[nSLUG] BIOS updating

George N. White III gnwiii at gmail.com
Thu Jun 15 08:04:40 ADT 2017


On 14 June 2017 at 21:03, D G Teed <donald.teed at gmail.com> wrote:

>
> There are 3 different things that clobber/enable the problem.
>
> One is a BIOS update.  Have to wait for vendor for a patch based on
> Intel's.
>
> One is disabling the feature in the BIOS.  It is usually enabled by
> default in
> the BIOS/Intel AMT.  This is a simple Yes/ON.
>
> A third is provisioning.  This is different than enabling the BIOS.
> Provisioning means installing the service (windows as far as I can tell)
> which configures the lights out management, has been set up.  You would
> know if you had set this up!
>
>
"Intel AMT supports remote applications running on Microsoft Windows* or
Linux*." -- see:
https://software.intel.com/en-us/articles/intel-active-management-technology-start-here-guide-intel-amt-9

https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt is a nice
summary

I gather that provisioning with Intel AMT installs hooks that are visible
to the OS, but provisioning with potential malicious software would not be
easy to detect.


> Most people are going to be potentially vulnerable by reason of Intel BIOS
> flaw and the feature being on in the BIOS.  Very few are going to be
> vulnerable by way of the configuration/provisioning having been done.
> All three have to be available/configured for a system to be hacked.
>
> Like many security alerts these days, it is partly about
> promoting the security industry, so spreading the
> FUD is first priority.  It is indeed a very ugly potential
> flaw with no quick fix, but only certain places have adopted it,
> and they would be large labs or enterprise situations.
>

Security Industry is promoting network behavioural monitoring -- are
unexpected packets going to or from a host?  APT malware now has clever
ways to hide information in "normal" appearing text on social networks, see:
http://www.pbwcz.cz/Articles%20of%20english/apt.html

We can tell if a system has been provisioned with Intel software, but in
principle it could be provisioned with malware that would not be easily
detected.  Provisioning could easily be done by someone with physical
access (such as a nefarious manufacturer).  It might be better to
provision IME with "known" software that can be monitored than to rely on
tests for Intel AMT provisioning.


-- 
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
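As an added example (not part of this thread, nor an Intel or kernel tool), the following read-only shell script gathers the indicators an administrator can see from Linux that the Management Engine Interface is present: the mei/mei_me kernel module, a /dev/mei* device node, and the ME's PCI function in lspci output. The module and device names are the standard Linux ones; the lspci match strings are an assumption that varies by platform, and the sample lsmod/lspci texts are constructed for the self-test. Presence is all this can show; whether AMT is enabled in the BIOS and whether it has been provisioned must still be checked in the BIOS/MEBx or with Intel's own tools, as the thread notes.

```shell
#!/bin/sh
# Added example, not from the nSLUG thread: read-only checks for the presence
# of the Intel Management Engine Interface (MEI) on a Linux host.
# Module name mei_me and /dev/mei* are standard Linux names; the lspci
# strings are an assumption; the SAMPLE_* inputs are constructed, not real.

# Returns 0 if the given lsmod(8) output lists the mei or mei_me module.
mei_module_loaded() {
    printf '%s\n' "$1" | grep -Eq '^mei(_me)?[[:space:]]'
}

# Returns 0 if a mei character device node (/dev/mei, /dev/mei0, ...) exists
# under the given directory (default /dev).
mei_device_present() {
    dir=${1:-/dev}
    for node in "$dir"/mei*; do
        [ -e "$node" ] && return 0
    done
    return 1
}

# Returns 0 if the given lspci(8) output names the ME/HECI PCI function.
# Assumption: the device string contains one of these substrings; it differs
# between platform generations, so extend the pattern for your fleet.
pci_has_mei() {
    printf '%s\n' "$1" | grep -Eiq 'HECI|MEI Controller|Management Engine'
}

# Prints how many of the three presence indicators (0-3) hold for the given
# lsmod text, lspci text and device directory. A nonzero count only means the
# ME interface is reachable from the OS; it says nothing about whether AMT is
# enabled in the BIOS or has been provisioned.
mei_indicator_count() {
    lsmod_text=$1; lspci_text=$2; devdir=$3
    n=0
    mei_module_loaded "$lsmod_text" && n=$((n + 1))
    mei_device_present "$devdir" && n=$((n + 1))
    pci_has_mei "$lspci_text" && n=$((n + 1))
    echo "$n"
}

# Constructed sample inputs for the self-test (not output of any real host).
SAMPLE_LSMOD_WITH_MEI='Module                  Size  Used by
mei_me                 40960  0
mei                   106496  1 mei_me
ext4                  737280  1'
SAMPLE_LSMOD_WITHOUT_MEI='Module                  Size  Used by
ext4                  737280  1'
SAMPLE_LSPCI_WITH_MEI='00:16.0 Communication controller: Intel Corporation (example) CSME HECI #1'

# Live report for the host this script runs on; both commands are read-only
# and absent tools are tolerated.
main() {
    live_lsmod=$(lsmod 2>/dev/null || true)
    live_lspci=$(lspci 2>/dev/null || true)
    count=$(mei_indicator_count "$live_lsmod" "$live_lspci" /dev)
    echo "MEI presence indicators on this host: $count of 3"
}
main
```

Run it as an unprivileged user on each Linux host in an inventory; a count of 0 on hardware known to carry an ME usually means the mei_me driver is blacklisted or the interface is disabled in firmware, which is itself worth recording alongside the BIOS/MEBx settings the thread describes.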