When is a remote access tool a remote access trojan?

April 23, 2014

Remote Access Trojans (RATs) are a blight on the internet – they allow attackers to take complete control of the victim’s computer to do and steal what they wish. Remote Access Tools (RATs), however, are increasingly valuable to provide remote support to an increasingly distributed workforce. Which is which is not always clear.

At the end of last month, Trustwave’s David Kirkpatrick looked at the NetSupport remote management application (clearly designed to be one of the latter). He was testing the security of a client and noticed hundreds of computers running NetSupport, and decided to see if any were susceptible to a particular remote buffer overflow vulnerability.

Not wanting to potentially cause disruption to hundreds of clients by running the exploit against all of them, I needed to find the version of the software running and also see if any of the hosts could be taken over using no authentication, for the quick win.
An Intro to NetSupport Manager Scripts

He wrote a script to find out remotely whether the NetSupport installations required specific authentication, and to see if he could connect if they did not. He found that he could connect to, and therefore use, any installation that did not require user authentication. The implications would be quite severe if

  1. he didn’t need to do this from within the NetSupport Manager
  2. the connection did not pop up a warning window on the accessed PC

Since then he has worked on a more covert method to take over NetSupport clients – and today he will announce his success on a new Trustwave SpiderLabs blog post.

Since then [the March post], I’ve written a basic Nmap script that can be used to do a similar function to check whether authentication is required and if not also returns useful NetSupport configuration settings from the hosts. This negates the requirement to use the NetSupport software to find hosts configured with this weakness.

But by coming via Nmap from outside of the network, the new script doesn’t trip the users’ ‘connect’ warning.

This meant I could run this script across the network and the clients would be unaware I was testing their configuration… But more worryingly, an attacker could remotely connect to the host without the need for a password, bypassing Windows local or domain passwords.

The information returned by Kirkpatrick’s Nmap script

Put bluntly, using this new Nmap script, Kirkpatrick found that he could “easily bypass any Domain or Windows credentials and use NetSupport to remotely connect to the hosts and compromise them.”

What we end up with is the archetypal description of a dual-use weapon. In the hands of a white hat pentester, this script will allow the auditor to rapidly, and with no disturbance to the network, discover which NetSupport installations have not been properly secured by their users. But in the hands of a black hat hacker, it can be used to take over the user’s PC covertly, completely and remotely. The moral is simple: never accept the out-of-the-box default security settings for any product – if there is an option for password authentication, take it; and always change any default password to one of your own.

Categories: All, Security Issues

The Julie Ann Horvath story is just the tip of the iceberg

April 22, 2014

The GitHub/Horvath saga should make for uncomfortable reading for all companies; and especially tech companies. It exposes an uncomfortable work environment that lies above legality but below acceptability — women are harassed and bullied in the work environment; and I would suggest this happens more often than not.

Julie Ann Horvath felt forced to resign from GitHub. Her story is recounted by TechCrunch. She described what amounts to bullying by an unnamed but obvious co-founder and his wife, and sexual harassment from an unnamed colleague.

While the above was going on, Horvath had what she referred to as an awkward, almost aggressive encounter with another GitHub employee, who asked himself over to “talk,” and then professed his love, and “hesitated” when he was asked to leave. Horvath was in a committed relationship at the time, something this other employee was well aware of, according to Horvath.

The rejection of the other employee led to something of an internal battle at GitHub. According to Horvath, the engineer, “hurt from my rejection, started passive-aggressively ripping out my code from projects we had worked on together without so much as a ping or a comment. I even had to have a few of his commits reverted. I would work on something, go to bed, and wake up to find my work gone without any explanation.” The employee in question, according to Horvath, is both “well-liked at GitHub” and “popular in the community.” [And has apparently since been promoted]
Julie Ann Horvath Describes Sexism And Intimidation Behind Her GitHub Exit — TechCrunch

She got precious little support from HR and eventually left.

GitHub suspended Tom Preston-Werner. CEO and co-founder Chris Wanstrath announced,

We know we have to take action and have begun a full investigation. While that’s ongoing, and effective immediately, the relevant founder has been put on leave, as has the referenced GitHub engineer.
Update on Julie Horvath’s Departure

The result of that investigation has now been announced:

The investigation found no evidence to support the claims against Tom and his wife of sexual or gender-based harassment or retaliation, or of a sexist or hostile work environment. However, while there may have been no legal wrongdoing…
Results of the GitHub Investigation

This is arse-covering of the first order. There has been no ‘legal wrongdoing’; and yet Tom Preston-Werner has resigned. GitHub is forced to protect itself legally — as any company would. But the problem with this is that it allows a divisive and bullying culture to continue because it is within the bounds of legality.

This sort of culture was described by Asher Wolf more than a year ago in her article, Dear Hacker Community – We Need To Talk:

Some parts of this article deal with misogyny, sexism, and harassment, while other aspects of it respond to experiences of down-right douche-baggery.

It doesn’t apply to all of you, but a number of you engage in it and many of you are bystanders.
Dear Hacker Community – We Need To Talk

Asher Wolf is no shrinking violet.

And yes, after I quit I said “fuck” a whole lot, and cried an ocean, then packed my son the toddler off to my mother’s house for the night and got profoundly drunk.

And now I’m ready to talk about the arse-hattery that basically broke me over the last few months.

I’m not some wall-flower or “pearl-clutching” provoker of needless moral outrage.

The experiences of Julie Ann Horvath and Asher Wolf are, I believe, the tip of the iceberg; and it is something that business needs to address. It seems to be worst in male-dominated professions — and engineering is one of the worst.

I don’t know the answer. As long as there is a ‘legal’ threshold, anything beneath that line is fair game and will continue — unless and until Asher Wolf’s bystanders cease to be bystanders. The good men in this world need to stand up and step in.

Otherwise weak men will continue to bully women because they are afraid and jealous of their professional abilities, and because they can.

Categories: All

Diplomat to be new head of GCHQ

April 16, 2014

Robert Hannigan — new head of GCHQ

The new head of GCHQ is neither a spy by trade nor a hard-hitting political bully — he is a diplomat. Robert Hannigan, selected to replace Sir Iain Lobban as head of Britain’s spy agency GCHQ, comes out of the Foreign Office and is a former adviser to Tony Blair in Northern Ireland.

Ex-colleagues say choice of Foreign Office diplomat as GCHQ chief suggests government is leaving door open to reform
Robert Hannigan: GCHQ director who can balance secrecy and accountability — Guardian

The implication is clear: maybe, just maybe, Cameron has realised the severity of not just public concern and distrust over GCHQ, but the dismay of our European political allies. It will take some serious diplomacy to soothe some very ruffled feathers. It already seems likely that Britain will be excluded from the EU’s Schengen-routing and Schengen-cloud (see here for details); and that would put the country at a severe trade disadvantage in our most important export market.

The Guardian goes on to give an example of Hannigan’s diplomacy:

Hannigan rose from being the head of communications in the Northern Ireland Office to running its political affairs department. At one particularly critical moment in the peace talks in 2007, Hannigan helped overcome an impasse between Sinn Féin’s Gerry Adams and the DUP’s Ian Paisley. The latter wanted an adversarial arrangement with the parties glaring at each other across a table; Adams wanted them sitting side by side, as partners. Hannigan suggested a diamond-shaped table as a compromise.

The best of all possible worlds will be that Hannigan’s brief is to open up GCHQ to some form of public transparency. The greater likelihood, however, is that his brief is to pull the diplomatic wool over everyone’s eyes to allow GCHQ to continue as is.


Categories: All, Politics, Security Issues

Google amends its Terms of Service

April 16, 2014

With most privacy laws you can pretty much do what you want provided you are up front about it. The key is the ‘informed consent’ of the user.

Google has been getting grief from legislators who claim that the complexity of its privacy policies makes it impossible for users to be informed, and difficult for them to opt out if they do not consent.

One continuing argument is over Google’s scanning of email content in order to provide targeted advertising to Gmail users. The nub of the argument is that claimants say they have not given consent to this scanning while Google’s response is that consent is implied by use.

Now Google has made its practices explicit with a Monday addition to its terms of service. It has added a new paragraph:

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.
Google Terms of Service

I think Google was correct in reality if not legality when it claimed that consent was implicit in use — most if not all users are perfectly aware that email content is scanned electronically. The new paragraph makes this explicit: informed consent is now given by use of Google services.

What I still find interesting is that this consent is said to apply to received emails. If a non-Google user sends me a message, how is that user giving consent for the message to be scanned by Google? Is it realistic for non-Gmail users to read Google’s terms of service before emailing a Google user?

I don’t believe it is. So who owns the content: the sender or receiver? Copyright would suggest it is the sender — in which case this amendment to the terms of service will go some way, but not all the way, towards solving Google’s privacy issues.

Categories: All, Security Issues

Having sex online can seriously damage your economic health

April 15, 2014

Get Safe Online is warning young males about the webcam sex blackmail scam. It seems to be targeting youngsters in Avon and Somerset, because when I asked about other cases I was told, “The City of London police haven’t been able to provide any further stats, as this is a relatively new type of fraud.”

Strange, because it certainly isn’t new and is unlikely to be limited to Avon and Somerset.

Avon and Somerset Constabulary has dealt with several cases where, following connecting via social networking sites, victims (usually young males) are lured into taking off their clothes in front of their webcam – and sometimes performing sexual acts – which is videoed by the fraudster. The victims are then threatened with blackmail to avoid the video being published online and shared with their contacts. Investigations have revealed that most of these cases stem from abroad, making them difficult to trace.

That’s the scam in a nutshell. But it’s certainly not new – and you can get a more complete description from a report in the BBC from September 2012.

She said she was French, living in Lyon, but was on holiday in Ivory Coast. We then chatted for a bit on MSN and I could see a video of her. She was a very beautiful French-looking girl, very pretty.

She was dressed to begin with and asked whether I would be interested in going further. I asked what that meant and she said she wanted to see my body… everything.
Blackmail fraudsters target webcam daters

This particular case seems to have been in France, but adds another potentially more worrying aspect. The subsequent video was published with a caption saying the victim performed a sex act in front of a young girl – and that unless he pays €500 to take it down, the world would soon know he is a paedophile.

“At the moment we are persuaded that there are several blackmail attempts committed every day,” says Vincent Lemoine, a specialist in cybercrime in the Gendarmerie’s criminal investigations unit.

So it’s not new and already widespread. Perhaps it’s just newly migrated to the UK because, let’s face it, we Brits have a reputation for not even shaking hands without a formal introduction. But it is a problem and it’s very likely to be an increasing problem. I just wish that Get Safe Online would get real with the young of today. Its language simply doesn’t resonate.

“It’s terrible that fraudsters are targeting innocent people in such a personal way,” said Tony Neate, Chief Executive of Get Safe Online. The language is so British and understated. Terrible? Devastating and possibly life threatening (“His blackmailers were relentless and he could see no end to his ordeal. A week after the first demand, he killed himself.” BBC report) might be more accurate.

I also have some concerns over whether Get Safe Online actually understands young culture. The purpose of the warning is admirable – but the advice given somewhat misses the mark. “Be wary about who you invite or accept invitations from on social networking sites. Don’t accept friendship requests from complete strangers. You wouldn’t do this in real life!”

That’s the problem. That’s exactly what people actually do in real life. We dress up, go out on the town, hook up with a complete stranger and have sex. It’s called a one-night-stand and it’s what weekends were invented for. And all friends were strangers before they became friends, so saying don’t make friends with strangers is a bit silly.

So I would say to Get Safe Online, if you want to seriously warn the youngsters of today, Get Safe should first get real.

If you want more advice on the threat from Get Safe, there’s an outline on their site:

Get Safe warning

I think the illustration is meant to show a worried young man who is being blackmailed – but it could just be someone giving head to a stranger he just met on Facebook.

Categories: All, Security Issues

New Android flaw could send you to a phishing site

April 14, 2014

Last week news of the Heartbleed bug broke. Initial concern concentrated on the big service providers and whether they were bleeding their users’ credentials, but attention soon turned to client devices, and in particular Android. Google said only one version of Android was vulnerable (4.11 Jelly Bean); but it’s the one that is used on more than one-third of all Android devices.

The problem is, Android simply won’t be patched as fast as the big providers. Google itself is good at patching; but Android is fragmented across multiple manufacturers who are themselves responsible for patching their users – and historically, they are not so good. It prompted ZDNet to write yesterday,

The Heartbleed scenario does raise the question of the speed of patching and upgrading on Android. Take, for instance, the example of the Samsung Galaxy S4, released this time last year: it has taken nine months from the July 2013 release of Jelly Bean 4.3 for devices on Australia’s Vodafone network to receive the update; it took a week for Nexus devices to receive the update.
Heartboned: Why Google needs to reclaim Android updates

Today we get further evidence of the need for Google to take control of Android updating – information from FireEye on a new and very dangerous Android flaw. In a nutshell, a malicious app can manipulate the home screen icons of other apps.

FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing websites or the malicious app itself without notifying the user. Google has acknowledged this issue and released the patch to its OEM partners.
Occupy Your Icons Silently on Android

The danger is that this can be done without any warning. Android only notifies users when an app requires ‘dangerous’ permissions; this flaw makes use of normal permissions only, and Android does not warn on normal permissions. The effect is that an apparently benign app can have dangerous consequences.

FireEye’s POC test app does not display any warning to the user

As a proof of concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website. We tested and confirmed this attack on a Nexus 7 device with Android 4.4.2. (Note: The testing website was brought down quickly and nobody else ever connected to it.) Google Play doesn’t prevent this app from being published and there’s no warning when a user downloads and installs it. (Note: We have removed the app from Google Play quickly and nobody else downloaded this app.)

Google has already released a patch for Android, and Nexus users will soon be safe. But others? “Many android vendors were slow to adopt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users,” urges FireEye.

Categories: All, Security Issues

Is it safe to carry on using Dropbox with Condoleezza Rice on the Board?

April 14, 2014

Drew Houston, Dropbox (Wikipedia)

No. How could you even ask? Leopards do not change their spots except on the road to Damascus; and Rice was too involved in the road to Baghdad with warrantless wiretapping along the route.

And what is Drew Houston, founder and CEO of Dropbox even thinking? On 9 April he blogged:

Finally, we’re proud to welcome Dr. Condoleezza Rice to our Board of Directors. When looking to grow our board, we sought out a leader who could help us expand our global footprint. Dr. Rice has had an illustrious career as Provost of Stanford University, board member of companies like Hewlett Packard and Charles Schwab, and former United States Secretary of State. We’re honored to be adding someone as brilliant and accomplished as Dr. Rice to our team.
Growing our leadership team

Condoleezza Rice, 2005 (Wikipedia)

It is true that Rice has had an illustrious career. However, some of the bits not mentioned by Houston include being a board member of Chevron (one of the top six ‘supermajor’ oil companies) before becoming Bush’s National Security Advisor (the two positions actually overlapped for one month). As National Security Advisor she understood the need for the petrodollar invasion of Iraq and was a strong supporter of the 2003 invasion.

On Iraq’s weapons of mass destruction, the primary and false premise that justified the war, she said, “The problem here is that there will always be some uncertainty about how quickly he can acquire nuclear weapons. But we don’t want the smoking gun to be a mushroom cloud.” As Ming Campbell said of Tony Blair, you are either incompetent or lying.

There’s more. Rice was a strong supporter of the NSA’s warrantless wiretapping program; and it is claimed she personally authorised eavesdropping on UN officials. The Guardian reported on a leaked memo in 2003 instructing the NSA to increase surveillance “‘particularly directed at… UN Security Council Members (minus US and GBR, of course)’ to provide up-to-the-minute intelligence for Bush officials on the voting intentions of UN members regarding the issue of Iraq.”

The existence of the surveillance operation, understood to have been requested by President Bush’s National Security Adviser, Condoleezza Rice, is deeply embarrassing to the Americans in the middle of their efforts to win over the undecided delegations.
Revealed: US dirty tricks to win vote on Iraq war

Now, seriously, do we want a supporter of warrantless surveillance to be on the Board of a company that holds some of our most precious documents, photos and thoughts?

Categories: All, Politics, Security Issues
