’s Friday Security Roundup – June 12, 2015

SSL_com_logo Hard to believe that today marks 19 years since the Communications Decency Act of 1996 was successfully challenged in Federal court. The CDA, as the grayer ponytails among us will remember, was a poorly-crafted bundle of legislation intended to save Americans from various unspeakable horrors made available by the shiny new Information Superhighway. The decision we commemorate today struck down the CDA’s more egregious sections, since they conflicted with First Amendment rights. The CDA is still very relevant due to Section 230, which protects online service providers from liability for the words and actions of their users and is described by the Electronic Frontier Foundation as “crucial to the free flow of expression online“. Without Section 230 we probably wouldn’t have Gmail, Twitter or Facebook (and definitely wouldn’t have Reddit).

In our run-up to Flag’s Friday Security Roundup is pleased to salute the U.S. political process (we know, sounds kind of weird to us, too) and of course to honor free speech in all its forms (even the dumb ones) – and happy as ever to present some of the security issues we’ve been following this week.

German Government and the Unbreakable Trojan

Embedded, in the German Parliament’s computer network: pernicious malware which will require wiping and reinstallation of software on an unknown number of devices. The intrusion began in early May, with more alarmist reports claiming that total replacement of all hardware and software used in the “Parlekom” network would be required and that the Trojan involved was still transmitting data to an unknown recipient (*cough* they suspect the Russians *cough*). A more measured, possibly saner response from the speaker of the Bundestag Thursday stated that no hardware will need to be replaced and that no data loss occurred.

Status: Ziemlich schrecklich. We will follow this story with interest (we’re interested in more detailed forensics on the Trojan, used for instance). Interesting to us: the investigation is complicated by ongoing fallout of the Snowden revelations and a resulting serious lack of trust (link in German) between different sections of the German polity. Several Bundestag members thus refused access to their systems to investigators from the Bundesnachrichtendienst (the German foreign intelligence service) due to ill will and suspicion that the BND is a little too pally with the US National Security Agency.

Ask Not How This %$*# Toolbar Got Installed In Your Browser…

Designated as malware, by Microsoft security software: the widely-hated Ask Toolbar. This is a result of changes regarding “search protection functionality” – the short version is that any attempt to hijack browser settings is now declared a Bad Thing to be defended against. Since hijacking your browser’s search function is basically all the Ask Toolbar does, Microsoft security software will now flag all but the very latest version as verboten. The Ask Toolbar is bound into all Java installations (including the frequent updates security-conscious users undergo) but also found in other bundles like Symantic’s Norton antivirus products. Ask gets installed by default unless an annoyingly easy-to-miss box is checked off, and widely decried for being difficult to completely uninstall (confirmed through past inadvertent testing by researchers), but unfortunate readers can use the Ask Toolbar Remover and take other steps as detailed here to root it out of their systems.

Status: About damn time. Browser hijacking is terrifically annoying in the case of Ask Toolbar, but something to be wary of whenever installing unknown software from sketchy sources (and Java updates from Oracle). declares our undying hatred for crapware in all its forms, from foistware like Ask Toolbar to genuinely dangerous products like Superfish – a controversial position, we know, but one we stand behind.

Duqu 2.o vs Kapersky

Hacked, by parties unknown: Kaspersky Lab, discoverers of Flame malware and the possibly-NSA-related “Equation Group“. The attack used sophisticated techniques and exploits related to Duqu malware (which is itself descended from Stuxnet). Dubbed Duqu 2.o, Kaspersky reports the software employed at least one zero-day Windows exploit, a narrowly-targeted spearphishing attack, remote datawipes to remove email and browsing logs, “false flags” to misdirect researchers, and multiple payloads and packages that target specific different portions of a compromised network. One peculiar aspect of Duqu 2.0 is the victims selected – Kaspersky found that besides their own system, targeted systems included some supporting the recent nuclear negotiations with Iran and entities commemorating the 70th anniversary of the liberation of Auschwitz-Birkenau. Stuxnet and its brethren are defined as APTs, or advanced persistent threats.  It’s a term we expect to hear more frequently going forward, and Duqu 2.0 looks like the most advanced yet found.

Status: The genie looks to be out of the bottle, folks. We expect more (and worse) such stories to follow, sadly. A representative of Kaspersky described this exploit as part of an “arms race,” and the New York Times recently called for negotiations for cyber arms control – but the anonymous-or-deniable nature of state-sponsored, extremely skilled and sharply focused attacks like Duqu 2.0 suggest that control is going to be difficult at best. The Kaspersky folks, incidentally, are to be applauded for releasing full details of this attack (technical PDF)- as they note, “For a security company, one of the most difficult things is to admit falling victim to a malware attack”, but full marks for transparency here.

WhatsApp, Gang?

Enabled, by analysis of WhatsApp messages: The apprehension by Belgian police of alleged plotters of a terrorist attack. The arrests (of members of alleged Chechen jihadists) came as a result of messages exchanged using the IM service (recently acquired by Facebook). It is presently unclear as to the exact methods used – metadata analysis or decryption of actual messages – and, if the latter, whether the shoutout to “US authorities” given by the Belgians refers to the NSA. Meanwhile, a bit of dust got kicked up in a scuffle regarding WhatsApp’s encryption methods (which are apparently a work in progress) involving the always-entertaining Moxie Marlinspike.

Status: Real gangsters use ICQ, anyhow.

US CIO Orders Crypto Everywhere.

Ordered, by Tony Scott, the US Chief Information Officer: HTTPS-only connections to all Government sites. As Scott notes in his directive (PDF), use of insecure connections “leaves Americans vulnerable to known threats, and may reduce their confidence in their government.” The requirement will require HTTPS with HSTS for all external-facing sites by December 31, 2016 (intranets are encouraged but not required). You may remember that we covered this as a non-binding proposal back in March – this week’s announcement is a more definitive requirement with a date certain for action. What makes this even more interesting is that only last week a representative from the FBI stated that internet companies should “prevent encryption above all else“. Tech companies fired back with a trade-group letter to President Obama declaring themselves “opposed to any policy actions or measures that would undermine encryption“. (Meanwhile, legacy issues from the last time the government tried to legislate encryption are still raising serious security risks decades after the fact.)

Status: Top marks. agrees that encryption is a positive way to reduce vulnerability and increase confidence for internet users. We also note that Wikipedia announced site-wide HTTPS-only connections with HSTS just today, and even Microsoft finally introduced HSTS in all flavors of IE 11 this week. No single security method is a cure-all, of course, but the trend towards HTTPS-with-HSTS adoption is a welcome move.

As always, the security universe is chock-full of interesting items we didn’t get to – so nothing about Apple’s recent, slightly improbable push to position itself as a privacy champion, or a claim that the recent OPM hack compromised every single current Federal employee (plus a couple million retirees), or the assessment of the cost to the US economy from business lost due to NSA practices ($35 billion is the conservative estimate) – but we’ll be back next Friday with more. As always, we at appreciate your reading these words, and remind you that a safer internet is a better internet.