or “caliphates.”
    • Revolutionary millennial movements are also political, because the collective salvation
      is to be achieved on earth via a destruction of the status quo and a total
      transformation of the world. A hopelessly corrupted world will thus be
      rendered new, clean, and pure.

The fragility thesis applies when a millennial movement fails to meet its
unrealistic expectations, either because of external persecution or
internal stresses or a combination of both.

The group may then seek to
attain its collective salvation through other means, i.e., by legitimizing
violence against perceived scapegoats or by self-destructing as a witness
to the evil state of the status quo world.

An example of the former is

Aum Shinrikyo, which suffered humiliation in its foray into politics and
which fell short of meeting its unrealistic recruitment goals.

An example of the latter is

Jonestown, which conceived of no other option after its
continued existence in its Guyana refuge was threatened by exposure of its
practices and when Jones’ mental and physical health was deteriorating.

It is also possible that the Branch Davidians at Waco became a fragile
millennial group after they were assaulted by the FBI, believing that
Armageddon was occurring and that the “saints” were to be sacrificed, as
related in their version of Revelation. That may be why they set fires in
Mt. Carmel (recently verified by additional sources). In so doing, they
“witnessed” to the satanic evil of the opposing forces.

The point is that if al-Qaida/the International Jihad believes that its
expectations are not achievable, but that victory (of necessity) always
belongs to Allah, it may redefine “victory” and seek another mode of
enacting its self-identification as “the saved sect and victorious
group.”

It can do so in a variety of ways, some violent and some
peaceful.

Reader has proposed a “pragmatics of failure” thesis to account
for Aum’s turn to killing outsiders. First, Aum adopted a compassionate
doctrine from Tibetan Buddhism called “poa” that prescribed rituals to
deliver karmic merit to those who had died, and then it reinterpreted
“poa” to mandate the killing of the spiritually inferior souls in order to
prevent them from amassing further karmic demerits in this life. It could
not save all souls in the world, so it concentrated on saving itself and
accumulating more karmic merit for its victims.

However, it is also possible that achieving the millennial kingdom or
“mission” of the movement may be sought through peaceful means, such as
“routinization.” It is possible, for example, that a group that begins as
a revolutionary movement may seek to join the political process or seek
legitimate status as a party or a church. The Bahai faith was one such
group.

In al-Qaida’s worldview, since Allah cannot fail, He will reveal to the
movement the modes of victory. What those modes may be may vary greatly
from self-destruction (group martyrdom or “witness”), religious
justification for the intensification of terrorism, or alternatives to
violence in order for the “truth” to prevail.

I am not suggesting that al-Qaida shares your view of their “devolution.”
Apparently, the leadership believes they have many options and that Allah
is gaining in victory over the infidels and apostates. However, should
they begin to believe that their efforts are futile, then we may expect
the movement to seek other modes to achieve their unrealistic goals. The
clue to any quantum shift will first appear in the group’s religious and
doctrinal rhetoric.

Thus, what the “mufti”–al-Zawahiri–issues as fatwas should be deciphered
by those who understand his worldview and religious emphasis. They may
signal a shift to other modes of achieving “victory,” whether it is
redefined in catastrophic or relatively irenic terms.

Jean Rosenfeld

Source: https://wikileaks.org/gifiles/docs/30/302969_al-qaida-update-.html

SANS Holiday Challenge

In this year’s challenge, you’ll get to match wits with an Artificially Intelligent agent, exploit a target machine, and do some detailed packet capture and file analysis, all with the goal of unraveling the mysteries of the Ghosts of Hacking Past, Present, and Future to save old Ebenezer Scrooge from certain doom.

via SANS Holiday Challenge.
