There is a New DNS Sheriff in Town

One of the things that we see from time to time is SSL/TLS certificates issued, by certificate authorities that are less than reputable – or simply don’t care – for domains that the certificate requester does not own.

The Internet Engineering Task Force, the body that oversees the technical operation of the Internet, has released a new capability. By this fall, all certificate authorities – the organizations that issue SSL certificates – will be REQUIRED TO recognize a new DNS record type.

This is in the early stages, so there are still kinks to be worked out, but businesses should start using these new features as soon as they can.

The new feature is called DNS Certification Authority Authorization (CAA) and support for it by SSL certificate issuers becomes mandatory in September 2017.

There are two parts to it – one part that you need to take care of and one the certificate authority has to deal with.

The DNS CAA record specifies WHO is allowed to issue an SSL/TLS certificate on your behalf. If you say that, for example, only Digicert can issue a certificate for a domain that you own, then, according to the rules, if anyone, including you, asks a different certificate authority to issue a certificate, that authority is supposed to deny the request. There is an option in the CAA record to notify you if a certificate is requested for that domain, as well as a number of flag bytes and other parameters.

In order for this to work, YOU have to add a CAA record to your DNS entry.  This is the part that is more dicey.  For example, tonight, I reached out to one of my ISPs and asked them how I create a CAA record and they told me that I could not.  I *suspect* that by September, when this becomes mandatory, most ISPs will support it, but you will have to check.

Businesses that operate their own DNS server software will likely have to upgrade versions to support this new capability. Bind, the granddaddy of all DNS servers, supports CAA records starting with version 9.9.6.
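To make the record concrete, here is an added example (my own, not code from the post or from any DNS server or CA) of what CAA records look like in zone-file form and how a certificate authority is expected to evaluate them under RFC 6844: walk from the requested name toward the root until a CAA record set is found, apply the issue property (or issuewild for a wildcard request when one is present), treat a value of ";" as "nobody may issue", and refuse if an unknown property carries the critical flag. The zone contents are constructed; "digicert.com" and "letsencrypt.org" are the CAA identifiers those two CAs publish. CNAME and DNAME following is left out for brevity.

```python
"""Evaluate DNS CAA policy the way a certificate authority is expected to.

Added example: the zone below is constructed, not a real DNS lookup. The
decision rules follow RFC 6844 (climb the tree to the closest CAA RRset;
``issue`` governs ordinary names, ``issuewild`` governs wildcards when
present; ``";"`` forbids everyone; an unknown tag with the critical flag
set blocks issuance). CNAME/DNAME following is deliberately omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 0x80                      # "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0-255
    tag: str     # lower-cased property tag
    value: str   # property value without surrounding quotes


def parse_caa(text: str) -> CAARecord:
    """Parse zone-file presentation format, e.g. '0 issue "digicert.com"'."""
    parts = text.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"malformed CAA record: {text!r}")
    flags_s, tag, value = parts
    flags = int(flags_s)
    if not 0 <= flags <= 255:
        raise ValueError(f"CAA flags out of range: {flags}")
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' == value[-1]:
        value = value[1:-1]
    return CAARecord(flags, tag.lower(), value)


def issuer_domain(value: str) -> str:
    """'digicert.com; policy=ev' -> 'digicert.com'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


Zone = Dict[str, List[CAARecord]]


def relevant_rrset(zone: Zone, name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from `name` toward the root; the first non-empty CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def may_issue(zone: Zone, name: str, ca_domain: str) -> bool:
    """True if `ca_domain` is authorised to issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _, rrset = relevant_rrset(zone, base)
    if not rrset:
        return True                          # no CAA policy anywhere: unrestricted
    for r in rrset:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False                     # critical property we don't understand
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                          # e.g. only an iodef record: no restriction
    allowed = {issuer_domain(r.value) for r in relevant}
    allowed.discard("")                      # ';' authorises nobody
    return ca_domain.lower() in allowed


def iodef_contacts(zone: Zone, name: str) -> List[str]:
    """Where a CA should report an issuance request it had to refuse."""
    _, rrset = relevant_rrset(zone, name[2:] if name.startswith("*.") else name)
    return [r.value for r in rrset if r.tag == "iodef"]


# Constructed zone data for the demonstration (not real DNS).
ZONE: Zone = {
    "example.com": [
        parse_caa('0 issue "digicert.com"'),
        parse_caa('0 issuewild ";"'),
        parse_caa('0 iodef "mailto:security@example.com"'),
    ],
    "test.example.com": [
        parse_caa('0 issue "letsencrypt.org"'),
    ],
}

if __name__ == "__main__":
    for host, ca in [("www.example.com", "digicert.com"),
                     ("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "digicert.com"),
                     ("test.example.com", "digicert.com")]:
        verdict = "may issue" if may_issue(ZONE, host, ca) else "must refuse"
        print(f"{ca:16} for {host:18}: {verdict}")
    print("report refusals to:", iodef_contacts(ZONE, "www.example.com"))
```

Two points worth noticing in the walk-through: a record on test.example.com overrides the parent's policy completely (the CA stops climbing at the first record set it finds), and the wildcard rule means `*.example.com` is refused to everyone here even though Digicert is allowed for ordinary names under example.com.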

For those of us who don’t run our own DNS servers, we will need to bug our ISPs until they support the capability.

Even if you don’t use SSL/TLS today, you should still add a CAA record because you don’t want anyone to get an SSL certificate in your name and masquerade as you.

While there is no such thing as a silver bullet when it comes to security, this is a useful addition.

Information for this post came from Wikipedia.

Microsoft Loses Terabytes of Windows 10 Source Code

Both the NSA and CIA have been in the news way too many times recently when organizations like WikiLeaks and others released stolen software that the organizations would rather remain private.  In the case of the spy agencies, that software is their internally developed hacking tools.

Now it is someone else’s turn.

Microsoft has acknowledged that some of their Windows 10 source code has been released into the wild.  Not all of it, but a lot.

32 terabytes of installation images, documentation and code for hardware drivers, USB and WiFi code, some kernel code and other source code were leaked and made available for download by anyone who had access to the appropriate hacker sites.

Microsoft calls it their Shared Source Kit. It is distributed privately under contracts that restrict how it is handled. Typically it is provided to hardware manufacturers, selected customers and some researchers. Now it is available to hackers also.

Some of the images contain information that is never released publicly that would definitely help hackers.

It also would allow hackers to look for bugs that they can exploit.  That is much easier if you have the source code.

While this is not the end of the world and it does not involve a breach of Microsoft’s network, it is still embarrassing and a security problem for Microsoft.

On the other hand, given the number of businesses that likely have access to the Shared Source Kit, this leak is not completely surprising.

After all, it only takes one of these partners to be hacked for the code to be out in the wild.  No one is suggesting that a partner who legally has this code released it into the wild.

What is your level of confidence that your company’s family jewels are really still secret?

Information for this post came from The Register.

Petya Ransomware – A New Low

After the WannaCry Ransomware affected businesses in 150 countries last month, you would think that people would have learned.  Apparently not.

The Petya ransomware doesn’t encrypt files, it encrypts the whole disk.

Unlike typical ransomware that picks selected files (like Word or Excel files), this ransomware replaces the Master Boot Record or MBR and forces Windows to reboot. When Windows loads the fake MBR, it launches something that looks like CHKDSK, a Windows utility that is used to fix disk problems. Except, in this case, what it is really doing is encrypting the Master File Table or MFT. Unlike typical ransomware that can take a long time to encrypt files one at a time, Petya can encrypt the MFT in less than a second, making the whole disk unreadable. POOF!

Companies – big companies – in many countries have been affected:

  • WPP, the British based worldwide advertising company
  • Law firm DLA Piper
  • Danish shipping firm Maersk

And many, many others.

According to many experts, it appears to have started with an infected software update from a Ukrainian accounting software firm. The firm denies that. Time will tell.

In the meantime the infection is going viral in Ukraine, which is blaming Russia, but Russian government computers are also being infected. In fact, Ukraine and Russia represent the largest concentration of infections.

Why do these ransomware attacks seem to gain steam in Eastern Europe and Asia? It is not clear to me, but one possible explanation is that there is a lot of pirated operating system software in that part of the world and those users cannot get patches.

Like WannaCry, there is a way to stop the propagation, but unlike WannaCry, a file needs to be installed on each and every computer.  And it only minimizes the damage, it doesn’t eliminate it.

Now here is the bad news.  The hackers are asking for $300 in Bitcoin to unlock the computer.  It asks you to communicate with the hackers via an email address and it provides a bitcoin wallet – the same wallet for every user.

But here is the problem.  The email address used by the hacker is hosted on Posteo, a German ISP.  They have decided to cancel the user’s account for violating their terms of service.  That means that there is no way to communicate with the hackers and no way to get a decryption key.

Of course, if the hackers wanted to, they could publicize another email address anonymously.

But, maybe, they don’t want to.

If, as suspected, this is the work of Russia to destabilize Ukraine and if a little collateral damage in Russia provides cover, Russia probably figures that is OK.  If this is the case, then they don’t want people to be able to recover.

In this case, unlike some other ransomware attacks, having good backups is all you need.  Format the disk and restore from your backup and you are good to go.

So what is the moral?

Backups are still critical for recovering from many ransomware attacks and HOW LONG IT TAKES to recover is the next most important thing.  If you can restore but it takes you a week to get back to work, that is a problem.

Do you know how long it would take your company to recover from a major ransomware attack?  Important question.

Information for this post came from The Guardian, Bleeping Computer and Risk Based Security.


Germany Allows Police To Hack Phones, PCs To Get Around Encryption

Last week the German Parliament passed a law that allows police to hack your computer or phone when investigating anything from murder to betting fraud and many other crimes.

How would this work?  It would allow police to covertly install software on your computer or phone that allows police to siphon data off your phone.  Whether that breaks your phone or steals data that they are not supposed to have – well, that is up in the air.

This is a way to get around the encryption of data and, if done right, is very effective. Instead of putting a back door in the encryption algorithms, which experts say will weaken protection for everyone, this solution targets the suspects of crimes. Of course, it means that the police have to figure out how to hack your phone.

When this law goes into effect, the privacy protections that German citizens have will be much lower because the bar for allowing the police to hack your phone is relatively low.

Germany has had, until now, a pretty high standard for individual privacy after a 2008 decision by the German Federal Constitutional Court. What is not clear is whether this law will be in conflict with that ruling and how the high court would rule if asked to.

Similar to the U.S. Congress, the German Parliament sneaked the rules into seemingly unrelated bills and amendments and fast tracked those bills through the legislature.

While we have not seen this technique in the U.S. Congress yet, don’t be surprised if that happens. Look at the current attempt at a new health care bill. Draft it in secret – even from your own party – and then try to shove it down the throats of the rank and file very quickly. While that has not worked so far with the health care bill, that is because Senators have gotten more than an earful from their constituents. Absent public interest, these types of bills sail through Congress and then it is up to the courts to sort out the mess.

Information for this post came from the law firm of Morrison Foerster.

Why Paying Ransomware May Not Be A Great Idea

You may recall that a hacking group called the Dark Overlord hacked into Larson Studios, a third party provider to Netflix and other studios.  They stole the unreleased copies of the whole season of Orange as well as about 36 other series and movies.

Now we are beginning to hear the back story and it points out that paying ransomers is dicey business.

Larson’s owners tried to protect their customers. They did this by paying the ransomers $50,000 in bitcoin. The theory was that the ransomers would not release any of the titles if they did.

Investigators discovered that ground zero for the attack was a Windows 7 PC.  Whether it was patched current or not is unclear, but as we are seeing with the Wikileaks releases of CIA and NSA exploits, being patched does not mean being secure.  The CIA and NSA do not have an “exclusive” on exploits.

When Larson’s IT guy looked at the server and found the shows were gone, they called the FBI.  They did not tell their clients because the group said not to and at that point they were still hoping to contain the damage.

They paid the ransom.  It took a while to work through the system to buy $50,000 in bitcoin.  About a week in total.

The Dark Overlord got a bit greedy and contacted Netflix and the other studios trying to get them to pay a ransom also. Those studios opted not to pay. So, even though Larson paid the ransom, they released the titles.

It is a bit of a crap-shoot as to whether hackers will keep their word, even though not keeping their word should, in theory, destroy their business model.

In many cases, having a backup will protect you from having to pay the ransom. Not in this case, or in any number of other cases where the hackers can steal intellectual property, like at law firms or accountants, for example.

Once they have your intellectual property, it is a new game.

They could sell it or publicly release it.  Depending on the model, they might want to embarrass the company, destroy it or make money.

Your best bet is to keep the hackers out.  That is not always so easy.

After the fact, Larson upgraded security. Files are encrypted. The network is segmented so that if an attacker gets in they don’t have free rein over the whole company. They no longer keep the audio files and video files together, to make it harder for an attacker to get something useful.

Larson lost some customers over this, but they learned a lesson.  An expensive lesson.  Lost customers PLUS ransom PLUS reputational damage PLUS the cost of re-engineering the network EQUALS an expensive lesson.

You can spend the money before an attack or spend a lot more money after the attack.  It is your choice.  But there is no free lunch.

Information for this post came from Data Breach Today.


Cisco, Others Share Source Code With Russia

The universe is an interesting place.

While the Senate and House, among others, are trying to figure out how much damage Russia did during last year’s election cycle, Cisco and others are sharing their source code with the people who supposedly hacked us. Seem strange? It is!

Here is the story.

For some countries, including Russia, the government requires foreign vendors to share source code with supposedly independent testing labs.  The objective, they say, is to make sure that there are no back doors in the code that would allow others such as the NSA and CIA to hack into them.

Cisco, IBM, HP and SAP are among those who have agreed to share source code with the Russians and others.

Symantec has told Russia to stick it where ….

As a result, Symantec does almost no business in Russia.

The U.S. government has suggested that this isn’t a great plan, but money usually rules.  The government, under most circumstances, has no legal ability to stop U.S. companies from doing that, however.

Who in Russia wants to check out our source code? None other than the FSB, the successor to the KGB, Russia’s former spy agency.

Also the FSTEC, another Russian agency with strong ties to the spy community, is doing some of the source code reviews.

For their part, the U.S. tech companies are trying to reduce the risk.  They say that the code reviews are done in the United States, not Russia and they are done in a clean room environment where reviewers cannot take anything in or out.  But if the people doing the reviews are skilled Russian hackers, simply the ability to look at the code – to see how the programs work – may be enough to allow them to later hack us.

Companies have to make a decision. The Russian tech market is estimated to be worth around $20 billion. Do they let Russian spies look at the source code of their security software in order to be able to take a bite out of a $20 billion apple, or do they let their possible share of the market go to a competitor? Without agreeing to Russian demands, it is likely that Russia will not allow U.S. tech companies to sell their products in Russia.

My take – giving Russian spies access to the family jewels is a really bad idea.  I understand that sometimes money clouds people’s vision and this is one of those times.  It is kind of like giving a burglar both the key to our house and a map telling them where our valuables are.  And hoping that they don’t take anything.


Information for this post came from Reuters.