Researchers: Rootkits headed for BIOS
Robert Lemos, SecurityFocus 2006-01-26

ARLINGTON, Virginia -- Insider attacks and industrial espionage could become more stealthy by hiding malicious code in the core system functions available in a motherboard's flash memory, researchers said on Wednesday at the Black Hat Federal conference.

Researchers: Rootkits headed for BIOS 2006-01-27
Bela from VA (1 replies)
It wouldn't be that easy!!! 2006-01-27
janice
Quibble - rootkit for OS X 2006-01-27
Anonymous (1 replies)
Re: Quibble - rootkit for OS X 2006-01-30
Anonymous
Researchers: Rootkits headed for BIOS 2006-01-27
Gimping 8600
Not actually 2006-01-27
Prisoner (1 replies)
Re: Not actually 2006-06-24
Anonymous
Researchers: Rootkits headed for BIOS 2006-02-07
Samuel Stetler
Let's start with the problems in this article.

First, it is true that most main boards that are deployed now do not need a jumper to be moved to allow the BIOS to be flashed. So flashing the BIOS would not be incredibly hard to do. Of course you would have to deal with the fact that there are a number of different BIOS manufacturers and each one has numerous different products with different revisions. This makes it a little harder. If you make the assumption that they all use the standard hooks to get into the BIOS this makes it a lot easier, but they don't. So this is not impossible but also is not an easy thing to do. Using AML at a low level or ASL at a high level is also difficult because most manufacturers do not conform to the standard. Stating that this will happen in the next month is really pretty silly. This could have happened for a long time in the past, but it hasn't, and the reason is that it is much more complex than an oversimplified speech makes it sound. It is one of those things that in theory seems easy but in practice is very, very complex. Still, that is not to say someone will not try this at some point in time. That brings up the very important question of how to protect against this type of attack, and in reality there are two distinct types of attacks that I can see from this.

The first is an attack of the sort where you have a worm carrying a virus payload with a root kit which is simply meant to cause mass computer system disruption. This can be defended against in a number of ways which most large and midsize organizations should already be implementing. 1. The BIOS should be password protected. 2. Most modern BIOSes have an integrated virus protection feature that can be turned on and must be turned off before flashing the BIOS. This should be enabled. These two things should eliminate 99% of the threat.

The second type of attack is of the sort where an ex-employee of a company installs a root kit to allow themselves access to a company's computer systems. This is also easily foiled by a few simple precautions in most organizations. 1. Corporate firewalls should be set to only allow the necessary ports from the subnet used for users' computers, ports such as 20, 21, 80, 443, etc. This would keep most root kits from working by sending out information on a non-standard port to another computer somewhere on the internet. 2. Most companies should be using true proxy firewalls for internet connectivity (no, this does not mean a firewall that caches requests) and they should be set so that proxying must occur to allow outbound access. These two things should eliminate most of this threat as well. By the way, this also eliminates numerous other security threats.

The whole root kit issue that this article addresses does not have to be an issue if things are done right from the start.

Samuel Stetler

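The two egress controls described in the comment above (allow only a short list of outbound ports from the user subnet, or require that all outbound access go through a proxy), as an added example that is not part of the article or the commenter's post. It models the policy as a default-deny check over constructed firewall flow records, so that a rootkit reporting out on a non-standard port shows up as a denied flow worth alerting on. The subnet, proxy address, corporate address space and every log line are constructed for the example.

```python
"""Default-deny egress check over constructed flow records.

Added example (not from the SecurityFocus article or the commenter).
All addresses, ports and log lines are constructed for illustration.
"""
import ipaddress
from typing import List, NamedTuple

USER_SUBNET = ipaddress.ip_network("10.20.0.0/16")      # assumption: workstation subnet
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: internal address space
ALLOWED_PORTS = {20, 21, 80, 443}                       # the ports named in the comment
PROXY_HOST = "10.0.0.25"                                # assumption: corporate proxy (internal)


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src=... dst=... dport=... proto=...' record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"].lower())


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CORPORATE_NETS)


def verdict(flow: Flow, require_proxy: bool = False) -> str:
    """Return 'allow' or 'deny' for one flow leaving the user subnet.

    Policy 1 (require_proxy=False): only TCP to external hosts on ALLOWED_PORTS.
    Policy 2 (require_proxy=True): no direct external flows at all; clients
    must talk to the internal proxy, which the internal-destination rule permits.
    Flows not originating in the user subnet are outside this policy's scope.
    """
    if ipaddress.ip_address(flow.src) not in USER_SUBNET:
        return "allow"
    if is_internal(flow.dst):
        return "allow"            # internal traffic (including the proxy) is not governed here
    if require_proxy:
        return "deny"             # direct internet access is never permitted
    if flow.proto == "tcp" and flow.dport in ALLOWED_PORTS:
        return "allow"
    return "deny"


def denied_flows(lines: List[str], require_proxy: bool = False) -> List[Flow]:
    """Return the flows the policy blocks; each one is an alert candidate."""
    return [f for f in map(parse_flow, lines) if verdict(f, require_proxy) == "deny"]


# Constructed sample: a web session, a connection to the proxy, an internal
# file-share flow, a beacon on a non-standard port, and external UDP DNS.
SAMPLE_LOG = [
    "src=10.20.4.17 dst=203.0.113.10 dport=443 proto=tcp",
    "src=10.20.4.17 dst=10.0.0.25 dport=3128 proto=tcp",
    "src=10.20.4.17 dst=10.50.1.5 dport=445 proto=tcp",
    "src=10.20.4.17 dst=198.51.100.7 dport=4455 proto=tcp",
    "src=10.20.4.17 dst=198.51.100.7 dport=53 proto=udp",
]

if __name__ == "__main__":
    for label, strict in (("port allow-list", False), ("proxy required", True)):
        print(f"== {label} ==")
        for f in denied_flows(SAMPLE_LOG, require_proxy=strict):
            print(f"DENY {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Under the port allow-list only the beacon on 4455/tcp and the external DNS query are denied; with the proxy requirement the direct 443/tcp session is denied as well, leaving the proxy and internal flows as the only permitted paths out of the subnet. Feeding real flow logs through `denied_flows` is a cheap way to find hosts that would break before turning the stricter policy on.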
Researchers: Rootkits headed for BIOS 2006-02-13
Black~Feather (1 replies)
Researchers: Rootkits headed for BIOS 2006-03-25
CONFIRMED ROOTKIT TROJAN / SCRIPTING IN BIOS (5 replies)
Researchers: Rootkits headed for BIOS 2008-04-25
Anonymous (1 replies)
Copyright 2009, SecurityFocus