After reading some research papers about cold boot attack, I got a big shock and start searching for ways to protect against that kind of vulnerability. I got one solution that is using BitLocker pin access to RAM. But I have still a concern.
- Windows 10 Latest patch can protect cold boot attack?
- DDR3 or DDR4 RAM still have vulnerability?
- Is there another way to protect rather than BitLocker pin?
I’m trying to learn techniques used in malware development.
Dexphot’s advanced techniques, such as the use of fileless execution, polymorphic techniques, and smart and redundant boot persistence mechanisms. source
I was searching for the term “redundant boot persistence mechanism”, but couldn’t find anything useful.
In a moment of desperation and without thinking, I executed an
.exe file purporting to be a pirated version of a hard-to-find program, forgetting that I had no real-time antivirus active. A few seconds later Malwarebytes (the free version, so not real-time) had been removed from the system. I then hurriedly tried to do a System Restore but sure enough, found that my boot sector had been wiped.
Thankfully, the virus – or maybe more accurately, just malware? – hadn’t touched any of my data, including the image backups on one of my internal disks, so I was able to restore back to a working system within a few hours, but this sobering experience has left me wondering: what exactly is the purpose of such a destructive virus?
I can understand ransomware, cryptominers, or malware that turns my computer into part of a botnet, but what motivation would a malware developer have to wipe out a system’s boot sector? What’s the endgame to doing so? As a bonus question, is there known active malware that goes further and wipes out a user’s actual data?
Can we consider the Integrity Check on power-on and the secure boot equal from security point of view?
Secure boot is about allowing only a trusted SW to boot on the processor. A chain of trust can be built as a result of sequence of a securely booted Software components: for example:
- Bootloader authenticates the OS.
- The OS authenticates Application.
Let’s imagine that a system provides an Integrity check on power on, which means on power-on, the stored data (Bootloader, OS, Application) is hashed and the new hash is compared to the old stored hash of the same data. In this case, the integrity of all the stored SW component are going to be checked all together. Then a boot-up is only allowed when the integrity check was successful.
Does it make a difference to check the integrity/authenticity of the SW one after one (secure boot) or to conduct an integrity check on all of them together on power-on? In other words, when can we consider the integrity check and the secure boot equal?
Context: Secure boot is one of the important elements of Trusted Computing in computer system. One variety of the Secure boot is authenticated boot. While secure boot prevent the boot of a non trusted software, the authenticated boot detects a non trusted software but does not prevent its boot.
What are the reasons that would encourage deploying authenticated boot in the system rather than secure boot? In my point of view, it makes more sense (from security point of view) to deploy the secure boot.
Is there other varieties of the secure boot except the authenticated boot?
Any recommendation of reading about Trusted Computing and secure boot?
High Availability Boot (HAB) is a technique described here in an NxP application note. This is best summarised as:
“HAB authentication is based on public key cryptography using the RSA algorithm in which image data is signed offline using a series of private keys. The resulting signed image data is then verified on the i.MX processor using the corresponding public keys. This key structure is known as a PKI tree. Super Root Keys, or SRK, are components of the PKI tree. HAB relies on a table of the public SRKs to be hashed and placed in fuses on the target.”
The procedure burns Super Root Key (SRK) fuses using a software tool called srktool. In it’s proper use, I would use an SSL certificate with the OID set for code-signing. This would have an oid of 188.8.131.52.184.108.40.206.3.
However, there doesn’t appear to be anything that stops me from using a certificate that is created for other purposes, e.g. for client authentication with the OID of 220.127.116.11.18.104.22.168.2.
The problem is that if I have two certificates from the same CA:
- Code-signing certificate
- Client certificate
I could sign the image with the code-signing certificate. If I could update the public key on the target device, then it would be possible to sign it with the client certificate and it would be accepted as valid.
The only option is use different CAs for both code-signing and client certs. I’m wondering if there’s some way to check the OIDs?
This is most likely a naive question, but I failed finding proper answer to it, so I dared to ask here.
When I was using TrueCrypt / VeraCrypt, my key / hash / password was never stored anywhere and I was forced to provide it upon each boot. When I have now enabled BitLocker in my Windows 10 Pro, my key / hash is stored inside TPM (?) and I am never asked for it. My system disk is being decrypted on-the-fly as system boots.
Now, if I don’t have to provide this key during boot then my disk is completely unsafe, if someone would stolen it toghether with my computer (very likely, most often scenario?). I am only safe, if an attacker will get the disk, but not the computer, and will install it in its own computer.
When I was using TrueCrypt / VeraCrypt, I always safe, now matter whether unauthorized person got access to my disk in mine or in any other computer. Without key / hash, my disk was garbage.
Please, explain what am I missing? How can BitLocker be considered safer than TrueCrypt / VeraCrypt give above two scenarios.
I am installing ubuntu on HP laptop with windows 10 preinstalled . Each time i install ubuntu on a partition the grub is not installing i386 file in /boot/grub folder which causes error as grub searches for that file and run into grub rescue at each boot , hence i cannot boot into ubuntu nor windows , i manually added the file by live usb but failed to make grub config for such changes . My partition show (hd,msdos6) as root . grub is installed on root partition. Grub never installs the i386 file and this file can be found in /usr/lib/grub .
I just installed the april 2018 windows 10 update but now I get stuck on this screen whenever I try to boot into windows in grub 2 dual boot. the screen is a like a. broken gub 2 background
View post on imgur.com