Message-ID: <BLU127-W175A8DAC9628D049D2037096D70@phx.gbl>
Date: Mon, 5 May 2008 16:24:59 -0700
From: Aaron Kempf <aaron_kempf@...mail.com>
To: "J. Oquendo" <sil@...iltrated.net>, <bugtraq@...urityfocus.com>,
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: Microsot DID DISCLOSE potential Backdoor


more importantly-- 
this is just another symptom that 'Microsoft makes Windows run slower over time to force us to buy a new version'.
 
If the software is doing things-- that it wasn't designed (advertised) to do-- that by definition is called BLOATWARE.
 
It's time for MS to make performance _JUST_ as important as security.
Performance is important-- I'm hoping that Microsoft wakes up one of these days and starts talking about the 'Software Performance Lifecycle'.
 
Personally; I'm sick and tired of MS forcing crapware / bloatware down our throats.
This software that you're talking about-- is just another symptom that MS doesn't give a crap about its users.
 
-Aaron
 
 
 
> Date: Sat, 3 May 2008 22:45:41 -0500
> From: sil@...iltrated.net
> To: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
> Subject: Microsot DID DISCLOSE potential Backdoor
>
> While you were sleeping and focusing on COFEE...
>
> Microsoft Discloses Government Backdoor on Windows Operating Systems
> Wednesday, April 30th, 2008 @ 6:00 am | Privacy, News
> http://www.infiltrated.net/?p=92
>
> Microsoft may have inadvertently disclosed a potential Microsoft backdoor for law enforcement earlier this week. To explain this all, here is the layman term of a backdoor from Wikipedia:
>
> A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.
>
> According to an article on PC World: "The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows."
>
> Not a big deal until you keep reading: "Although Microsoft is reluctant to give out details on its botnet buster - the company said that even revealing its name could give cyber criminals a clue on how to thwart it"
>
> Stop the press for a second or two and look at this logically: "users who have installed the Malicious Software Removal tool" followed by "Microsoft is reluctant to give out details on its botnet buster - the company said that even revealing its name could give cyber criminals a clue on how to thwart it", what? This is perhaps the biggest gaffe I've read thus far on potential government collusion with Microsoft.
>
> We then have the following wording: "Microsoft had not previously talked about its botnet tool, but it turns out that it was used by police in Canada to make a high-profile bust earlier this year." So again, thinking logically at what has been said so far by Microsoft; "We have a tool called Malicious Software Removal tool...", "we can't tell you the name of this tool since it would undermine our snooping...", "it's been used by law enforcement already to make a high-profile bust earlier this year."
>
> Remember a "Malicious Software Reporting Tool" is a lot different from a "Malicious Software Removal Tool". Understanding networking, computing, botnets, let's put this concept into a working model to explain how this is nothing more than a backdoor. You have an end user, we'll create a random Windows XP user: Farmer John in North Dakota. Farmer John in North Dakota uses his machine once a week to read news, send family email, nothing more. He installed Microsoft's Malicious Removal Tool. Farmer John's machine becomes infected at some point and sends Microsoft information about the compromise: "I'm Farmer John's machine coming from X_IP_Address".
>
> A correlation is done with this information and then supposedly used to track where the botnet's originating IP address is from. From the article: "Analysis by Microsoft's software allowed investigators to identify which IP address was being used to operate the botnet, Gaudreau said. And that cracked the case." This is not difficult, detect a DST (destination) for malware sent from Farmer John's machine. Simple, good guys win, everyone is happy.
>
> The concept of Microsoft's Malicious Software Removal tool not being a backdoor is flawed. For starters, no information is ever disclosed to someone installing the Windows Malicious Software removal tool: "Windows will now install a program which will report suspicious activity to Microsoft". As far as I can recall on any Windows update, there has never been any mention of it.
>
> "But this is a wonderful tool, why are you being such a troll and knocking Microsoft for doing the right thing!". The question slash qualm I have about this tool is I'd like to know what, why, when and how things are being done on my machine. It's not a matter of condemning Microsoft, but what happens if at some point in time Microsoft along with government get an insane idea to branch away from obtaining other data for whatever intents and purposes?
>
> We've seen how the NSA is allowed to gather any kind of information they'd like (http://www.eff.org/issues/nsa-spying), we now have to contend with Microsoft attempting to do the same. Any way you'd like to market this, it reeks of a backdoor: (again pointing to the definition) A backdoor in a computer system ... is a method of bypassing normal authentication, ... obtaining access to ... , and so on, while attempting to remain undetected. There's no beating around the bush here on what this tool is and does.
>
> This is reminiscent of the 90's with the NSA's ECHELON program. In 1994, the NSA intercepted the faxes and telephone calls of Airbus. What resulted was the information was then forwarded to Boeing and McDonnell-Douglas in which they snagged the contract from under Airbus' feet. In 1996, the CIA hacked into the computers of the Japanese Trade Ministry seeking "negotiations on import quotas for US cars on the Japanese market". Resulting with the information being passed off to "US negotiator Mickey Kantor" who accepted a lower offer.
>
> As an American you might say "so what, more power to us" but to think that any government wouldn't do it to its own citizens for whatever reason would be absurd. There are a lot of horrible routes this could take.
>
> What happens if slash when for some reason or another the government decides that you should not read a news site, will Microsoft willingly oblige and rewrite the news in accordance to what the government deems readable?
>
> How about the potential to give Microsoft a warrantless order to discover who doesn't like a President's "health care plan", or who is irate and whatever policy; Will Microsoft sift through a machine to retrieve relevant data to disclose to authorities?
>
> That doesn't include the potential for say technological espionage and gouging of sorts. What's to stop Microsoft from say, mapping a network and reporting all "non-Microsoft" based products back to Microsoft. The information could then be used to say raise support costs, allow Microsoft to offer juicier incentives to rid the network of non MS based products, the scenarios are endless.
>
> Sadly, most people will shrug and pass it off as nothing. Most security buffs, experts, etc., haven't mentioned a word of it outside of "the wonderful method to remove, detect, botnets!" and I don't necessarily disagree it's a unique way to detect what is happening, but this could have been done at the ISP and NSP level without installing a backdoor. Why didn't law enforcement approach botnets from that avenue? Perhaps they have, this I'm actually certain of which leads me to believe this is a prelude of something more secretive that has yet to be disclosed or discovered.
>
> http://www.pcworld.com/businesscenter/article/145257/microsoft_botnethunting_tool_helps_bust_hackers.html
> http://cryptome.org/echelon-ep-fin.htm (ECHELON MISHAPS)
>
> More on Microsoft's *Potential* Government Backdoor
> Thursday, May 1st, 2008 @ 7:21 am | Privacy, News
> http://www.infiltrated.net/?p=92
>
> After reading through Microsoft's comments repeatedly yesterday, I cannot come to the conclusion that Microsoft's "Malware Removal Tool" is not some form of backdoor. Their comments in the initial article are extremely disturbing and anyone using a Microsoft product should now be extremely wary about downloading new updates if even deciding to continue using Microsoft at all.
>
> So let's take a look at the top botnets. Srizbi, Bobax, Rustock, Cutwail, Ozdok, Nucrypt, Wopla, Spamthru, Storm, Grum, Onewordsub; These are the top as reported by Secure Works. (http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets) Guess what, eight out of eleven are all encrypted. Not that big of a deal until you decipher what Microsoft stated in their original quotes in correlation to some facts.
>
> From the article: Microsoft security experts analyze samples of malicious code to capture a snapshot of what is happening on the botnet network, which can then be used by law enforcers, Cranton said. "They can actually get into the software code and say, 'Here's information on how it's being controlled.'"
>
> Perhaps Microsoft could clarify how exactly are they doing what they do, more importantly, what information is being sent over the wire and to whom. Are they now breaking code as well. Did the botnet authors go through the steps of encrypting code. We know for a fact that traffic being sent from a compromised host to a controller is encrypted, so what is Microsoft analyzing. What COULDN'T Microsoft have gained from getting code for analysis say by working along with Symantec or someone else.
>
> Now before you shoot off an answer like "the code doofus, they're analyzing the code!", think about it again. If they're in it to analyze solely the code, they could have worked with AntiVirus vendors for samples as opposed to putting a tool on your machine which collects YOUR DATA and sends it off to who knows where. A law enforcement agency, or team Microsoft.
>
> I'll pause on this for now. How about the validity in stating: "Botnet Operator tracked via IP". How legitimate is this argument given the fact (not presumption) that IP is a horrible identifier. Let's put this in a practical example. Farmer Joe in Nebraska is using a DSL connection that is always on. He uses Windows XP and doesn't know what a Windows Update is so he's never used it. His computer is compromised, a botnet controller is installed and attacks are launched from Nebraska. The attacker sanitized Farmer Joe's machine to erase his tracks using multiple wipes with perhaps PGP. The end.
>
> For any business or law enforcement agency to claim they can track down via an IP address, perhaps they've skimmed on the fact that there are far too many open WiFi hotspots in the world to conclusively narrow a fact. We have an assumption that an attacker is behind 10.10.10.159. Can we see them? No. All we know is the address. Being I've used a private address, I won't bother diving into "but he came from ISP X in Nebraska." Irrelevant. What you have is a fishing expedition.
>
> / SNIP
> For more on this false sense of ID-via-IP: Well, let me ask you who you think 171.70.120.60 is. I'll give you a hint; at this instant, there are 72 of us.
>
> Here's another question. Whom would you suspect 171.71.241.89 is? At this point in time, I am in Barcelona; if I were home, that would be my address as you would see it, but my address as I would see it would be in 10.32.244.216/29. There might be several hundred people you would see using 171.71.241.89;
> /END SNIP
>
> I implore you to read a NANOG thread http://readlist.com/lists/trapdoor.merit.edu/nanog/6/33246.html
> Professionals know, IP is an inaccurate identifier so why does it seem that Microsoft along with LEO are relying on this. Makes a great baseline sure, but is certainly ripe for abuse
>
> Again, please understand what I am stating, this is "not to say that it's a horrible idea", it's a start, a baseline - but not a definitive measure of determining who is controlling a bot, who created the botnet, etc.
>
> Looking at past history, unfortunately you have the tinkerers; so what happens to an up-and-coming "security" buff who is getting into the field and stumbles upon a botnet. Sure he was moronic to join an irc channel filled with bots, sure he was idiotic in downloading the code for the sake of learning. Fact is he might have. Guess what will happen to him when a Law Enforcement Agency raids his house? Guess what will happen when that agency needs funding for a new uber Cyber(buzzword)Crime fighting department. You guessed it. Hey "Up-and-coming security buff..." Kiss your terminal goodbye, and from here on out, your dreams of becoming the next Bruce Schneier will be close to non-existent. It happens.
>
> Anyhow, re-emphasizing... Shame on Microsoft for forwarding your data without telling you. Shame on Microsoft for not asking you if you wanted to "PARTICIPATE" in sending data. Shame on Microsoft for not explicitly stating: The data we are sneaking off your computer will be sent to government agencies of our choice. It's a horrible practice and a damaging breach of trust. Their action worries me as a security professional, will they ever scour for data for profit. Why not, no one would notice or care anyway.
>
> J. Oquendo
> sil @ infiltrated dot net
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA #579 (FW+VPN v4.1)
> SGFE #574 (FW+VPN v4.1)
>
> wget -qO - www.infiltrated.net/sig|perl
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
_________________________________________________________________
Windows Live SkyDrive lets you share files with faraway friends.
http://www.windowslive.com/skydrive/overview.html?ocid=TXT_TAGLM_WL_Refresh_skydrive_052008