Worried about bootkits, rootkits, UEFI nasties? Have you tried turning on Secure Boot, asks the No Sh*! Agency
And have you tried simply asking hackers to not hack?
The NSA has published online a guide for IT admins to keep systems free of bootkits and rootkits.
The American surveillance super-agency's 39-page explainer [PDF] covers UEFI security and, in particular, how folks can master Secure Boot and avoid switching it off for compatibility reasons.
A bootkit is a piece of software that runs before the OS starts up and tampers with it to ensure it runs some kind of malicious code later. Said code could be a rootkit that ensures another piece of the puzzle – spyware or ransomware, say – is deployed and executed with sysadmin-level powers. Secure Boot is a mechanism that uses cryptography to ensure you're booting an operating system that hasn't been secretly meddled with; any addition of a bootkit or rootkit should be caught by Secure Boot.
The guide walks people through the steps to deploy Secure Boot. The key thing is stopping a miscreant who has managed to obtain physical or admin-level access to a computer from gaining persistent, hidden control over the machine by altering the operating system and any software on top of it from the firmware level.
"Malicious actors target firmware to persist on an endpoint," the agency noted.
"Firmware is stored and executes from memory that is separate from the operating system and storage media. Antivirus software, which runs after the operating system has loaded, is ineffective at detecting and remediating malware in the early-boot firmware environment that executes before the operating system. Secure Boot provides a validation mechanism that reduces the risk of successful firmware exploitation and mitigates many published early-boot vulnerabilities."
While the document is intended to serve as a guide for admins in US government organizations, such as the Department of Defense, it also has good advice for those in the private sector worried about software nasties, rogue insiders, and other miscreants gaining a sturdy foothold in corporate networks.
The best way to avoid trouble, says No Such Agency, is to simply avoid turning off Secure Boot in the first place. The NSA acknowledges that this isn't always practical, and there are a number of situations where Secure Boot gets in the way. With that in mind, the agency recommends the following:
* Machines running legacy BIOS or Compatibility Support Module (CSM) should be migrated to UEFI native mode.
* Secure Boot should be enabled on all endpoints and configured to audit firmware modules, expansion devices, and bootable OS images (sometimes referred to as Thorough Mode).
* Secure Boot should be customized, if necessary, to meet the needs of organizations and their supporting hardware and software.
* Firmware should be secured using a set of administrator passwords appropriate for a device's capabilities and use case.
* Firmware should be updated regularly and treated as importantly as operating system and application updates.
* A Trusted Platform Module (TPM) should be leveraged to check the integrity of firmware and the Secure Boot configuration.
Mind you, this doesn't mean Secure-Boot-capable firmware is infallible at stopping bootkit and rootkit infections. The NSA noted that PCs with UEFI Fast Boot enabled may not vet software as thoroughly, and therefore may allow malware like LoJax to sneak through.
Because of this, the agency advises government agencies that are particularly paranoid about their network security to check the Secure Boot settings on all machines to make sure they've set up the proper protections and disabled any bypasses.
Other options for improving Secure Boot security include rolling your own allow- and deny-list databases and removing the Microsoft certificate database that is used by default to check operating systems and hardware components. This would, the NSA notes, prevent insider attackers from downgrading the OS or installing other hardware components.
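If you do go down the custom-database route, you will want to verify what actually ended up in db and dbx rather than trust the provisioning tool. The following is an added example (not code from the NSA guide or from The Register) that parses the UEFI EFI_SIGNATURE_LIST format those variables use and reports how many entries each list holds and how many still carry Microsoft's SignatureOwner GUID; the signature-type GUIDs and the Microsoft owner GUID are the real values from the UEFI specification and Microsoft's shipped databases, while ORG_OWNER and the sample blob are constructed for the demonstration.

```python
import struct
import uuid
from collections import Counter
# Signature-type GUIDs from the UEFI specification, and the SignatureOwner GUID
# Microsoft stamps on the db/dbx entries it ships.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509: "X509", EFI_CERT_SHA256: "SHA256"}
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER = struct.Struct("<16sIII")

def iter_signatures(blob):
    """Yield (type name, owner GUID, data) for each EFI_SIGNATURE_DATA entry in a
    concatenation of EFI_SIGNATURE_LIST structures, rejecting inconsistent sizes."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        end = off + list_size
        if list_size < HEADER.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        name = SIG_TYPE_NAMES.get(uuid.UUID(bytes_le=raw_type), "unknown")
        pos = off + HEADER.size + hdr_size
        while pos + sig_size <= end:  # entries are fixed-size within one list
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield name, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def summarize(blob):
    """Count entries per type and those Microsoft still owns, to confirm a custom db/dbx."""
    counts, microsoft = Counter(), 0
    for name, owner, _ in iter_signatures(blob):
        counts[name] += 1
        microsoft += owner == MICROSOFT_OWNER
    return {"by_type": dict(counts), "microsoft_owned": microsoft}

def build_list(sig_type, entries):
    """Pack one EFI_SIGNATURE_LIST from equal-length (owner, data) pairs (sample input only)."""
    sig_size = 16 + len(entries[0][1])
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, sig_size) + body

# Constructed sample: one Microsoft-owned SHA256 hash plus one X509 entry owned by a
# made-up organisational GUID (a real db carries full DER certificates here).
ORG_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (build_list(EFI_CERT_SHA256, [(MICROSOFT_OWNER, bytes(32))])
             + build_list(EFI_CERT_X509, [(ORG_OWNER, b"\x30\x82" + bytes(30))]))
```

On a Linux box the live database can be fed to `summarize()` by reading the db variable from efivarfs (the file under /sys/firmware/efi/efivars/ whose name ends in the EFI_IMAGE_SECURITY_DATABASE_GUID d719b2cb-3d3a-4596-a3bc-dad00e67656f) and skipping its 4-byte attribute prefix; a non-zero `microsoft_owned` count means the default Microsoft material is still present.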
#include <std/nsa_can_already_bypass_this_theory.h>