Sony and Microsoft games network hack

Both the Sony an Microsoft games network servers have been badly disrupted from Christmas day. The cyber vandals Lizard Squad have admitted responsibility.

This outage has nothing to do with millions of new games consoles being unwrapped and connected at the same time. Oh dear me no. Their network servers would have taken the huge spike in workload in their stride. This is definitely something to blame on those awful hactivists, and any suggestion that it was teetering on the brink and all it needed was a little push is a foul slur on the competence of Microsoft and Sony.

The extent to which Lizard Squad was involved may be in question, but major respect for the expert way they’ve played the media. Again.

No-IP back on-line

I’ve just had a note from No-IP that says that Microsoft has returned all twenty-tree of second level domains it had seized by court order. It’ll obviously take a while for DNS to propagate. I’ve been testing this periodically, and it’s been a right mess with the Microsoft DNS failing to return anything in many cases.

I actually use No-IP for a couple of non-critical purposes, but I don’t use the hostname under their second-level domain directly. Given recent events, others may wish to follow the same idea. It comes down to customer routers on domestic ISP lines, and how you get to them easily if they’re on a dynamic IP address.

Basically, the trick is to map yourname.no-ip.net to yourname.yourdomain.com using a CNAME in the zone file. You can then program to the router to register yourname.no-ip.net, but you refer to it as yourname.yourdomain.com. How does this help? Well when the problem happens you only have to mess with your zone file to make the changes. If you can find out the changeable dynamic IP you can set it as an A record directly. If (as was the case here) you needed to choose a new second-level domain from No-IP’s remaining stock, all you need to is change the zone file and the affected equipment. Anything else accessing it does so through yourname.yourdomain.com, and therefore can remain as-is.

It’s still a pain, and something for which Microsoft should probably pay (or their side of the story had better be spectacularly better than it has been thus far). But it’s somewhat less of a pain than if you’d programmed everything in your universe with the no-ip version.

 

 

Microsoft wipes out No-IP in botched cyber security move

Microsoft has accidentally taken down potentially millions of dynamic IP users while going after subdomains used by criminals taking advantage of the free No-IP service, run by Vitalwerks Internet Solutions in Nevada. Yesterday (US time) they used a court order to take control of domains belonging to no-IP, which their users map to their temporary dynamic addresses, and stopped them from all from working. According to No-IP themselves, what Microsoft tried to do is redirect the domain names to their own servers and filter off the bad ones, but they failed spectacularly because Microsoft’s servers weren’t up to the job (as per usual) and collapsed under the weight of traffic.

No-IP are decidedly hacked off by Microsoft, pointing out that they have a good reputation when it comes to dealing with abuse and had Microsoft but contacted them about the sub-domains in question they’d have done something about it. Instead, secretly, Microsoft goes and gets a court order and acts without warning.

According to, Richard  Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity”. He’s referring to Cisco here, as far as I know. The security community regularly reports on all anonymous free services, all of which are exploited by criminals. As yet, I’ve heard nothing from Microsoft to actually back his statement up. In another post, Microsoft’s Tom Rains, a marketing manager in the their Trustworthy Computing division, explains that they were after Bladabindi and Jenxcus, both of which use No-IP provided subnets in the C&C. He doesn’t imply any wrongdoing by Vitalwerks, or justify the way Microsoft has treated them.

Quite why Microsoft has any claim to be the world’s cyber-police is hard to see, given that most criminals (based on our research) prefer Microsoft’s free, no-checks, outlook.com email service. Perhaps Microsoft should try getting its own house in order first?

I’m still waiting for any official comment back from Microsoft.

 

US judge tells Microsoft to hand over data on foreign servers

Yesterday, a judge in a New York court ordered Microsoft to hand over information stored on a server in Ireland following a US search warrant. Magistrate Judge James Francis reckons a search warrant for servers is different to a search warrant for anywhere else – more of a subpoena to hand over documents. Unsurprisingly, Microsoft plans to roll the dice again with a Federal judge this time.

Microsoft, of course, has recently been soothing its cloud customers by saying that if the data is held outside the US, Uncle Sam won’t be able to plunder it in violation of the users’ local rights. In particular, the EU legislation being drafted to prevent companies sharing EU citizens’ data with foreign powers unless explicitly allowed by international treaty or another EU law. The NSA, or US corporations, would not be allowed to just look at whatever they wanted.
This plays right in to Angela Merkel’s proposal for an EU communications network that can’t be legally snooped on by the yanks by avoiding the use of US-based servers.

In a statement to Reuters, Microsoft said:

“A U.S. prosecutor cannot obtain a U.S. warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States. (Microsoft) thinks the same rules should apply in the online world, but the government disagrees.”

Is Microsoft really so naive? Although the ruling followed its challenge of a search warrant concerning a Microsoft account, its implications apply to all US cloud service providers. Although they intend to appeal, in the mean time any US company holding your data off-shore might as well have its servers in America – they’ll be forced to hand over all your data either way.

This isn’t to say that data held in the UK, for example, is any more secure. There’s RIPA to worry about – the Act allows authorities can plunder what they like, although it does make it illegal for anyone other than the State to do this.

 

Freeloaders step in to fund Open Source thanks to OpenSSL fiasco

Some good has come out of the heartbleed bug – some of the larger organisations using it have decided to put some money in to its developemnt. Quite a lot in fact. it’s through an initiative of the Linux Foundation, and is supported by the likes of Microsoft, Cisco, Amazon, Intel, Facebook, Google and IBM. The idea is to fund some critical open source projects.

While this is welcome news for the open source community in general, and certainly vindicates the concept, I have to question its effectiveness. The vulnerability was actually reported by the community two years ago, and had already been fixed. However, it persisted in several releases until it had been. One could blame the volunteers who developed it for sloppy coding; not spotting it themselves and not fixing it when it was pointed out to them earlier. But I can’t blame volunteers.

It’s up to people using Open Source to check its fit for purpose. They should have carried out their own code reviews anyway. At the very least, they should have read the bug reports, which would have told them that these versions were dodgy. Yet none of them did, relying on the community to make sure everything was alright.

I dare say that the code in OpenSSL, and other community projects, is at last as good as much of the commercially written stuff. And on that basis alone, it’s good to see the freeloading users splashing a bit bit of cash.

I wonder, however, what will happen when Samba (for example) comes under the spotlight. Is Microsoft really going to fund an open-source competitor to its server platform? Or vmware pay to check the security of VirtualBox? Oracle isn’t on the current list of donors, incidentally, but they’re doing more than anyone to support the open source model already.

Internet Explorer – new vulnerability makes it just too dangerous to use

There’s a very serious problem with all versions of Internet Explorer on all versions of Windows. See here for the osvdb entry.

In simple terms, it involves pages with Flash content, and all you’ve got to do is open a page on a dodgy web site and it’s game over for you. There’s no patch for it.

Microsoft’s advice can be found in this technet article. It’s pathetic. Their suggested work-around is to deploy the Microsoft Enhanced Mitigation Experience Toolkit (EMET). Apparently this is a utility that “helps prevent vulnerabilities in software from successfully being exploited by applying in-box mitigations”. Microsoft continues “At this time, EMET is provided with limited support and is only available in the English language.”

Here’s my advice – just don’t use Internet Explorer until its been fixed.

Update

21-Sep-12

Microsoft has released a fix for this. See MS Security Bulletin MS 12-063.

If you have a legitimate copy of Windows this will download and install automatically, eventually. Run Windows Update manually to get it now – unfortunately it will insist on rebooting after installation.

 

WPAD and Windows 7 and Internet Explorer 8

I’ve recently set up WPAD automatic proxy detection at a site – very useful if you’re using a proxy server for web access (squid in this case). However, some of the Windows 7 machines failed to work with it (actually, my laptop which is just about the only Windows 7 machine here). This is what I discovered:

It turns out that those smart guys at Microsoft have implemented a feature to stop checking for a WPAD server after a few failed attempts. It reckons it knows which network a roaming machine is on, and leaves a note for itself in the registry if it’s not going to bother looking for a proxy server on that again. A fat lot of use if you’ve only just implemented it.

If it fails to find a proxy, but manages to get to the outside world without one it will set the following key:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\
WpadDecision = 0

If you want it to try again (up to three times, presumably), you can simply delete this key. You can disable the whole crazy notion by adding a new the DWORD registry key:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride = 1

You may well want to do this if you’re using a VPN or similar, as I really don’t think Windows 7 has any completely reliable method of determining the network its connected to. I’m impressed that it manages to ever get it right, but I’m sure it’s easy enough to fool it. Does anyone know how it works?