German Government and the Unbreakable Trojan
Embedded, in the German Parliament’s computer network: pernicious malware which will require wiping and reinstallation of software on an unknown number of devices. The intrusion began in early May, with more alarmist reports claiming that total replacement of all hardware and software used in the “Parlekom” network would be required and that the Trojan involved was still transmitting data to an unknown recipient (*cough* they suspect the Russians *cough*). A more measured, possibly saner response from the speaker of the Bundestag on Thursday stated that no hardware will need to be replaced and that no data loss occurred.
Ask Not How This %$*# Toolbar Got Installed In Your Browser…
Designated as malware, by Microsoft security software: the widely-hated Ask Toolbar. This is a result of changes regarding “search protection functionality” – the short version is that any attempt to hijack browser settings is now declared a Bad Thing to be defended against. Since hijacking your browser’s search function is basically all the Ask Toolbar does, Microsoft security software will now flag all but the very latest version as verboten. The Ask Toolbar is bundled with all Java installations (including the frequent updates security-conscious users undergo) and is also found in other bundles such as Symantec’s Norton antivirus products. Ask gets installed by default unless an annoyingly easy-to-miss box is checked off, and it is widely decried for being difficult to completely uninstall (confirmed through past inadvertent testing by SSL.com researchers), but unfortunate readers can use the Ask Toolbar Remover and take other steps as detailed here to root it out of their systems.
Duqu 2.0 vs Kaspersky
Hacked, by parties unknown: Kaspersky Lab, discoverers of Flame malware and the possibly-NSA-related “Equation Group”. The attack used sophisticated techniques and exploits related to Duqu malware (which is itself descended from Stuxnet). Kaspersky has dubbed the software Duqu 2.0 and reports that it employed at least one zero-day Windows exploit, a narrowly targeted spearphishing attack, remote data wipes to remove email and browsing logs, “false flags” to misdirect researchers, and multiple payloads and packages that each target different portions of a compromised network. One peculiar aspect of Duqu 2.0 is the victims selected – Kaspersky found that besides their own system, targeted systems included some supporting the recent nuclear negotiations with Iran and entities commemorating the 70th anniversary of the liberation of Auschwitz-Birkenau. Stuxnet and its brethren are defined as APTs, or advanced persistent threats. It’s a term we expect to hear more frequently going forward, and Duqu 2.0 looks like the most advanced yet found.
Enabled, by analysis of WhatsApp messages: the apprehension by Belgian police of alleged plotters of a terrorist attack. The arrests (of alleged Chechen jihadists) came as a result of messages exchanged using the IM service (recently acquired by Facebook). It is presently unclear exactly which methods were used – metadata analysis or decryption of actual messages – and, if the latter, whether the shoutout to “US authorities” given by the Belgians refers to the NSA. Meanwhile, a bit of dust got kicked up in a scuffle regarding WhatsApp’s encryption methods (which are apparently a work in progress) involving the always-entertaining Moxie Marlinspike.
US CIO Orders Crypto Everywhere
Ordered, by Tony Scott, the US Chief Information Officer: HTTPS-only connections to all Government sites. As Scott notes in his directive (PDF), use of insecure connections “leaves Americans vulnerable to known threats, and may reduce their confidence in their government.” The directive requires HTTPS with HSTS for all external-facing sites by December 31, 2016 (intranets are encouraged but not required). You may remember that we covered this as a non-binding proposal back in March – this week’s announcement is a more definitive requirement with a date certain for action. What makes this even more interesting is that only last week a representative from the FBI stated that internet companies should “prevent encryption above all else”. Tech companies fired back with a trade-group letter to President Obama declaring themselves “opposed to any policy actions or measures that would undermine encryption”. (Meanwhile, legacy issues from the last time the government tried to legislate encryption are still raising serious security risks decades after the fact.)
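For readers who want to check their own sites against the two halves of that requirement (plain HTTP must redirect to HTTPS, and HTTPS responses must carry a Strict-Transport-Security header), here is a small offline checker. It is an added example written for this post, not code from SSL.com or from the directive; the sample responses are constructed, and the one-year minimum max-age is our own assumption rather than a figure the directive states.

```python
"""Offline check of HTTP responses against an HTTPS-only + HSTS policy.

Added example, not from the original post or from the directive. It evaluates
constructed header sets and never contacts a live site.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: we treat one year as the minimum acceptable HSTS max-age.
MIN_MAX_AGE = 31536000


@dataclass
class PolicyResult:
    https_only: bool            # plain HTTP was redirected, or request was already HTTPS
    hsts_present: bool          # Strict-Transport-Security seen on an HTTPS response
    max_age: Optional[int]
    include_subdomains: bool
    problems: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.problems


def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).

    Returns (max_age, include_subdomains); max_age is None when the directive
    is absent or malformed, which browsers treat as an invalid policy.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None, False
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def evaluate(scheme: str, status: int, headers: Dict[str, str]) -> PolicyResult:
    """Judge one response. `scheme` is the scheme the request used."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems: List[str] = []
    if scheme == "http":
        # Browsers ignore HSTS on plain HTTP, so the only acceptable answer is a
        # permanent redirect to an https:// URL.
        location = h.get("location", "")
        redirected = status in (301, 308) and location.lower().startswith("https://")
        if not redirected:
            problems.append("plain-HTTP request was not permanently redirected to HTTPS")
        return PolicyResult(redirected, False, None, False, problems)
    hsts_value = h.get("strict-transport-security")
    if hsts_value is None:
        problems.append("no Strict-Transport-Security header on HTTPS response")
        return PolicyResult(True, False, None, False, problems)
    max_age, include_subdomains = parse_hsts(hsts_value)
    if max_age is None:
        problems.append("HSTS max-age missing or malformed")
    elif max_age < MIN_MAX_AGE:
        problems.append(f"HSTS max-age {max_age} is below {MIN_MAX_AGE}")
    return PolicyResult(True, True, max_age, include_subdomains, problems)


# Constructed sample responses (scheme, status, headers); hostnames are placeholders.
SAMPLE_RESPONSES = {
    "redirects_properly": ("http", 301, {"Location": "https://agency.example.gov/"}),
    "serves_plain_http": ("http", 200, {"Content-Type": "text/html"}),
    "strong_hsts": ("https", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "weak_hsts": ("https", 200, {"strict-transport-security": "max-age=300"}),
    "missing_hsts": ("https", 200, {"Content-Type": "text/html"}),
}


def audit(samples=SAMPLE_RESPONSES) -> Dict[str, bool]:
    """Map each sample name to whether it meets the policy."""
    return {name: evaluate(*resp).compliant for name, resp in samples.items()}


if __name__ == "__main__":
    for name, (scheme, status, headers) in SAMPLE_RESPONSES.items():
        result = evaluate(scheme, status, headers)
        print(f"{name:20} compliant={result.compliant} {result.problems}")
```

To run this against a real site you would feed `evaluate` the scheme, status code and headers from your own HTTP client for both the `http://` and `https://` versions of each hostname; the header lookup is case-insensitive, as it must be, and a policy with a malformed or missing max-age is reported as a failure because browsers discard such a header entirely.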
As always, the security universe is chock-full of interesting items we didn’t get to – so nothing about Apple’s recent, slightly improbable push to position itself as a privacy champion, or a claim that the recent OPM hack compromised every single current Federal employee (plus a couple million retirees), or the assessment of the cost to the US economy from business lost due to NSA practices ($35 billion is the conservative estimate) – but we’ll be back next Friday with more. As always, we at SSL.com appreciate your reading these words, and remind you that a safer internet is a better internet.