Posted on

Bad software and security

Today, LinkedIn decided I might want to see this post from Thomas Barnett:

“Most businesses don’t get hacked because of bad software.
They get hacked because someone clicked.”

(Apologies if the link doesn’t work – it’s a Microsoft site).

He is, of course, quite correct in that phishing and trojans are the most exploitable vulnerability in most organisations, but it hinges on the term “bad software”. If you’re new to the world of computing you won’t remember a time when this wasn’t a problem, but it has become one largely thanks to Microsoft thinking of profits before security, with features to “create a richer user experience”. I’d classify this as “bad software”, and it very much is the cause.

In the early days of the Internet there was assumed security, as any miscreants could be apprehended by the system operator checking which terminal they were on and paying them a visit. Unencrypted data flew back and forth on the network without it being a huge risk, as access to the wires was controlled by bricks and mortar. It took a while to add encryption when the Internet went public, but that’s done. Logins require security certificates. SMTP relays are closed. It should all be good.

Then some fools decided it would be “cool” to embed software in network traffic.

“Let’s allow people to send executable files by email that look like any other file and can be opened by clicking on them.” Bad software.

“Let’s embed JavaScript in web pages so we can run stuff on the user’s machine.” Bad software.

“Let’s embed software in Microsoft Office documents.” Bad Software.

“Let’s use passwords for accessing important data instead of security certificates tied to a host.” Bad Software.

There are other forms of idiocy around, such as downloading software from a package repo, placed there by anyone on the Internet, simply because there are so few actual software engineers around who can configure a server without a Docker image. But using passwords to log into remote systems, encrypted or otherwise, where the user has no way of knowing whether it’s the real login page is nuts. So is embedding software in electronic communications.

A cybersecurity industry has built up trying to place mitigations on this bad software. People like me have been warning about the fundamental dangers of Microsoft’s “Rich user experience” mantra for decades. I remember writing a piece for PCW in November 1996 when Netscape (not Microsoft, for once) proposed adding JavaScript to web browsers. (Previously Java Applets* were theoretically sandboxed).

Before this, when Microsoft added WordBasic in Word for Windows and DOS, people like me who’d been on the forefront of antimalware in the 1980s, were scarcastingly asking “What could possibly go wrong?”

So Mr Barnett is right to say these things are the most effective attack vector. Organisations should be very afraid. But they’re only attack vectors because the software is bad.

*JavaScript and Java share the name but are nothing like the same thing.

Posted on

Sophos UTM sets ambitions goals; and fails to score

Okay, I’m being a bit unfair on singling out Sophos here, but they’re a current source of irritation. Like all security vendors they’re selling products that don’t work. Actually, Sophos is one of the few larger players that will talk about this honestly, which is why they have been my first choice recommendation for a long time.

The problem is that if you have companies selling “total security” products, which are nothing of the sort, the public are likely to believe such a thing is possible. If you describe your product realistically the idiots will look elsewhere, purchasing based on the most outrageous claims. A look at the Sophos customer base suggests they’re not selling to idiots.

So what’s my problem with Sophos at the moment. Well I’m falling foul of their UTM Web Defender at an educational establishments. Some of my information sites are unclassified on their list of web sites, and so they’re blocked. They contain educational material that I use when teaching. Not helpful.

Okay, this isn’t default behaviour and the establishments in question have made a decision to block anything that Sophos hasn’t classified yet. Some of these sites have been there since 1992, so presumably there’s a long backlog. And this illustrates the problem very nicely; there are over 300,000,000 domain names registered, with 1,000,000 being added every month. Web filtering companies have to look at all these web sites, and sub domain web sites, and classify them all. It’s an impossible task. I know Sophos does this manually, heroic but doom to failure.

The World Wide Web was created to allow the sharing of knowledge; particularly academic and research information. Unfortunately this is just the kind of web site that’s likely to remain unclassified by content filters; obscure links to non-commercial servers giving the information needed for research.

There is a solution. A few years ago I decided to write my own web search engine for a laugh. I then modified it to try and figure out what the web sites were about. Google has built an empire on doing this extremely well, but my quick heuristic solution did a pretty good job.

So here’s what Sophos et all should do. When their web defender appliance hits an unclassified site it should automatically submit it to them for evaluation. An automated system using heuristics can then figure out the likely classification, with a probability threshold for human checking.

This doesn’t have to be instant to be a hell of a lot better than their current system. To get past a Sophos filter (for example) you have to manually submit every site to them by filling in a form, and then they’ll go and classify it within a week. Possibly. And in reality, who’s going to submit such a request to access a web site they can’t actually view because it’s blocked as “unclassified”. There’s a hole in their bucket!

Posted on

Five year old “new” malware discovered “by Kaspersky”

Yesterday Russian security company Kaspersky has released an analysis of what it claims is previously undiscovered malware, which has come to be known as Salron. Kaspersky’s analysis is incomplete, but contains more detail than was generally available in public beforehand. They admit it’s “probably” been around for five years, and this is true; but it’s not exactly unknown. The unknown group  behind the attacks has become known as Strider, and they’re using a backdoor program called Remsec. Details of this were published by Symantec a week ago.

Kaspersky’s conclusion is that this is a “Nation State” level piece of malware. It’s possible, but other than being very competently produced, I have seen no conclusive evidence to back the claim at this stage, but there’s quite a bit that’s circumstantial. According to Symantic, it’s been used to target relatively few organisations – mostly in Russia, with a Chinese airline and an unspecified embassy located in Europe. In other words, that naughty Mr Putin is at it again. Or is it the Chinese attacking their neighbour?

Based on the public analysis, it was written by some very smart people and avoids the mistakes made in previous systems such as Stuxnet. Kaspersky points to it being a rung up the technology ladder as an indication it was another government-sponsored effort, although in practice, anyone could learn the same lessons and produce a new generation.

AV companies have been detecting this for over a week, and it hasn’t thrown up a large number of infections. This is intriguing. Also, the way it works  to circumvent very specific and uncommon high-end security software indicates its in the APT category.

Microsoft, who’s operating systems it attacks, has yet to comment.

Posted on

Am I being phished?

Today I received an intriguing email with a Microsoft Word attachment implying I had money coming to me if I filled in a form. Yeah, right. I was just about to hit delete but I was a bit surprised the sender was addressing me as Prof. Leonhardt. It’s hardly the first time someone’s got this wrong – and to be on the safe side I can see why people might start high and work backwards through Dr. and so on, as people who are about such matters are only offended if you start too low.

But why would a botnet add the title?

On closer inspection I recognised it was a royalty payment enquiry from a publishing company that had actually done a book for about five years ago. I didn’t expect it to sell (it wasn’t that kind of book), so hadn’t thought much about out.

But I still haven’t opened the attachment. The email headers suggest it came from the publisher, but they can be forged. And this could be a clever spear-phishing attempt – after all, if you bought the book, which was largely about email security, you’d have the name of the publisher and my name – and the email address used can be found using Google.

I don’t believe I have ever been spear-phished before, so I’m feeling a bit more important than I did yesterday.

Time to fire up the sandbox!

Posted on

New mystery “Appear in Court” malware

In the early hours of the morning (BST) I intercepted a large number of emails of the “Appear in Court” variety, but unlike usual, these were not Microsoft documents but JavaScript (stored in a .ZIP file). They end in .doc.js, which means they obviously look odd.

I couldn’t resist running a few, to see what they did, and the answer is not much. They run cmd.exe and I’m pretty sure it does an egg hunt to find some code in core to execute, and it goes looking for DOCUME~1.DOC in various likely locations. But in my sandbox, it doesn’t get anywhere.

These are being spammed from clean IP addresses, no AV currently detects them by signature, so they’re going to get through. But what do they need to run, and what do they do if they succeed? Unfortunately I can’t stick around this morning to check further.

Posted on

Flash Crash (Adobe version)

AGet the dobe Flash (the browser plug-in) is notorious as a security risk, and the current batch of known exploits does nothing to improve it’s reputation. Sorry Adobe.
CVE-2016-1010 is the latest biggie, as it allows remote code execution on all but the very latest plug-in. There’s also CVE-2015-8651, CVE-2015-7645, CVE-2016-0963 and CVE-2016-0993 to worry about.

You should, of course, make sure that you have the latest plugging installed on your browser. Unfortunately the version numbering system varies by platform so I can’t easily tell you which you need.

When looking at multifarious Adobe Flash vulnerabilities in the NIST database I’m always amused to note that it appears to be written in Coldfusion. For the last ten years that’s been Adobe Coldfusion. Oh my!

 

Posted on

Android Stagefright bug gets serious

AndroidLogoSThere’s a bug in all by the most recent versions of the Android operating system that can theoretically allow attackers to take over the device simply by viewing a web page or downloading a media file. It’s actually in the Stagefright library, and was the talk of Black Hat last August. Then it was considered hard to exploit, but security researcher Hanan Be’er at  North-Bit in Israel has now published a paper proving it’s very dangerous.

Stagefright is the name of the media processing library found in all versions of Android you’re likely to find. It opens and reads any media downloaded to the device. With a specially crafted file you can cause it to crash when it does this; you don’t have to even play the file. However, it has been difficult to make use of this fact to “break out” and do anything more nasty.

Since Android 5.0, a system called Address Space Layout Randomisation (ASLR) has been in use. Basically the memory space is shuffled randomly so malicious code doesn’t know where anything else is, making attacks more difficult. This made exploiting Stagefright’s flaws a lot harder. The fact that the problem exists on Android 2.2 to 4.x, which doesn’t do ASLR, has been the subject of much complacency. Google has released fixes for the bug, known as CVE-2015-3864, but by no means have all the Android devices been updated. I guess that the vast majority have not, including the recent ones using Android 5.x. The infrastructure for updating Android simply doesn’t exist. Apple’s devices are very exploitable, but at least they have a mechanism for updating them.

So how does the North-Bit exploit work? It’s actually very straightforward. First you deliver a dodgy video file to the device; putting it on a web site is the obvious, easy method. This will cause Stagefright to crash and restart in a known state. When it does this, some JavaScript running on the same page slurps various parameters on the system, such as the current location of libc, and sends it back to the attacker. A new video file is then created and sent using this information, and it’s game over – possibly after a few tries, but North-Bit says the exploit is reliable.

How worried should we be? I’d say we should be very worried. Unless your device manufacturer and/or mobile network rolls out the patch, I can’t see any mitigation.

Posted on

Spam from the Government Secure Internet

gov.uk

Well that’s what it looks like. Criminals apparently from Bangalore have been distributing loads of malware spams from addresses like Nich***.Davi**.5208@vosa.gsi.gov.uk, and they’re getting through spam filters.

The messages continue:

 

 

 

Subject: DVSA RECEIPT

Good afternoon

Please find attached your receipt, sent as requested.

Kind regards

(See attached file)

Fixed Penalty Office
Driver and Vehicle Standards Agency | The Ellipse, Padley Road, Swansea,
SA1 8AN
Phone: 0300 123 9000



Find out more about government services at www.gov.uk/dvsa

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.  Any views or opinions presented may be those of the
originator and do not necessarily represent those of DVSA.

If you were not the intended recipient, you have received this email and
any attached files in error; in which case any storage, use,
dissemination, forwarding, printing, or copying of this email or its
attachments is strictly prohibited.  If you have received this
communication in error please destroy all copies and notify the sender
[and postmaster@dvsa.gsi.gov.uk ] by return email.

DVSA's computer systems may be monitored and communications carried on
them recorded, to secure the effective operation of the system and for
other lawful purposes.

Nothing in this email amounts to a contractual or other legal commitment
on the part of DVSA unless confirmed by a communication signed on behalf
of the Secretary of State.

It should be noted that although DVSA makes every effort to ensure that
all emails and attachments sent by it are checked for known viruses
before transmission, it does not warrant that they are free from viruses
or other defects and accepts no liability for any losses resulting from
infected email transmission.

Visit www.gov.uk/dvsa  for information about the Driver Vehicle and Standards Agency.
*********************************************************************


The original of this email was scanned for viruses by the Government Secure Intranet virus
scanning service supplied by Vodafone in partnership with Symantec.
(CCTM Certificate Number 2009/09/0052.) This email has been certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.

 

This all looks pretty genuine – they probably copied it verbatim with the exception of the “good afternoon”.

The payload is a Microsoft Word document with macros, but I’ve yet to figure out exactly what it’s doing. In the parlance of the security “industry” it’d be a zero-day exploit, but that’s not interesting. What did come as a bit of a surprise to me is that GSI doesn’t seem to bother with SPF records, which would have helped detect the fake. Bayesian analysis throws up nothing, and it’s coming from a clean IP address that has yet to be listed. The only things wrong with it are that there’s no reverse lookup, and no SPF on vosa.gsi.gov.uk to flag it as dodgy.

The civil service clearly hasn’t got this security business clear yet.

Posted on

Lincolnshire Council in £1M ransomware plot

Coat_of_arms_of_Lincolnshire_County_CouncilReports are that Lincolnshire Council has been shut down for four days because it’s been targeted by ransomware that has encrypted all its files. That they’ve been a victim of such a scam doesn’t surprise me – it’s all too common. What’s moving my eyebrows skyward is the fact that the criminals are asking for £1M to restore their data.

I’ve seen a lot of this before, and the criminals generally ask for a sum that it’s easier to pay than mess around trying to repair the damage. In other words, £500 is normal but £1M is not. For this to be credible, someone would have had to target them specifically, and come up with a plot to damage a lot of data in one go. This is possible if one PC has R/W access to a lot of files on a server, but for the criminals to expect to do this value of damage the council would have to be pretty incompetent and the criminals would have had to know this for certain. (What am I saying?)

From the BBC report there are a couple of interesting lines:

“The authority said it was working with its computer security provider to apply a fix to its systems.”

Hmm. So who is their computer security provider? If they have one that’s any good, the network would have been set up to avoid such wholesale damage. Serco took over the Council’s IT operations in April 2015. in a £70M+ deal. Whether the outsource company has outsourced the “security provision” is a little harder to know.

Further down the BBC article it says:

“Chief information officer Judith Hetherington-Smith said only a small number of files were affected.”

If that was true, restore them from a backup or take the hit – how can a small number of files be worth £1M?

Locking down the network after such an attack is a good idea, and this would disrupt office services for certain. But something just doesn’t add up here. It’s possible that the £1M ransom demand has been made up, to cover their embarrassment. Or it could just be sloppy journalism by the BBC – no facts checked and a story about some ransomware being blown out of all proportions. Serious news media haven’t had much to say on the subject. The Register has covered it, but has not repeated the £1M ransom claim.

Posted on

Microsoft Security Essentials hangs during a full scan

First off, can I be clear about one thing – endpoint virus scanners don’t make your computer “secure”. A lot of the most dangerous stuff gets past them, but trusting lusers believe they’re safe and will therefore take risks they outerwise wouldn’t. See my posts and academic papers passim ad nauseam. Now that’s out of the way, I favour Microsoft Security Essentials (or Microsoft Endpoint Security) on Windows as I find it less likely to make the system unusable. I don’t recommend it, except as the least-worst option.

On with the problem…

Sometimes, especially in the last year or so, I’ve found Security Essentials will stall when its doing a background scan. You may not notice its done this, but some symptoms are that web browser file downloads won’t work (it’ll download 100% but never finish) and the PC won’t hibernate automatically using the power-saving settings.

I’ve looked for solutions to this, as well as searching the web for an answer. You’ll often see people posting (without references) that this is bug and Microsoft are working on, or have now fixed it. I’ve tried theories myself to see if it’s caused by compression or archive formats causing a decompresser to break (I’ve noticed this often fits the facts), but this is little help when finding a solution, and even then it sometimes still hangs when the option to check compressed files is turned off.

What I’ve yet to find is anyone giving a real solution, so here it is:

  1. Deinstall Security Essentials.
  2. Download and install Security Essentials.

I’ve never known this not to work. On the other hand, I’ve known all the other theories you see posted on forums fail to work pretty consistently.