Monday, June 30, 2014

i wouldn't bet on it

last year cryptography professor matthew green made a bet with mikko hypponen that by the 15th of this month there would be a snowden doc released that showed that US AV companies collaborated with the NSA. he has since accepted that he lost the bet to mikko, but should he have?

i mentioned to matthew the case of mcafee being in bed with government malware writing firm hbgary and mikko chimed in that hbgary wasn't an AV company and being partners with them wasn't enough to win the bet. aside from the fact that this is the first time after all these years that i've seen a member of the AV industry publicly comment on the relationship between mcafee and hbgary (i guess managing matthew's perception of AV is more important than managing mine), something about mikko's response rang hollow.

one way to interpret the situation with hbgary is to view them as government contractors whom mcafee endorsed, advertised, and helped get their code onto the systems of mcafee's customers (hbgary makes a technology that integrates with mcafee's endpoint security product). that certainly would have given hbgary access to systems and organizations they might have had difficulty getting otherwise. i have no idea if that access was ever used in an offensive way, though, so this line of thought is a little iffy.

another way to interpret the situation is to directly contradict mikko and admit that hbgary is a member of the AV industry. after all, they make and sell technology that integrates into an endpoint security product. they may only be on the fringe of the industry, but what more do you have to do to be a member of the industry than make and sell technology for fighting malware? the fact that they also made malware for the government makes them essentially a US AV company that collaborated with the government in one of the worst ways possible.

i feel like this should be enough to have won matthew green the bet, at least in spirit, but the letter of the bet was apparently that a snowden doc would reveal it and the revelation about mcafee and hbgary actually predates snowden's leaks by a number of years. 

so, the question becomes are there any companies that happen to be members of the AV industry and also happen to have been fingered by a snowden leak? it turns out there was (at least) one. they were probably forgotten because they're not just an AV vendor, but AV vendor does happen to be one of the many hats that microsoft wears (plenty of security experts were even advising people to drop their paid-for AV in favour of microsoft's offering at one point in time), and microsoft was most certainly fingered by snowden docs. the instances where microsoft helped the government may not have involved their anti-malware department, but the fact remains that a company that is a member of the AV industry was revealed by snowden documents to have collaborated with the government.

i imagine mikko could find a way to argue this doesn't count either - i admit it's not air-tight - but given how close it meets both the spirit and (as i understand it) the letter of the bet, i think mikko should match the sum he had matthew pay to the EFF and pay it to an organization of matthew's choosing. i won't bet on that happening, though.

Saturday, June 14, 2014

confessions of a twitter worm victim

as some of you may know, this past wednesday someone released a self-retweeting worm on twitter that exploited an XSS vulnerability in the popular twitter client tweetdeck. i happen to be a tweetdeck user and i got hit by the worm, not once but twice. since i believe in owning up to my mistakes in order to serve as an example to others, i figured it was important for me to write this post.

this isn't the first time i've had to do this. four years ago it was discovered that there had been a RAT bundled with the software for a USB battery charger sold by the energizer battery company (it had gone undetected by the community for years) and i wrote about my experience then as well.

this was the first time getting hit with something that could spread to others, and spread it did. i know this because i got email notifications from twitter when other people's tweetdeck clients automatically retweeted the tweet that that my client automatically retweeted. that's actually one of the things i think i did right - i have twitter setup to send me notifications for as much of that kind of activity as i possibly can. the result is that i get what is essentially an activity log sent to my email in near real-time and that alerted me to the problem within minutes of it occurring.

that quick notification allowed me to undo the retweet before it propagated from my account again. that limited the extent to which i contributed to the spread of the worm. acting quickly to neutralize the threat in my twitter stream is another thing i believe i did right.

unfortunately i also did a number of things wrong. for example, i knew about the XSS vulnerability before i encountered the worm, i saw excellent preventative advice and even retweeted that, but i failed to follow it exactly. the advice was to sign out of tweetdeck and then de-authorize the app in twitter. what i did instead was close the tweetdeck tab in my browser and de-authorize the app. i took a shortcut because i didn't believe anyone i followed would actually tweet anything malicious. i didn't anticipate that they might do so involuntarily - the possibility of something like the samy worm from years past never occurred to me. and so when news spread that the vulnerability had been fix and that users needed to log out and back in again to apply the fix i re-opened the tab, re-authorized the app (because that was the first prompt i was presented with) and then went hunting for the logout button. that's when i got the email notification that another user had retweeted one of my retweets.

however, i did not see the alert popup that was supposed to indicate the worm had executed. i didn't realize it at the time but that was important because it meant there was more going on than i realized. it meant that the worm had not executed in the client i was sitting in front of. what i had forgotten was that i had another tweetdeck client open on a computer at work and when i re-authorized the app the worm executed on the work computer rather than my home computer. it wasn't until i was on a bus to see an old friend that the significance of what had (and had not) happened clicked and then it wasn't for another several hours before i could get access to that work computer (where the alert popup was still patiently waiting for me) in order to log out and back into tweetdeck again, which i did without de-authorizing the app beforehand so the un-retweeted tweet got re-retweeted.

in short it was a comedy of errors.

what i've taken away from this is a number of things:

  1. i am once again humbled by the clear demonstration that i am not perfect. while i certainly knew conceptually that i wasn't perfect, i have had a surprisingly good track record with malware. having my ass handed to me made the appreciation of my imperfection much more visceral.
  2. i've gained a better appreciation for the value of de-authorizing apps in twitter. to a certain extent it can seem kind of abstract but what it's actually doing is isolating a vulnerable component from the rest of the network not unlike pulling the network cable out of an infected computer did back when worms that enumerated network shares or sent mass emails were prevalent.
  3. i've identified my failure to log out of things (not just tweetdeck but all sorts of sites) as a bad habit. it's pure laziness and it's not even rational laziness because there's almost no effort involved in logging in when you use a password manager. part of the reason i didn't post this sooner is because i wanted to see if breaking this habit was a reasonable expectation or whether saying i was going to improve was just wishful thinking. so far this improvement seems like an entirely reasonable expectation - i've had no problems logging out of things when i don't need the session open any longer.
at the end of the day, improvement is what sets an incident apart from a failure. the only real failure is a failure to learn from your mistakes and do better the next time. i'm not perfect (no one is) but each time i screw up i make sure i get better.