Archive for April, 2014

My willy is bigger than yours

April 30, 2014

I got an email yesterday (29 April 2014). It said:

Today the Websense Security Labs found a new vulnerability in Microsoft Internet Explorer which affects Internet Explorer versions 6 through 11. However, current reported attacks are targeting Explorer 9 through 11. The Labs have issued a blog post which outlines solutions for those who have been affected by the attack.

Not another IE 0-day surely? Because FireEye found one just a couple of days ago. On Saturday (26 April 2014) FireEye blogged:

FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue.
New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks

This is strange, because the 0-day ‘found’ by Websense two days later is also given the vulnerability assignment CVE-2014-1776:

A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer versions 6 through 11. However, current reported attacks are targeting only Internet Explorer 9 through 11. The vulnerability allows attackers to remotely execute arbitrary code on the target machine by having the user visit a malicious website.

This vulnerability has been assigned reference CVE-2014-1776…
Microsoft Internet Explorer Zero-day – CVE-2014-1776

In fairness to Websense, its blog does not claim to have found the vulnerability itself – that is left to the email sent to journalists such as myself. But nor does it give any credit to FireEye – which would have been good. Just in case there is any doubt about who really did first discover this particular vulnerability (apart from the hackers of course), Microsoft’s advisory is quite explicit:

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11…

Microsoft thanks the following for working with us to help protect customers:

  • FireEye, Inc. for working with us on the Internet Explorer Memory Corruption Vulnerability (CVE-2014-1776)

Microsoft Security Advisory 2963983

OK. So having established that FireEye really does have the bigger willy, and implying that Websense is a wee bit envious in trying to pass off the discovery as its own… what is this vulnerability? Well, it’s a bad one. Bad enough, in fact, for the European security agency, ENISA, to issue its own advisory (something I am not aware of it having done before).

  • This is a significant threat for IE users as there is no quick fix to repair, and “patch” this
  • Users who want to avoid the abovementioned risk should temporarily use another browser until this security gap has been fixed
  • Users should keep their systems patched and up-to-date
  • Many users have two different browsers installed so they should easily be able to switch. If not, this is a good reason why they should have it; when needed.

This is the best advice I’ve seen. While many experts are advising users not to surf in admin mode, to install EMET and to activate EPM, the majority of IE users will not even know what any of this means. Far simpler, and much more effective, would be to install multiple browsers (I’ve got five: Firefox, Chrome, IE, Safari and Opera); to keep them all fully patched; and to switch between them whenever a new 0-day is discovered for any one of them.

Categories: All, Security Issues

US magistrate makes Schengen internet more likely

April 29, 2014

Microsoft could either see the Schengen Cloud coming or was privy to politicians’ thoughts. In January this year it announced that it would allow European customers to keep their data on servers within Europe. This followed a blog by legal counsel Brad Smith in December 2013 that voiced concern over US surveillance:

And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.
Protecting customer data from government snooping

So when news broke in February that Germany’s Merkel and France’s Hollande were keen on developing a European cloud to protect the privacy of European citizens, Microsoft was in a strong position to say, hey, we’re already with you: European data will remain within Europe; Microsoft can be part of the European cloud. (That proposed cloud is now known as the Schengen Cloud. Since the UK has never joined the Schengen group it is a way of excluding the UK — and specifically GCHQ — from Europe’s cloud.)

Alexander Hanff, Think Privacy Inc

But the reality is different. Privacy expert Alexander Hanff, CEO of Think Privacy Inc, said at the time: “Microsoft knows full well that it makes no difference whether the data is hosted in the US or not. They are a US corporation and therefore any data they hold is vulnerable to the US surveillance machine no matter where it is. It is clear from the announcement that Microsoft (as well as the rest of the cloud industry) is really concerned about losing revenues for cloud services and they know there is a strong movement within Europe (not least by the European Commission) to create infrastructure independent of the US and US tech giants.”

He called it right. Brad Smith had been true to his word and had challenged a US law enforcement demand for customer details held in Ireland. The unnamed LEA had demanded everything on the customer, including the content of emails, user’s contact lists, IP addresses and even bank details. Microsoft went to court. It argued that warrants could not be served overseas, and that the warrant should be negated.

On Friday, a US magistrate delivered his decision. He said that while the LEA demand was couched as a warrant, because it involved telecommunications it was to be enacted as a subpoena — and subpoenas can be enforced on overseas locations. Thus, as Hanff had predicted, it matters not where a US company stores its data, the PATRIOT Act can demand and enforce access to it.

In fairness, Microsoft seems to have expected this. It will appeal. Microsoft’s deputy general counsel David Howard blogged on Friday,

When we filed this challenge we knew the path would need to start with a magistrate judge, and that we’d eventually have the opportunity to bring the issue to a U.S. district court judge and probably to a federal court of appeals. Today the Magistrate Judge, who originally issued the warrant in question, disagreed with our view and rejected our challenge. This is the first step toward getting this issue in front of courts that have the authority to correct the government’s longstanding views on the application of search warrants to content stored digitally outside the United States.
One step on the path to challenging search warrant jurisdiction

The stakes are high. If the US courts ultimately uphold law enforcement’s right to demand the data of European citizens held on European premises for all US companies, and if Europe proceeds with the Schengen Cloud, then Microsoft, Google, Facebook, Twitter and other US tech giants will simply be excluded from Europe. This will hurt the US economy. Firstly these companies will be excluded from one of the world’s most important markets, and secondly it will be a huge boost to the indigenous European tech industry — which will hurt the US economy even more.

Categories: All, Politics, Security Issues

Has big business won; has net neutrality died in America?

April 25, 2014

Tom Wheeler – doesn’t want net neutrality

After being a long-term supporter of net neutrality, the American Federal Communications Commission (FCC) has taken an axe to it. The current chairman Tom Wheeler is proposing to allow broadband providers to charge larger content providers larger fees. This mirrors the view of Digital Agenda commissioner Neelie Kroes in Europe. Both claim that it will not negate the principles of net neutrality; and both are attempting to pull the wool over our eyes.

The generally accepted definition of net neutrality was described by the European Data Protection Supervisor Peter Hustinx in October 2011:

The concept of net neutrality builds on the view that information on the Internet should be transmitted impartially, without regard to content, destination or source, and that users should be able to decide what applications, services and hardware they want to use. This means that ISPs cannot, at their own choice, prioritise or slow down access to certain applications or services such as Peer to Peer (‘P2P’), etc.
Net neutrality: an introduction and opinion from the European Data Protection Supervisor

Neelie Kroes – does not want net neutrality

Wheeler and Kroes now both wish to allow providers to prioritise some traffic (on payment of a suitable fee, of course) for the larger content providers. Netflix has already agreed to pay Comcast more for a better service. But the simple math is that from a fixed pot, you cannot give more to one person without giving less to another. By prioritizing some traffic, the ISPs will necessarily penalise others.

In America the new proposals follow a court case in February that declared the old genuine net neutrality rules of the FCC to be illegal. The basic reason was that the ISPs do not fall within the FCC’s regulatory remit. The easy solution would have been for the FCC to redefine the providers as common carriers (which it could do) and bring them back under its regulatory remit. It chose not to do so. Like Kroes, Wheeler is now firmly under the sway of big business.

The effect will be twofold. Prices will rise and innovation will stall. Those providers who find it necessary to pay the broadband providers more to remain competitive will not pay out of their profit — they will increase their subscriptions so that users pay. That’s called capitalism: maximise profits and ignore the consumer.

Innovation will also stall. New fledgling companies with new services will never be able to compete with the big established companies. They will not be able to afford the premium services and will be at a service disadvantage from the word go. By effectively buying up the available bandwidth, the big companies will starve the innovators.

This looks like the death of net neutrality in America under Wheeler. It’s clinging on in Europe despite Kroes. Her style of false neutrality was rejected earlier this month by the European Parliament. But that’s not the end of it. Parliament’s decision needs to be ratified by the national governments — which means that it has still got to get past that friend of big business and scourge of the people, David Cameron.

Categories: All, Politics, Security Issues

Well done, Josie

April 24, 2014

When Josie Herbert (@phinessence) told me that she intended to cycle up Mount Snowdon as part of her Easter Holiday, my first thought was, Nah. My second thought was, Impossible. My third thought was, But this is Josie.

So I made her promise to send me a photo when she got to the top.

Josie Herbert at the top of Snowdon
I had an ulterior motive.

Josie kept her end of the bargain. She cycled up Mount Snowdon and sent me a photo from the top. It was at this point that I was going to do a new blog. Based on the photo it was going to be:

Snowdon’s latest revelations!

But I was foiled by the weather. So all that is left is for me to say, “Well done, Josie!”

Categories: All

When is a remote access tool a remote access trojan?

April 23, 2014

Remote Access Trojans (RATs) are a blight on the internet – they allow attackers to take complete control of the victim’s computer to do and steal what they wish. Remote Access Tools (RATs), however, are increasingly valuable to provide remote support to an increasingly distributed workforce. Which is which is not always clear.

At the end of last month, Trustwave’s David Kirkpatrick looked at the NetSupport remote management application (clearly designed to be one of the latter). He was testing the security of a client and noticed hundreds of computers running NetSupport, and decided to see if any were susceptible to a particular remote buffer overflow vulnerability.

Not wanting to potentially cause disruption to hundreds of clients running the exploit against all of them, I needed to find the version of the software running and also see if any of the hosts could be taken over using no authentication, for the quick win.
An Intro to NetSupport Manager Scripts

He wrote a script to remotely find out whether the NetSupport installations required specific authentication, and to see if he could connect when they did not. He found that he could connect to, and therefore use, any installation that did not require user authentication. The implications would be quite severe if

  1. he didn’t need to do this from within the NetSupport Manager
  2. the connection did not pop up a warning window on the accessed PC

Since then he has worked on a more covert method to take over NetSupport clients – and today he will announce his success on a new Trustwave SpiderLabs blog post.

Since then [the March post], I’ve written a basic Nmap script that can be used to do a similar function to check whether authentication is required and if not also returns useful NetSupport configuration settings from the hosts. This negates the requirement to use the NetSupport software to find hosts configured with this weakness.

But by coming via Nmap from outside of the network, the new script doesn’t trip the users’ ‘connect’ warning.

This meant I could run this script across the network and the clients would be unaware I was testing their configuration… But more worryingly, an attacker could remotely connect to the host without the need for a password, bypassing Windows local or domain passwords.

The information returned by Kirkpatrick’s Nmap script
Put bluntly, using this new Nmap script, Kirkpatrick found that he could “easily bypass any Domain or Windows credentials and use NetSupport to remotely connect to the hosts and compromise them.”

What we end up with is the archetypal description of a dual-use weapon. In the hands of a white hat pentester, this script will allow the auditor to rapidly, and with no disturbance to the network, discover which NetSupport installations have not been properly secured by their users. But in the hands of a black hat hacker, it can be used to covertly, completely and remotely take over the user’s PC. The moral is simple: never accept the out-of-the-box default security settings for any product – if there is an option for password authentication, take it; and always change any default password to one of your own.

Categories: All, Security Issues

The Julie Ann Horvath story is just the tip of the iceberg

April 22, 2014

The GitHub/Horvath saga should make for uncomfortable reading for all companies; and especially tech companies. It exposes an uncomfortable work environment that lies above legality but below acceptability — women are harassed and bullied in the work environment; and I would suggest this happens more often than not.

Julie Ann Horvath felt forced to resign from GitHub. Her story is recounted by TechCrunch. She described what amounts to bullying by an unnamed but obvious co-founder and his wife, and sexual harassment from an unnamed colleague.

While the above was going on, Horvath had what she referred to as an awkward, almost aggressive encounter with another GitHub employee, who asked himself over to “talk,” and then professed his love, and “hesitated” when he was asked to leave. Horvath was in a committed relationship at the time, something this other employee was well aware of, according to Horvath.

The rejection of the other employee led to something of an internal battle at GitHub. According to Horvath, the engineer, “hurt from my rejection, started passive-aggressively ripping out my code from projects we had worked on together without so much as a ping or a comment. I even had to have a few of his commits reverted. I would work on something, go to bed, and wake up to find my work gone without any explanation.” The employee in question, according to Horvath, is both “well-liked at GitHub” and “popular in the community.” [And has apparently since been promoted]
Julie Ann Horvath Describes Sexism And Intimidation Behind Her GitHub Exit — TechCrunch

She got precious little support from HR and eventually left.

GitHub suspended Tom Preston-Werner. CEO and co-founder Chris Wanstrath announced,

We know we have to take action and have begun a full investigation. While that’s ongoing, and effective immediately, the relevant founder has been put on leave, as has the referenced GitHub engineer.
Update on Julie Horvath’s Departure

The result of that investigation has now been announced:

The investigation found no evidence to support the claims against Tom and his wife of sexual or gender-based harassment or retaliation, or of a sexist or hostile work environment. However, while there may have been no legal wrongdoing…
Results of the GitHub Investigation

This is arse-covering of the first order. There has been no ‘legal wrongdoing’; and yet Tom Preston-Werner has resigned. GitHub is forced to protect itself legally — as any company would. But the problem with this is that it allows a divisive and bullying culture to continue because it is within the bounds of legality.

This sort of culture was described by Asher Wolf more than a year ago in her article, Dear Hacker Community – We Need To Talk:

Some parts of this article deal with misogyny, sexism, and harassment, while other aspects of it respond to experiences of down-right douche-baggery.

It doesn’t apply to all of you, but a number of you engage in it and many of you are bystanders.
Dear Hacker Community – We Need To Talk

Asher Wolf is no shrinking violet.

And yes, after I quit I said “fuck” a whole lot, and cried an ocean, then packed my son the toddler off to my mother’s house for the night and got profoundly drunk.

And now I’m ready to talk about the arse-hattery that basically broke me over the last few months.

I’m not some wall-flower or “pearl-clutching” provoker of needless moral outrage.

The experiences of Julie Ann Horvath and Asher Wolf are, I believe, the tip of the iceberg; and it is something that business needs to address. It seems to be worst in male-dominated professions — and engineering is one of the worst.

I don’t know the answer. As long as there is a ‘legal’ threshold, anything beneath that line is fair game and will continue — unless and until Asher Wolf’s bystanders cease to be bystanders. The good men in this world need to stand up and step in.

Otherwise weak men will continue to bully women because they are afraid and jealous of their professional abilities, and because they can.

Categories: All

Diplomat to be new head of GCHQ

April 16, 2014

Robert Hannigan — new head of GCHQ

The new head of GCHQ is neither a spy by trade nor a hard-hitting political bully — he is a diplomat. Robert Hannigan, selected to replace Sir Iain Lobban as head of Britain’s spy agency GCHQ, comes out of the Foreign Office and is a former adviser to Tony Blair in Northern Ireland.

Ex-colleagues say choice of Foreign Office diplomat as GCHQ chief suggests government is leaving door open to reform
Robert Hannigan: GCHQ director who can balance secrecy and accountability — Guardian

The implication is clear: maybe, just maybe, Cameron has realised the severity of not just public concern and distrust over GCHQ, but the dismay of our European political allies. It will take some serious diplomacy to soothe some very ruffled feathers. It already seems likely that Britain will be excluded from the EU’s Schengen-routing and Schengen-cloud (see here for details); and that would put the country at a severe trade disadvantage in our most important export market.

The Guardian goes on to give an example of Hannigan’s diplomacy:

Hannigan rose from being the head of communications in the Northern Ireland Office to running its political affairs department. At one particularly critical moment in the peace talks in 2007, Hannigan helped overcome an impasse between Sinn Féin’s Gerry Adams and the DUP’s Ian Paisley. The latter wanted an adversarial arrangement with the parties glaring at each other across a table; Adams wanted them sitting side by side, as partners. Hannigan suggested a diamond-shaped table as a compromise.

The best of all possible worlds will be that Hannigan’s brief is to open up GCHQ to some form of public transparency. The greater likelihood, however, is that his brief is to pull the diplomatic wool over everyone’s eyes to allow GCHQ to continue as is.

Categories: All, Politics, Security Issues