Remote Access Trojans (RATs) are a blight on the internet – they allow attackers to take complete control of the victim’s computer to do and steal what they wish. Remote Access Tools (RATs), however, are increasingly valuable to provide remote support to an increasingly distributed workforce. Which is which is not always clear.
At the end of last month, Trustwave's David Kirkpatrick looked at the NetSupport remote management application (clearly designed to be one of the latter). He was testing the security of a client and noticed hundreds of computers running NetSupport; and decided to see if any were susceptible to a particular remote buffer overflow vulnerability.
Not wanting to potentially cause disruption to hundreds of clients by running the exploit against all of them, I needed to find the version of the software running and also see if any of the hosts could be taken over using no authentication, for the quick win.
An Intro to NetSupport Manager Scripts
He wrote a script to remotely find if the NetSupport installations required specific authentication, and to see if he could connect if they did not. He found that he could connect, and therefore use, any installation that did not require user authentication. The implications would be quite severe if
- he didn’t need to do this from within the NetSupport Manager
- the connection did not pop up a warning window on the accessed PC
Since then he has worked on a more covert method to take over NetSupport clients – and today he will announce his success on a new Trustwave SpiderLabs blog post.
Since then [the March post], I’ve written a basic Nmap script that can be used to do a similar function to check whether authentication is required and if not also returns useful NetSupport configuration settings from the hosts. This negates the requirement to use the NetSupport software to find hosts configured with this weakness.
But by coming via Nmap from outside of the network, the new script doesn’t trip the users’ ‘connect’ warning.
This meant I could run this script across the network and the clients would be unaware I was testing their configuration… But more worryingly, an attacker could remotely connect to the host without the need for a password, bypassing Windows local or domain passwords.
Put bluntly, using this new Nmap script, Kirkpatrick found that he could “easily bypass any Domain or Windows credentials and use NetSupport to remotely connect to the hosts and compromise them.”
What we end up with is the archetypal description of a dual-use weapon. In the hands of a white hat pentester, this script will allow the auditor to rapidly, and with no disturbance to the network, discover which NetSupport installations have not been properly secured by their users. But in the hands of a black hat hacker, it can be used to covertly and remotely take complete control of the user's PC. The moral is simple: never accept the out-of-the-box default security settings for any product – if there is an option for password authentication, take it; and always change any default password to one of your own.
The new head of GCHQ is neither a spy by trade nor a hard-hitting political bully — he is a diplomat. Robert Hannigan, selected to replace Sir Iain Lobban as head of Britain's spy agency GCHQ, comes out of the Foreign Office and is a former adviser to Tony Blair in Northern Ireland.
Ex-colleagues say choice of Foreign Office diplomat as GCHQ chief suggests government is leaving door open to reform
Robert Hannigan: GCHQ director who can balance secrecy and accountability — Guardian
The implication is clear: maybe, just maybe, Cameron has realised the severity of not just public concern and distrust over GCHQ, but the dismay of our European political allies. It will take some serious diplomacy to soothe some very ruffled feathers. It already seems likely that Britain will be excluded from the EU's Schengen-routing and Schengen-cloud (see here for details); and that would put the country at a severe trade disadvantage in our most important export market.
The Guardian goes on to give an example of Hannigan’s diplomacy:
Hannigan rose from being the head of communications in the Northern Ireland Office to running its political affairs department. At one particularly critical moment in the peace talks in 2007, Hannigan helped overcome an impasse between Sinn Féin’s Gerry Adams and the DUP’s Ian Paisley. The latter wanted an adversarial arrangement with the parties glaring at each other across a table; Adams wanted them sitting side by side, as partners. Hannigan suggested a diamond-shaped table as a compromise.
The best of all possible worlds will be that Hannigan’s brief is to open up GCHQ to some form of public transparency. The greater likelihood, however, is that his brief is to pull the diplomatic wool over everyone’s eyes to allow GCHQ to continue as is.
Last week news of the Heartbleed bug broke. Initial concern concentrated on the big service providers and whether they were bleeding their users’ credentials, but attention soon turned to client devices, and in particular Android. Google said only one version of Android was vulnerable (4.11 Jelly Bean); but it’s the one that is used on more than one-third of all Android devices.
The problem is, Android simply won’t be patched as fast as the big providers. Google itself is good at patching; but Android is fragmented across multiple manufacturers who are themselves responsible for patching their users – and historically, they are not so good. It prompted ZDNet to write yesterday,
The Heartbleed scenario does raise the question of the speed of patching and upgrading on Android. Take, for instance, the example of the Samsung Galaxy S4, released this time last year: it has taken nine months from the July 2013 release of Jelly Bean 4.3 for devices on Australia's Vodafone network to receive the update; it took a week for Nexus devices to receive the update.
Heartboned: Why Google needs to reclaim Android updates
Today we get further evidence of the need for Google to take control of Android updating – information from FireEye on a new and very dangerous Android flaw. In a nutshell, a malicious app can manipulate other icons.
FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing websites or the malicious app itself without notifying the user. Google has acknowledged this issue and released the patch to its OEM partners.
Occupy Your Icons Silently on Android
The danger, however, is this can be done without any warning. Android only notifies users when an app requires ‘dangerous’ permissions. This flaw, however, makes use of normal permissions; and Android does not warn on normal permissions. The effect is that an apparently benign app can have dangerous consequences.
As a proof of concept attack scenario, a malicious app with these two permissions can query/insert/alter the system icon settings and modify legitimate icons of some security-sensitive apps, such as banking apps, to a phishing website. We tested and confirmed this attack on a Nexus 7 device with Android 4.4.2. (Note: The testing website was brought down quickly and nobody else ever connected to it.) Google Play doesn’t prevent this app from being published and there’s no warning when a user downloads and installs it. (Note: We have removed the app from Google Play quickly and nobody else downloaded this app.)
Google has already released a patch for Android, and Nexus users will soon be safe. But others? “Many android vendors were slow to adopt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users,” urges FireEye.
No. How could you even ask? Leopards do not change their spots except on the road to Damascus; and Rice was too involved in the road to Baghdad with warrantless wiretapping along the route.
And what is Drew Houston, founder and CEO of Dropbox, even thinking? On 9 April he blogged:
Finally, we’re proud to welcome Dr. Condoleezza Rice to our Board of Directors. When looking to grow our board, we sought out a leader who could help us expand our global footprint. Dr. Rice has had an illustrious career as Provost of Stanford University, board member of companies like Hewlett Packard and Charles Schwab, and former United States Secretary of State. We’re honored to be adding someone as brilliant and accomplished as Dr. Rice to our team.
Growing our leadership team
It is true that Rice has had an illustrious career. However, some of the bits not mentioned by Houston include being a board member of Chevron (one of the top six ‘supermajor’ oil companies) before becoming Bush’s National Security Advisor (the two positions actually overlapped for one month). As National Security Advisor she understood the need for the petrodollar invasion of Iraq and was a strong supporter of the 2003 invasion.
On Iraq’s weapons of mass destruction, the primary and false premise that justified the war, she said, “The problem here is that there will always be some uncertainty about how quickly he can acquire nuclear weapons. But we don’t want the smoking gun to be a mushroom cloud.” As Ming Campbell said of Tony Blair, you are either incompetent or lying.
There’s more. Rice was a strong supporter of the NSA’s warrantless wiretapping program; and it is claimed she personally authorised eavesdropping on UN officials. The Guardian reported on a leaked memo in 2003 instructing the NSA to increase surveillance “‘particularly directed at… UN Security Council Members (minus US and GBR, of course)’ to provide up-to-the-minute intelligence for Bush officials on the voting intentions of UN members regarding the issue of Iraq.”
The existence of the surveillance operation, understood to have been requested by President Bush’s National Security Adviser, Condoleezza Rice, is deeply embarrassing to the Americans in the middle of their efforts to win over the undecided delegations.
Revealed: US dirty tricks to win vote on Iraq war
Now, seriously, do we want a supporter of warrantless surveillance to be on the Board of a company that holds some of our most precious documents, photos and thoughts?