[clug] Intel Management Engine MINIX

Bob Edwards bob at cs.anu.edu.au
Sun Feb 24 23:35:20 UTC 2019

On 24/2/19 4:23 pm, George at Clug via linux wrote:
> Bryan,
> I am not that concerned about the security implications of the Intel
> Management Engine MINIX.

It is certainly worth knowing that the ME is present on _many_ (but not
all) Intel CPUs and what vulnerabilities it might introduce.

The ME can be used for good as well as evil. If you suspect that your
machine (generally, server) has been visited by a threat actor, without
wanting to give away that you are on to them, the capabilities of the
ME can help. Of course, there is a bit of a learning curve to get really
friendly with it. Oh yeah - and you can use it to manage your servers -
who knew?

Still, worth firewalling (separately from the candidate machine) if you
want to keep the NSA and their friends out (oh yeah, I keep forgetting,
it is the Russians and Chinese and North Koreans who are the bad guys).

Some of the news that came out 18 months or more ago when this Minix
story first broke is hilarious. I am sure there are _many_ more CPUs
not running Minix than are, like ARM CPUs in all Android and iOS
devices. To suggest that Minix is the most common OS is a bit of a
stretch. A server running 200 VMs might have one ME running Minix but
200 VMs running all manner of other OSs (usually Linux and Windoze).

Then there are the 2/3/4/5G MAC CPUs in all mobile phones, separate to
the main CPU running your fav. apps. Who knows exactly which phone uses
what OS on those CPUs and what backdoors might exist? V. hard to
firewall as well...

Bob Edwards.

> If your computer is connected to the internet, then I am sure there are
> many ways that access can be gained to my computer, if an actor really
> saw value in my device/data.
>  From my observations of attacks over my IT career, in general people
> are attacked, not by sophisticated backdoors resulting from NSA (think
> CISCO switches) or other high level vulnerabilities such as Meltdown,
> Spectre, UEFI, etc, but from simple, easy to avoid mistakes, such as
> falling prey to Phishing emails (about the biggest issue), poor
> password practices, using untrustworthy sites, downloading software
> from non-professional sites, not applying basic security to their
> computer systems (e.g. to modems, web servers or any other type of
> server; suitable firewall settings, not checking logs, not configuring
> software correctly, not removing old settings that are no longer used.
> I am sure the list goes further than my short list.
> So in short, keep an eye on the simple things that you do, maintain
> good password practices and firewalls, then sleep peacefully at night.
> Otherwise you could always disconnect your valuable data from the
> internet, never allowing access to it other than from your keyboard.
> https://www.csoonline.com/article/3203804/security/know-your-enemy-understanding-threat-actors.html
> https://www.beyondtrust.com/blog/entry/difference-between-a-threat-actor-hacker-attacker
> 	* Threat Actor: According to Tech Target [1], “a threat actor, also
> called a malicious actor, is an entity that is partially or wholly
> responsible for a security incident [2] that impacts – or has the
> potential to impact – an organization's security.”
> 	* Hacker: According to Wikipedia [3], “In computing [4], a hacker
> is any skilled computer expert that uses their technical knowledge to
> overcome a problem. While "hacker" can refer to any computer
> programmer [5], the term has become associated in popular culture [6]
> with a "security hacker [7]", someone who, with their technical
> knowledge, uses bugs [8] or exploits [9] to break into computer
> systems.”
> 	* Attacker: According to Wikipedia [10], “In computer [11] and
> computer networks [12] an attack is any attempt to destroy, expose,
> alter, disable, steal or gain unauthorized access to or make
> unauthorized use of an asset.” Thus, an attacker is the individual
> or organization performing these malicious activities.
> https://whatis.techtarget.com/definition/threat-actor
> A threat actor, also called a malicious actor, is an entity that is
> partially or wholly responsible for an incident [13] that impacts –
> or has the potential to impact -- an organization's security.
> George
> On Sunday, 24-02-2019 at 14:09 Bryan Kilgallin via linux wrote:
> Thanks, George:
>> https://fossbytes.com/minix-worlds-most-popular-os-threat/
>> “Intel takes the integrity of its products very seriously. Intel
>> does not put back doors in its products nor do our products give Intel
>> control or access to computing systems without the explicit permission
>> of the end user,” he wrote in a blog post [1].
> Surely if NSA wants a backdoor, it gets a backdoor!
> https://www.networkworld.com/article/3236064/servers/minix-the-most-popular-os-in-the-world-thanks-to-intel.html
>> But here’s the crazy part: That’s not the only operating system
>> you’re running.
>> If you have a modern Intel CPU (released in the last few years) with
>> Intel’s Management Engine [2] built in, you’ve got another
>> complete operating system running that you might not have had any clue
>> was in there: MINIX [3].
> {Since 2008, most of Intel’s chipsets have contained a tiny homunculus
> computer called the “Management Engine” (ME).}
> https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it
> According to Wikipedia, my tower-PC's Intel Core 2 DUO CPU E4700 was
> released in March 2008. And my laptop's Intel Core i5-2520M was released
> in February 2011. So both include the ME.
> {There are two places to disable AMT feature
> 1. In BIOS, Advance chipset Feature -> Intel AMT (Enabled,Disabled)
> 2. CTRL+P to go AMT Menu (Intel ME Control state (Enabled,Disabled))}
> https://software.intel.com/en-us/forums/intel-business-client-software-development/topic/285926
> Unfortunately for both computers, I couldn't find that BIOS item, or get
> control-P to work as above!
