Thursday, February 13, 2014

[securityaffairs] FAQ on Absolute Computrace case – Security Vulnerability Claims

Kaspersky confirms a hidden threat in PC BIOSes and warns that the Absolute Computrace anti-theft agent can be remotely hijacked. Absolute Software rejects the claims.

After the case raised by the Kaspersky team on the Computrace agent, I tried to contact Absolute Software and received the following official reply on the results of the investigation.
On Wednesday, February 12th, Kaspersky Lab published a press release and a report where they have made assertions about perceived vulnerabilities with Absolute Computrace technology. In particular, Kaspersky claims that Absolute Computrace can be activated without the customer’s knowledge.
As far as we’re aware, Absolute Software has never been contacted by Kaspersky Lab in order to validate their research and provide technical insight. We received no response from Kaspersky Lab until the press release and report were published.
Since we did not have the benefit of reviewing the report until the day it was published, and because we have no insight into the veracity of the technical testing Kaspersky apparently undertook, our response is limited to the narrative within the report.

What is Kaspersky alleging about Computrace?
Initially we heard about the Kaspersky report from a journalist who had received a draft press release from Kaspersky as a means to generate coverage. Kaspersky alleges that the report confirms and demonstrates how Absolute Computrace can be used as a “powerful utility for cyber attackers”. They also assert that this will allow attackers to fully access millions of users’ computers. Absolute considers Kaspersky’s analysis flawed and rejects its conclusions.

Is it possible for an attacker to use Computrace to access millions of users’ computers?
The report does not describe a demonstration of a successful attack. It’s important to note that any potential attack depends upon the endpoint or other devices being compromised first. This must happen before Computrace can be used maliciously. The obstacles to mounting such an attack are considerable and are not achievable via the mechanism outlined in the Kaspersky report.

In the report, Kaspersky states that some device owners have claimed they’ve never installed, activated, or had ever known that Computrace was installed on their device. Is this true?
Again, we can only base our response on the narrative within the report. Thus we can only hypothesize that these types of scenarios may be the result of defective implementations, improper service procedures and/or poor IT practices.
We cannot comment on the specific cases described by Kaspersky where Computrace appeared to have been activated without the consent of the owner of the device since we were not given an opportunity to investigate how these devices were activated.
Absolute would be happy to examine these devices to provide a more accurate assessment. It’s important to note that Kaspersky’s survey of new computers in retail outlets revealed no activations of Computrace.

Are there any scenarios where Computrace is activated before a customer receives the computer?
Yes. Some of Absolute’s corporate customers may request that the computer manufacturer activate the Computrace software client so that the computers arrive with Computrace already activated. This is typically done as a security measure so that the devices are protected while in transit. If the devices go missing, Computrace can be used to determine chain of custody, allowing the customer to address potential security issues. Pre-activation can also be done as a time-saving measure for IT. Since this is a transaction between the customer and the OEM, we have no insight into specific details regarding the frequency of these requests or the number of devices.

Is Absolute alerted when a defective implementation occurs?
It depends on the scenario. In instances where we are alerted, we provide assistance to proactively disable any impacted devices.

Isn’t this scenario similar to the allegations made at the Black Hat security conference in 2009?
Yes, this is a very similar scenario. Our response in 2009 is still posted on our website for reference. The technical facts we provided at that time are still accurate and current today. Additionally, Absolute Software continually improves the security of its systems to harden them against attack.

Kaspersky calls out the whitepaper by Alfredo Ortega and Anibal Sacco of Core Security Technologies as pre-existing research to back up the perceived weaknesses of Absolute Computrace. Does this support Kaspersky’s position?
No, it does not. This same whitepaper was presented in 2009 at the Black Hat security conference. As we stated back then, the research described in this whitepaper was based on one example of BIOS stub code, version 785, which was never active in any BIOS to our knowledge. Our earliest released version of the Computrace BIOS module was version 802, which was released about five years after version 785 was created.
Even if the BIOS vendor inadvertently included inactive dead code in the build of the BIOS examined, Absolute has no method to activate this version and it cannot be exploited by a malicious attacker.

Kaspersky alleges that some device users are unable to remove Computrace because it is designed to reinstall if efforts are made to remove it. Is this true?
Absolute persistence technology is designed to rebuild the security if efforts are made to remove it. Many of our customers purchase Computrace for this reason since it allows them to maintain a connection with their device, regardless of user or location. Authorized customers are able to uninstall the Computrace software agent and disable persistence at their discretion.

Kaspersky states that there is no proof that Absolute Computrace is being used as a platform for attacks but that experts from several companies see the possibility for attacks. Is this true?
Absolute is unaware of any successful attack on its technology of the nature suggested by Kaspersky. Since Kaspersky does not identify the “experts from several companies” it is not possible for us to validate or disprove these claims.

In their guidance, Kaspersky asserts that “powerful tools such as Computrace software must use authentication and encryption mechanisms to continue serving the greater good”. Why doesn’t Computrace incorporate these measures?
Computrace employs strong authentication and encryption in its client / server communications. The Kaspersky report does not show the transmission of unencrypted, sensitive data at any time.

Kaspersky states that numerous opportunities exist for remote attacks in a hostile network environment. Some examples they provide include an attack on a local area network to redirect all traffic from a computer running Small Agent to the attacker’s host via ARP-poisoning, or the use of a DNS service attack to trick the agent into connecting to a fake C&C server. Is this possible?
Kaspersky does not describe a successful implementation of such an attack. There are security measures beyond those described in the Kaspersky report to restrict such an attack.

Why would Kaspersky promote so many inaccuracies in their report?
We are uncertain. We attempted to reach out to the communications team at Kaspersky to understand their motivation and have meaningful discussions about Computrace technology and the research that they have undertaken. The Kaspersky communication team did not respond to our requests until after the press release and report were published.
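The last two questions above turn on one point: an agent that only trusts a server presenting a pinned certificate is not fooled by where a poisoned DNS answer or an ARP redirect sends it, because the redirected host cannot complete the handshake without the genuine server's key. The following is an added illustration of that agent-side check and of the alert a defender would want logged on a mismatch; it is not Absolute's or Kaspersky's code, says nothing about how Computrace actually implements its authentication, and uses constructed placeholder certificate bytes and documentation-range addresses rather than real network data.

```python
import hashlib
from dataclasses import dataclass

# Constructed placeholder "certificates". In a real agent these would be the DER
# bytes the peer presents in the TLS handshake (ssl.SSLSocket.getpeercert(binary_form=True)).
GENUINE_SERVER_CERT = b"CONSTRUCTED-DER: genuine server certificate"
ROGUE_SERVER_CERT = b"CONSTRUCTED-DER: certificate of a host reached via a spoofed DNS/ARP answer"


def cert_pin(cert_der: bytes) -> str:
    """SHA-256 hex digest of the presented certificate, used as the pin.
    Production agents usually pin the SubjectPublicKeyInfo rather than the whole
    certificate so the pin survives renewal; the constructed blob is hashed whole here."""
    return hashlib.sha256(cert_der).hexdigest()


# Pin set baked into the agent at build time (hypothetical). A real deployment
# would also carry a backup pin for key rotation.
PINNED_FINGERPRINTS = frozenset({cert_pin(GENUINE_SERVER_CERT)})


@dataclass(frozen=True)
class ConnectionAttempt:
    resolved_ip: str   # address returned by name resolution (possibly poisoned)
    peer_cert: bytes   # certificate the peer presented during the handshake


def agent_accepts(attempt: ConnectionAttempt) -> bool:
    """Agent-side trust decision. The resolved address plays no part: a host
    reached through a redirect cannot present a pinned certificate it does not
    hold the key for, so the attempt is rejected."""
    return cert_pin(attempt.peer_cert) in PINNED_FINGERPRINTS


def evaluate(attempts):
    """Apply the trust decision to a batch of attempts. Returns, per attempt,
    (resolved_ip, accepted, alert) where alert is a log line for the defender
    on a pin mismatch and None otherwise."""
    results = []
    for a in attempts:
        ok = agent_accepts(a)
        alert = None
        if not ok:
            alert = f"PIN_MISMATCH resolved_ip={a.resolved_ip} presented={cert_pin(a.peer_cert)[:16]}"
        results.append((a.resolved_ip, ok, alert))
    return results


# Constructed scenarios using the 192.0.2.0/24 documentation range.
SAMPLE_ATTEMPTS = [
    ConnectionAttempt("192.0.2.10", GENUINE_SERVER_CERT),  # normal resolution, genuine server
    ConnectionAttempt("192.0.2.99", ROGUE_SERVER_CERT),    # redirected to a rogue host
    ConnectionAttempt("192.0.2.99", GENUINE_SERVER_CERT),  # new address, genuine server: still accepted
]

if __name__ == "__main__":
    for ip, ok, alert in evaluate(SAMPLE_ATTEMPTS):
        print(ip, "ACCEPT" if ok else "REJECT", alert or "")
```

The point of the third scenario is that the pin, not the address, carries the trust: a legitimate server that moves to a new IP is still accepted, while a rogue host at any address is refused and produces a mismatch event worth forwarding to monitoring, since a burst of such events from one subnet is a reasonable indicator of a local redirect attempt.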
