Thursday, June 21, 2018

@War review

I finished Shane Harris' book on Cyber Warfare recently and felt obligated to write a review about it on GoodReads. Given I spent the time writing it up, thought it might be worth sharing here for those following my blog who share an interest in the cyber security/warfare communities.


A thorough introduction to the world of cyber warfare from the perspective of a journalist surveying published media from mid 2005-2015 time frame. Some sampled private discussions and insights into behind the scenes discussions and classified projects. A good read for someone new to the field to catch up quickly. 

Unfortunately the author spends a significant amount of time pontificating on concerns that have been excessively debated elsewhere and attempting to seem moderate while making clear his opinions where the concerns lie... and unfortunately basing his conclusions on rumors he heard from self-proclaimed "experts". One example is the "thousands of exploits" the NSA is hoarding. This claim appears to be based on a single unquoted individual, and appears inconsistent to the other information in his book. (Pointing to a budget of $25M to acquire exploits, and price tags of $50,000-$1,000,000 would imply a catalog of 25-500 (dozens or hundreds, not thousands)) Much hand wringing is spent on NSA surveillance, defense-industrial relations, foreign government spying, and other topics that have been extensively discussed in the media over the last decade and a half.

Speculation is rampant in the book regarding what's happening behind closed doors and allegations are made without the editorial self-control that a reputable paper would employ. As someone with two decades of experience in this community, this reviewer recalls numerous relevant events that were not included and significant portions of the book devoted to commonly discussed events from various media sources (with a few interesting exceptions). In fact, the acknowledgements section credits many of the content writers of those stories from the news sources covering cybersecurity/cyber warfare (Michael Riley, Nicole Perlroth, Kim Zetter, etc.)  who actually interviewed the original sources and wrote about the events as they happened (or as they were uncovered!)

Books such as "Countdown to Zero-Day" by Kim Zetter provide a much deeper look that is more technically accurate and better sourced and represent a good alternative for a reader looking to gain insight into the technical and political aspects of the cyber warfare complex through a single (large) operational lens. 

@War is a good option if one has no prior exposure and views it as a breathless description of the events of the last 10-15 years in the US cyber warfare community from a non-technical observer doing his best to share what he's read about and been told as an outsider.

Friday, January 19, 2018

2017-2018 Update


 Nehemiah Security Siege Technologies     

As readers of this blog (or former readers!) have noticed I have been updating the blog less and less over the years. We successfully sold Siege Technologies to Nehemiah Security back in 2016 and have been working on the integration between the firms.
Pretty exciting to see technology we've been developing for years (Now known as AtomicEye RQ) make its way into the broader commercial market and getting traction with some big (Fortune 500) customers in addition to mid size and various government groups.
 AtomicEye
It wouldn't have happened without an experienced team like the group that Nehemiah brings to the table. Hopefully once that stabilizes I'll be able to get back to blogging more often, either this year (2018) or next (2019). Hoping to get back to some technical/cyber topics but will probably also include more diverse content as well. Stay tuned!

Wednesday, April 19, 2017

Leadership lessons

Normally use this blog for longer form discussions about public news in the "cyber" field, but since I don't have another blogging forum I'm going to post this writeup here.

Getting tweens/teens to do chores can provide some lessons on leadership. I've assembled ten of them below for your enjoyment. 😀

1) Questions are OK. Sure, they're doing it to try to delay/distract/disrupt your objective as long as humanly possible. But it's OK to want to know what the objective and buy into the overall mission.
2) Be specific. If you don't know where you're going it's unlikely you'll get there. Describe what you're looking for and there's a small (OK, tiny) possibility it will happen the first time around.
3) Explain what triggers task completion and try to avoid time based metrics. If it's time, the human response is to conserve energy (see: USSR as an example of how well that works out). But if it's goal based, people will often choose to work harder to accomplish the objective quickly and do other things they value more. Like watch Netflix.
4) Positive and negative outcomes are useful and must be tailored to the individual. Some people love chocolate, others don't. Some would consider reading a punishment, others a pleasure. Personally I find beatings are consistently unpopular but you might find something else works well. 😏
5) Music and humor are great ways to make tasks more enjoyable and lighten the mood. Unless you're listening to NF's rap song about Mom dying and leaving him, in which case you want to start crying and console each other.
6) Yelling doesn't produce anything positive IMHO. Except fear/anger. Which, if you're trying to train a Sith could be useful I suppose.
7) Showing/training is important for things more complicated than "carry this from here to there". Although sometimes even that requires instructions.
8) Have reasonable expectations and don't accept poor work. The DMV is a great reminder that even adult humans are perfectly willing to work in a way that yields a terrible product/experience. Don't be United Airlines and accept that just because it's the way things are or you might end up with kicking, screaming and blood everywhere.
9) Positive feedback provided promptly to people doing great work or with a great attitude is helpful. Kind of like participation trophies, but actually earned. 🏆
10) Lead by example. Returning to my Sith Lord example, Darth Vader doesn't make his troops do all the enemy soldier killing, he's at the front of the line doing it himself (even at a distance). Showing everyone you're willing to work just as hard slaughtering enemy troops means they have someone that they can and should follow. Or get force choked.

Hardware enabled trust

Siege has been doing some work with hardware and software enabled root of trust implementations over the past few years. Specifically, looking at implementations like Trusted Platform Module (TPM), boot processes, UEFI, hypervisors and other implementations that utilize hardware "trust" functionality. Wanted to share some insight into what the research and implementation communities are doing.

To start, the major presentation that started a lot of attention for hypervisors and hardware trust was Joanna Rutkowska's 2006 Blue Pill presentation at Blackhat. That discussed injecting a hypervisor rootkit into a running operating system utilizing AMD's SVM (Secure Virtual Machine) instructions. Also discussed countermeasures, detections, and possible extensions to Intel's VT-x instructions. Also in 2006 researchers from Watson research discussed virtualizing the TPM so virtual machines could utilize TPM functionality.

In 2009 Rafal Wojtczuk, Rutkowska and Alexander Tereshkin presented several attacks  against the Intel's TXT (Trusted Execution Technology). Also in 2009 Rafal and Joanna presented an attack against System Management Mode (SMM). From the paper:
System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of "Ring -2", as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in "Ring -1".
The authors describe
how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits
In 2011 Rafal Wojtczuk and Rutkowska presented an attack against the Intel VT-d and by extension Intel's TXT (Trusted Execution Technology). Wojticzuk, Rutkowska and Tereshkin were all part of Rutkowska's Invisible Things Lab, where the Qubes OS was also developed. Some of their posts on Qubes are available here. Qubes is an interesting project as they are attempting to implement defenses against the operating system/kernel, hypervisors and hardware that they are aware of by utilizing the full functionality of the hardware and secure design principles with strong isolation to build a significantly more secure operating system environment.
There are tons of other papers out there as well, I'd love to do a more comprehensive survey on the topic at some point. Siege has been doing some really cool research in the area and we started years ago, finally got to present it at Blackhat in 2016. Breaking Hardware Enforced Security with Hypervisors has some good information on the area and approaches to subverting the TPM interactions with the kernel/boot process by leveraging other architectural features (in our case, VT-x). Hopefully we'll have an opportunity to present some of the other things we've done in the domain in the next few years.

Thursday, May 26, 2016

From public sector to private sector: A view from the trenches.

(An abridged version of this post appeared in the CipherBrief on May 15th, 2016) 

In 2009 I left a job at the Defense Advanced Research Projects Agency and started Siege Technologies. My goal was to fill the vacuum of small, innovative companies building advanced, disruptive technical solutions in offensive and defensive cyber warfare left by recent large corporate acquisitions.  The last day at DARPA I signed paperwork removing all the accesses I had received during my time there with DARPA and our numerous partners. They took my green badge, CaC card, DARPA badge, and computer. I felt a little like George Banks in Mary Poppins when the bank fires him and proceeds to destroy his umbrella and poke a hole in his hat as part of the discharge process.  I founded Siege Technologies two weeks later and slowly collected most of those resources again over time. The experience was extremely informative and provided some important lessons for anyone contemplating a move into private industry from government or into a startup from a large company.

Advantages of government experience

There are some powerful advantages that time in government provide someone making the plunge into entrepreneurship. The biggest is a perspective on what’s going on at a national or even global level. Insight into the hard problems, operational challenges and thought leaders are invaluable takeaways from government service. Additionally the friends and contacts created throughout government, industry and academia can provide valuable assistance down the road. Having worked as a contractor, government employee and corporate employee again there’s a big difference walking into your favorite government agency with a “blue badge” versus a “green badge”. Having a government badge causes government people to assign moral characteristics to you that are significantly different than the negative assumptions pinned on contractors sadly. And strangely these positive views follow you out into corporate America. Even though I was the same person throughout the experience there is a significant difference in how the people you meet while wearing the government badge perceive you, during and after government service.

Starting from scratch is hard

It is not easy to take a blank piece of paper and write a novel. Starting a company is similar, as building something from nothing requires the ability to see a future that does not yet exist, and execute to make that vision a reality. Taking a small firm and helping it break out of a small business mindset to reach its potential is equally hard (and maybe harder in some ways) because you need to reshape structures that may have hardened and take on risk that may have been previously discarded or avoided. The technical team, technology, access to customers and partners, cash, and information are never as robust as you would like and are often in a state of flux. A challenge unique to moving to a startup from government is the gossip mill of other disgruntled government/commercial individuals who allege stolen ideas, inside access, or other improprieties as the real drivers of success. Changing the mindset of the brave souls who move from the comfort of government to the excitement of a startup is imperative, as there is no checklist of procedures or higher authority to consult before getting things done. Sitting at your desk or attending meetings are not going to get a product built or customers signed up, startups are an exercise in energy exertion. I vividly remember talking to my wife in December of 2009 about whether we would have a paycheck before Christmas and estimating how many days until our final credit line was maxed. Getting my first Siege paycheck on Christmas Eve was the best Christmas Eve gift I’ve received! As Benjamin Franklin said, “Nothing ventured, nothing gained”.

Smaller is riskier

There is a big difference between a job in the government, a job at a big business and a leadership position in a startup. The government has a difficult job ever firing anyone or laying people off, although it does happen in rare occasions. Big business doesn’t usually fire people and layoffs are usually focused on culling the weaker ranked employees (although entire segments of the business can be felled in a single swipe!) And while small companies engage in layoffs and firing, they introduce a new variable into the equation: Cash. In business they say “cash is king” because without it, a business cannot conduct operations. Starting a company involves working for free, reduced pay, gaps in funding, contributing money, and wondering how to make payroll. Borrowing money from friends, banks, and signing numerous contracts as the guarantor. Even well funded VC-backed firms have to worry about cash throughout the process and keeps track of the “going out of business” point when your burn rate chews up the cash in the bank.

Smaller is faster

Making decisions in a small company is easy. The individual makes a decision and moves out. Sometimes there are managers or stakeholders to consult, but the reporting chain is much smaller and stakeholders to consult much fewer. The ability to make decisions quickly allows companies to react to changing market dynamics and technology much more quickly than larger firms competing in the same space. A great example of this is purchasing. When I worked at a large defense contractor, in the 1990's I needed to get a copy of “PC Anywhere”. Weeks went buy until I heard it was authorized. Weeks turned into months and I reached out to find where it was to discover the acquisition system had lost my order. When I explained what I needed I was assured it would be coming soon. A week or two later a different product (PC-Xware) arrived! Contrast that with a small firm with a flat management chain… if someone needs something at a small firm they ask their manager and it gets ordered on a corporate card within a day or two.

Smaller is more innovative

It’s easy to understand why small companies move faster, but where does the phrase “small companies innovate, big companies integrate” exist? Innovation is a complex topic which numerous books have been written about to describe. I believe there are a number of factors behind the wave of innovation coming from small firms:

  • Ability to attract and retain top talent. Employees like to work in nimble, more fun, better paying environments!
  • Emphasis placed on innovation. Small companies are taking on larger, often entrenched competitors and creating something new is often imperative to survival.
  • A culture that values disruption over the status quo. Big companies don’t change quickly while growth-oriented small companies are focused on how to change the game and become a big company!
  • Quicker access to resources and decision making. The lack of process and large management chains enable individuals to go and quickly buy/hire/talk/build whatever they need to do as part of their mission to get the job done, while larger organizations utilize processes to limit risk. 

Building a company is rewarding

Taking a company from nothing or small into something large enough to have some “punching power” is extremely satisfying. It means the market recognizes that you are offering something of value. That people are joining your endeavor to make a difference. The resources you accumulate as you grow mean some of the concerns from earlier days are mitigated and new opportunities begin to present themselves. A new era of entrepreneurs are rising up who are increasingly availing themselves of the opportunity to inject a conscience into their work and engage in social causes through their corporate position, products, and with the resources created by the firm. My wife and I have committed to giving the bulk our gains from Siege some day to charitable causes and view the firm as an opportunity to have a positive impact at a scale unachievable as individual contributors to those causes. Firms like Newman’s own give away their profit to philanthropic causes, and numerous clothing/jewelry/coffee businesses integrating a social cause into their corporate mission and value statement. In fact the percentage of corporate giving is inversely correlated with size, with the smallest firms giving the most generously[1],[2]

Perspectives on the cyber security startup market

The cyber security startup market has been hot. On fire is probably more accurate. The graph below shows how investment has been ramping up over the last seven years (I started Siege at the relative low point of 2009, apparently not a good year from investors perspective!)

Figure 1 Millions of Dollars invested in Cybersecurity Companies.
Spending on cybersecurity in 2015 exceeded $75 billion according to Gartner[3]. The market is over $100 billion according to Market and Markets and will grow to $170 billion (USD) by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent from 2015 to 2020[4]. The cyber security insurance market is expecting significant growth and should reach $7.5 billion in annual sales by 2020, up from $2.5 billion this year[5].

But in 2015 signs were showing that the valuations and dollars heading to cybersecurity companies had begun to cool. Specifically, “some are predicting a measured slow-down leaving a slew of Seed/Series A funded companies without a Series B sponsor”[6]. Median security EV/revenue multiples have declined from 5.5x in 2013, to 5x in 2014 and 4.5x in 20154.

That said the problems still remain. Enterprises large and small, government agencies and individuals are still being targeted and compromised with increasing frequency. 2015 alone saw a reported jump of 48% in compromises that were reported, and successful detected attacks have been rising at a compounded annual growth rate of 66% year over year since 2009[7]. The annual cost of these attacks range from hundreds of billions to trillions depending on your estimation methodology and sources (considering theft of IP versus just cleanup, for example). Nobody has built the silver bullet solution to solve the problem and significant opportunities exist if entrepreneurs are really providing new solutions to the problems that exist and loom over the horizon in the form of technologies or services.

Perspectives on transitioning government-funded technology

At Siege we have a number of technologies that we have developed with external funds, spanning areas as diverse as cyber quantification to custom hypervisors to software protection and software vulnerability remediation. Some were developed entirely with government funds, some with almost exclusively internal or commercial funds and most with a hybrid. Taking these capabilities from the lab to product is not easy. Numerous hurdles must be addressed, from classification to export control to publication restrictions to the myriad of intellectual property rights issues. And that’s before you address the “valley of death” that exists between research and products. An article in IEEE captures this challenge well, saying “New and innovative technologies will only make a difference if they're deployed and used. It doesn't matter how visionary a technology is unless it meets user needs and requirements and is available as a product via user-acceptable channels.  One of the cybersecurity research community's biggest ongoing challenges is transitioning technology into commercial or open source products available in the marketplace[8] and that reflects my personal experience working in research and innovation at big companies, DARPA and now a smaller firm. 

Inventors are often beholden to their creations and believe it possesses more value than they often do. There is usually a gap between the requirements targeted during development and what the market needs. And there is funding required to get the product from where it is currently to where it needs to be. Inertia fights against changing anything and turning this technology into a product, but the fight can be well worth it if the numerous obstacles are addressed with vigor head on. It is a fight that must be won in order to “change the game” and make a difference instead of allowing the solutions to important national and global problems to die an inglorious death in the lab.

Conclusion

It is impossible to affect change without taking risk. Change necessitates overcoming resistance and various obstacles to achieve a necessary goal. Starting or joining a new venture provides the opportunity to affect significant change at personal, technological, national and societal levels if success is achieved. But even if failure is an outcome, lessons are learned and character is formed through that process. The average successful entrepreneur has several failures in his or her belt (I had two false starts) and is middle aged with the median age entrepreneurs started their companies being 40[9].  Teddy Roosevelt captures the opportunity well with his famous quote: “It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.[10]




[1] CEO Force For Good, “Giving in Numbers 10TH ANNIVERSARY 2015 EDITION”, September 2015.
[2] https://philanthropy.com/article/Most-Small-Companies-Make/225215
[3] http://blogs.wsj.com/venturecapital/2016/02/17/the-daily-startup-increased-spending-in-cybersecurity-drives-funding-surge/
[4] http://www.marketsandmarkets.com/PressReleases/cyber-security.asp
[5] PwC, “Insurance 2020 & beyond: Reaping the dividends of cyber resilience”, September 2015
[6] Momentum Partners, “Cybersecurity Market Review 4Q 2015 Year End”, January 2016
[7] http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html
[8] Maughan, D., Balenson, D., Lindqvist, U., & Tudor, Z. (2013). Crossing the Valley of Death: Transitioning Cybersecurity Research into Practice. IEEE Security & Privacy, 11(2), 14-23.
[9] Ewing Marion Kauffman Foundation, “The Anatomy of an Entrepreneur”, August 2009.
[10] Theodore Roosevelt, Excerpt from the speech "Citizenship In A Republic" delivered at the Sorbonne, in Paris, France on 23 April, 1910.

Wednesday, November 12, 2014

Side channel attacks


Interesting paper came out late 2013 describing a method to use audio emanations from a CPU to determine the private key.

Since the 1990's work has gone on using timing or power analysis to accomplish the same thing (deduce secret keys). Paul Kocher pioneered much of this work, including timing attacks against RSA (paper here). Multiple attacks against RSA have used power attacks with success. There are multiple defenses against timing and power attacks, including filtering emanations, smoothing activity (adding noise), blocking the ability for someone to sense data, etc. with varying degrees of success.

The recent work can be viewed as a derivative of that prior work. But instead of measuring time between actions, or power surges directly it's using acoustic emanations to derive the same information.

Of course, the field of side channel attacks on systems is old and interesting. Some classics:
  • Tempest-style attacks intercepting video broadcasts from outside the building since the 1980's.
  • Optical tempest, where the authors analyzed the activity light on various systems and constructed a system to intercept the light from across the street of an office building and recreate a serial data stream (Pre-published version here, ACM version here.)
  • Creative attack described in 2007 to use the microphone on your system to drive input to a speech parsing engine (such as Windows Speech Recognition in Vista). MS downplayed it of course but it highlights an interesting attack vector.
  • George Hotz's PS3 hack, where he used an FPGA board to disrupt the memory bus on the PS3 and cause instruction flow to jump into regions of memory that he controlled.
  • I discussed using speakers for covert channels in an earlier post.
Another interesting side channel technique came out in 2014 from researchers at Ben Gurion university. They showed that you can use FM receivers in mobile phones to collect specially encoded data from nearby video displays to create a cooperative TEMPEST exfiltration channel. Not really an attack per se, as it involves cooperative systems but it's certainly useful to enable broader attacks. (Just like ASLR bypasses aren't attacks per se, they are information leaks that can be utilized to enable complex attacks/exploits.) Also not new, as it's building on the Tempest work from before but doing it from a cell phone is novel.

Using RFID to access systems or propagate code has been discussed since at least 2006. Vulnerabilities in optical character recognition systems (which take pictures, and analyze them in an attempt to convert into digitally represented text) were published in 2007.  Attacks using QR codes were deployed in the wild in 2012.

Those attacks rely on analog systems that are looking for digital input in the analog medium provided by an adversary. Denial of service attacks that are purely analog (such as pointing a light at a camera, or EMP disables the function of systems quite nicely) have been well documented. But what about hacking a passive sensor such as a wireless IDS? (there are hundreds of vulnerabilities in just two popular passive, inline sensors: Wireshark (285, 22 enable RCE) and Snort. (10, 2 enable RCE)) And what would you call it if you took advantage of a feature extractor (such as a facial or gait recognition engine in a camera) to crash or even exploit a device? 

It's my opinion that as computing devices become more ubiquitous and embedded in everything you'll see these types of attacks in more and more interesting locations (Police car license plate scanners anyone? Border security systems. NFC is getting owned all over the place lately. The list goes on). Attacks will move beyond information leaks and disruption to include remote access via non-anticipated "side channels" or subsystems that people don't realize create risk. (Your Antivirus software, your networked coffee pot, your tire pressure monitors!)

Tuesday, November 12, 2013

#badBIOS and Nefarious / Advanced Malware

Screen shot of possible high frequency audio channel in badBIOS
"badBIOS" is a name given to a suspected attack that had been going on for several years against systems owned by Dragos Ruiu. He posted on it on Twitter (@dragosr) using the hashtag #badBIOS and Google+. The story gained momentum when Ars Technica did an excited writeup about it. I'm going to try to summarize the nearly magical properties that it is believed/suspected to possess with references (herehere, here) but I apologize if I confuse the claims/rumor/possibilities:
  • It infects OpenBSD, Linux, Mac and Windows systems.
  • It infects the BIOS (UEFI and others).
  • Even if the BIOS has been reflashed, it persists through reboots.
    • Dragos posited it is due to video or network card firmware modifications
  • It utilizes IPv6 even if that's disabled in the network stack.
  • It loads a hypervisor
  • It transfers via USB and other mechanisms.
  • It "reacts and attacks the software that we're using to attack it". For example, the registry editor stopped functioning to prevent them from performing forensics analysis.
  • It communicates via high frequency audio sent through the computer microphones and speakers.
  • It can hide itself in Windows font files and deletes them if inspected. 
From the Ars interview:
"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."
The argument being that if it is not connected via the network (Bluetooth, Wifi and Ethernet were all removed/unplugged) and a USB drive wasn't used to reinfect the system, how could it have been infected despite a reflashed BIOS and new hard drive? 
But the story gets stranger still. In posts herehere, and here, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: "badBIOS," as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.
That summarizes the major posited properties of the malware. With such powerful, never before seen, complex properties posited, Dragos has encountered some skepticism from (normally skeptical) security/IT community. I won't highlight them all, but there are plenty on Twitter, the Blogosphere (here, here, etc.), etc. Even Ars posted a follow up article to give attention to the amount of skepticism. badBIOS already has its own satirical Twitter account.  Renowned researcher Tavis Ormandy went through the font files and disk images and concluded that there was nothing suspicious there and Dragos should just ignore it and relax. [Turned out to be good advice.]

The major concerns seem to revolve around the following points:
  1. Where is the evidence? (Both the lack of available data, and nothing in the data provided)
  2. Why has this been going on for three years and just now being exposed?
  3. Why would someone combine so many novel attacks into one network/attack against Dragos?
  4. Can you even build a set of code that is portable against so many firmware/hardware/OS configurations? In a bandwidth constrained environment? 
There have been multiple people supporting Dragos, with Tweets from known members of the community (like Alex Stamos or Jeff Moss), blogs (here and here), or even news pieces
There are viable counter arguments for the doubters:
  1. Dragos has been providing some disk images, spectral analysis of the audio and other forensics data sources for analysis (although mostly to private, often unnamed sources). 
  2. It is possible that the code has been growing in complexity over time. And Dragos wasn't aware of the issue until later on.
  3. Dragos runs the Pwn2Own competition at CansecWest. Between that and his normal work (which presumably involved enough 0-day research to qualify him to start such a contest in the first place) might make him an interesting target for someone trying to acquire 0-days. 
Interestingly, almost nobody seems to doubt that the individual components are not possible. Now that I've summarized how we got here and what's been seen to date, I'm going to add some thoughts. 

First, there were a LOT of skeptics when Stuxnet came out. I was one of the early people (late September 2011) who embraced Ralph Langer's hypothesis (seemed like the most obvious solution given all the evidence.) There were people speculating that the analysis was flawed, it was really a ruse by the Russians or Chinese, etc.) Turned out that the analysis was fine and the nefarious/advanced malware option, was in fact, the correct conclusion. There are lots of compelling research demonstration in each of the areas postulated to date, the only really novel thing here (so far) would be the fact that they are all combined into one VERY complex piece(s) of code:
  • Researchers at Siege Technologies and academics in Germany have demonstrated covert channels are possible over audio channels. 
  • BIOS infections can provide persistence and are definitely not new. They just keep getting better over time.
  • Proof of concept infections/reprogramming of Network cards (here and here) and video cards have already been developed (and now people are publishing papers on how to catch them). One aspect of such low level attacks is they are impervious to disk replacement or BIOS reflashing and don't care about the version of the operating system. 
  • Hypervisor attacks have been around for years.
  • Ipv6 is just a standard network protocol. Even if it is "disabled" you could still utilize the code on the host system.
  • USB sticks have been a well known attack vector for years. In 2005 researchers at Blackhat showed that you could exploit the operating system USB drivers when plugging in the device. This was also shown more recently in 2014, where it had been improved to hide on USB firmware.
  • Malware has been sensing/reacting to evade detection for years. 
  • Multiple platforms can be handled many ways. One would be code residing on the BIOS or peripheral devices (NIC/Graphics/etc) as discussed in bullets above. Another would be motherboard/processor components such as the AMTmanageability engine
  • For storage, people have used hard drives for ages. Given they were removed here, other approaches must be considered. Obviously if components in hardware were reflashed (as described in the research papers above) that would provide persistence. Other research has shown that NAND regions marked as unusable on disks could be utilized (of course, that would most likely be on the hard drive removed, but it could theoretically extend to boot flash for other components). Others have discussed since 2006 modification of the processor itself, by exploiting the ability of the processor to upgrade the microcode. (Of course that's difficult to do given the cryptographic signature constraints.) McAffee filed for a patent in 2011 to put security in at the microcode level.
So to summarize:
  • The lack of third party confirmation means that probably everything that is "suspected" isn't "actual". The very definition of suspected means that confirmation is missing. 
  • Nothing that has been suggested as a possibility is theoretically new, although the practical deployment of a robust tool might be novel. 
  • Certainly the integration of all of those capabilities would be very novel. The combination of even 3/4ths (or maybe even half!) of the alleged capabilities would put it on par or ahead of Stuxnet
  • Knowledge of capabilities and threats can certainly induce paranoia, especially in a field that advocates it as a desirable property
Personally, I think it's likely that there have been a few nefarious things on the network, some of which are gone. As a result of that absence, significantly advanced properties are suspected instead of assuming that the attack is transient. I remember significant challenges I had trouble shooting a random hard crash my system was experience. A mistake in malware that was exploiting hardware was definitely one of my concerns... but nothing I did could identify a problem. Turned out after I turned for outside help it was temperature, the fans were going and it was simply overheating.

Seems obvious now but the complete absence from logs, random behavior, persistence despite testing and replacement of hardware had led me to some interesting possibilities that were theoretically possible but unlikely. Might be the same thing going on here. [Update: Turns out that's exactly what it was..., Dragos came out and said he was incorrect. Looks like he was just overly paranoid and hadn't spent enough time looking at all the weird OS things that happen under the hood. His knowledge led him to unlikely but possible nefarious causes, instead of a simpler answer.]

It's really hard to do forensics when you don't have a position of trust. When you don't know what's good or bad. And when those beliefs keep getting disrupted because you don't have consistent data/records. And doing complex analysis in isolation is a bad idea, crowdsourcing is a great approach to this sort of problem (with data provided of course, everyone was crowdsourcing opinions!)

It's also been interesting to see the community awaken to the possibilities of these academic, proof of concept types of attacks existing in the wild. Much like the snarky reactions to Stuxnet, most don't believe these would ever occur in the "real world". But most of the techniques discussed in this post and around badBIOS date back to mid 2000's and probably even earlier in less obvious forums (obscure blogs, email lists, IRC, etc.) There's nothing new under the sun, and yesterday's research will be today's proof of concept... and tomorrow's operational code.

[November 2014: Updated to include Dragos saying he was wrong, just overly paranoid, #badBIOS USB firmware publications, and MITRE's BIOS implant work]