Just a quick note to say that the NYC4SEC group is holding a Meetup on Wednesday November 16, 2011 with Eric Huber of A Fistful of Dongles fame. Eric will be discussing Advanced Persistent Threat as it relates to digital forensics and incident response professionals. I’m looking forward to seeing old friends and meeting new people in the field. I can’t say enough times how much NYC4SEC has given to the New York DFIR community. Great thanks to Doug Brush and Jamie Levy for helping organize our group month after month. Please RSVP – we hope to see you there!
Lenovo Shipping Intel AMT with Web Server Enabled?
Intel AMT is a really great technology for IT administrators – you can push updates even when the box is turned off, get console access via serial over LAN, and a helpdesk tech can view and interact with a user’s active session to help them with issues. AMT comes with an enterprise access model that presents a REST interface, configurable with encryption and Kerberos authentication, for interaction with enterprise IT management tools, which is great for central management. It also ships with an embedded web server that would typically be used in small business models. The previous link has some decent screenshots of the web interface.
Michael Herf makes a comment about AMT not only being present on his new Thinkpad, but also having the built-in web server active out of the box. This is kind of scary considering (if I’m reading this correctly) that in some Lenovo boxes the default password was “admin” (check out page 8 in the link). AMT does store logs of activity: “Persistent event logs, stored in dedicated memory (not on the hard drive) so the information is available anytime. IT technicians can now access the list of events that occurred even before a hardware or software problem was noticed, including events that occurred before a PC connected to the network.”
How many IR folks have looked at AMT logs before or even knew they were present? I’d love to know if there’s any useful content for investigations getting recorded in these. Perhaps they require configuration ahead of time to trap relevant data. Please let me know if you’ve had the occasion to use AMT logs in this capacity!
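To check whether machines you administer have the AMT web server answering out of the box, as described above, the following added example (not code from the original post or from Intel) fingerprints an HTTP response. It assumes the AMT web UI listens on TCP 16992 and names itself in the Server header; the sample responses are constructed, and `probe` and `classify_response` are hypothetical helper names.

```python
import re
import socket
from typing import Optional

AMT_HTTP_PORT = 16992  # assumption: default plain-HTTP port of the AMT web UI

SERVER_RE = re.compile(
    rb"^Server:[ \t]*Intel\(R\) Active Management Technology[ \t]*([\d.]+)?",
    re.I | re.M)
AUTH_RE = re.compile(rb"^WWW-Authenticate:[ \t]*(\w+)", re.I | re.M)

# Constructed sample responses (not captured from real hardware).
SAMPLE_AMT = (b"HTTP/1.1 401 Unauthorized\r\n"
              b'WWW-Authenticate: Digest realm="Digest:CONSTRUCTED"\r\n'
              b"Server: Intel(R) Active Management Technology 7.1.4\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 2\r\n\r\nok"


def classify_response(raw: bytes) -> dict:
    """Decide from the response headers whether an AMT web server answered."""
    head = raw.split(b"\r\n\r\n", 1)[0]          # headers only, ignore body
    status = head.split(b"\r\n", 1)[0].decode("latin-1")
    server = SERVER_RE.search(head)
    auth = AUTH_RE.search(head)
    return {
        "status": status,
        "is_amt": server is not None,
        "version": server.group(1).decode() if server and server.group(1) else None,
        "auth_scheme": auth.group(1).decode() if auth else None,
    }


def probe(host: str, port: int = AMT_HTTP_PORT, timeout: float = 3.0) -> Optional[dict]:
    """Query one host from your own inventory; None if the port is closed."""
    request = (b"GET / HTTP/1.1\r\nHost: " + host.encode("ascii")
               + b"\r\nConnection: close\r\n\r\n")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            return classify_response(sock.recv(4096))
    except OSError:
        return None


if __name__ == "__main__":
    print(classify_response(SAMPLE_AMT))
    print(classify_response(SAMPLE_OTHER))
```

Any machine in your inventory for which `probe` reports `is_amt` as true is a candidate for a review of its AMT provisioning state and credentials.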