Category Archives: Things that are bad

Timeline: NSA hacking tool to WannaCry

A recent Washington Post article is helping to answer some questions about Microsoft’s actions in recent months. Here’s a timeline of events:

2012 (or possibly earlier): The NSA identifies a vulnerability in Windows that affects all existing versions of the operating system, and has the potential to allow almost unfettered access to affected systems. A software tool — an exploit — is developed either for, or by, the NSA. The tool is called EternalBlue. People at the NSA worry about the potential damage if the tool or the vulnerability became public knowledge. They decide not to tell anyone, not even Windows’ developer, Microsoft.

EternalBlue finds its way into the toolkit of an elite hacking outfit known as Equation Group. Although it’s difficult to know for certain, this group is generally assumed to be operating under the auspices of the NSA. Equation Group may work for the NSA as contractors, or they may simply be NSA employees. Regardless, the group’s actions seem to align with those of the NSA: their targets are generally in places like Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

Early to mid-2016: A hacking group calling themselves The Shadow Brokers somehow gains access to NSA systems or data, and obtains copies of various NSA documents and tools. Among those tools is EternalBlue.

August, 2016: The Shadow Brokers begin publishing their NSA haul on public services like Tumblr.

January 7, 2017: The Shadow Brokers begin selling tools that are related to EternalBlue.

Late January to early February 2017: The NSA finally tells Microsoft about the vulnerability exploited by EternalBlue. We don’t know exactly when this happened, but it clearly happened. The NSA was Microsoft’s source for this vulnerability.

February 14, 2017: Microsoft announces that February’s Patch Tuesday updates will be postponed. Their explanation is vague: “we discovered a last minute issue that could impact some customers.

Late February 2017: The Windows SMB vulnerability exploited by EternalBlue is identified publicly as CVE-2017-0144.

March 14, 2017: March’s Patch Tuesday updates from Microsoft include a fix for CVE-2017-0144, MS17-010. The update is flagged as Critical and described as Security Update for Microsoft Windows SMB Server (4013389). Nothing in Microsoft’s output on March 14 calls special attention to this update.

April 14, 2017: The Shadow Brokers release 300 megabytes of NSA material on Github, including EternalBlue.

May 12, 2017: WannaCry ransomware infection wave begins. The malware uses EternalBlue to infect vulnerable computers, mostly Windows 7 PCs in Europe and Asia. Infected computers clearly had not been updated since before March 14, and were therefore vulnerable to EternalBlue.


It’s now clear that the NSA is the real problem here. They had several opportunities to do the right thing, and failed every time, until it was too late. The NSA’s last chance to look at all good in this matter was after the vulnerability was made public, when they should have made the danger clear to the public, or at least to Microsoft. Because, after all, they knew exactly how useful EternalBlue would be in the hands of… just about anyone with bad intent.

Everyone involved in this mess acted foolishly. But whereas we’ve grown accustomed to corporations caring less about people than about money, government institutions — no matter how necessarily secretive — should not be allowed to get away with what the NSA has done. Especially when you consider that this is just the tip of the iceberg. For every WannaCry, there are probably a thousand other threats lurking out there, all thanks to the clowns at the NSA.

Ars Technica’s analysis.

Techdirt’s analysis.

WannaCry update

According to Kaspersky Labs, almost all of the computers infected with WannaCry (WCry, WannaCrypt) were running Windows 7. A small percentage (less than 1%) were running Windows XP.

Microsoft released updates in March 2017 which — if installed — protect Windows 7 computers from WannaCry infections. So all those Windows 7 WannaCry infections were only possible because users failed to install updates. This is a good argument for either enabling automatic updates, or being extremely diligent about installing updates as soon as they become available.

A researcher at Quarkslab discovered a method for decrypting files encrypted with WannaCry, although it only works on Windows XP, and only if the computer has not been restarted since the files were encrypted.

Building on the discoveries of Quarkslab, researchers at Comae Technologies and elsewhere developed a tool that can decrypt files encrypted by WannaCry on Windows 7 as well as XP. The new tool — dubbed wanakiwi by its developers — uses the same technique as its predecessor and has the same limitation: it doesn’t work if the infected computer has been restarted since encryption occurred.

The Register points out that while the NSA was hoarding exploits, Microsoft was doing something similar with patches. Microsoft is in fact still creating security updates for Windows XP and other ‘unsupported’ software; they just don’t normally make those updates available to the general public. Instead, they are only provided to enterprise customers, which pay substantial fees for the privilege. When Microsoft released the Windows XP patch in response to the WannaCry threat, the patch was already developed; all Microsoft had to do was make it available to the general public. Sure, developing updates costs money, and Microsoft wants to recover those costs somehow, but it seems clear that we would all be better off if they made all updates available to everyone.

Bruce Schneier provides a useful overview of WannaCry, and how best to protect yourself. From the article: “Criminals go where the money is, and cybercriminals are no exception. And right now, the money is in ransomware.”

Update 2017May21: Analysts have confirmed that WannaCry’s initial infections were accomplished by scanning the Internet for computers with open Server Message Block ports, then using the EternalBlue SMB exploit to install the ransomware. Once installed on any computer, WannaCry spread to other vulnerable computers on the same local network (LAN). Earlier assumptions about WannaCry using spam and phishing emails to spread were not accurate.

WannaCrypt variants infecting systems worldwide

The accidental stifling of WannaCrypt’s spread was too good to last, apparently. New versions of the ransomware — unaffected by the serendipitous domain registration of a security researcher — are now making their way around the world. You can even watch the malware spread using MalwareTech’s WannaCrypt live feed.

Our advice remains the same: make sure all your Windows computers have the relevant updates installed, including Windows XP. Microsoft’s Customer Guidance for WannaCrypt attacks is a good place to start; there are links to the updates at the bottom of that page. For more information about the exploit used by WannaCrypt, see Microsoft’s MS17-010 bulletin from March 14.

SANS has a good summary of the technical aspects of WannaCrypt.

Update 2017May16: There’s plenty of blame to go around for this mess. Microsoft is being criticized for abandoning Windows XP when it’s still widely used. Meanwhile, Microsoft is blaming the NSA’s vulnerability hoarding.

WannaCrypt ransomware: Microsoft issues updates for unsupported Windows

Ransomware known as WannaCrypt (aka WCry, WannaCry) has already crippled as many as 75,000 unpatched Windows computers in Europe and Asia. So far it hasn’t done much damage in North America, but that could change quickly.

The flaw WannaCrypt uses to infect Windows computers was patched by Microsoft in March, but unpatched computers and those running unsupported versions of Windows were left unprotected.

Microsoft has long since stopped releasing security updates for Windows XP, but WannaCrypt is spreading quickly, and Windows XP computers are essentially defenseless against it. So Microsoft has taken the unprecedented step of publicly releasing an update that protects Windows XP computers from the flaw that WannaCrypt uses to spread.

If you manage any computers that run Windows XP, you should install the update immediately: download update for 32-bit Windows XP Service Pack 3. There’s more information about this from Microsoft.

Techdirt points out that the flaw WannaCrypt exploits was exposed in the recent NSA tool leaks. Which is exactly the problem when security organizations hoard flaws instead of reporting them responsibly.

Update 2017May14: Apparently a security researcher at MalwareTech registered a (previously unregistered) domain used by WannaCrypt as part of his investigation into the ransomware. This is standard practice, because it often allows researchers to gain a better understanding of their subject. Surprisingly, this move stopped WannaCrypt from doing any further damage.

The latest guidance from NCSC.

Don’t use Edge to print or create PDF files

A bizarre bug in Microsoft’s Edge web browser is baffling users. Depending on the selected printer and other factors, attempting to print a PDF file, or use Edge’s ‘Print to PDF’ function, will cause random changes in the output. The changes are difficult to detect: we’re not talking about the usual kind of printer garbage. For example, users are reporting shifted cell numbers, added words and symbols, and substitution of words and characters.

If you’re printing invitations to a neighbourhood barbecue, this issue is unlikely to cause any serious problems, but what if you’re printing legal, medical, or architectural documents?

Microsoft hasn’t said much about this yet, but according to at least one bug report, they are at least aware of the problem. Which is good, because Microsoft just announced that Windows 10 is running on 500 million devices; Edge is the default browser on all those devices, and Print to PDF is the default printer on many.

My advice? If you use Windows 10, don’t use Edge at all if you can avoid it: try Firefox or Chrome. If you must use Edge, use a different PDF reader to view and print PDF files. Adobe’s Reader is free and actually works as expected.

Vulnerability in Microsoft’s anti-malware software

All of Microsoft’s anti-malware software is based on a common core: MsMpEng, the Malware Protection service. That includes Microsoft Security Essentials, System Centre Endpoint Protection, and Windows Defender. If your PC is running Windows, there’s a good chance that MsMpEng is running as well.

Which is bad, because Google’s Project Zero just discovered a vulnerability in Microsoft’s anti-malware engine that has the potential to provide almost unlimited access to any computer running MsMpEng. The vulnerability can be exploited in various ways, including via specially-crafted email that can do its damage without even being opened.

Project Zero’s analysis includes a proof of concept, and shows that the vulnerable component of MsMpEng is nscript, which analyzes any file or activity that appears to be Javascript.

I just checked my Windows 8.1 test PC, and although Windows Defender is disabled, MpMpEng is running, describing itself as ‘Antimalware Service Executable’. On my Windows 7 test PC, I’ve installed Avast, which was supposed to have disabled Microsoft’s software; but again I see that MsMpEng is running.

If Windows Defender is disabled, why is MsMpEng running? If it’s disabled, is the computer still vulnerable to this exploit? I’d like to think that even though MsMpEng is running, it’s not actively analyzing file and network activity, in which case the vulnerability would be mitigated. But it’s difficult to know for sure.

In any case, Microsoft has issued an update, and since all of their various anti-malware offerings update themselves automatically, most Windows systems may already have the necessary fix in place. You can find out by checking your software’s ‘About’ information. For example, if you’re running Windows Defender for Windows 8.1, double-click the blue shield icon to open its interface, then click the small triangle next to Help and select About. In the About dialog, look for Engine Version; if it’s 1.1.13704.0 or later, it’s up to date.

Report from Ars Technica.

It’s probably a good idea to stop using LastPass right now

Password management tools are generally a good thing. Most of us have so many passwords now that remembering them all is difficult. While it’s tempting to use one or two passwords everywhere, this is generally viewed as a bad idea. Same goes for short or easy-to-guess passwords: bad idea.

I recommend using password management software that runs natively, on your computer. I personally use Password Corral, and have used Bruce Schneier’s Password Safe. Both store your password data on your computer, not on someone else’s computer (aka ‘the cloud’). Both are relatively basic in terms of functionality: they allow you to store all of your passwords securely; password data is encrypted and protected by a master password. They can also generate new, random passwords.

There are plenty of other password management solutions out there. Some of the most popular ones, like LastPass, provide more features and are easier to use, but there’s typically a cost. For instance, it would definitely be convenient if I could access my passwords from any computer. But if that means my password data is stored on the cloud somewhere, well, no thanks. The same goes for browser extensions that enter passwords automatically.

Which brings us to yesterday, when a Google Project Zero security researcher reported a serious vulnerability in the LastPass browser extension. With the extension enabled in your browser, a malicious web site could steal all of your passwords from the LastPass data files. Yikes. But wait, there’s more! If you’re also running the main LastPass software on your computer, a malicious web site could execute arbitrary code on your computer.

LastPass issued a response to this report, confirming the problem. Their advice to users is vague, but that’s actually a good thing: if they said too much, it could provide clues about the vulnerability to malicious hackers. But the message is clear: if you have to use LastPass, disable the Lastpass browser plugin:

Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.

Interestingly, of the three recommendations provided, two are standard advice for anyone who uses the web: enable and use Two-Factor Authentication for sites and services that offer it; and be wary of phishing attempts.

Windows 10 cumulative updates hopelessly botched

Recently I noticed that my Windows 10 test PC wasn’t staying logged in. Every morning, despite not having logged out the day before, I was seeing the login screen. A bit of poking around in the Windows 10 settings showed that Windows was trying to install update KB4013429, rebooting to complete the install, failing to complete the install, and rolling back the changes. Rinse and repeat daily, since March 14.

Searching online, I immediately found other people experiencing this problem. No official solution from Microsoft, but plenty from other users, including what turned out to be the only thing that worked for many: a total reinstall of Windows 10.

One user pointed to an interesting tool, available in the TechNet Script Center, called Reset Windows Update Agent. (Note: this script was created and submitted by a non-Microsoft contributor, not by Microsoft.) Since I wasn’t getting anywhere looking for an official solution, I tried the tool’s main feature, which does indeed reset all things Windows Update. After rebooting, Windows successfully installed a few updates, then started to install ‘Cumulative Update for Windows 10 Version 1607 (KB4015438)’, which Microsoft issued on March 20 to address problems with KB4013429. But that update also failed to install, and now we’re back in our daily loop.

I considered contacting Microsoft about this, but then I remembered my previous encounters with Microsoft support, shuddered, and thought better of it. After all, Microsoft already knows my PC is having trouble installing this update, because of all the telemetry in Windows 10, right? If anything, they should be contacting me with a solution. Yeah, right. Like that would ever happen.

I really don’t want Microsoft to be in a position to make my life miserable, especially now that they can do that remotely, without my explicit consent, and usually without my knowledge. At a time when Microsoft should be showing us just how much they’ve learned about managing Windows updates, they seem to be getting worse.

I sympathize with anyone who tries to do anything productive with Windows 10. I only use it for testing and media playback, but even so, this is the end of the line for my relationship with Windows 10. I’ll be installing Linux Mint MATE next.

Update 2017Apr30: I decided to call Microsoft after all. I figured it was only fair to give them one last chance. The call was relatively painless; I was only on hold for a few minutes. The tier one support person I spoke with identified himself as such and was happy to escalate my problem to the next support tier once it became clear he couldn’t help. We arranged a callback from tier two support, which happened yesterday. Both support people I spoke with started by asking if they could start a remote session to the affected computer, which I declined in both cases. I understand being able to control a computer remotely makes support much easier, but I’m just not comfortable with the idea. The tier two guy confirmed that Microsoft knows about this problem and is working on it. He also confirmed that lots of people are reporting the same problem. Unfortunately, the only fix he could provide was to hide the troublesome update, so that it stops trying to install every day. The ability to hide updates exists in the classic Windows Update, but that feature was removed from Windows 10, so a special download was required. The Microsoft support article “How to temporarily prevent a driver update from reinstalling in Windows 10” includes a link to a tool called the Show or hide updates troubleshooter package. I downloaded and ran the tool, and it listed a few pending updates, including the most recent failing cumulative update. I hid that update, and so far so good: the computer no longer tries to install the update daily. According to the tier two support guy, when Microsoft finds a fix, they’ll include it with a subsequent cumulative update, and all will be well with the world. But in the meantime, my Windows 10 PC isn’t getting security updates. So it’s not much of a solution. Linux, here we come.

They’re here: ads in Windows 10

We called it. Microsoft denied it. Now the reality of advertising in Windows has arrived. We’re not talking about the tiny, easily-ignored ads commonly seen in Skype, either. The ads that just started appearing in Windows 10 are hard to miss, and they’re in Windows Explorer, arguably the core user interface of the system.

Of course Microsoft is calling these ads ‘tips’ and insists that they just provide helpful information to Windows 10 users. Okay, let’s take a look at what users are seeing:

You be the judge: is this an advertisement?

You may disagree, but in my opinion, that’s an ad. It might as well say “Your Advertisement Here” or “Advertise In This Space”. At this stage, I’m sure we’ll only see ads from Microsoft in Explorer, but once the anger subsides, it’s difficult to imagine Microsoft won’t start selling that space – and others like it – to the highest bidder.

That’s right, Windows 10 really is an advertising platform, just as we’ve been saying all along. It explains why Microsoft was so happy to give away the O/S to anyone who upgraded from an earlier version, why they pushed so hard and literally tricked people to upgrade from earlier versions, why they included so much user activity tracking in Windows 10, and why they retrofitted that tracking into earlier versions when people failed to upgrade in sufficient numbers.

Clearly, the underlying reason for Microsoft’s advertising-in-Windows strategy is simply the enormous amount of money being made by Google from advertising.

Linux is looking a lot better now, isn’t it?

Analysis from The Verge and Ars Technica.

Update 2017Mar17: Tom Warren over at The Verge reacts to the new ads in Windows 10. He describes it as an ‘infestation’, and I agree with his assessment.

Nasty Cloudflare bug leaked sensitive information for months

Cloudflare provides caching, proxy, and security services for thousands of web sites, including some very popular ones like digitalocean.com, patreon.com, bitpay.com, news.ycombinator.com, medium.com, 4chan.org, yelp.com, okcupid.com, zendesk.com, uber.com, 23andme.com, curse.com, and minecraftforum.net.

For about five months, starting in September 2016, a truly awful bug in Cloudflare’s services caused private information from sites hosted by Cloudflare to be leaked to unrelated systems. Since the leaked information was merrily crawled and stored by all the major search engines, all that data became available to the entire planet.

The leaked data includes just about everything you wouldn’t want leaked, such as encryption keys, cookies, passwords, private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings.

My initial reaction to the news of this leak was relief, because I don’t use Cloudflare for any of my (or my clients’) web sites. But I use other web sites and services that use Cloudflare, so my private information may have been leaked. Almost anyone who uses the web actively could be affected by this bug, and its fallout.

The bug itself has been fixed by Cloudflare. The major search engines are working with Cloudflare to scrub related private information from their databases. But the damage has already been done.

What should you do?

If you run any web sites or services that use Cloudflare, you should take action immediately, by invalidating all user sessions (e.g. login cookies). How this is done depends on the platform you’re using (WordPress, Joomla, etc.) You should probably recommend to your members/subscribers that they change their passwords.

If you use any of the affected sites or services, you should probably change the associated passwords. This may turn out to be overkill, but it’s difficult to know for certain.

The full extent of the damage caused by this bug remains to be seen. In the worst case scenario, malicious hackers noticed the bug when it first appeared, and proceeded to gather leaked information for months.

References

Continue reading Nasty Cloudflare bug leaked sensitive information for months