Nerdpedes,
have a look at
https://security.stackexchange.com/questions/64915/what-are-the-biggest-security-concerns-on-pxe
Best of:
I can capture a full machine image. Do your systems automatically connect to the domain controller after setting up the machine? If so, this image probably has domain controller credentials on it, that I can capture and use elsewhere.
Computer makes a DHCP request --> DHCP server responds with address and PXE parameters --> Computer downloads boot image using TFTP over UDP
If the good guys got the traffic at that low level, unencrypted, then they would have it all.
In oversimplified terms, it allows you to ignore the onboard operating system configuration and, instead of booting from the internal drive, download another configuration or additional executables over the network.
So a machine that has been audited can then have PXE enabled post-audit to boot up an entirely different image or set of functions than what was audited.
However, in this scenario they would have to fake the logs on the built-in OS for the required dates, otherwise it would be obvious it wasn't in use at the relevant time.
good point
Wasn't there something about missing/deleted logs a bit back? Maybe they were not deleted, but the logs are on a remote profile somewhere, and that would account for the missing log entries? I am pretty ignorant of PXE boot, so if the above is stupid feel free to call me out and correct me please.
I would guess that if they were network booting the voting machines then the missing logs are part of the evidence the audits picked up.
The story I heard was that the logs are a finite size and someone had logged in well after the election and had caused many records to be written to the log. That caused the records from the election to be "scrolled" off the top and lost.
Yes, to expand on what you've said.
iDRAC allows both remote control and BIOS configuration changes. With the BIOS changes, they could be configured to boot from the network first, essentially having them boot "dirty" via PXE boot during the elections. The dirty OS runs its own version of the vote counting software that the auditors never see, and writes the results to the database on disk. Once the elections are over, they boot clean from disk. When an auditor powers them back on, the PXE server isn't on the network, so they boot from disk, load the clean OS and all the clean programs, and appear good.
In spirit this has a lot of parallels to how Volkswagen cheated, albeit more technical and with a few more steps, but at the end of the day these ran DIRTY during the election and would appear CLEAN to an auditor or anyone who powered them up.
The thing about all this is that the router logs would have a good chance of catching this via logs on DHCP forwarding, which is why the Maricopa County Board of Supervisors is fighting tooth and nail not to turn over the logs.
Up up
And after the machine shuts down, the entire partition that the PXE image was mounted on can be reformatted and written over with military-grade erasure, so there is no evidence that the PXE boot was invoked.
This is how computer builders load the image on your PC or laptop and configure it the way you ordered.