Thunderstruck

It is a pleasure to introduce our guest contributor, Avi Deitcher, founder, consultant, and blog editor at Atomic, Inc. (http://www.atomicinc.com). Avi’s article below provides us with timely and relevant insight as the workforce continues to evolve and employ technology focused on seamless productivity:

I am not the biggest AC/DC fan, but their classic song Thunderstruck really could serve as the theme to the latest exploit on Macs, and a nasty one at that.

NakedSecurity reports that Trammell Hudson, an American security researcher, has found a way to permanently and totally own your Mac, and to do so at the hardware level.

For years, people in the tech world have loved their Macs for several reasons:

  1. Coolness factor: there is “social acceptance” in displaying a Mac at the office, airplane lounge or Starbucks.
  2. Unix: the underlying Unix-derived operating system makes many technology tasks far easier and more natural.
  3. Ease of use: Macs historically have been easier to use than the alternatives, although recent issues have led many to question that.
  4. Security: the Mac’s Unix security model, along with its smaller market footprint and the greater technical awareness of its users, has led to fewer exploits.

So your business decides to let its people work with the tools they find most productive, you buy 5,000 MacBooks… and along comes Thunderstrike.

Thunderstrike is particularly bad. Almost all malware out there seeks to infect the memory or hard drive of your computer. However, even the worst is only so bad:

  1. Because it is on the hard drive, you can detect it with the right tools.
  2. Because it is on the hard drive, you can wipe it clean and reclaim the equipment.

The key to these mitigating factors is that the first step in booting up your computer, and thus the most sensitive one, isn’t your hard drive, not even its boot sector. It is the hardware. After all, how else would your computer even know to find and interpret the hard drive?

The hardware itself has software built right into a chip on the computer that tells it how to get started. This startup software, the BIOS or ROM (the firmware), is the most sensitive element of all. Should it become corrupted, your computer is 100% useless, and cannot be fixed or recovered without physically removing the chip and replacing it with a new one.

Of course, once in a while, your computer manufacturer needs to update it, and so a mechanism is in place to update the system firmware. To be safe, they also place security elements into the firmware to validate the update. But if someone could somehow bypass that security, the digital signing of the updates, you are at massive risk.

What could someone do?

  • Make your computer as useful as a pile of bricks (a.k.a. “bricking”)
  • Wreak havoc on your network
  • Sit quietly and watch everything you do, collecting passwords and even trade secrets

Unlike hard-drive-based exploits, there is, as of now, no way to truly detect it.

Many IT departments will respond rationally, from their perspective: from here on in, no Thunderbolt peripherals! And to be safe, many will add: no peripherals at all!

This is a radical overreaction, but I am confident we will see many companies go down this path. I once worked at a firm that banned any USB peripherals, and installed software to monitor for them.

It won’t help.

The key to good cybersecurity is to understand that people need to get work done. If your infosec policy keeps you 100% safe by enabling 0% business, you have not succeeded, you have failed. Since people are getting paid to do their work, they can and will bypass and ignore your restrictions.

So what, then, should productive policies be?

There is no one policy that fits all exploits. What is required is a process of risk evaluation. Each and every type of exploit (not each individual exploit, as there are many millions of them) should be evaluated on the basis of two simple criteria:

  1. How can we reduce (not eliminate) the risk of infection, and what is the cost of doing so?
  2. How can we mitigate damage after the fact, and what is the cost of doing so?

For example, if you could spend $50MM guaranteeing no infection (assuming any prevention is 100% effective), and it will cost you $10MM in lost business and productivity due to restrictions in activity, but all expected infections can be mitigated for $5MM, where do you think you should spend?

In the case of Thunderstrike, at least until Apple patches its Macs, a simpler and saner policy might be:

  • All data is continually backed up, so the loss of a machine is just the $1,000 laptop, not the invaluable data on it. In any case, no irretrievable data should be on laptops anyway. (Mitigation)
  • Do not attach peripherals until after the machine has booted. (Prevention)
  • Find the use cases that require boot-time peripherals before users need them, and give those users solutions, so they do not need to find their own. (Prevention)
  • Never leave laptops unattended. (Prevention)
  • Look for tools to verify the ROM on devices, and run them nightly. I expect manufacturers like Apple to release these fairly soon. (Mitigation)

This is a far cry from “no peripherals”, and should be manageable for employees.

As in all cases, the key is a combination of prevention, evaluation and mitigation, with the business goals in mind.
