Everyone has a story to tell, and today, I’m sharing my story—a tale of commitment, cybersecurity, and an unforeseen end. This is where I was forced into retirement by the Chief Security Officer of New York City.
The Turning Point: Security Issues in 2021
In 2021, I was issued a New York City laptop to work from home. It didn’t take long to uncover a critical flaw: the BIOS/UEFI administrator (supervisor) and system passwords were not set. With no setup password, anyone with physical access to the machine can enter firmware setup, change the boot order, disable Secure Boot, or boot from external media. Changes at this level open the door to malware that lives in the firmware itself and persists regardless of how many times the hard or solid-state drive is reformatted.
The Perpetual Threat of BIOS/UEFI Malware
Malware that infects the BIOS/UEFI firmware is particularly insidious. Scanners that inspect only the operating system and the contents of hard drives and solid-state drives cannot see an infection at this level, because the implant runs before the operating system is loaded and is stored outside the drive. Three of the most notorious UEFI implants that exploit weakly protected firmware are LoJax, MoonBounce, and MosaicRegressor.
LoJax: The Silent Invader
LoJax, linked to the APT28 hacking group and documented by ESET in 2018, writes itself into the UEFI firmware stored in the system's SPI flash, evading disk-based detection and surviving OS reinstalls and hard drive replacements. It could only do so on machines whose flash write protections were missing or misconfigured, which is exactly the kind of hardening gap a locked-down firmware setup is meant to close. This malware represents a grave threat, especially in government and enterprise environments where security is paramount.
MoonBounce: The Stealthy Lurker
MoonBounce, disclosed by Kaspersky in 2022, is another UEFI firmware implant notable for its stealth and persistence. It embeds its malicious component inside an existing firmware module so that it is loaded on every boot, allowing attackers to maintain undetected access to compromised systems even after the operating system is wiped.
MosaicRegressor: The Sophisticated Menace
MosaicRegressor, disclosed by Kaspersky in 2020 and attributed to a Chinese-speaking actor, leverages a UEFI bootkit to gain long-term persistence on targeted systems and to drop additional payloads into the operating system on each boot. This sophisticated malware represents a significant challenge for cybersecurity professionals.
The Role of the Trusted Platform Module (TPM)
The Trusted Platform Module (TPM), a chip or firmware component on the system board that the BIOS/UEFI talks to during boot, is a critical piece of hardware security. The TPM provides a hardware-based approach to generating, storing, and limiting the use of cryptographic keys. During boot the firmware records a hash of each stage (firmware code, firmware configuration, Secure Boot state, boot loader) into the TPM's Platform Configuration Registers, and keys such as a disk-encryption key can be sealed so that they are released only when those registers hold the expected values. The TPM therefore detects tampering rather than preventing it, and it can only record what the firmware tells it. Without proper BIOS/UEFI passwords, anyone with physical access can disable the TPM, clear it, or turn off Secure Boot in the setup menu, so the protection it offers is severely weakened.
A Systemic Failure: The Bureaucratic Hurdle
Despite my repeated attempts to raise awareness of these critical security flaws, my concerns fell on deaf ears. I reached out through emails and formal channels, only to be met with indifference. One of the core issues is the shift from hiring seasoned hackers with deep technical knowledge to appointing bureaucrats with security certifications but limited practical understanding of both PC and mainframe systems.
The Appointment of a New Chief Security Officer
In 2022, a new Chief Security Officer was appointed for the City of New York. Driven by my commitment to rectify the security issues, I reached out directly, bypassing the bureaucratic red tape. I located her personal phone number and informed her of the laptop's vulnerabilities. My efforts to secure the city's digital infrastructure, however, led to an unexpected consequence.
Forced into Retirement: The Aftermath
Within two hours of my call to the Chief Security Officer, I was disconnected from all authority over the mainframes and servers of New York City. This marked the beginning of a year-long struggle to retain my position, ultimately resulting in my forced retirement.
The Personal Toll
This professional setback was not just about losing a job; it was deeply personal. I am a survivor of the 1993 World Trade Center bombing. My cousin, Tommy Farino, a New York City Fire Department captain, perished on 9/11. My zeal for security was not merely professional but rooted in a profound personal commitment to protecting the city and its citizens.
A Call for Change
My story underscores the urgent need for a comprehensive approach to cybersecurity, one that balances bureaucratic oversight with technical expertise. Those in positions of authority must possess not only certifications but also a profound understanding of the systems they oversee.
A Legacy of Vigilance
My forced retirement does not diminish the importance of the issues I raised. The vulnerabilities in BIOS/UEFI security remain a critical concern that requires immediate attention. As I step back from my role, I hope my story will inspire a renewed focus on robust cybersecurity practices.
The City of New York, like any modern metropolis, relies heavily on its digital infrastructure. Ensuring its security is not just a technical challenge but a moral imperative. I may have been forced into retirement, but my commitment to cybersecurity remains unwavering. I hope that the city will heed the warnings, address the vulnerabilities, and safeguard its systems against those who seek to exploit them.
Paul F. Renda has over 30 years in information security. He has spoken at a number of above-ground and below-ground hacker conferences. He studied at Queens College and the University of Houston, and has worked as a system administrator for IBM z/OS and Linux systems.
Wrong Speak is a free-expression platform that allows varying viewpoints. All views expressed in this article are the author's own.
Very informative. I (re)learned some terms and abbreviations. I had to pause to look things up, which is one of my favorite things to do.
Thank you
Makes sense. "Everyone has a story to tell, and today, I’m sharing my story—a tale of commitment, cybersecurity, and an unforeseen end." Indeed, it happens every day [https://unbekoming.substack.com/p/heresy].