Glimpse of the current and future state of espionage

Ars Technica has a fascinating look into a ‘cyber-spat’ (trademark pending) between Georgia and Russia.

A custom piece of malware started showing up in Georgian systems, which searched for documents based on political keywords. Those documents were then sent off to a server and retrieved by the hackers.
The CERT team in Georgia analyzed the malicious program and traced it back to Russia. When hacks occur across international lines, there is often little legal recourse. This was true here, and Georgia determined that the best course of action was to bait the attacker into taking a file which would infect his own computer.

They were successful.

Now this may not seem to accomplish much. If the Russian government is in fact sponsoring these attacks, they will continue. The identified hacker is not facing any legal proceedings. But, as the source article puts it:

The goal isn’t necessarily to get the host country to ease up on the hacks—though it may have some temporary effect—but to raise public awareness so that other forces like Congress or NATO will themselves put more pressure on some country you can hardly hope to stop alone.

Right now, there is little that is agreed upon in international law when it comes to computer crime. This will change as state-sponsored attacks grow more sophisticated and gain the potential to do serious harm. Chemical warfare was outlawed after its devastating effects were seen in World War I; we’ll see some Internet attacks outlawed if state-sponsored attacks start taking out electrical grids or water treatment plants.

Hopefully the world can agree on some rules of engagement before it comes to that.


Fighting Fire with Fire.

Japan has issued a contract to research the development of a virus which could counterattack malware sources.

This idea comes up from time to time: use hackers’ own weapons and techniques against them instead of only playing defense. There’s even a course dedicated to it now.

Some of these countermeasures are great ideas: Honeypots waste an attacker’s time and can collect data on them.  Tarpits can tie up the attacker’s network connection.

Sending out “good” viruses seems like a logical step, but it’s probably not a good idea.

Sending out self-replicating code can have ripple effects that are not always considered when the code is written. For example, the Stuxnet virus, which was seemingly created to target only Iranian nuclear facilities, still ended up spreading into Eastern Europe and causing problems on some systems (which is how the virus was discovered).

Taking specific and limited action against a hostile IP address is a reasonable and sometimes necessary action.  Virus code is neither specific nor limited.  It cannot be controlled once released to the Internet.

It would be like trying to clean out dead underbrush by setting a fire.  You think it will just burn all the dead stuff and then peter out, but the possible repercussions make it highly irresponsible and dangerous to do.

So let’s just keep this research as research and not go anywhere else with it.

OK, Japan?


Good News! A new worm!

It’s been a while since a worm has made the rounds of the Internet (I think Stuxnet may have been the last one to make any waves).

Morto is the new kid on the block.

Although my title is meant to be sarcastic, there is actually good news about this worm. It spreads by attempting to log in through an open RDP (Remote Desktop Protocol) port, trying the Administrator user account with a dictionary-based password attack.

The good news is that OS security has improved so much over the past few years that malicious code now has to rely on bad practices by administrators, rather than using exploits in running processes.

Of course the bad news is that any systems were vulnerable to this in the first place. Any one of three changes in security practice stops this worm from getting into your systems. Two of them are incredibly simple.

1. Change the ‘Administrator’ name.

In a Windows environment, the Administrator account is there by default and has full permissions to the machine. The account name is not set in stone (unlike UNIX/Linux, where root is always root). Everyone should change their Administrator account login to something else. It’s very simple to do, and it immediately removes the threat of any scripted attack that tries to use Administrator as a login. With just a tiny bit of extra work, you can also set up a new account named Administrator that actually has no privileges. If an attacker is able to enumerate the users on your systems, it will give them a little bit of misinformation.

2. Enable password complexity rules.

The worm has a dictionary of common passwords that it uses to attempt to log in.  They are all terrible passwords.

Like ‘password’.

STOP DOING THAT. Systems should REQUIRE mixed-case and digits at a bare minimum.

On Windows this is one click on a checkbox in Group Policy.

3. Do not open RDP to the Internet.

This one is slightly more complicated, but your average administrator should be able to handle it easily.

Yes, it’s very convenient to be able to log into your stuff remotely.  I do it all the time.

The difference is that I have to tunnel my RDP session through an SSH connection.  You should block incoming RDP requests (port 3389 by default) at your firewall.

You do have a firewall, right? I mean, I assume you do, but then again I assumed you wouldn’t have Administrator:password as your master login.

Update:  Morto tries a number of common account names, not just Administrator.  Not sure if this is new information or a variant of the worm.
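As an added example (not part of the original post), here is a PowerShell audit that checks the three changes above on a local Windows host; it finds the built-in administrator by its RID rather than its name, so it still works after the rename and ignores any decoy account. It assumes Windows PowerShell 5.1 or later in an elevated prompt, since secedit and the firewall cmdlets require it.

```powershell
# Constructed audit script: reports which of the three Morto mitigations
# are missing on this host. Assumes an elevated Windows PowerShell 5.1+ session.

function Test-MortoHardening {
    $findings = @()

    # 1. The built-in Administrator keeps RID 500 even after a rename, so look
    #    it up by SID suffix rather than by name (a decoy "Administrator"
    #    account has a different RID and is ignored here).
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    if ($builtin.Name -eq 'Administrator') {
        $findings += 'Built-in administrator is still named "Administrator"; rename it.'
    }

    # 2. Export the local security policy and read the PasswordComplexity flag
    #    (1 = the Group Policy checkbox the post refers to is ticked).
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg | Out-Null
    $policy = Get-Content -Path $cfg -Raw
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if ($policy -notmatch '(?m)^PasswordComplexity\s*=\s*1\s*$') {
        $findings += 'Password complexity requirement is not enabled in local policy.'
    }

    # 3. RDP exposure on the host itself: the Terminal Server deny flag plus
    #    the built-in "Remote Desktop" inbound firewall rules. The perimeter
    #    firewall block the post recommends must still be checked separately.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $port = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
    $allowRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound `
                  -Enabled True -ErrorAction SilentlyContinue
    if ($rdpDenied -eq 0 -and $allowRules) {
        $findings += "RDP is enabled on TCP/$port and the host firewall allows it inbound; " +
                     'block it at the perimeter and reach it only through a tunnel.'
    }

    if ($findings.Count -eq 0) { return 'OK: all three Morto mitigations are in place.' }
    return $findings
}

Test-MortoHardening
```

Run it on each Windows host that is reachable from outside; anything it prints other than the OK line is a gap the worm's dictionary attack can use.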