[Cryptography] Equation Group Multiple Malware Program, NSA Implicated

ianG iang at iang.org
Tue Feb 17 06:24:08 EST 2015


On 17/02/2015 01:43 am, Bill Frantz wrote:
> On 2/16/15 at 1:17 PM, fergdawgster at mykolab.com (Paul Ferguson) wrote:
>
>>> GETTING THE SOURCE CODE
>>>
>>> Raiu said the authors of the spying programs must have had access
>>> to
>> the proprietary source code that directs the actions of the hard
>> drives. That code can serve as a roadmap to vulnerabilities, allowing
>> those who study it to launch attacks much more easily.
>>>
>>> "There is zero chance that someone could rewrite the [hard drive]
>> operating system using public information," Raiu said.
>
> While I agree that getting the source code by asking for it, perhaps as
> part of a security review, is the most likely route, I really think the
> NSA could reverse engineer hard drive control code. My guess is that
> reverse engineering is much easier than decrypting Verona. This
> technique might be useful for a secret foreign piece of hardware.


I agree they could likely do it, but I suspect they are constrained by 
the same economics as us.  How likely is it that their big malware 
packages are going to be useful in the case of a secret foreign piece of 
hardware?

Their suite cost lots of programmers over a lot of time.  We're counting 
it in man-years.  They have to leverage that cost across a lot of 
victims unless we're talking about a Manhattan style attack victim.

In contrast their victim is likely moving around across a bunch of 
standard hardware.  Changing laptops, upgrading to newest hardware, etc. 
As it is the sysadm community at relatively high-tech outfits, they're 
probably seeing rollover at 1 year, which means they likely have to hit 
all the big disk drive players, and hope nobody goes for arcane stuff.

One question of detail -- are drives bus-masters on modern systems? 
What does this drive do once it is pwned?  It would seem that just 
seeing all the data come in isn't enough, it needs to be able to start 
doing things actively.  If only to bypass the effects of FDE.



iang


