Heartbleed bug not as widespread as thought

Having tested a few servers I’m involved with, many of which are using old or very old versions of OpenSSL, I can’t say I’ve found many with the problem. You can test a server here: http://filippo.io/Heartbleed/ on a site recommended by Bruce Schneier.

So what’s going on? Does this affect very specific nearly-new releases. This story could turn out to be a serious but solvable problem, and a media panic. I recall spending most of 1999 doing interviews on how the “year 2000 bug” was going to be a damp squib, but it’s early days yet.

Heartbleed bug

Someone’s finally found a serious bug in OpenSSL. It allows a remote attacker to snoop around in the processes memory, and this is seriously bad news because this is where you will find the private keys its using. They’re called “private keys” because, unlike public keys, they need to remain private.

This is going to affect most web sites using https, and secure email (if you’re using it – most aren’t). But before user’s rush off to change their passwords (which are different for each site, aren’t they?) – there’s no point in doing this if an attacker is watching. The popular press reckons your passwords are compromised; I don’t. If I understand it correctly, this exploit theoretically allows an attacker to intercept encrypted traffic by pretending to be someone else, and in doing so can read everything you send – including your password. So don’t log in until the server is fixed. They can’t read your password until you use it.

To cure this bug you need a new version of OpenSSL, which is going to be a complete PITA for server operators who aren’t on-site. Hell, it’ll be a PITA even if you are on-site with the servers. Once this is done you’ll also need new certificates, and the certificate authorities aren’t geared up for everyone in the world changing at once.

But the big fun one is when you can’t update OpenSSL. It’s used everywhere, including in embedded systems for which there was never any upgrade route. I’m talking routers, smart TVs – everythign.

I believe that SSH isn’t affected by this, which is one good thing, but I’m waiting for confirmation. Watch this space.

But, if you’re using a secure web site to log in over SSL, consider the password compromised if you’ve used it in the last few days and be prepared to change it soon.

Criminals using self-assessment tax filing deadline to drop Trojans

I’ve intercepted rather a lot of these:

From: <gateway.confirmation@gateway.gov.uk>
To: <**************>
Date: Mon, 3 Feb 2014 20:33:49 +0100
Subject: Your Online Submission for Reference 485/GB6977453 Could not process

The submission for reference 485/GB6977453 was successfully received and was not processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.

Someone (via France, and the sender certainly does not speak proper English) is taking advantage of people’s panic about getting self-assessment tax forms in before the 31st January deadline to avoid a fine The attached ZIP file contains an executable with a .scr extension. It doesn’t show as being anything recognisable as nasty, so someone’s planned this well. Be careful; this is slipping through ISP malware scanners (and all the Windoze desktop scanners I’ve checked it against).

 

Direct Response monitored alarms fail to show

Not to an alarm call out, but they had an appointment at 9am today to talk about their monitoring service. At 9:30 they called to say they weren’t coming with the excuse that they’d tried to call to confirm the appointment but couldn’t get through. Except they confirmed it yesterday afternoon and there’s someone on the hot-line number they claim to have used since 6am today.

Okay, they double booked slots and got caught with their pants down and this is the best they could come up with, but a company trying to sell an ARC service, not showing for an appointment has to be the biggest no-no going. LOL!

They’re actually possibly worth talking to, because they use the rather interesting Risco panels. Risco is an Israeli company, and they’re upping the game by integrating CCTV and IDS in one system with PIR detectors that will take a snapshot of what triggered them and sending to the ARC. The lady on the phone said they just wanted to demonstrate this, and I couldn’t resist even though we’re happy with the British-made Texecom kit (although we use Risco beam sensors already).

However, this is the same Direct Response that got hauled before the OFT and clobbered in 2009 for telling porky pies about their monitored alarms getting a priority response from the police. The caller also claimed the alarms were made in Iran (“or somewhere like that”). And they’re still using the same old sales tactics (“We are calling as part of an awareness campaign, and four people in your area will be selected at random for a free alarm worth £999”, without mentioning the £400 installation fee up front and claiming a £5/week monitoring fee – I’ll be pleasantly surprised if this bit is true).

The appointment’s been re-made for 9am on Monday. Let’s see. In fairness, I did warn the first and second callers that they hadn’t called a normal householder. All they gotta do is Google me.

Botnet shows itself with New Year spam :)

The crims have been at it again this Christmas season (more elsewhere). The latest interesting activity has been a flood of emails with :) as the subject and “Happy new year !” as the text-only payload. Don’t feel left out if you didn’t get one, as they’re only being sent to email addresses made of random numbers at various domains I monitor.

What are the crims up to? Probably testing out mail servers to see if they’ll accept things to random addresses. Every domain should, and deliver them to a human postmaster (not that many net newbies are even aware of this rule). However, there’s nothing to say they can’t also go to analysis tools.

What makes this latest caper interesting is that the botnet they’re coming from doesn’t show up on the usual lists of such things – it’s either new or extended rapidly from an old one. New botnets popping up after Christmas aren’t uncommon as the seasonal fake greeting cards and amazon purchase confirmation trojans are relentless in the days before, together with the lack of staff available over the holiday to deal with them. However, I find this one unusual as most of the IP addresses used to send out the probes are from Europe (Germany and Spain in particular).

 

Google shoots own foot in war on child abuse images

If you believe the Daily Mail and the BBC, Google and Microsoft have buckled under pressure from the Government to block images of child abuse on the Internet. What they’ve actually done is block around 100,000 search terms that are used by peodphiles looking for material, whether such search terms could be used to locate other content or not. Great.

Actually, this is rubbish. Google (about which I know more) has not even been indexing such sites, so search terms won’t have found any that it knew about anyway. I’m sure the other search engines have similar programmes in place. This is a public relations exercise, with a piece by Eric Schmidt in the Mail today. It’s a desperate PR stunt that will back-fire on Google.

Eric Schmidt of Google, seeming desperate (from Wikipedia)
Eric Schmidt of Google, seeming desperate

The fact is that household names like Google don’t have a case to answer here. They’re not ISPs, they’re not providing hosting space for illegal material and they’re not actually responsible for it in any way. The only thing they can do is spend their money researching such sites, dropping them from there indices and alerting the relevant authorities to their research. This they already do. So when the likes of Mr Cameron criticize them, as an easy target, the correct response is “Don’t be silly, it’s not us, and it’s the job of your Police to catch the criminals whether they’re using the Internet or not”. What Google has done with this move is give legitimacy to the original false accusation.

As anyone concerned with cybercrime will tell you, the major criminal activity takes place in areas outside the World Wide Web – areas not indexed by Google or any legitimate company. It travels around the Internet, encrypted and anonymous; and the peodophiles seem to be able to find it anyway. All this move will achieve is pushing the final remnants underground, where they’ll be much harder to track.

Looking at the comments that have appeared on the Daily Mail site since it was published is depressing. They’re mostly from people who have been taken in by this line (originally spun by the Daily Mail, after all), and they clearly don’t understand the technical issues behind any of this. I can’t say I blame them, however, as the majority of the population has little or no understanding of what the Internet is or how it works. They simply see a web browser, normally with Google as a home-page, and conflate the Internet with Google. The Prime Ministers advisors are either just as simple-minded, or are cynically exploiting the situation.

 

Skype under investigation for NSA links

According to today’s Guardian, Skype is being tackled by the data protection commissioner in Luxembourg over concerns it has secret links with the US National Security Agency, and its Prism communications intercept programme. Like many “interesting” companies such as eBay, Amazon and even Starbucks, Skype chose to be be based in the Luxembourg  in the hope it would be left alone. However, the infamous tax haven’s constitutionally enshrined right to privacy might turn around and bite Skype.

Skype Login PageMicrosoft bought Skype a couple of years ago; it had once been owned by eBay and, as a separate division, Microsoft has presumably decided to keep it in Luxembourg for the tax advantages. However, while Microsoft was allegedly one of the first large technology group to be pulled in to Prism, Skype has been widely thought of as a secure communications channel. If Luxembourg-based Skype has been passing intercepts to the NSA, its users and the local authorities will not be pleased.

I understand that the local law does allow this kind of thing, and for it to remain secret, if it’s specially negotiated by the government. And as such the data commissioner may not have been in the loop.

But, you may wonder, how does an encrypted peer-to-peer system like Skype get intercepted anyway? The protocol was designed to pirate media files in such a way that lawful authorities were unable to track or disrupt it (which is why no network administrators would ever want it on their LANs). If it has weaknesses, they must have been there from the start. And I believe they were.

A few years back I was talking to someone from Facetime, a manufacturer of firewalls. They’ve since found that flogging their domain to Apple for an iPhone product is also lucrative, and now they’re called Actiance. But I digress.

Facetime had struck a deal with eBay to get details of the secret protocol so that they could manage Skype on local networks. As it’s obfuscated and designed to avoid firewalls, this is a neat trick, and they were the only people able to do it at the time. As an example, they were able to determine which versions of Skype were in use and block those that didn’t fit with company policy. In other words, they could positively recognise the obfuscated protocol and make sense of it.

According to the files the Guardian claims to have seen, Skype was ordered to cooperate with the NSA in February 2011, and it only took them a few months to have call intercepts in place. I’m not that surprised; given the Facetime firewall’s abilities I suspected that payload decryption was going to be possible if you asked the right questions whilst brandishing a big enough stick.

Making this information public, as is now the case, is simply going to push the people that should be intercepted on to systems not under the influence of the USA. How about a Chinese Skype-alike instead? Perhaps not, as it’s widely believed that the Chinese version has a back-door for the local authorities to plunder. But there are plenty of anarchist outfits out there with the ability to write a VoIP system that isn’t compromised by big business’s need to cooperate with governments if they want to make a profit.

Meanwhile, let’s see how Luxemburg’s data protection commissioner gets on.

 

Spam from global switch

My spam traps pick up dodgy emails from all sorts, including large companies that ought to know better. But today one was hit with a marketing communication from Global Switch. Not from an errant client of the data centre, but from Global Switch themselves, marketing their rack space (half price for the first 12 months, apparently).

I’m not sure what to make of this, but if you’re thinking of starting up a spamming operation, Global Switch looks like the place to be. If they don’t care whether they’re using legitimate, opt-in lists, why should they hassle their customers. Needless to say I contacted them about it; needless to say there was no one available to comment. If anyone from Global Switch is out there, it’s still not too late.

Further:

I did get through to Global’s sales team. While they stopped short of condemning the practice, they said they’d investigate if I gave them enough information to identify the honeypot. I’m sure they’d wouldn’t have bought the list they used if they suspected it was dodgy, which just goes to show.

 

Who needs a botnet when you can Yahoo?

Someone, somewhere is making full use of Yahoo webmail to send out  what could be millions of fake emails pretending to be Amazon order confirmations (extrapolating on the numbers received here). Needless to say, they really contain a ZIP file with a rather nasty looking Microsoft executable file inside.

My guess is they’re using accounts compromised earlier in the year, as reported here, which gets them through spam filters as most ISPs trust Yahoo. Actually, ISPs generally don’t trust Yahoo but their users don’t see it that way when their friends’ Yahoo email is blocked.

Is this Yahoo’s fault? Normally I’d blame the criminals, but in this case Yahoo could be doing a lot more to to help. This has been going on for three days, and there’s no legitimate reason why any of its users should be sending out with addresses @amazon.co.uk. Even if they can’t scan to detect the latest malware, recognising these fake emails is easy enough.

It’s hardly a new tactic by the criminals, of course. amazon.co.uk’s name was abused back in May to deliver similar Trojan malware.

It’s about time Yahoo (and other freemail services) took responsibility for the damage caused by their business model.

 

Your Smart TV is watching YOU

There were a couple of  interesting presentations at Black Hat yesterday Aaron Grattafiori and Josh Yavor from iSEC Partners and Seungjin Lee from Korea University were both talking about hijacking Smart TVs. These devices are Internet connected and basically do a lot of their stuff using web browser technology, including JavaScript and other well known attack vectors. iSEC Partners were testing Samsung TVs in particular, but they all work pretty much the same way and apparently the manufacturers’ programmers haven’t done much to consider the security aspects.

Grattafiori was particularly keen to point out that the cameras on such devices were as susceptible to hijacking as anything else.

He went on “Because the TV only has a single user, any type of compromise into an application or into Smart Hub, which is the operating system — the smarts of the TV — has the same permission as every user, which is, you can do everything and anything.”

He suggested you might want to  make sure the TV in your bedroom has it’s lens covered with a sticky label.

Earlier this year Samsung has issued a software update for the TVs affected by the security flaws described in Las Vegas, but the fact they’re all using flaky browser technology means we should all be wary of them.