The recent discussion of the FBI working with the tech people at Best Buy got me wondering.
Let's say you take your computer in for service. You have to give them your passwords. They then have several days to do anything they would want to your computer.
Could an expert install some sort of spyware then that ordinary antivirus and antispyware software would not see?
Trivially. (Where trivially means the installation is easy.)
There are so many holes where malware can lurk that, unless you knew exactly what to look for, you would never find it. Once someone has physical access to your machine they can plant stuff where you might not even guess it could live.
My current favourite is to install the persistent component onto the disk’s internal controller. Various other devices have internal persistent state as well. Perhaps the thing most overlooked by people thinking about malware protection is that even the most basic of personal computers nowadays contain a good half dozen or more processors. The one running the main software and operating system is not always the one that gets subverted. Most anti-malware has no clue about looking in these other areas. Indeed, it mostly can’t even look to see.
Well, definitely. I’d be appalled if they couldn’t and I’d want new intelligence service people hired immediately.
If you give a technically adept developer a computer running an OS of more than marginal sophistication (i.e., not just an adding machine) and let them hang onto it for a while, they should be able to modify its behavior up to and including covering the tracks and traces of what they’ve done.
It’s a specific application of Gödelian principles. Any expression system of sufficient complexity can be used to express a true statement that the syntax of the system cannot verify. Or, to put it another way, any sophisticated operating system by its very nature is going to make it possible to modify all of the information-displaying routines in such a way that they won’t display the specific information that that very modification did indeed take place.
Yes, sophisticated malware can hide from antivirus software. To take an extreme example, suppose the bad guy has the resources to write a complete operating system that looks and acts just like Windows, but internally is doing all sorts of nefarious stuff. All the system files are untouched Microsoft files, so antivirus software doesn’t see anything wrong, but these files aren’t actually being run; they’re just for show. The real OS files are hidden by the (compromised) file system software and you can’t ever see them. This is just an extreme example of a root kit.
But what if the investigator is more sophisticated? Instead of booting the (compromised) OS, he boots a clean OS from a CD or USB stick and uses that OS to examine the system files. Can the bad guy prevent that from detecting the infection? This is trickier, and probably requires the bad guy to replace the machine’s BIOS, but this can certainly be done too. But I don’t think it’s possible to completely close this hole, since the BIOS is limited in size, and probably can’t be modified to be sophisticated enough to boot a compromised version of Linux, Windows, OS/9, or whatever else might be on the USB stick.
However, a serious and sophisticated investigator would not do any of these things. She would remove the disk from the computer and examine it on a clean, air-gapped, uncompromised system. There’s probably nothing that the bad guy could do to hide his infection from that kind of probe. Francis Vaughan, I’d be interested to see a reference for your claim that malware can hide in a disk’s internal controller, but even if that were possible, it wouldn’t help this scenario, because the disk wouldn’t know whether it was being booted normally (so should return the compromised data) or was being probed investigatively (so should return the original Microsoft data).
Which makes for an interesting challenge when so much of the electronic hardware we use is produced in nations not all that friendly to us. If China wanted to, they could practically monitor the earth with controller-embedded spyware. The flip side is that if they do that and get caught at it, that market will probably dry up and they lose hundreds of billions in potential GNP.
Yes, if the KGB had physical access and installed spyware on your system, and the NSA investigated it to find out if it was compromised, the NSA is going to discover the problem.
However, me just running Malwarebytes on the compromised system isn’t going to find the problem.
The original question was whether, if you took your laptop to Best Buy, could the FBI install spyware on your system that a typical user (the kind who takes his laptop to Best Buy to get it fixed) could not find. And the answer is yes, they could easily put spyware on your system that would be impossible to discover unless you’re an expert on that sort of thing. But could they do it so that not even the NSA could discover the malware? No.
Physical security is the last line of cybersecurity protection. Anyone with physical access to your computing hardware can basically do whatever they want to it. All the antiviruses, malware protection and firewalls in the world won’t work if the bad guys can just pull the hard drive out of your computer and replace it with their own. Often the best defense against hackers is a sturdy door with a good lock.
Never mind theoretical; let’s get practical. Unless you are engaged in sooper-seekret military work, the effort it would take to find out which porn you like best just isn’t worth the risk.
I wonder how the experts feel about the opposite approach … just not typing in sensitive personal information … for example, and as far as I know, my SSN isn’t anywhere in any data file in all of my computer … is this false security?
Presumably the spyware would want to send messages via Internet to its masters, communicating its discoveries. Those messages would show up with an Internet monitor like Fiddler, if you knew what to look for. (Install Fiddler after getting the machine back.)
I’m sure this could be defeated by sufficiently smart spyware, but should work in most cases, no? (Assuming you know what to look for in Fiddler’s output — I wouldn’t.)
If malware were installed in the BIOS then software on the PC would not pick up the internet traffic. However, your router would. Of course, most people don’t have routers sufficiently capable of showing it.
There have been several cases reported on Slashdot of some AV company coming across a sophisticated malware program installed on a machine. (These are usually targeted towards a specific group of people or industry.) After checking around they find out that this malware had been around for a few years and had not been detected by any malware company in that time!
Given the number detected in this way, the number of undetected such malware is no doubt troublingly high.
One type of malware that really keeps the experts up at night is the kind that installs itself into the firmware of a computer’s HD. HD companies are reluctant to provide the information or tools to allow AV experts to build scanners to check for an HD infected this way. Even if you do a complete wipe and fresh install, it’s still there.
How paranoid is the user, and what is the spyware doing?
If the spyware is collecting data of some sort and sending it to an external site on a daily/weekly/whatever basis, and I have a firewall or other external network device keeping a log of all outgoing connections, it could be caught that way.
Now, is the type of person who would make periodic reviews of connection logs the type of person who would hand over a PC to Best Buy’s Geek Squad? Probably not.
If you never use your computer to perform any e-commerce or e-finance, and never write a word processing doc or email to anyone containing your name, address, email address, ssn, driver’s license#, passport#, credit card numbers, etc., then yes, there’s not much potentially harmful info someone could glean by monitoring your every keystroke and screenview.
Which means pretty much using your PC like an old-fashioned TV, but with more pr0n channels. That’s a pretty extreme limitation to place on your use of a computer in this day and age.
Even assuming you were willing to go that hard over, consider this:
Let’s say you bank at Bank of America and have your investments at Charles Schwab. They have websites. Your account is connected to their website whether you’ve ever signed up for online access or not. Somebody could notice a BofA or Schwab envelope in your incoming snail-mail or outgoing trash. And with some e-skullduggery connect to their websites as you, activating the online access. Then transferring the money to their account in Bulgaria.
So computers are involved in the theft, but not *your* computer.
I’ve actually experienced this situation in real life.
At a previous job our mail server kept getting blacklisted (DNSBL, ORBS, etc.) because we were being labeled as a spammer. I got us removed from the list, because false positives happen. But we just ended up back on it.
Eventually we checked our firewall and confirmed an unusual amount of mail traffic coming from a specific internal IP address. We then went to the location, found the PC, and ran a whole suite of detection programs. Malwarebytes, Kaspersky, Combofix, even an emergency AV that ran off a bootable flash drive. Nothing found anything.
We then ran a port monitor and it found crazy amounts of SMTP traffic. And I was able to isolate the source. Some genius installed a free video game on his work computer that was actually a Trojan and made that PC part of a botnet. He got disciplined, we wiped that system, and I eventually got us off the blacklist. Took a few days total to track it down though.
There is some really evil stuff out there and sometimes even a thorough search won’t find it unless your search is very targeted. Luckily that was the first and last time I ever had to deal with something like that.
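The approach in this post and the earlier one about reviewing firewall connection logs (an internal host that the firewall shows making far more outbound mail connections than it should) can be turned into a small check. This is an added example, not code from any poster; the firewall log format, the IP addresses and the allowlist of sanctioned mail servers are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed egress log in a hypothetical firewall format assumed here:
#   <timestamp> ALLOW OUT src=<ip>:<port> dst=<ip>:<port> proto=tcp
# 10.0.0.5 is the sanctioned mail server; 10.0.0.42 is a workstation.
SAMPLE_LOG = """\
2024-05-01T08:00:01 ALLOW OUT src=10.0.0.15:51002 dst=203.0.113.10:443 proto=tcp
2024-05-01T08:00:03 ALLOW OUT src=10.0.0.5:40110 dst=198.51.100.7:25 proto=tcp
2024-05-01T08:00:04 ALLOW OUT src=10.0.0.5:40111 dst=198.51.100.9:25 proto=tcp
2024-05-01T08:00:04 ALLOW OUT src=10.0.0.5:40112 dst=198.51.100.21:25 proto=tcp
2024-05-01T08:00:04 ALLOW OUT src=10.0.0.5:40113 dst=198.51.100.30:25 proto=tcp
2024-05-01T08:00:05 ALLOW OUT src=10.0.0.42:50001 dst=192.0.2.11:25 proto=tcp
2024-05-01T08:00:05 ALLOW OUT src=10.0.0.42:50002 dst=192.0.2.12:25 proto=tcp
2024-05-01T08:00:06 ALLOW OUT src=10.0.0.42:50003 dst=192.0.2.13:25 proto=tcp
2024-05-01T08:00:06 ALLOW OUT src=10.0.0.42:50004 dst=192.0.2.14:25 proto=tcp
2024-05-01T08:00:07 ALLOW OUT src=10.0.0.42:50005 dst=192.0.2.15:25 proto=tcp
2024-05-01T08:00:07 ALLOW OUT src=10.0.0.42:50006 dst=192.0.2.16:25 proto=tcp
2024-05-01T08:00:08 ALLOW OUT src=10.0.0.42:50007 dst=203.0.113.10:443 proto=tcp
2024-05-01T08:00:09 ALLOW OUT src=10.0.0.20:44001 dst=10.0.0.5:587 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ALLOW OUT src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_egress_log(text):
    """Return one record per parsable outbound-connection line; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return records

def smtp_fanout(records, port=25):
    """Map each internal source IP to the distinct hosts it reached on `port`."""
    fanout = defaultdict(set)
    for r in records:
        if r["dport"] == port:
            fanout[r["src"]].add(r["dst"])
    return fanout

def flag_unexpected_senders(records, allowed_senders, max_distinct_dsts=3):
    """Hosts outside the mail-server allowlist that open SMTP connections to
    more than `max_distinct_dsts` distinct destinations look like spam bots."""
    flagged = []
    for src, dsts in smtp_fanout(records).items():
        if src not in allowed_senders and len(dsts) > max_distinct_dsts:
            flagged.append((src, len(dsts)))
    return sorted(flagged)
```

The mail server also fans out to several destinations, which is why the allowlist matters: without it the legitimate relay would be flagged alongside the infected workstation.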
One of the clues that might inform you there was malware present is speed, either the speed of the PC or your internet connection. If either prove significantly slower after the repair that could alert you to the problem. But otherwise, no, you’d have to be an expert or use some sophisticated software to see if anything is afoot.
The critical point is that disc controllers are quite complex and powerful devices. The one in the cited article had three ARM processors in it. (The fun project for another day is to try to rework the disc controller so it boots Linux.) With the amount of power available it is possible to make the controller only enable the malware component in specific circumstances. It can watch the order of disc accesses and decide if it is being booted into a live OS, or is just being scanned, for instance. It might only ever deliver the malware after a series of access patterns indicative of a login of the target user. (Shades of VW’s diesel performance testing hack.)
Yes, because your SSN is available online without much trouble. Plus it’s in lots of other people’s computers: your income tax preparer, your bank & all financial companies, your employer (and all past employers), probably your insurance companies, credit card companies, etc.
SSN is not very secure at all. (But that doesn’t matter as much as people think.)