Microsoft wipes out No-IP in botched cyber security move

Microsoft has accidentally taken down potentially millions of dynamic IP users while going after subdomains used by criminals taking advantage of the free No-IP service, run by Vitalwerks Internet Solutions in Nevada. Yesterday (US time) they used a court order to take control of domains belonging to no-IP, which their users map to their temporary dynamic addresses, and stopped them from all from working. According to No-IP themselves, what Microsoft tried to do is redirect the domain names to their own servers and filter off the bad ones, but they failed spectacularly because Microsoft’s servers weren’t up to the job (as per usual) and collapsed under the weight of traffic.

No-IP are decidedly hacked off by Microsoft, pointing out that they have a good reputation when it comes to dealing with abuse and had Microsoft but contacted them about the sub-domains in question they’d have done something about it. Instead, secretly, Microsoft goes and gets a court order and acts without warning.

According to, Richard  Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity”. He’s referring to Cisco here, as far as I know. The security community regularly reports on all anonymous free services, all of which are exploited by criminals. As yet, I’ve heard nothing from Microsoft to actually back his statement up. In another post, Microsoft’s Tom Rains, a marketing manager in the their Trustworthy Computing division, explains that they were after Bladabindi and Jenxcus, both of which use No-IP provided subnets in the C&C. He doesn’t imply any wrongdoing by Vitalwerks, or justify the way Microsoft has treated them.

Quite why Microsoft has any claim to be the world’s cyber-police is hard to see, given that most criminals (based on our research) prefer Microsoft’s free, no-checks, outlook.com email service. Perhaps Microsoft should try getting its own house in order first?

I’m still waiting for any official comment back from Microsoft.

 

How to hack UNIX and Linux using wildcards

Leon Juranic from Croatian security research company Defensecode has written a rather good summary of some of the nasty tricks you can play on UNIX sysadmins by the careful choice of file names and the shell’s glob functionality.

The shell is the UNIX/Linux command line, and globbing is the shell’s wildcard argument expansion. Basically, when you type in a command with a wildcard character in the argument, the shell will expand it into any number of discrete arguments. For example, if you have a directory containing the files test, junk and foo, specifying cp * /somewhere-else will expand to cp test junk foo /somewhere else when it’s run. Go and read a shell tutorial if this is new to you.

Anyway, I’d thought most people knew about this kind of thing but I was probably naïve. Leon Juranic’s straw poll suggests that only 20% of Linux administrators are savvy.

The next alarming thing he points out is as follows:
Another interesting attack vector similar to previously described 'chown'
attack is 'chmod'.
Chmod also has --reference option that can be abused to specify arbitrary permissions on files selected with asterisk wildcard.

Chmod manual page (man chmod):
--reference=RFILE
use RFILE's mode instead of MODE values

 

Please generate and paste your ad code here. If left empty, the ad location will be highlighted on your blog pages with a reminder to enter your code. Mid-Post

Oh, er! Imagine what would happen if you created a file named “–reference=myfile”. When the root user ran “chmod 700 *” it’d end up setting the access permissions on everything to match those of “myfile”. chown has the same option, allowing you to take ownership of all the files as well.

It’s funny, but I didn’t remember seeing those options to chmod and chown. So I checked. They don’t actually exist on any UNIX system I’m aware of (including FreeBSD). On closer examination it’s an enhancement of the Linux bash shell, where many a good idea turns out to be a new vulnerability. That said, I know of quite a few people using bash on UNIX.

This doesn’t detract from his main point – people should take care over the consequences of wildcard expansion. The fact that those cool Linux guys didn’t see this one coming proves it.

This kind of stuff is (as he acknowledges) nothing new. One of the UNIX administrators I work with insists on putting a file called “-i” in every directory to stop wild-card file deletes (-i as an argument to rm forces an “Are you sure?” prompt on every file. And then there’s the old chestnut of how to remove a file with a name beginning with a ‘-‘. You can easily create one with:
echo test >-example
Come back tomorrow and I’ll tell you how to get rid of it!

Update 2nd July:

Try this:
rm ./-example

Smart TVs attacked over the airwaves

A group of researchers from Columbia University have published the results of some experiments with mixed mode digital TV broadcasts here.

The problem is that the new but widely implemented HbbTV standard allows HTML to be embedded in with the picture data. What could possibly go wrong?

Well apart from the fact you only need an encoder and transmitter to mess up all the sets in range by sending them HTML spam, the Columbians reckon that with the right HTML you can turn people’s tellies into a botnet and attack targets through their internet connection. I’m not yet convinced this will work in practice, but building a web browser in to anything has always been risky when it implements more than plain HTM. It’s always been possible to broadcast alternative TV and radio signals over the top of legitimate channels, but generally, it doesn’t happen in practice.

 

Anonymous to attack World Cup sponsors

According to an article in the Guardian, Anonymous is planning attacks on World Cup sponsors to coincide with the football tournament in a few days time. Whilst I certainly disapprove of all types of cybercrime, I have to admit that the rationale for such an escapade has my sympathy.

Someone calling himself Che Commodore has claimed to be part of the Anonymous collective, and is a name that popped up a lot last year in connection with Anonymous Brazil. He’s hacked off because the Brazilian government is spending loads of money on a football tournament while people in the country are starving (putting the case directly and emotively). Attacking the commercial sponsors for colluding with this is an obvious choice.

Is he serious about the threat? The Guardian figures he must be, because he wouldn’t be boasting about it early unless everything was in place. I’m less convinced. Forewarning allows sites to get ready to use scrubbing centres against DDoS attacks. Is it really a “watch this space”, or is it a bluff? In the absence of any evidence that the self-styled Anonymous Brazil has the capabilities to carry out such an attack, I have to disagree with the Guardian (once again) and go with it being a bluff. But it’s a good one, as it’s raised awareness of the warped priorities that lead to huge amounts of money being spent on sports tournaments, in excesses reminiscent of the circus maximus. But you can only bluff once, and I suspect Mr Commodore’s stunt isn’t going to go down well with other users of the anonymous Moniker.

Personally I’m already boycotting as many of the sponsors as I can, but the intrigue has got me marginally interested in the World Cup for the first time ever.

 

eBay security problem in February – just noticed!

Well, it had to happen. Today eBay announced a serious security compromise. Apparently someone’s got hold of employee login details that allowed access to databases containing customer names and contact details, together with a password hashes.

Should anyone be worried?

Well, a hashed password isn’t a password but it’s possible to crack, especially if it was a weak one (i.e. a word or two words conflated, with a digit on the end and possibly a full stop). eBay says that there’s no evidence of anything fraudulent transactions. Yeah, great. The problem is going to come when people have used the same password elsewhere, like on their PayPal account, bank account or somewhere important – armed with their contact details and a crackable password, those people could be in real trouble.

eBay is due to email everyone very soon to ask them to change their password. It’s called shutting the stable door once the horse has bolted – this data may have been in the hands of the criminals for a couple of months now. You don’t need to change your eBay password; you need to change the password on every system that used it.

The sooner this antiquated means of verifying identity was replaced by secure public certificates, the better – by the punters won’t understand how those work.

So what does this mean? Your password was secure but now it isn’t? No. It was only secure before if you trusted the eBay employees. And a find upstanding bunch they are.

Next, of course, the scammers are going to spam everyone with phishing eBay credential change emails. And when this hits the news, who’s going to disbelieve it. eBay really needed to manage the news dissemination better.

 

 

Internet Explorer scare

I’m getting a lot of calls about Internet Explorer. Apparently it’s got another security bug. It must be true because it was on the BBC.

Well it’s partly true. The bug is actually in ActiveX, which is Microsoft’s dodgy web browser application format. All browser application formats are dodgy. Allowing web sites to download code and run it on your PC is just a bad idea.

I’ve said it before and I will say it again: just turn off ActiveX. That said, looking at the details of this particular vulnerability it doesn’t appear very easy to exploit. I suspect it’s getting more of a mention than it deserves as Microsoft isn’t going to patch it for IE6 or Windows XP for the first time, or so they say.

Hmm. What can Microsoft be thinking? Either they patch this regardless, or lose a further share of the browser market to Chrome – and another nail in the coffin of Active-X.

 

Thoughts on Infosec, 2014 – first day

I usually post a show report about Infosec somewhere, and for various painful reasons, this year it has to go here. And this year I’m at a bit of a loss.

Normally there’s a theme to the show; the latest buzzword and several companies doing the same thing. I wasn’t able to spend as long as normal there today, thanks to the RMT, but I think it’s probably “Cloud Security” this year. As with “cloud” anything, this is a pretty nebulous term.

Needless to say, the first day of the show lacked the buzz, with a smaller than usual number of visitors, haggared by disrupted journeys, mooched around the booths.

I was a bit surprised to see very little on the “heartbleed bug”, although there were a couple of instances. Either the marketing people didn’t understand it, or had uncharacteristically been put in their places.

One stand that’s always interesting is Bit9, a company after my own heart with alternatives to simple virus scanning. They went on a spending spree earlier in the year and have purchased and integrated Carbon Black. This is technology to allow their customers to monitor exactly what’s happening on all their (Windows) computers; which applications launch with others, what initiates a network connection and so on. It’s all very impressive; a GUI allows you to drill down and see exactly what’s happening in excruciating details. What worries me is the volume of data it’s likely to generate if its being used for IDS. There will be so much it’ll be hard to see the wood for the trees. When I questioned this I was told that software would analyse the “big data”, which is a good theory. It’s one to watch.

Plenty of stands were offering the usual firewalls. Or is that integrated solutions to unified threat management. Nothing has jumped out yet.

At the end of the day there was a very sensible keynote address by Google’s Dr Peter Dickman that was definitely worth a listen. All solid stuff, but from Google’s perspective as an operator of some serious data centre hardware. He pointed out that Google’s own company is run on its cloud services, so they’re going to take care of everyone’s data as they would their own. Apparently they also have an alligator on guard duty at one of their facilities.

I was a bit saddened to see a notice saying that next year’s show will now be in early June and Olympia. I’ve got fond memories of Earls Court going back more than thirty years to the Personal Computer World show. And Earls Court just has better media facilities!

 

US judge tells Microsoft to hand over data on foreign servers

Yesterday, a judge in a New York court ordered Microsoft to hand over information stored on a server in Ireland following a US search warrant. Magistrate Judge James Francis reckons a search warrant for servers is different to a search warrant for anywhere else – more of a subpoena to hand over documents. Unsurprisingly, Microsoft plans to roll the dice again with a Federal judge this time.

Microsoft, of course, has recently been soothing its cloud customers by saying that if the data is held outside the US, Uncle Sam won’t be able to plunder it in violation of the users’ local rights. In particular, the EU legislation being drafted to prevent companies sharing EU citizens’ data with foreign powers unless explicitly allowed by international treaty or another EU law. The NSA, or US corporations, would not be allowed to just look at whatever they wanted.
This plays right in to Angela Merkel’s proposal for an EU communications network that can’t be legally snooped on by the yanks by avoiding the use of US-based servers.

In a statement to Reuters, Microsoft said:

“A U.S. prosecutor cannot obtain a U.S. warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States. (Microsoft) thinks the same rules should apply in the online world, but the government disagrees.”

Is Microsoft really so naive? Although the ruling followed its challenge of a search warrant concerning a Microsoft account, its implications apply to all US cloud service providers. Although they intend to appeal, in the mean time any US company holding your data off-shore might as well have its servers in America – they’ll be forced to hand over all your data either way.

This isn’t to say that data held in the UK, for example, is any more secure. There’s RIPA to worry about – the Act allows authorities can plunder what they like, although it does make it illegal for anyone other than the State to do this.

 

Infosec 2014 set to be disrupted by tube strike

It could hardly come at a worse time for Infosec, the UK’s best Information Security show due to take place at Earls Court next week. The RMT is planning a tube strike through the middle of it. Infosec 2014 runs from 29th April to 1st May; the strike runs from the evening before and services aren’t expected to resume until the 1st May. As many exhibitors shut up early on that day and head for home, and the real networking happens in the evenings at the hostelries around Earl’s Court, this is something of a disaster.

On a personal note, the largest outlet for my scribblings on the show in recent years shut up shop at the end of 2013; I’ll be putting the trade stuff in the Extreme Computing newsletter and probably blogging a lot more of it here. If I can get there. I shall try my best, and blog live as the show continues.

Freeloaders step in to fund Open Source thanks to OpenSSL fiasco

Some good has come out of the heartbleed bug – some of the larger organisations using it have decided to put some money in to its developemnt. Quite a lot in fact. it’s through an initiative of the Linux Foundation, and is supported by the likes of Microsoft, Cisco, Amazon, Intel, Facebook, Google and IBM. The idea is to fund some critical open source projects.

While this is welcome news for the open source community in general, and certainly vindicates the concept, I have to question its effectiveness. The vulnerability was actually reported by the community two years ago, and had already been fixed. However, it persisted in several releases until it had been. One could blame the volunteers who developed it for sloppy coding; not spotting it themselves and not fixing it when it was pointed out to them earlier. But I can’t blame volunteers.

It’s up to people using Open Source to check its fit for purpose. They should have carried out their own code reviews anyway. At the very least, they should have read the bug reports, which would have told them that these versions were dodgy. Yet none of them did, relying on the community to make sure everything was alright.

I dare say that the code in OpenSSL, and other community projects, is at last as good as much of the commercially written stuff. And on that basis alone, it’s good to see the freeloading users splashing a bit bit of cash.

I wonder, however, what will happen when Samba (for example) comes under the spotlight. Is Microsoft really going to fund an open-source competitor to its server platform? Or vmware pay to check the security of VirtualBox? Oracle isn’t on the current list of donors, incidentally, but they’re doing more than anyone to support the open source model already.