BIOS HDD pwd changed on pfSense machine, backdoor?
-
Running 2.2. A few days ago I had need to shut down the system and reload it; it had been up for 67 days at that point, but much to my surprise the HD pwd I set via the BIOS no longer worked, so now I have a trashed mSATA SSD in my little Intel 847 NUC using a variety of 10/100 plugable USB NICs.
It would seem there is a way for someone (perhaps those that like to demonstrate their abilities but didn't know how to break the extent of their abilities to the world) to change the HD pwd which is set using the UEFI BIOS.
Could I have forgotten the pwd? No, as I have a little black book with all the pwds in (not advised by some, I know) and it's worked up to that point, so I can rule that out.
Knowing the out-of-band vPro/AMT abilities built into Intel CPUs & NICs, could that be one method? Perhaps, although supposedly these facilities are not present in bottom-of-the-range Celerons like the one in my little NUC 847, but they might be in the onboard NIC.
Maybe something in the UEFI BIOS itself? Perhaps; there have been plenty of updates for the Intel NUC 847.
Maybe something in the facility that allows the config to be pulled from the WAN of your pfSense device itself? Perhaps; it's possible to execute code in pfSense at the OS level, so maybe something could be exploited from that new feature.
Either way I can speculate all I like as to how the HD pwd was changed, but I do know the rabbit hole goes deep. ;)
FWIW.
-
Could I have forgotten the pwd?
Yes. No, really. Or something else along those lines that's innocuous. As much as you seem to like conspiracy theories, there are generally more sensible explanations.
Maybe something in the facility that allows the config to be pulled from the WAN of your pfSense device itself? Perhaps; it's possible to execute code in pfSense at the OS level, so maybe something could be exploited from that new feature.
There is no such feature and never has been.
-
I bet it's the same guy that's running the CAM-scanner in Nigeria …
https://forum.pfsense.org/index.php?topic=93199.0
-
@cmb:
Could I have forgotten the pwd?
Yes. No, really. Or something else along those lines that's innocuous. As much as you seem to like conspiracy theories, there are generally more sensible explanations.
Maybe something in the facility that allows the config to be pulled from the WAN of your pfSense device itself? Perhaps; it's possible to execute code in pfSense at the OS level, so maybe something could be exploited from that new feature.
There is no such feature and never has been.
Suggesting a conspiracy theory is one of the easiest ways to shut down enquiring minds' thinking and debate; it's an old trick, and as always there's more data you are not privy to.
With regard to the "no such feature", I'll post this link from earlier in the year as one example, in particular the communication with ns1.pfmechanics.net, even when the feature to check for new updates was switched off. The fact that my packet capture systems that sit in front of pfSense get hacked constantly, making it difficult to capture the hack attempts to learn from, would also suggest some don't like what I'm doing.
https://forum.pfsense.org/index.php?topic=88010.10;wap2
That's not to say there isn't a backdoor built in somewhere, which could simply be a rather obvious bug being exploited, much like what we see here https://forum.pfsense.org/index.php?topic=93208.0
Admittedly, without hard evidence it's hard to prove, which is ultimately how the spooks operate by virtue of being military, and the military operate in secret, making it virtually but not impossible to prove in a court of law. But even then, as my uncle found out, evidence can still be withheld by the prosecution, which led to him carrying out the seemingly impossible in an attempt to prove his innocence, if what he told me is true. He was in the no2 prison break FYI.
http://www.cracked.com/article_20331_5-real-prison-escapes-that-shouldnt-have-been-possible_p2.html
The Guv'nor of the prison would use the keys to point at the prisoners when telling them off, which is how they memorised the keys, amongst other things.
So pardon me if I'm a little suspicious, but there's a lot you are not privy to, and when you have a high signal lesion in the genu of the corpus callosum, which is high-density wiring between the left & right hemispheres and which according to studies on PubMed suggests a higher IQ than most, coupled with a head injury to the left side of the brain which possibly leads to acquired savant syndrome https://www.wisconsinmedicalsociety.org/professional/savant-syndrome/resources/articles/the-acquired-savant/
you might perhaps now understand why the system tests me as I test them in a variety of ways, as I continue to learn a variety of subjects in my quest to build an AI, which some might perceive to be the ultimate weapon! And let's face it, what so-called clever monkey wouldn't want to get their hands on that, if it should even be built in the first place? I'll also highlight this link as well, as it's a fine line between creativity and being schizo http://www.bbc.co.uk/news/10154775.
Anyway I digress.
-
-
So what's BS?
-
-
Nice try, but I've got the manual, so to speak. I can even sell you the automated sock puppets if you want, and I can even give you a copy of the US Fed's tender for their own sock puppet software if you so desire. ;D
Read it, it's quite illuminating.
http://pastebin.com/irj4Fyd5
Some more interesting links can be found here.
http://cryptome.org/2012/07/gent-forum-spies.htm
Edit.
From a psychological perspective it appears you have some obedience to authority, which is explained by Stanley Milgram's obedience to authority psychology experiments.
http://wadsworth.cengage.com/psychology_d/templates/student_resources/0155060678_rathus/ps/ps01.html
http://sdata.stacklink.cn/cache/acb/acb034a0fec0249867dbaa508be82c2f/Social%20Psychology.pdf
-
I'm not interested in reading your conspiracy crap at all. Additionally, stop injecting this useless shit into technical topics (like the DoS thread). So yeah, NSA teamed up with ESF, they've heap sprayed your pfSense box, remotely changed the HDD password to render your HW useless, and now they'll just intercept the new HDD shipment and inject their backdoor into the replacement HDD's firmware. Gotcha. Right.
Someone press the lock thread button here, please.
-
Educate yourself, starting with this. http://www.simplypsychology.org/cognitive-dissonance.html
Another good link. http://psychology.about.com/od/theoriesofpersonality/ss/defensemech_3.htm
And if that fails then just shout the loudest as mentioned here.
http://www.dailymail.co.uk/sciencetech/article-2333165/The-best-way-win-argument-Shout-louder-people-simply-assume-youre-right.html
-
Suggesting a conspiracy theory is one of the easiest ways to shut down enquiring minds' thinking and debate; it's an old trick, and as always there's more data you are not privy to.
No, it's just the truth.
With regard to the "no such feature", I'll post this link from earlier in the year as one example, in particular the communication with ns1.pfmechanics.net, even when the feature to check for new updates was switched off.
There are 3 hostnames that the system may communicate with: updates.pfsense.org (update checks), packages.pfsense.org (package installs/downloads), and files.pfsense.org (bogon updates, package file downloads). None of those were hosted on the pfmechanics.net/com NSes at the time of that writing, nor are they today; they're on Namecheap's NSes.
Something else on your network was attempting to resolve pfmechanics.com for whatever reason (nothing in any software we've ever written will do that), that hostname doesn't exist, so it appended your default domain. If it were some back door, no one would write it to query a hostname that doesn't exist and has never existed. The only thing pfmechanics.com is used by externally is our PTRs anyway.
Again, easy, reasonable explanations.
The fact that my packet capture systems that sit in front of pfSense get hacked constantly, making it difficult to capture the hack attempts to learn from, would also suggest some don't like what I'm doing.
https://forum.pfsense.org/index.php?topic=88010.10
I'd say it's more likely to suggest your inability to deploy secure systems. If some intelligence agency didn't like what you were doing and was owning your systems, they'd sure as hell be better about it to the extent you wouldn't likely find it.
That's not to say there isn't a backdoor built in somewhere, which could simply be a rather obvious bug being exploited, much like what we see here https://forum.pfsense.org/index.php?topic=93208.0
You apparently don't understand XSS/CSRF. That's not exactly easy to exploit. And as paranoid as you are, you're of course using a different browser to manage your systems than you use for general Internet browsing, right? That makes it impossible to exploit those.
I lean towards doktornotor's suggestion of locking the thread since it's complete garbage, but that just incites stupidity about how it must really be a conspiracy theory then, and we're silencing dissenting opinion.
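As an added example (not cmb's code and not anything from pfSense), here is a small Python script that reproduces the resolver behaviour described in this reply, namely a client trying a name as given, getting NXDOMAIN, and then retrying it with its default/search domain appended, and that scans DNS query log lines to separate those search-list artefacts from genuine local-host lookups. The log format, the `home.lan` default domain, the client addresses and the fake zone data are all constructed for the example.

```python
"""Added example (not from the thread or from pfSense): how a stub resolver's
search list turns a failed lookup of an external name into a query for
<name>.<default domain>, plus a log check that separates those artefacts
from real local-host lookups."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone data standing in for the real DNS; every name and address
# here is made up. Names that are absent model NXDOMAIN.
FAKE_DNS: Dict[str, str] = {
    "updates.pfsense.org.": "198.51.100.10",
    "files.pfsense.org.": "198.51.100.11",
    "printer.home.lan.": "192.0.2.50",
}


def fake_lookup(fqdn: str) -> Optional[str]:
    """Stand-in for an A-record query; None means NXDOMAIN."""
    return FAKE_DNS.get(fqdn if fqdn.endswith(".") else fqdn + ".")


def resolve_with_search(name: str, search: List[str], ndots: int = 1,
                        lookup: Callable[[str], Optional[str]] = fake_lookup
                        ) -> Tuple[List[str], Optional[str]]:
    """Mimic the classic stub-resolver algorithm (ndots rule, then search list).

    Returns (names tried in order, answer or None). A name with at least
    `ndots` dots is tried as-is first; only after that fails does the resolver
    append each search domain, which is what puts a query such as
    pfmechanics.com.home.lan on the wire.
    """
    if name.endswith("."):                 # absolute name: search list never used
        return [name], lookup(name)
    candidates: List[str] = []
    if name.count(".") >= ndots:           # "qualified enough": as-is first
        candidates.append(name + ".")
    candidates += [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") < ndots:            # bare host name: as-is last
        candidates.append(name + ".")
    tried: List[str] = []
    for fqdn in candidates:
        tried.append(fqdn)
        answer = lookup(fqdn)
        if answer is not None:
            return tried, answer
    return tried, None


# Constructed query-log lines in a made-up format (client, record type, name).
SAMPLE_LOG = """\
2015-05-01T10:00:01 client 192.0.2.10 query A updates.pfsense.org
2015-05-01T10:00:02 client 192.0.2.10 query A pfmechanics.com.home.lan
2015-05-01T10:00:03 client 192.0.2.20 query A printer.home.lan
2015-05-01T10:00:04 client 192.0.2.20 query A files.pfsense.org
2015-05-01T10:00:05 client 192.0.2.30 query A ns1.pfmechanics.net.home.lan
"""
LOG_RE = re.compile(r"client (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)")


def classify_qname(qname: str, default_domain: str) -> Tuple[str, str]:
    """Return (category, base name).

    'external' - not under the default domain at all
    'local'    - one label under the default domain (a real LAN host)
    'misfire'  - an already-qualified name with the default domain appended,
                 i.e. the resolver fallback after an NXDOMAIN
    """
    q = qname.rstrip(".").lower()
    suffix = "." + default_domain.rstrip(".").lower()
    if not q.endswith(suffix):
        return "external", q
    base = q[: -len(suffix)]
    return ("misfire" if "." in base else "local"), base


def flag_search_misfires(log_text: str, default_domain: str) -> List[Tuple[str, str]]:
    """List (client, original external name) for queries that exist only
    because the client's resolver appended the default domain."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        category, base = classify_qname(m["qname"], default_domain)
        if category == "misfire":
            hits.append((m["client"], base))
    return hits


if __name__ == "__main__":
    tried, answer = resolve_with_search("pfmechanics.com", ["home.lan"])
    print("tried:", tried, "answer:", answer)
    for client, original in flag_search_misfires(SAMPLE_LOG, "home.lan"):
        print(f"{client} looked up {original}; its resolver appended the default domain")
```

The misfire check is a heuristic: it treats any multi-label name under the default domain as an appended external name, so a LAN that uses real subdomains (host.site.home.lan) needs those added to the local category before the output means anything. What it does give an investigator is the client address that originated each such lookup, which is the host to examine next rather than the firewall.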
-
My setup was basically:
Intel NUC running pfSense.
1 WAN to the net.
1 LAN with the default allow rule to the FW; this was an RPi used solely for the configuration of pfSense.
Multiple USB NICs to individual machines, i.e. no default rule existed and rules were added to allow a service out, like FreeSWITCH or a mail server.
Domains were also allowed for rules, so a Windows machine could only update to MS, as detailed here for example.
https://forum.pfsense.org/index.php?topic=87247.0
I think that only one device, namely an RPi, was used to access and configure pfSense on the default LAN, and all other additional NICs to internal machines had to be enabled to the extent I have detailed here https://forum.pfsense.org/index.php?topic=92804.msg517267#msg517267
would suggest reasonable precautions had been taken? Or have I missed something? I think it's a pretty good paranoid setup if one had to come up with a good setup.
With regard to "Something else on your network was attempting to resolve pfmechanics.com for whatever reason", I will investigate further if possible, but as my HDs are slowly being locked and thus rendered unusable it's getting quite costly, not to mention locking me out of the data that could prove useful for proof.
"I'd say it's more likely to suggest your inability to deploy secure systems. If some intelligence agency didn't like what you were doing and was owning your systems, they'd sure as hell be better about it to the extent you wouldn't likely find it."
Govts, especially the military, have far greater resources than most businesses.
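As an added sketch (not the poster's ruleset, and not a file pfSense reads, since pfSense generates its rules from its own configuration rather than from a hand-written pf.conf), here is what the policy described in this post looks like in plain pf syntax: the stock allow-anything rule on the management LAN, no default rule on the per-machine USB NICs, and a hostname-based table standing in for a pfSense alias so that one NIC can reach update servers only. The interface names (em0, em1, ue0, ue1), the addresses and the update hostname are placeholders.

```pf
# Added example, not the poster's ruleset. Interface names, networks and the
# update hostname are placeholders chosen for illustration.
wan  = "em0"   # to the Internet
lan  = "em1"   # the RPi management host only
voip = "ue0"   # USB NIC to the FreeSWITCH box
win  = "ue1"   # USB NIC to the Windows machine

# In pfSense a hostname alias becomes a table like this and is refreshed
# periodically; plain pf resolves the names once, when the ruleset loads.
table <win_update> { updates.example.invalid }   # placeholder hostname, not a real update host

set skip on lo0
block in log all            # no default rule on any interface: nothing passes unless listed
block out log all
pass out on $wan keep state # let traffic that was allowed in on a NIC leave via the WAN

# Management LAN: the stock "allow anything from LAN" rule. Acceptable only
# because the RPi is the single host on this segment.
pass in on $lan from $lan:network to any keep state

# VoIP NIC: DNS to the firewall itself and SIP signalling out, nothing else
# (RTP media ports are omitted from this sketch).
pass in on $voip proto udp from $voip:network to ($voip) port 53 keep state
pass in on $voip proto udp from $voip:network to any port 5060 keep state

# Windows NIC: DNS to the firewall, and HTTP/HTTPS only to the update hosts.
pass in on $win proto udp from $win:network to ($win) port 53 keep state
pass in on $win proto tcp from $win:network to <win_update> port { 80 443 } keep state
```

Two points worth noticing when reviewing a setup like this: the `block out log all` also stops the firewall forwarding between the USB segments, so the NICs cannot reach each other even though each has an allow rule, and the hostname table is only as trustworthy as the DNS answers that populate it, which is why the DNS rules above point each segment at the firewall's own resolver rather than at any external server.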
-
I suggest you make the ultimate router security upgrade… Unplug the WAN cable...
Then you can sleep well at night.
-
Govts, especially the military, have far greater resources than most businesses.
Which was exactly my point. They also likely wouldn't be so sloppy about it as to get caught repeatedly. You have to be deploying systems over and over again with the same security hole(s) that eventually someone scanning finds and owns. Unless you're a high profile target, no one's going to waste a high value 0 day on you. Every time you use it, it's more likely to be found out.
I think that only one device, namely an RPi, was used to access and configure pfSense on the default LAN, and all other additional NICs to internal machines had to be enabled to the extent I have detailed here https://forum.pfsense.org/index.php?topic=92804.msg517267#msg517267
would suggest reasonable precautions had been taken?
I would call that reasonable precautions. That's far better than most people.
Still plenty of ways to be compromised. Some incident response definitely would be justified to figure out how that's happening to you.
-
I suggest you make the ultimate router security upgrade… Unplug the WAN cable...
Then you can sleep well at night.
That is the logical conclusion but I sleep well already. :)
-
@cmb:
Govts, especially the military, have far greater resources than most businesses.
Which was exactly my point. They also likely wouldn't be so sloppy about it as to get caught repeatedly. You have to be deploying systems over and over again with the same security hole(s) that eventually someone scanning finds and owns. Unless you're a high profile target, no one's going to waste a high value 0 day on you. Every time you use it, it's more likely to be found out.
Who needs a 0-day, as you rightly point out below? But then do you buy the stories that the Govt doesn't have the money for xyz?
I think that only one device, namely an RPi, was used to access and configure pfSense on the default LAN, and all other additional NICs to internal machines had to be enabled to the extent I have detailed here https://forum.pfsense.org/index.php?topic=92804.msg517267#msg517267
would suggest reasonable precautions had been taken?
I would call that reasonable precautions. That's far better than most people.
Still plenty of ways to be compromised. Some incident response definitely would be justified to figure out how that's happening to you.
Well, if my HDs with packet capture data and others weren't being trashed I'd be able to provide something; unfortunately my HDs keep being trashed, making it difficult to provide any such data for analysis.
But if you needed a backdoor into a system, hardware is where I'd put it, as it's virtually impossible to inspect, as this vid from 2007 explains.
https://www.youtube.com/watch?v=VV_v_OEOhH0
Wake on LAN has been around for years, since 1996. http://en.wikipedia.org/wiki/Wake-on-LAN#History
So do you (or anyone else*) have any suggestions to overcome the HW issues? Apart from using older HW and perhaps USB NICs (although some would suggest not using them), I don't have any other ideas to avoid getting hacked which could prove the hacking methods used, especially considering this post of mine from earlier on in the year. https://forum.pfsense.org/index.php?topic=88180.msg486376#msg486376
*Like I said to Kejianshi, the logical thing to do is unplug from the net.