NSA saved the world, no BIOS.
American TV news magazine 60 Minutes (NYSE:CBS) is once again in the news, for allegedly reporting the news. This time, there were no additional revelations of Amazon's schemes to drop tchotchkes from buzzing drones. Instead, during an interview by CBS correspondent John Miller with NSA officials, we learned of a nefarious plot worthy of the best Cold War era spy novels. NSA brass spoke of a Chinese "BIOS Plot", designed to "brick" all computers and crash the global economy. The supposed evil plan was foiled by the NSA, with the help of a few good computer companies.
In IT Blogwatch, the Never Say Anything (NSA) interview is all bloggers can talk about.
Your humble blogwatcher curated these bloggy bits for your entertainment, ably assisted by Stephen Glasskeys.
Recuperated, Darlene Storm diagnoses a sickness:
If you saw the 60-minute infomercial for the NSA, then you "know" the spy agency allegedly stops viruses / malware that could brick PCs and practically destroy the world. So where was it when Cryptolocker ransomware...did exactly that by destroying data...until the ransom was paid? Where was this intelligence that stopped disaster for any of the viruses, Trojans, or malware that have trashed computers?
...Supposedly, CBS News senior correspondent John Miller asked the "hardest questions we could find," but the 60 Minutes NSA interview was sickeningly one-sided and is being called a big load of "****" by security researchers and other critics.
..."The Snowden Affair" opened the way for NSA cyber defense director Debora Plunkett to describe how the agency saved the U.S. from a catastrophic Chinese “BIOS Plot” that allegedly would have bricked all computers in our country and possibly the world. MORE
Simon Sharwood prescribes friendly interviews for NSAilments:
The segment appears to have been far from a terrifying experience for the interviewees: the tone is that the NSA is a misunderstood entity doing its best to defend the USA. It therefore includes lots of soft stuff about...folks who work at the NSA and the cryptographic feats performed by its interns. There's also a quick primer on social engineering and how the bad guys use it to [do] bad things.
...How much weight to give to "revelations" like the BIOS attack is therefore hard to assess. One thing seems certain: the NSA has decided it needs to play harder in the battle for hearts and minds in the USA and beyond. 60 Minutes seems to have decided to play along. MORE
Straight from the horse's mouth:
One thing [the NSA] did see coming was called the BIOS Plot. It could have been catastrophic for the United States. While the NSA would not name the country behind it, cyber security experts...told us it was China. Debora Plunkett directs cyber defense for the NSA and for the first time, discusses [the NSA discovering] the plot.
...[Plunkett]: So the BIOS is a basic input, output system. It's, like, the foundational component firmware of a computer. You start your computer up. The BIOS kicks in. It activates hardware. It activates the operating system. It turns on the computer.
This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would’ve infected the computer.
John Miller: So, this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do...and basically turned it into a cinderblock.
Debora Plunkett: A brick. ... Think about the impact of that across the entire globe. It could literally take down the U.S. economy.
John Miller: I don't mean to be flip about this. But it has a kind of a little Dr. Evil quality-- to it that, "I'm going to develop a program that can destroy every computer in the world." It sounds almost unbelievable.
Debora Plunkett: Don't be fooled. There are absolutely nation states who have the capability and the intentions to do just that. MORE
Dr. Roy Schestowitz foresaw the terminals illness:
With UEFI it has been demonstrated that motherboards can be bricked...irrespective of the platform. Imagine what can happen at times of war. If the NSA can take over Windows, which it can, it can brick any computer with such motherboards. This is serious because...even reinstalling the operating system or swapping operating systems would help. MORE
Angry, Robert Graham, is not accepting the denials:
Stripped of techie talk, this passage simply says "The NSA foiled a major plot, trust us." But of course, there is no reason we should trust them. It's like how the number of terrorist plots foiled by telephone eavesdropping started at 50, [eventually down] to 0, as the NSA was forced to justify their claims under oath instead of in front of news cameras. The NSA has proven itself an unreliable source...we can only trust them if they come out with more details -- under oath.
...Moreover, they don't even say what they imply. It's all weasel-words. Nowhere...does a person from the NSA say "we foiled a major cyber terror plot". Instead, it's something you piece together by the name "BIOS plot", cataclysmic attacks on our economy...and phrases like "would it have worked".
...So, in the end, it's just like the existing testimony from Clapper and Alexander that is never precisely a lie, but likewise, intentionally deceptive. MORE
Spencer Ackerman dispencers a remedy:
Among the more eye-opening claims made by NSA is that it detected what CBS terms the “BIOS Plot” – an attempt by China to launch malicious code in the guise of a firmware update that would have targeted computers...rendering them pieces of junk.
...There are as many red flags surrounding the BIOS Plot as there are in all of China. First, the vast majority of cyber-intrusions in the US, particularly from China, are espionage operations, in which the culprits exfiltrate data rather than destroy computers. Second, the US economy is too vast, diversified, and chaotic to have a single point of cyber-failure. Third, China’s economy is so tied to the US’s that Beijing would ultimately damage itself by mass-bricking US computers.
...Fourth, while malware can indeed turn a computer into scrap metal, no one has ever developed a cyber-weapon with the destructive capability of Plunkett’s scenario. MORE
However, Mike Masnick wants more research:
The reporting was conducted by John Miller, a former intelligence community official...in a spokesperson role and a variety of historical roles in the intelligence community. While he does "disclose" the ODNI role upfront...he left out that he's about to be hired in an intelligence role for the NYPD, a deal that has been described as "a 99.44 percent done deal."
...Miller claims he spoke to NSA critics...but that's not reflected in the questioning at all. He then defends the piece saying that his goal was to let the NSA explain its side of the story, which he argues wasn't getting enough attention. Seriously.
...Try not to laugh at that. He even claims that he didn't want it to be a puff piece -- which is exactly what it was.
...The one big "revelation" in the piece involves NSA people implying...how they stopped some sort of plot to turn everyone's computers into bricks by infecting the BIOS. But, as lots of people who actually understand this stuff are noting, that segment was pure gibberish. MORE
Meanwhile, Paul Wagenseil pushes placebos:
[There] was this scoop: The NSA stopped a "catastrophic" Chinese scheme, called the "BIOS plot," to "destroy every computer in the world."
...That was news to many security experts, who had never before heard of the "BIOS plot," even though "60 Minutes" asserted that "computer manufacturers" had worked with the NSA "to close this vulnerability." Such an undertaking would have been well known in the information-security community.
...Plunkett gave only the barest outline of the supposed Communist scheme, not specifying when and how the plot was uncovered and foiled. CBS' confirmation of the plot's existence and provenance relied on unnamed "cybersecurity experts briefed on the operation" who "told us it was China."
...Security experts aren't buying it. MORE
Subscribe now to the Blogs Newsletter for a daily summary of the most recent and relevant blog posts at Computerworld.