Monday, March 31, 2014

Microsoft Hotmail Scandal? Google's Gmail Team Should Pay Attention!

Microsoft's Hotmail Scandal story (read Saturday's Register story here) ignores the basic fact that no responsible/credible person would ever use the Hotmail service. Only two audiences comprise 100% of the Hotmail userbase:
  1. Phishers, crooks, and scammers use Hotmail accounts to lie, cheat and steal their way to prosperity.
  2. Morons and imbeciles who don't know any better use Hotmail.
Given the Hotmail audience, who the heck cares what the Microsoft license agreement says? Ditto for Yahoo, whose appalling lack of security earns them so much bad karma that they rank lower on the list of good-fortune beneficiaries than Vladimir Putin (do a search to the left for "Yahoo" and see some of my Yahoo indictments).

Fair warning: Google needs to pay attention, as I am getting more and smarter phishing/scam attempts from Gmail addresses in just the last month. Something as simple as a forward site at Google where we can pass on suspicious accounts? You could use Google analytics to quantify bad cyber citizens and delete their accounts.

Saturday, March 29, 2014

DOD's Hagel: "We come in peace. Take this to your leader."

Yesterday's New York Times (see the full story here) reports some remarkable 1984-like doublespeak from Defense Secretary Chuck Hagel. Net-net: "The U.S. does not seek to militarize cyberspace, but we're going to triple our staff just in case." Based on this and other data exhaust I will list below, it seemed prudent to make sure my tux fit. Because 2014 is going to be some kind of party.
Other data exhaust that predicts a truly gala 2014:
  1. 92% of all ATMs use Windows XP. Crooks can now infect ATMs and then send SMS messages to embedded cell phones to get said ATMs to spew cash (see Wednesday's Register story here). By the way, the ATM exploit has been credited to "Mexican cybercooks." The Symantec video showing how to do the exploit even used a Latino spokesperson. Give me a break! This is most certainly a Russia-inspired false flag operation.
  2. China is embarrassed and out for revenge after reports (see Thursday's Computerworld story here) that the NSA has been installing back doors in Huawei's hardware (see Saturday's New York Times story about the NSA exploit here).
  3. And once again, Time Magazine's runner-up Person of the Year, Edward Snowden, released documents showing that Microsoft sold your personal information to the feds and cops for $50 a person (see the Saturday Register story here). The source was allegedly "Syrian" hacktivists, clearly a false flag operation of either Russia or China (take your pick, although my vote leans toward Russia).
  4. As I reported on March 10th, Russia is so intent on proving that they're more than just a regional power that they played their "Snake" virus card in Ukraine (see my story here).

So make sure your tux fits. You wouldn't want to miss the party.

Tuesday, March 18, 2014

Ukraine Data Exhaust

This morning, I took a look at the all-time readership history of The Morgan Doctrine! Unsurprisingly, the USA tops the list. But most surprisingly, Ukraine is a solid number two, followed (in order) by China, France, the UK, Germany, Russia, India, Canada and Singapore. Several hypotheses come to mind, which I'll keep to myself for now.

Saturday, March 15, 2014

Malaysia Flight 370: Hypothetical White House Conversation

PRESIDENT: Who's the guy with the Teddy Bear?

NSA DIRECTOR: Mister President, we call him Rainman. He wrote the classified Tripwire program that produced these data.

PRESIDENT: Yeah, well…that is the purpose of this meeting. Why the hell don't we tell the world what happened to Malaysia flight 370? I've seen your hi-res videos.

NSA DIRECTOR: We're confident that a foreign government engineered this disappearance to see exactly how advanced our global surveillance technology truly is.

RAINMAN: [Expletive]ing Chinese.

PRESIDENTIAL AIDE: Sir! You do NOT use that language in front of the president!

NSA DIRECTOR: Please forgive this outburst. Our Rainman is an autistic computer savant, and excitement sometimes presents itself as Tourette's. I promise you, if it weren't absolutely necessary for him to be here…

PRESIDENTIAL AIDE: [interrupting]…That Teddy Bear stinks. Get it out of here.

NSA DIRECTOR: Sir, with due respect, the last person who tried to separate Rainman from his Teddy Bear has never completed a cell phone call since. In fact, any digital record of his life, including credit history, has ceased to exist on the planet. He currently lives in New York City's Central Park where he begs for food.

PRESIDENT: Back to the purpose of this meeting. Exactly why are we not showing the world what happened to flight 370?

NSA DIRECTOR: Sir, because we don't want the world to know the extent of our technology. Unlike the Russians who tipped their hand by using the SNAKE virus in Ukraine…

RAINMAN: [Expletive]ing Russians!

NSA DIRECTOR: Mister President, I am so very sorry…

Tuesday, March 11, 2014

SNAKE Added to Perfect Virus Report Card

Three years ago I did my first Virus Report Card (February 7, 2011), comparing Stuxnet, Zeus/SpyEye and Duqu to The Perfect Virus (see all 22 Principles of the Perfect Virus here). Just a month ago, I updated it with the Mask/Careto virus (see the update here). Thanks to the Russian "Snake" technology unleashed in Ukraine, here is yet another update.
While SNAKE lost some stealth points, it is nevertheless a step up in the virus food chain in that it allows the Command and Control (C&C) system to actually take over the target servers. With the exception of Stuxnet, which wreaked havoc with Iranian nuclear centrifuges, the other virus technologies infected client computers that had established a trusted relationship with more secure institutions in order to loot the data assets of the less-than-secure client. SNAKE, on the other hand, goes for the gold and actually takes over the target infrastructure. That's a big leap, and one I suggested yesterday might have been a big Russian mistake to let out of the bag in Ukraine.

The BAE Systems report (read it here) did an exceptionally thorough job analyzing SNAKE and suggesting ways to determine its presence on your system. Major points of special interest:
  1. SNAKE appears to be exclusively targeted toward Windows clients and servers. That has all kinds of implications that are beyond the scope of this writeup, although I would advise extreme caution to those who drive automobiles with computers powered by Windows mobile technology ("Hey Achmid, watch me have a bunch of cars slam on their brakes during The Great Satan's rush hour!").
  2. While SNAKE has the capability to dynamically reassign C&C servers for peer-to-peer control, it comes equipped with a large number of hard-coded C&C server locations. That seems silly, and may indicate that expediency and a tight timeline forced deployment of a less-than-perfectly secure virus.
  3. Point 2 above is reinforced by the fact that SNAKE was delivered with debugging hooks still compiled into the code that expose the names of two developers (vlad and gilg) as well as the name of this particular variant (sengoku). Sure, this could be a not-so-subtle "false flag" pointer to Russia, but my opinion is that the last-compiled versions of SNAKE on January 28, 2014 were rushed into operation in Ukraine because of Russian premeditation.
  4. Another possible "false flag" indicator is that the decryption XOR mask used by SNAKE was the same one used in the Agent.BTZ virus that hit Pentagon secure systems in 2008. While this seems rather silly for any government trying to avoid the "A" word (attribution), again it is my opinion that expediency trumped stealth. Ergo, Russia must have made a conscious decision to play the SNAKE cards face up due to their view of Ukraine's importance to them.
  5. Finally, Putin's ego and his desire to again be a major player on the global cyberwarfare stage may have dictated that Russia's fingerprints be firmly on this technology.
We still don't have a good idea how SNAKE was initially delivered in Ukraine, but given the number of Russian-leaning Ukrainians in important positions, one well-placed thumb drive could have done it all.
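Points 3 and 4 above (developer and variant strings left in the binary, and a reused XOR mask) are exactly the kind of artifacts a defender can triage for. The following is an added example, not code from the BAE report or from this blog: it searches a byte buffer for the strings named above, both in the clear and after brute-forcing a single-byte XOR mask. The single-byte mask and the sample bytes are constructed assumptions for illustration; Snake's actual mask is not reproduced here.

```python
# Added triage helper (not from the BAE report or the blog). Looks for the
# developer/variant strings the post cites, in the clear and under every
# possible single-byte XOR mask. The mask and sample are constructed, not
# Snake's real encoding.

INDICATORS = [b"vlad", b"gilg", b"sengoku"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (constructed toy mask)."""
    return bytes(b ^ key for b in data)


def find_indicators(data: bytes) -> dict:
    """Return {indicator: offset} for each indicator present in the clear."""
    return {s.decode(): data.find(s) for s in INDICATORS if s in data}


def scan_with_xor(data: bytes) -> list:
    """Try every single-byte XOR key and return (key, hits) pairs where
    at least one indicator string appears. Key 0 is the plaintext pass."""
    findings = []
    for key in range(256):
        hits = find_indicators(xor_bytes(data, key))
        if hits:
            findings.append((key, hits))
    return findings


# Constructed sample: null filler, the debug strings masked with 0x5A, 0xFF filler.
SAMPLE_KEY = 0x5A
SAMPLE = b"\x00" * 16 + xor_bytes(b"dbg: vlad gilg sengoku", SAMPLE_KEY) + b"\xff" * 16


if __name__ == "__main__":
    for key, hits in scan_with_xor(SAMPLE):
        print(f"key=0x{key:02x} hits={hits}")
```

A real triage pass would replace the single-byte brute force with the mask and string set published in the vendor report, and run the scan over memory dumps and on-disk modules rather than one constructed buffer.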

Net-net: 2014 is shaping up to be a most interesting year.

Monday, March 10, 2014

Should Russia Have Used "Snake" Cyberespionage in Ukraine Conflict?

Yesterday's New York Times story on Russia's cyberwar against Ukraine government assets (read it here) details the British-based defense and security company (BAE) report on 'Snake' cyberattacks. My opinion is that Russia's ability to take "full remote access to the compromised system" should have been kept under wraps, unless of course the major cyberweapon governments of the world already knew about it. Whatever their reason for using this technology against Ukraine, "full remote access" represents current state of the art in the cyberwar landscape. Not particularly stealthy, since BAE sniffed them out, but nevertheless an indication of the current cyberwar advances.

Given that BAE describes Snake as "a game-changer for security industry" (access the BAE report here), I rather suspect The Powers That Be in the U.S., the U.K., and in Israel may have been taken aback by the new sophistication revealed by Snake. I therefore opine that Russia may have prematurely played these cards face up in the cyberweapons casino.

Wednesday, March 5, 2014

Pre-installed Malware on New, Fresh-out-of-the-box Products

Three years ago, I quoted a GCN article stating that the number-one malware risk was infection of the supply chain and actually delivering infected products in unopened new products (see my post here). Today's Computerworld story (read it here) reports that some malicious Netflix applications—which send passwords and credit card information to Russia—are showing up on out-of-the-box Android phones. I've written extensively on supply chain exploits. Just type "supply chain" into the search bar at the left to see some knee-slappingly funny (if I do say so myself) prose on the subject.

Why go phishing when you can employ far less effort to simply roach the supply chain of major manufacturers? From EPROMs in printers to major software packages from Adobe and Microsoft to…yegads…Lenovo and Huawei products with prices too good to be true, the smart crooks are hitting the supply chains.

The GCN story concluded with an "On the bright side" statement:
Fortinet, a vendor of network security appliances, predicts that in 2011, there will be greater international collaboration to shut down the bad guys through the courts.
How's that working out, guys? Obviously you were "whistling in the graveyard" with that inane assessment. I predict that cyber privateers could put a stop to supply chain roaching within sixty days.

Tuesday, March 4, 2014

Chevy Chase & Dan Aykroyd Must Be Laughing as Microsoft & Huawei Reprise "Spies Like Us."

My own nod to Chevy Chase's and Dan Aykroyd's performances in the movie Spies Like Us bubbled up from a Microsoft speech at the recent RSA conference.

About a week ago, The Register reported Microsoft VP of Trustworthy Computing Scott Charney vehemently told an RSA audience that no-way-no-how has his company put back doors into any of their computer software (see the story here). I've been pretty hard on Huawei over this issue (see my advice to them here), and give Microsoft the same advice: PROVE IT! Offer a $1 million reward to the first person or organization who can show an intentional back door into Microsoft products.

I used the word "intentional" because I don't expect them to pay big bucks for some zero-day exploit that cleverly uses a flaw in the Microsoft architecture. Heck, they'd lose billions on that deal. But if anyone could demonstrate a drop-through/bypass-all-security back door that opens up the world, they'd get the million. One time. The first person to uncover the back door. Publicly administered by a trusted third party, with the exploit issued in a press release worldwide.

Emphatic denials don't cut it any more from Microsoft than they do from Huawei. I recently asked, "Who you gonna believe, Huawei or your lying eyes?" Honor forces me to ask Microsoft the same question. Until either one of these companies puts money where their PR is, I must again conclude (as I did here) that "Microsoft spies for the U.S. and Huawei spies for China."

VP of Trustworthy Computing? Read Orwell's 1984, Mr. Charney. You might want to rethink your title.