secure boot gone viral

After the spread of some information, and some mis-information, the story of secure boot in Windows 8, achieved through security features of UFEI has gone viral.  Linux forums all over the web are suddenly full of activists angry about some evil corporation wanting to deprive them of free software.  The aforementioned company has issued a long blog post by way of clarification.

The issue

In brief, the point is that there are plans to replace the BIOS – the main body of firmware which sets up a PC to be ready to run an operating system.  A key task of the BIOS in most systems is to start the boot loader program (or ‘pre-OS environment’), which in turn loads the operating system and gets it running.  This process is prone to attack: if someone can run an alternative boot loader (or reconfigure it, or launch a different operating system), they can either steal all the data on your disk, or they can launch something which looks just like your operating system, but is subverted to send copies of all your secrets – such as everything you type – to the bad guys. Continue reading

How not to look like a spearphishing attack

This is not a protip on how to make your spearphishing attacks more effective.

Today I received an email on my work account. It happens to be at a large defence contractor, and that’s relevant. Because spear phishing attacks are a primary threat in my environment, and they look just like this:

From: [redacted] SPAWARSYSCEN-ATLANTIC, 987654 [[redacted]@navy.mil]
To:
From:
Subject: EXTERNAL: Intelligence Advisor
Attachment: Newsletter_1.docx
 
All,
 
Attached is our latest Newsletter.  Please review.
 
r/
[name redacted]
ASSO/Security Specialist
SSC-Atlantic SSO
[telephone redacted]
[fax redacted]
https://iweb.spawar.navy.mil/depts/[redacted]
For Official Use Only - Privacy Sensitive - Any misuse or unauthorized disclosure may result in both civil or criminal penalties.

A few things stand out in that email: the empty To: and Cc: fields, the extremely generic filename of the attachment, the fact that the attachment is, or at least appears to be, a Word document; and in the body of the message, the odd capitalisation of ‘Newsletter’, the imperative phrase ‘Please review.’

I took the precaution of examining the mail headers in detail.  Thanks, Microsoft, for making that difficult to do.  The Received: header chain looked reassuring; it came from the expected place.  Interestingly, I only now noticed that the email was digitally signed.  The icon is so tiny I overlooked it.  Thank you, Microsoft, again for hiding that piece of important information from me.

I was still wary about the attachment, though.  After a suitable period of contemplation, I clicked on it.  The expected warning message from the OS appeared: “you should not open files received from unknown senders”.  Why show me that warning message when it knows that the message is digitally signed?  Instead of saying it’s from an unknown sender, why not show me the certificate path of the digital signature?  My future career prospects flashing before my eyes, I hesitated.  Instead of opening the attachment at once, I decided to try scanning it first with my computer’s anti-virus programme.

And promptly received a demand for the Administrator password—which I don’t have—because apparently that’s not something users are allowed to do.

So my question for the community is, how can this problem be solved?  Crippling suspicion can’t be good for the efficiency of organisations.

P.S. It was not a spear-phishing attack.  I had a nice conversation with the sender later and we comiserated over the state of trust on the internet.