ARLINGTON, Va.—Unless you were at Black Hat on Feb. 28, you probably woke up safe in the assumption that if a rootkit hit your system, reimaging would remove it. You probably also thought that the best way to search a PC's volatile memory, or RAM, was by grabbing it with a PCI card or a FireWire bus.
You were wrong.
At the Black Hat Briefings here on Jan. 28, two breakthrough hardware hacks were demonstrated. One shocker was Coseinc Senior Security Researcher Joanna Rutkowska's demonstration of a way to subvert system memory through software—in essence, the shattering of our long-held belief that "going to hardware" to secure incident response is a security failsafe.
Security professionals at the show called it the "attainment of the holy grail," particularly since the only way to fix the system's memory corruption is to reboot—thus erasing all tracks of the subversion.
It's a digital forensic team's worst nightmare. How can you figure out—and prove in court or to auditors—what people have been doing on your company's PCs, for good or evil?
Hardware heresy didn't stop there. John Heasman from NGSS (Next Generation Security Software) proved that rootkits can persist on a device—on firmware—rather than on disk, and can thus survive a machine being reimaged. Even reformatting won't save us these days.
These hacks are esoteric, but they're proving that much of what we thought of as hardware unassailability is pure folklore.
Jamie Butler, principal software engineer at security services provider Mandiant, explained the significance of Rutkowska's hack in an interview with eWEEK at Black Hat here. "The significance of it is there's been this folklore, this legend that if you do hardware acquisition of memory, it's not subvertible," Butler said. "But if you're running software and you're accessing memory, you can be subverted."
For full story: