IT security no simple task

A recent case of hackers targeting a Microsoft program highlights the complexity of protecting users and companies from cyber-criminals in time to prevent damage being done. Joseph Menn reports


To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199.

The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft’s regular monthly security update.

But it had travelled a rocky, nine-month journey from discovery to resolution, which cyber-security experts say is an unusually long time.

Google’s security researchers, for example, give vendors just 90 days’ warning before publishing flaws they find. Microsoft declined to say how long it usually takes to patch a flaw.

While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine.

And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.

Those conclusions and other details emerged from interviews with researchers at cybersecurity firms who studied the events and analysed versions of the attack code.

Microsoft confirmed the sequence of events.

The tale began last July, when Ryan Hanson, a 2010 Idaho State University graduate and consultant at boutique security firm Optiv in Boise, found a weakness in the way that Microsoft Word processes documents from another format. That allowed him to insert a link to a malicious program that would take control of a computer.

Combining flaws

Mr Hanson spent some months combining his find with other flaws to make it more deadly, he said on Twitter. Then in October he told Microsoft. The company often pays a modest bounty of a few thousand dollars for the identification of security risks.

Soon after that point six months ago, Microsoft could have fixed the problem, the company acknowledged. But it was not that simple. A quick change in the settings on Word by customers would do the trick, but if Microsoft notified customers about the bug and the recommended changes, it would also be telling hackers about how to break in.

Alternatively, Microsoft could have created a patch that would be distributed as part of its monthly software updates. But the company did not patch immediately and instead dug deeper. It was not aware that anyone was using Mr Hanson’s method, and it wanted to be sure it had a comprehensive solution.

“We performed an investigation to identify other potentially similar methods and ensure that our fix addresses more than just the issue reported,” Microsoft said through a spokesman, who answered emailed questions on the condition of anonymity. “This was a complex investigation.”

Mr Hanson declined interview requests.

The saga shows that Microsoft’s progress on security issues, as well as that of the software industry as a whole, remains uneven in an era when the stakes are growing dramatically.

The United States has accused Russia of hacking political party emails to interfere in the 2016 presidential election, a charge Russia denies, while shadowy hacker groups opposed to the US government have been publishing hacking tools used by the Central Intelligence Agency and National Security Agency.

Attacks begin

It is unclear how the unknown hackers initially found Mr Hanson’s bug. It could have been through simultaneous discovery, a leak in the patching process, or even hacking against Optiv or Microsoft.

In January, as Microsoft worked on a solution, the attacks began.

The first known victims were sent emails enticing them to click on a link to documents in Russian about military issues in Russia and areas held by Russian-backed rebels in eastern Ukraine, researchers said. Their computers were then infected with eavesdropping software made by Gamma Group, a private company that sells to agencies of many governments.

The best guess of cyber-security experts is that one of Gamma’s customers was trying to get inside the computers of soldiers or political figures in Ukraine or Russia; either of those countries, or any of their neighbours or allies, could have been responsible. Such government espionage is routine.

The initial attacks were carefully aimed at a small number of targets and so stayed below the radar. But in March, security researchers at FireEye noticed that a notorious piece of financial hacking software known as Latenbot was being distributed using the same Microsoft bug.

FireEye investigated further, found the earlier Russian-language attacks and warned Microsoft. The company, which confirmed it was first warned of active attacks in March, got on track for an April 11 patch.

Then what counts as disaster in the world of bug-fixers struck. Another security firm, McAfee, saw some attacks using the Microsoft Word flaw on April 6.

After what it described as “quick but in-depth research,” it established that the flaw had not been patched, contacted Microsoft, and then blogged about its discovery on April 7. The blog post contained enough detail that other hackers could mimic the attacks.

Other software security professionals were aghast that McAfee did not wait, as Optiv and FireEye were doing, until the patch came out.

McAfee vice president Vincent Weafer blamed “a glitch in our communications with our partner Microsoft” for the timing. He did not elaborate.

By April 9, a program to exploit the flaw was on sale on underground markets for criminal hackers, said FireEye researcher John Hultquist. The next day, attacks were mainstream. Someone used it to send documents booby-trapped with Dridex banking-fraud software to millions of computers in Australia.

Finally, on the Tuesday, about six months after hearing from Mr Hanson, Microsoft made the patch available. As always, some computer owners are lagging behind and have not installed it. When Microsoft patched, it thanked Mr Hanson, a FireEye researcher and its own staff.

A six-month delay is bad but not unheard of, said Marten Mickos, chief executive of HackerOne, which coordinates patching efforts between researchers and vendors.

“Normal fixing times are a matter of weeks,” Mr Mickos said. Privately-held Optiv said through a spokeswoman that it usually gives vendors 45 days to make fixes before publishing research when appropriate, and that it “materially followed” that practice in this case. Optiv is now comparing the details of what Mr Hanson told Microsoft with what the spies and criminals used in the wild, trying to find out if the researcher’s work was partly responsible for the worldwide hacking spree, the spokeswoman said. The spree included one or more people who created a hacking tool for what FireEye’s Mr Hultquist said is probably a national government, and who then appeared to double-dip by also selling it to a criminal group.

If the patching took time, others who learned of the flaw moved quickly.

On the final weekend before the patch, the criminals could have sold it along to the Dridex hackers, or the original makers could have cashed in a third time, Mr Hultquist said, effectively staging a last clearance sale before it lost peak effectiveness.

It is unclear how many people were ultimately infected or how much money was stolen.
