I got an email yesterday (29 April 2014). It said:
Today the Websense Security Labs found a new vulnerability in Microsoft Internet Explorer which affects Internet Explorer versions 6 through 11. However, current reported attacks are targeting Explorer 9 through 11. The Labs have issued a blog post which outlines solutions for those who have been affected by the attack.
Not another IE 0-day surely? Because FireEye found one just a couple of days ago. On Saturday (26 April 2014) FireEye blogged:
FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue.
New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks
This is strange, because the 0-day ‘found’ by Websense two days later carries the very same identifier, CVE-2014-1776:
A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer versions 6 through 11. However, current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website.
This vulnerability has been assigned reference CVE-2014-1776…
Microsoft Internet Explorer Zero-day – CVE-2014-1776
In fairness to Websense, its blog does not claim to have found the vulnerability itself – that is left to the email sent to journalists such as myself. But nor does it give any credit to FireEye – which would have been good. Just in case there is any doubt about who really did first discover this particular vulnerability (apart from the hackers of course), Microsoft’s advisory is quite explicit:
Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11…
Microsoft thanks the following for working with us to help protect customers:
- FireEye, Inc. for working with us on the Internet Explorer Memory Corruption Vulnerability (CVE-2014-1776)
OK. So having established that FireEye really does have the bigger willy, and implying that Websense is a wee bit envious in trying to pass off the discovery as its own… what is this vulnerability? Well, it’s a bad one: a memory corruption bug in IE, exploited in the wild, with an exploit that defeats both ASLR and DEP. Bad enough, in fact, for the European network and information security agency, ENISA, to issue its own advisory (something I am not aware of it having done before).
- This is a significant threat for IE users as there is no quick fix to repair, and “patch” this
- Users who want to avoid the abovementioned risk should temporarily use another browser until this security gap has been fixed
- Users should keep their systems patched and up-to-date
- Many users have two different browsers installed so they should easily be able to switch. If not, this is a good reason why they should have one, for when it is needed.
This is the best advice I’ve seen. While many experts are advising users not to surf in admin mode, to install EMET and to activate EPM, the majority of IE users will not even know what any of this means. Far simpler, and much more effective, would be to install multiple browsers (I’ve got five: Firefox, Chrome, IE, Safari and Opera); to keep them all fully patched; and to switch between them whenever a new 0-day is discovered for any one of them.
Microsoft could either see the Schengen Cloud coming or was privy to politicians’ thoughts. In January this year it announced that it would allow European customers to keep their data on servers within Europe. This followed a blog by legal counsel Brad Smith in December 2013 that voiced concern over US surveillance:
And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.
Protecting customer data from government snooping
So when news broke in February that Germany’s Merkel and France’s Hollande were keen on developing a European cloud to protect the privacy of European citizens, Microsoft was in a strong position to say, hey, we’re already with you: European data will remain within Europe; Microsoft can be part of the European cloud. (That proposed cloud is now known as the Schengen Cloud. Since the UK has never joined the Schengen group it is a way of excluding the UK — and specifically GCHQ — from Europe’s cloud.)
But the reality is different. Privacy expert Alexander Hanff, CEO of Think Privacy Inc, said at the time: “Microsoft knows full well that it makes no difference whether the data is hosted in the US or not. They are a US corporation and therefore any data they hold is vulnerable to the US surveillance machine no matter where it is. It is clear from the announcement that Microsoft (as well as the rest of the cloud industry) is really concerned about losing revenues for cloud services and they know there is a strong movement within Europe (not least by the European Commission) to create infrastructure independent of the US and US tech giants.”
He called it right. Brad Smith had been true to his word and had challenged a US law enforcement demand for customer details held in Ireland. The unnamed LEA had demanded everything on the customer, including the content of emails, user’s contact lists, IP addresses and even bank details. Microsoft went to court. It argued that warrants could not be served overseas, and that the warrant should be negated.
On Friday, a US magistrate judge delivered his decision. He held that although the demand was issued as a warrant (under the Stored Communications Act), it is served on the provider and executed like a subpoena, and a subpoena reaches whatever records a US company controls, wherever they are stored. Thus, as Hanff had predicted, it matters not where a US company stores its data: US law can demand and enforce access to it.
In fairness, Microsoft seems to have expected this. It will appeal. Microsoft’s deputy general counsel David Howard blogged on Friday,
When we filed this challenge we knew the path would need to start with a magistrate judge, and that we’d eventually have the opportunity to bring the issue to a U.S. district court judge and probably to a federal court of appeals. Today the Magistrate Judge, who originally issued the warrant in question, disagreed with our view and rejected our challenge. This is the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States.
One step on the path to challenging search warrant jurisdiction
The stakes are high. If the US courts ultimately uphold law enforcement’s right to demand the data of European citizens held on European premises for all US companies, and if Europe proceeds with the Schengen Cloud, then Microsoft, Google, Facebook, Twitter and other US tech giants will simply be excluded from Europe. This will hurt the US economy. Firstly these companies will be excluded from one of the world’s most important markets, and secondly it will be a huge boost to the indigenous European tech industry — which will hurt the US economy even more.
After being a long-term supporter of net neutrality, the American Federal Communications Commission (FCC) has taken an axe to it. The current chairman Tom Wheeler is proposing to allow broadband providers to charge content providers for prioritised delivery of their traffic. This mirrors the view of Digital Agenda commissioner Neelie Kroes in Europe. Both claim that it will not negate the principles of net neutrality; and both are attempting to pull the wool over our eyes.
The generally accepted definition of net neutrality was described by the European Data Protection Supervisor Peter Hustinx in October 2011:
The concept of net neutrality builds on the view that information on the Internet should be transmitted impartially, without regard to content, destination or source, and that users should be able to decide what applications, services and hardware they want to use. This means that ISPs cannot, at their own choice, prioritise or slow down access to certain applications or services such as Peer to Peer (‘P2P’), etc.
Net neutrality: an introduction and opinion from the European Data Protection Supervisor
Wheeler and Kroes now both wish to allow providers to prioritise some traffic (on payment of a suitable fee, of course) for the larger content providers. Netflix has already agreed to pay Comcast for a direct connection into its network to get a better service. But the simple math is that from a fixed pot, you cannot give more to one person without giving less to another. By prioritising some traffic, the ISPs will necessarily penalise the rest.
In America the new proposals follow a court decision in January (Verizon v. FCC) that struck down the FCC’s old, genuine net neutrality rules. The basic reason was that broadband providers are not classified as common carriers, so the FCC cannot impose common-carrier obligations on them. The easy solution would have been for the FCC to reclassify the providers as common carriers (which it could do) and bring them back under its regulatory remit. It chose not to do so. Like Kroes, Wheeler is now firmly under the sway of big business.
The effect will be twofold. Prices will rise and innovation will stall. Those providers who find it necessary to pay the broadband providers more to remain competitive will not pay out of their profit — they will increase their subscriptions so that users pay. That’s called capitalism: maximise profits and ignore the consumer.
Innovation will also stall. New fledgling companies with new services will never be able to compete with the big established companies. They will not be able to afford the premium services and will be at a service disadvantage from the word go. By effectively buying up the available bandwidth, the big companies will starve the innovators.
This looks like the death of net neutrality in America under Wheeler. It’s clinging on in Europe despite Kroes. Her style of false neutrality was rejected earlier this month by the European Parliament. But that’s not the end of it. Parliament’s decision needs to be ratified by the national governments — which means that it has still got to get past that friend of big business and scourge of the people, David Cameron.
When Josie Herbert (@phinessence) told me that she intended to cycle up Mount Snowdon as part of her Easter Holiday, my first thought was, Nah. My second thought was, Impossible. My third thought was, But this is Josie.
So I made her promise to send me a photo when she got to the top.
I had an ulterior motive.
Josie kept her end of the bargain. She cycled up Mount Snowdon and sent me a photo from the top. It was at this point that I was going to do a new blog. Based on the photo it was going to be:
Snowdon’s latest revelations!
But I was foiled by the weather. So all that is left is for me to say, “Well done, Josie!”
Remote Access Trojans (RATs) are a blight on the internet – they allow attackers to take complete control of the victim’s computer to do and steal what they wish. Remote Access Tools (also RATs), however, are increasingly valuable for providing remote support to an increasingly distributed workforce. Which is which is not always clear: both give whoever holds the connection full control of the machine, and the only real difference is who that is.
At the end of last month, Trustwave’s David Kirkpatrick looked at the NetSupport remote management application (clearly designed to be one of the latter). He was testing the security of a client and noticed hundreds of computers running NetSupport; and decided to see if any were susceptible to a particular remote buffer overflow vulnerability.
Not wanting to potentially cause disruption to hundreds of clients by running the exploit against all of them, I needed to find the version of the software running and also see if any of the hosts could be taken over using no authentication, for the quick win.
An Intro to NetSupport Manager Scripts
He wrote a script to find out remotely whether the NetSupport installations required authentication, and to connect to any that did not. He found that he could connect to, and therefore use, any installation that did not require user authentication. The implications would be quite severe if
- he didn’t need to do this from within the NetSupport Manager
- the connection did not pop up a warning window on the accessed PC
Since then he has worked on a more covert method to take over NetSupport clients – and today he will announce his success on a new Trustwave SpiderLabs blog post.
Since then [the March post], I’ve written a basic Nmap script that can be used to do a similar function to check whether authentication is required and if not also returns useful NetSupport configuration settings from the hosts. This negates the requirement to use the NetSupport software to find hosts configured with this weakness.
But because the new script probes the hosts directly with Nmap, rather than connecting through the NetSupport Manager console, it doesn’t trip the users’ ‘connect’ warning.
This meant I could run this script across the network and the clients would be unaware I was testing their configuration… But more worryingly, an attacker could remotely connect to the host without the need for a password, bypassing Windows local or domain passwords.
Put bluntly, using this new Nmap script, Kirkpatrick found that he could “easily bypass any Domain or Windows credentials and use NetSupport to remotely connect to the hosts and compromise them.”
What we end up with is the archetypal description of a dual-use weapon. In the hands of a white hat pentester, this script will allow the auditor to rapidly, and with no disturbance to the network, discover which NetSupport installations have not been properly secured by their users. But in the hands of a black hat hacker, it can be used to covertly, completely and remotely take over the user’s PC: the pop-up warning that would normally alert the user is the only detective control in play, and a raw network probe never triggers it. The moral is simple: never accept the out-of-the-box default security settings for any product – if there is an option for password authentication, take it; and always change any default password to one of your own.
The new head of GCHQ is neither a spy by trade nor a hard-hitting political bully — he is a diplomat. Robert Hannigan, selected to replace Sir Iain Lobban as head of Britain’s spy agency GCHQ, comes out of the Foreign Office and is a former adviser to Tony Blair in Northern Ireland.
Ex-colleagues say choice of Foreign Office diplomat as GCHQ chief suggests government is leaving door open to reform
Robert Hannigan: GCHQ director who can balance secrecy and accountability — Guardian
The implication is clear: maybe, just maybe, Cameron has realised the severity not just of public concern and distrust over GCHQ, but of the dismay of our European political allies. It will take some serious diplomacy to soothe some very ruffled feathers. It already seems likely that Britain will be excluded from the EU’s Schengen routing and Schengen cloud (see here for details); and that would put the country at a severe trade disadvantage in our most important export market.
The Guardian goes on to give an example of Hannigan’s diplomacy:
Hannigan rose from being the head of communications in the Northern Ireland Office to running its political affairs department. At one particularly critical moment in the peace talks in 2007, Hannigan helped overcome an impasse between Sinn Féin’s Gerry Adams and the DUP’s Ian Paisley. The latter wanted an adversarial arrangement with the parties glaring at each other across a table; Adams wanted them sitting side by side, as partners. Hannigan suggested a diamond-shaped table as a compromise.
The best of all possible worlds will be that Hannigan’s brief is to open up GCHQ to some form of public transparency. The greater likelihood, however, is that his brief is to pull the diplomatic wool over everyone’s eyes to allow GCHQ to continue as is.