posted by martyb on Tuesday December 08 2015, @08:57PM
from the bootkits-are-the-worst dept.

Security researchers at FireEye / Mandiant [say] "We identified the presence of a financially-motivated threat group that we track as FIN1, whose activity at the organisation dated back several years."

[...] "FIN1 used this malware to access the victim environment and steal cardholder data. The group, which may be located in Russia, is known for stealing data that is easily monetised from financial services organisations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies."

[...] The malware's installation location also means it will persist even after re-installing the operating system, widely considered the most effective way to eradicate malware.

Can we all agree that updating firmware should require the movement of a physical jumper?



Related Stories

Hyatt was Hacked

The Hyatt hotel chain discovered credit-card stealing malware in its payment system on November 30 and announced it December 23, in an apparent attempt to spread holiday cheer.

Hyatt's notice to customers has very few details about the investigation, such as how long the breach lasted or how many consumers may have had their card data stolen as a result. Hyatt did say that it has taken steps to strengthen its systems, and that "customers can feel confident using payment cards at Hyatt hotels worldwide."

Hilton, Starwood, and Trump hotels have enjoyed similar data breaches over the past few months.



  • (Score: 4, Informative) by wonkey_monkey on Tuesday December 08 2015, @09:12PM

    by wonkey_monkey (279) on Tuesday December 08 2015, @09:12PM (#273626) Homepage

    ...that "pwns" isn't a word?

    Damn kids with your hippity-hop and your Snoopy-Snoopy-Dog-Dog...

    --
    systemd is Roko's Basilisk
    • (Score: 2) by Nerdfest on Tuesday December 08 2015, @10:34PM

      by Nerdfest (80) on Tuesday December 08 2015, @10:34PM (#273667)

      Kids? Dude, that word's been in use for about 25 years, I think.

    • (Score: 2) by Pino P on Tuesday December 08 2015, @10:51PM

      by Pino P (4721) on Tuesday December 08 2015, @10:51PM (#273677) Journal

      If not "pwn", then what's a better word for "to gain control equivalent to ownership over something"?

    • (Score: 0) by Anonymous Coward on Tuesday December 08 2015, @11:42PM

      by Anonymous Coward on Tuesday December 08 2015, @11:42PM (#273707)

      pwn, personally own. To have full control over, generally in an adversarial context.

      • (Score: 2) by Tork on Wednesday December 09 2015, @04:08AM

        by Tork (3914) Subscriber Badge on Wednesday December 09 2015, @04:08AM (#273787) Journal
        Heh. You know damn good and well that 'pwned' came along because of a typo.
        --
        🏳️‍🌈 Proud Ally 🏳️‍🌈 - Give us ribbiti or make us croak! 🐸
        • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @04:54AM

          by Anonymous Coward on Wednesday December 09 2015, @04:54AM (#273797)

          Even if it did, so what?

          • (Score: 2) by Tork on Wednesday December 09 2015, @05:12AM

            by Tork (3914) Subscriber Badge on Wednesday December 09 2015, @05:12AM (#273804) Journal
            So don't retcon a definition into it. "Personally Own"... pssh.
            --
            🏳️‍🌈 Proud Ally 🏳️‍🌈 - Give us ribbiti or make us croak! 🐸
    • (Score: 2) by Bill Evans on Wednesday December 09 2015, @01:52AM

      by Bill Evans (1094) on Wednesday December 09 2015, @01:52AM (#273747) Homepage

      These days, a deliberate misspelling is used as an intensifier. Examples: pwn, ZOMG.

      • (Score: 2) by wonkey_monkey on Wednesday December 09 2015, @08:47AM

        by wonkey_monkey (279) on Wednesday December 09 2015, @08:47AM (#273854) Homepage

        Well, I think it's ridonculous.

        --
        systemd is Roko's Basilisk
        • (Score: 2) by Gaaark on Wednesday December 09 2015, @10:11AM

          by Gaaark (41) on Wednesday December 09 2015, @10:11AM (#273870) Journal

          I'd say it's supercilious!

          Oh.. wait......

          --
          --- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
        • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @06:31PM

          by Anonymous Coward on Wednesday December 09 2015, @06:31PM (#274053)

          I'd say that's just wonkey!

        • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @10:30PM

          by Anonymous Coward on Wednesday December 09 2015, @10:30PM (#274152)

          this crapulence is borking soylent!

    • (Score: 3, Insightful) by Anonymous Coward on Wednesday December 09 2015, @04:56AM

      by Anonymous Coward on Wednesday December 09 2015, @04:56AM (#273798)

      > Can we also agree...
      > ...that "pwns" isn't a word?

      Not until you agree to stop posting the first line of text in the subject field.

    • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @08:31PM

      by Anonymous Coward on Wednesday December 09 2015, @08:31PM (#274104)

      So there.

  • (Score: 0, Interesting) by Anonymous Coward on Tuesday December 08 2015, @09:13PM

    by Anonymous Coward on Tuesday December 08 2015, @09:13PM (#273628)

    Can we all agree that updating firmware should require the movement of a physical jumper?

    Sure, but that doesn't do squat. That's like saying "my thoughts and prayers are with the families of those who were so brutally murdered". That's all great and gives you a warm fuzzy in thinking that you are part of the solution but in reality, it doesn't do anything. In fact, you are part of the problem; by not tackling the problem, you only make it worse.

    What is needed is advocacy, by which I mean educating, proper advocacy. Not the zealous "closed source is evil", "M$FT and AAPL are Teh 3v1L!" but real education of end users so that the pool of people who actually care about this grows from (right now) being mostly just us techies to as many people as possible. This advocacy and education needs to be aimed outside of our closed 'tech' circles, towards people who would normally respond with "I don't really know a lot about computers" because they are in the majority.
    Whether you like it or not, companies like MSFT and AAPL *do* listen to their customers, but only if money is on the line. Dare to inconvenience yourself by *not* buying the products of companies you don't agree with (and I know some of you *do* indeed do that, but the majority of those here don't). So what if you can't have the latest and greatest android device or facebook or some app, ask yourself whether you really need it that much.

    Here's how you go about effecting that change: if each one of us can convince at least 3 other people of the value of privacy and IT security then we're at least a bit on our way. And make it so that at least one of these 3 people also becomes an advocate!
    But we have to make people care about these things by making them realize how it impacts them today, instead of waving around with fancy hypotheticals and scare-scenarios. Unless you show them how it impacts them today, how it already, right this very moment, impacts them, they won't change their behaviors because change is hard and people are lazy. (BTW, here is a good documentary to show people in order to get started on privacy: Terms and Conditions May Apply [imdb.com])

    I have convinced 2 people already (so no, this isn't a "do as I say, not as I do", I actually am asking you to "do as I do") and am working on others as well. I educate people about privacy, freedom of speech, IT security, etc. to make sure they too spread that to at least three others and so we change the world... (one can dream)

    • (Score: 3, Informative) by Anonymous Coward on Tuesday December 08 2015, @09:30PM

      by Anonymous Coward on Tuesday December 08 2015, @09:30PM (#273636)

      It is nothing like that at all. It proposes an actual solution to a problem as opposed to wishy-washy statements. Putting a physical switch is an attempt to PREVENT such infections in the FUTURE. Similar to how Chromebooks have a similar switch. Yeah, you could own a Chromebook all the way down, but it is made a lot harder by having said physical switch.

      • (Score: 3, Interesting) by Nerdfest on Tuesday December 08 2015, @11:25PM

        by Nerdfest (80) on Tuesday December 08 2015, @11:25PM (#273694)

        I'm pretty much at the point of disregarding nay comments from people that refer to companies by their stock symbols. For an interesting read, go back through old stories looking for comments where people do that.

        • (Score: 2) by Bill Evans on Wednesday December 09 2015, @01:55AM

          by Bill Evans (1094) on Wednesday December 09 2015, @01:55AM (#273748) Homepage

          I'm pretty much at the point of disregarding nay comments from people that refer to companies by their stock symbols.

          Yeah, I've had it up to here with negativity as well.

          • (Score: 2) by Nerdfest on Wednesday December 09 2015, @02:33AM

            by Nerdfest (80) on Wednesday December 09 2015, @02:33AM (#273762)

            You ought to be horse-whipped for trotting out a comment like that.

      • (Score: 1) by anubi on Wednesday December 09 2015, @04:43AM

        by anubi (2828) on Wednesday December 09 2015, @04:43AM (#273793) Journal

        I am building industrial Arduino-compatibles.

        MODBUS (RTU) / SCADA compatible. Uses a graphical HMI. As well as all those nifty little Arduino I2C interfaces.

        One thing I am extremely concerned with is that I do not allow the thing to get into programming mode until the jumper to force a reset at the appropriate time is in place.

        The question I have for this forum is.... just how easy is it to pwn an Arduino if you are only allowed to talk to it via its serial port?

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 4, Informative) by edIII on Tuesday December 08 2015, @11:38PM

      by edIII (791) on Tuesday December 08 2015, @11:38PM (#273704)

      I have no idea what you're on about, but it's nonsensical. Privacy advocacy on its own provides very little meaningful increases in security for the OS.

      A jumper works wonderfully if it works exactly as advertised. Meaning you can't possibly write to the firmware without the jumper being in place.

      In this situation, pray tell, how do you physically short a jumper from a remote network? I can't figure out how, so I certainly can't figure out what you've been smoking :)

      It's what we've needed for a very long time. A method by which we could install read-only firmware. Want to update? Short the jumper, insert the USB stick, restart the unit, wait for flash success, remove USB stick, unshort the jumper, and restart.

      Very simple reason why manufacturers don't do this. They're lazy, don't care, and don't want it to be that hard to update firmware in the first place. It provides a very high barrier to entry, but one I think may eventually be absolutely necessary.

      What makes very little sense is that people poo-poo the jumper, but endorse Secure Boot and UEFI (which makes running most Linux distros impossible). Encrypted keys are not nearly as secure as the jumper, and they actually provide a pretty contentious barrier to entry themselves. The jumper is the FOSS version of SecureBoot that doesn't require any encrypted keys.

      Also quite puzzling, is your further diatribe on privacy. I think you're spot on, but you're overlooking the fact that the jumper can provide people what you want in the first place; Privacy & Security. Neither of which can come without absolute transparency (not one single blob/binary), and the ability to moderate secure boot loaders and firmwares you need to get your system up and running.

      What you want most likely is a combination of a Purism product with a jumper secured read-only bios. The bios/firmwares themselves need not be written to the motherboard at all, but held on a USB stick, or MicroSD. Pull it out, put in another system (dev), load your bios/firmwares and possibly bootloaders, put it back in the system, and restart. The USB stick by default could be read-only period in that setup, if we're okay with requiring a pair of systems.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 2) by hemocyanin on Tuesday December 08 2015, @11:48PM

      by hemocyanin (186) on Tuesday December 08 2015, @11:48PM (#273710) Journal

      Gewg suggests a jumper (a dip switch would be fine too) that would require manual intentional activation in order to make a firmware change. You say that won't help, and suggest instead:

      What is needed is advocacy, by which I mean educating, proper advocacy. ... Here's how you go about in effecting that change: if each one of us can convince at least 3 other people of the value of privacy and IT security then we're at least a bit on our way.

      So, are you a PHB? Gewg's solution was an actual solution in that a person has to consciously and intentionally do something to allow a change to a machine's firmware. Yes, you could trick a few people to do this, but people who have trouble finding the "on" button are going to have a hell of a time opening up the computer case and finding a bank of dip switches inconveniently wedged under the power supply, and the savvy ones will be immediately appalled at the notion that some piece of software has to monkey with firmware. Gewg's idea would make this kind of malware infection so much harder. Your students would just be pissed off about it after they got infected.

    • (Score: 2) by DECbot on Tuesday December 08 2015, @11:48PM

      by DECbot (832) on Tuesday December 08 2015, @11:48PM (#273711) Journal

      I'll agree to your "talk to three people" challenge if you can direct me to the three people I need to converse with to implement a physical jumper in order to flash the bios.

      --
      cats~$ sudo chown -R us /home/base
      • (Score: 3, Informative) by anubi on Wednesday December 09 2015, @05:41AM

        by anubi (2828) on Wednesday December 09 2015, @05:41AM (#273814) Journal

        I do not think three people need to be involved.
         
        Look for the "Write Protect" line in an EEPROM datasheet. Keep your boot code in an EEPROM.

        You can read it as much as you want, but in order to write back to it, the Write Enable must be LOW. Pull it high with a resistor.

        When you want to write new code into the chip, pull this line low first with a jumper to ground.

        Then run your write code.

        Anyway, that is what I am doing with my Arduino/Propeller stuff - when it's my intention that only the possessor of the physical device should be able to program the thing.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 2) by Joe Desertrat on Wednesday December 09 2015, @07:06PM

      by Joe Desertrat (2454) on Wednesday December 09 2015, @07:06PM (#274068)

      I have convinced 2 people already (so no, this isn't a "do as a say, not as I do", I actually am asking you to "do as I do") and am working on others as well. I educate people about privacy, freedom of speech, IT security, etc. to make sure they too spread that to at least three others and so we change the world... (one can dream)

      You may be better at convincing people than me but in a world where people think things should be fixed in the time it takes to press a button it is a hard sell. Most people buy a Windows PC, after a while it gets slow and they either wipe it and reinstall or buy a whole new PC. They have grown up with the idea that is the normal thing to do. No matter how many times you tell them, no matter that you can show them your PC and tell them you never have to do that, as soon as they have to take one extra step in their daily activities it becomes too much of a burden to them. Somehow ingrained in their minds losing all their data and having to start over is a better solution than having to expend any thought and effort into their daily activities.

  • (Score: 2) by tibman on Tuesday December 08 2015, @09:21PM

    by tibman (134) Subscriber Badge on Tuesday December 08 2015, @09:21PM (#273631)

    Put an actual button on the device. Wait! Nevermind! Was just imagining people getting popups telling them to press the button : / But a small serial display with checksum and a button to apply would be awesome for a hobbyist machine.

    --
    SN won't survive on lurkers alone. Write comments.
  • (Score: 2) by jmorris on Tuesday December 08 2015, @09:25PM

    by jmorris (4844) on Tuesday December 08 2015, @09:25PM (#273634)

    This is not a BIOS attack so forget the jumper. It is just a Windows boot attack and a reference to a different MBR-based attack.

    And you don't even need a jumper anyway, only to forbid BIOS updates from after booting, limit it to the BIOS itself where you have to boot into setup, pick update BIOS and have the file on a USB stick. Solves 99% of the problem. Better still would be if the industry could come together and establish a standard where EVERYTHING inside the case that makes use of upgradable firmware could gate access in a standard way. Then the BIOS could not only update itself but the attached drives and other bits as well. That would allow the BIOS/bootrom to throw the locks on the drives, network adapter, etc. right before loading and transferring control to the first stage boot code.

    • (Score: 2) by Urlax on Tuesday December 08 2015, @09:45PM

      by Urlax (3027) on Tuesday December 08 2015, @09:45PM (#273645)

      isn't this how smartphones work?

      those can't be unlocked either..

      there was a moment in time the jailbraking process could be done from a website, due to browser bugs and privilege escalations..

      • (Score: 0) by Anonymous Coward on Tuesday December 08 2015, @10:19PM

        by Anonymous Coward on Tuesday December 08 2015, @10:19PM (#273661)

        the jailbraking process

        The process of reducing the speed of your jail? Does it involve retro-jets?

    • (Score: 2) by VanessaE on Wednesday December 09 2015, @04:26PM

      by VanessaE (3396) <vanessa.e.dannenberg@gmail.com> on Wednesday December 09 2015, @04:26PM (#273982) Journal

      How do you get the updated BIOS image onto that stick without risking the file itself being compromised (e.g. some virus modifies the file at some point between downloading it and flashing it out)?

      • (Score: 2) by jmorris on Wednesday December 09 2015, @05:04PM

        by jmorris (4844) on Wednesday December 09 2015, @05:04PM (#274005)

        That is a pretty solved problem. RSA signatures are a commonplace solution.
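
The two gates argued over in this thread, put together as one runnable model: the physical write-protect jumper that edIII and anubi describe (line pulled high by a resistor, jumper to ground enables writes), and the signature check jmorris gives as the answer to VanessaE's "what if the file on the stick was modified" question. It also exercises the "nice man from Microsoft talked her into fitting the jumper" case raised later in the thread, where only the signature gate is left. This is an added example written for this page, not code from the article, FireEye, or any poster. Everything in it is assumed: the hardware is a model (the WP line is a boolean, there is no real EEPROM), the RSA key is a toy built from two published Mersenne primes with no padding so that no key generation is needed (the "private" key is therefore public and the scheme is illustrative only; real update tooling uses RSA-PSS or Ed25519 with a key kept off the device), and the names Device, flash_update, sign_image, verify_image and scenario are made up here.

```python
"""Simulated firmware update path gated on (1) a physical write-protect
jumper and (2) an RSA signature over the image.  Pure stdlib, runs offline.
The hardware is a model, not a driver: the write-protect line is a boolean."""
import hashlib
from dataclasses import dataclass, field

# Toy RSA key: modulus from two published Mersenne primes (2^521-1, 2^607-1)
# so the block needs no key generation.  Textbook RSA, no padding, and the
# "private" exponent is derivable by anyone: ILLUSTRATIVE ONLY.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse, Python 3.8+


def sign_image(image: bytes, d: int = D) -> int:
    """Vendor side: sign SHA-256(image) before publishing the file."""
    h = int.from_bytes(hashlib.sha256(image).digest(), "big")
    return pow(h, d, N)


def verify_image(image: bytes, sig: int, e: int = E) -> bool:
    """Device side: recompute the digest of what is actually on the stick
    and compare it with the digest recovered from the signature."""
    h = int.from_bytes(hashlib.sha256(image).digest(), "big")
    return pow(sig, e, N) == h


class UpdateRefused(Exception):
    """Raised when a flash attempt fails one of the two gates."""


@dataclass
class Device:
    """Board whose boot EEPROM has a write-protect input pulled high by a
    resistor; fitting the jumper pulls the line to ground and allows writes."""
    flash: bytes = b"vendor-firmware-v1"
    jumper_fitted: bool = False          # assumed model of the WP line
    log: list = field(default_factory=list)

    @property
    def wp_line_high(self) -> bool:
        return not self.jumper_fitted

    def flash_update(self, image: bytes, sig: int) -> None:
        # Gate 1, physical: no jumper, no write, whatever the OS asks for.
        if self.wp_line_high:
            raise UpdateRefused("WP line high: jumper not fitted")
        # Gate 2, cryptographic: catches a stick image altered after download
        # and a payload from someone who talked the user into fitting the jumper.
        if not verify_image(image, sig):
            raise UpdateRefused("signature mismatch: image altered or unsigned")
        self.flash = image
        self.log.append("flashed %d bytes" % len(image))


def attempt(dev: Device, image: bytes, sig: int) -> str:
    """Run one flash attempt and report the outcome as a string."""
    try:
        dev.flash_update(image, sig)
        return "ok"
    except UpdateRefused as exc:
        return "refused: " + str(exc)


def scenario() -> dict:
    """Constructed cases mirroring the thread; returns each outcome."""
    good = b"vendor-firmware-v2"           # constructed sample image
    sig = sign_image(good)
    dev = Device()
    out = {}
    # 1. Malware under the running OS, jumper absent: stopped by the WP line.
    out["malware_no_jumper"] = attempt(dev, b"bootkit-payload", 0xC0FFEE)
    # 2. User talked into fitting the jumper, then fed an unsigned payload.
    dev.jumper_fitted = True
    out["malware_with_jumper"] = attempt(dev, b"bootkit-payload", 0xC0FFEE)
    # 3. Genuine image altered on the USB stick after download (one byte).
    out["tampered_stick"] = attempt(dev, good[:-1] + b"X", sig)
    # 4. The real procedure: jumper fitted, signed image, then jumper removed.
    out["legit_update"] = attempt(dev, good, sig)
    dev.jumper_fitted = False
    out["after_jumper_removed"] = attempt(dev, good, sig)
    out["flash"] = dev.flash
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, "->", result)
```

The order of the checks is deliberate: the jumper test runs first so that an attacker who cannot touch the board never even reaches the parser for the image, and the signature test runs second so that getting the jumper fitted by social engineering still buys nothing without the vendor's key. Note the signature only proves the file is the one the vendor signed; it says nothing about whether that signed file has its own bugs.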

  • (Score: 2) by edIII on Tuesday December 08 2015, @10:15PM

    by edIII (791) on Tuesday December 08 2015, @10:15PM (#273660)

    Wellllll..... I wanted a local credit union to stick it to the man, and it..... runs a MS web server and MS platform for the banking system. I think I need to make a phone call.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 0) by Anonymous Coward on Tuesday December 08 2015, @11:12PM

      by Anonymous Coward on Tuesday December 08 2015, @11:12PM (#273689)

      Speaking as someone who works in the industry and works with a large number of businesses in the industry. Most of them don't even know what Linux is. Some of them still call their workstation the "CPU."

  • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @01:25AM

    by Anonymous Coward on Wednesday December 09 2015, @01:25AM (#273740)

    Redesigning a case so there's a hole in it for a jumper costs money. Soldering on a switch or a header does, too. If the idea is implemented as "open the case, then cut this PCB trace to make the flash read-only; oh by the way your warranty is now void" then manufacturers might like it. The manufacturers have all the power in this market.

  • (Score: 2) by choose another one on Wednesday December 09 2015, @11:55AM

    by choose another one (515) on Wednesday December 09 2015, @11:55AM (#273900)

    I still get all hot and bothered by stuff like flashing BIOSes, I end up checking and rechecking, sitting-on-hands, actually writing stuff down with a pen in case I have to troubleshoot without internet (which means finding an actual pen and paper which usually takes a while and some exercise), usually I get so hot by that point that I do have to remove my jumper, and I find that very movement concentrates my attention and thus reduces errors - at least based on my problem free experience so far.

  • (Score: 0) by Anonymous Coward on Wednesday December 09 2015, @08:53PM

    by Anonymous Coward on Wednesday December 09 2015, @08:53PM (#274111)

    Or rather, jumpers are the answer *only* for those smart enough or knowledgeable enough.

    How will you convince 75-year-old-Aunt-Emma to open her case, look for and switch the position of the jumper, then do an update, because a new exploit not in firmware requires a firmware update to combat it? (Oh, sorry your Credit Card info was stolen Aunt Emma, you needed to take your computer to an authorized repair center but didn't....)

    How will you keep 75-year-old-Aunt-Emma from doing the instructions given by that nice man who called from "Microsoft" Tech Support giving her the instructions to change the jumper setting so that "Microsoft" can update her computer?

    You're trying to fight a human problem with technical means. Good luck.