Microsoft

Stories about Microsoft, Windows, Office and so on

Flaming certs

Today is Tuesday for me, but it’s not “second Tuesday,” so it shouldn’t be patch Tuesday.  But today my little netbook, which is set just to inform me when updates are available, informed me that it had updated, but I needed to reboot to complete the task, and, if I didn’t do anything in the next little while it was going to reboot anyway.

Yesterday, of course, wasn’t patch Tuesday, but all my machines set to “go ahead and update” all wanted to update on shutdown last night.

This is, of course, because of Flame (aka Flamer, aka sKyWIper) has an “infection” module that messes with Windows/Microsoft Update.  As I understand it, there is some weakness in the update process itself, but the major problem is that Flame “contains” and uses a fake Microsoft digital certificate.

You can get some, but not very much, information about this from Microsoft’s Security Response Center blog.  (Early mentionLater.)

You can get more detailed information from F-Secure.

It’s easy to see that Microsoft is extremely concerned about this situation.  Not necessarily because of Flame: Flame uses pretty old technology, only targets a select subset of systems, and doesn’t even run on Win7 64-bit.  But the fake cert could be a major issue.  Once that cert is out in the open it can be used not only for Windows Update, but for “validating” all kinds of malware.  And, even though Flame only targets certain systems, and seems to be limited in geographic extent, I have pretty much no confidence at all that the blackhat community hasn’t already got copies of it.  (The cert doesn’t necessarily have to be contained in the Flame codebase, but the structure of the attack seems to imply that it is.)  So, the only safe bet is that the cert is “in the wild,” and can be used at any time.

(Just before I go on with this, I might say that the authors of Flame, whoever they may be, did no particularly bad thing in packaging up a bunch of old trojans into one massive kit.  But putting that fake cert out there was simply asking for trouble, and it’s kind of amazing that it hasn’t been used in an attack beofre now.)

The first thing Microsoft is doing is patching MS software so that it doesn’t trust that particular cert.  They aren’t giving away a lot of detail, but I imagine that much midnight oil is being burned in Redmond redoing the validation process so that a fake cert is harder to use.  Stay tuned to your Windows Update channel for further developments.

However, in all of this, one has to wonder where the fake cert came from.  It is, of course, always possible to simply brute force a digital signature, particularly if you have a ton of validated MS software, and a supercomputer (or a huge botnet), and mount a birthday (collision) attack.  (And everyone is assuming that the authors of Flame have access to the resources of a nation-state.  Or two …)  Now the easier way is simply to walk into the cert authority and ask for a couple of Microsoft certs.  (Which someone did one time.  And got away with it.)

But then, I was thinking.  In the not too distant past, we had a whole bunch of APT attacks (APT being an acronym standing for “we were lazy about our security, but it really isn’t our fault because these attackers didn’t play fair!”) on cert authorities.  And the attacks got away with a bunch of valid certs.

OK, we think Flame is possibly as much a five years in the wild, and almost certainly two years.  But it is also likely that there were updates during the period in the wild, so it’s hard to say, right off the top, which parts of it were out there for how long.

And I just kind of wonder …

Michelangelo date

OK, having now had this conversation twice, I’ve gone back to the true source of all wisdom on all things viral, “Viruses Revealed.”  I got it off my shelf, of course, but some helpful vxer (who probably thought he was going to harm our sales) posted it on the net, and saved David and I the bother.  (Remember, this guy is a vxer, so that page may not be entirely safe.)

Michelangelo is covered between pages 357 and 361, which is slightly over halfway through the book.  However, since I guess he’s missed out the index and stuff, it turns out to be at about the 3/4 mark on the page he’s created.

Anyway, Michelangelo checks the date via Interrupt 1Ah.  many people did not understand the difference between the MS-DOS clock and the system clock read by Interrupt 1Ah. The MS-DOS DATE command did not always alter the system clock. Network-connected machines often have “time server” functions so that the date is reset to conform to the network. The year 1992 was a leap year, and many clocks did not deal with it properly. Thus, for many computers, 6th March came on Thursday, not Friday.

New computers – Windows 7 – printers and USB

C’mon, fess up.  Who did the discovery protocol for Windows Universal Plug and Play?

Was it supposed to work for USB?

Windows has always been annoying in regard to USB.  I’ve had it “forget” mice and jump drives (sometimes never to accept them again on that port).  I’ve had a port “locked” by an Adobe picture manager (which I hadn’t realized Adobe was installing while I was trying to upgrade Reader to get rid of the latest round of vulnerabilities) so that it never recognized my camera again on *any* USB port, and insisted that every jump drive I attached was a camera.  Windows has never been willing to specifically identify any USB port even if it reports a problem.

Recently our printer (yes, a Winprinter with a USB connection: these days, can you find any other type?) has been flaky.  Not the printer itself: it’s fine.  And, yes, I did install the correct Win 7 driver, thank you very much.  Not that either Microsoft nor HP were very helpful about that.  The computer started out just fine, for a few months.  Then it started not recognizing that it had a printer.  Then it started seeing that it had something connected, but couldn’t tell what it was.  And sometimes it would cycle between these states constantly, while I was working.  (I’d hear a rising double beep as it realized it had a printer, or a falling double beep as it lost it, or couldn’t recognize it.  It got so bad that I’ve had to turn the speaker volume down given the near constant clamour of beeps.)  We tried different things: rebooting, changing to another user, power cycling the printer, power cycling the printer and waiting a while before we turned it on, turning the printer on first, not turning the printer off when once it had successfully accepted a print job.  Sometimes they worked, sometimes they didn’t.  Recently it’s gotten a lot worse.

(And, yes, I did Google it.  And AltaVistaed it  Never found anything helpful.  Even when I added profanity, as I suspected would be the case with someone who had gotten as frustrated with it as I was.)

So, at Gloria’s suggestion, today I hauled the computer out of its nook and swapped the printer to another USB port.

She was right: after I changed it the queue printed.

I lost the keyboard, monitor (twice), mouse (twice).  Eventually got them back. And then the computer crashed.  I lost some bookmarks I had collected this morning, and some outbound email: don’t know what or how much.  As far as I can tell I still have access to other devices, but I got a report that the Passport drive has a problem and I’m currently running a check on it.

But the printer is still printing.  So far.

I could really get to hate Microsoft.  Very easily …

Help Desk Scams and Microsoft

Apparently when the coldcalling species of scamming maggot claims to be Microsoft or partnered with Microsoft, there really is sometimes a relationship of sorts lurking behind the scenes there, though that doesn’t mean that Microsoft are at all a party to the scam, of course.

I’ve been gnawing at that particular bone for quite a while now – see, for instance, http://blog.eset.com/?s=Harley+%2B+support+scam and http://go.eset.com/us/resources/white-papers/Hanging-On-The-Telephone.pdf and http://www.scmagazineus.com/supporters-club/article/199459/ – and the name Comantra has turned up time and time again in the context of site registrations, though I haven’t had the resources to confirm links with the company in terms of individual scam calls.

But somehow I’d never realized the company really was a Microsoft Gold Partner. Apparently Microsoft took some time to make the connection too. But they have, and Comantra is no longer a Gold Partner. According to PC Pro, a Microsoft spokesman said:

“We were made aware of a matter involving one of the members of the Microsoft Partner Network acting in a manner that caused us to raise concerns about this member’s business practices.Following an investigation, the allegations were confirmed and we took action to terminate our relationship with the partner in question and revoke their Gold status.”

Somehow, though, I doubt if this means the end of coldcall scams. There were lots of sites and lots of names registered for sites that were associated with individual scammers, and there seems to be no real pressure from law-enforcement in the regions where the calls are actually originating. And Comantra is claiming that it’s all to do with negative marketing from their competitors. Gosh, never heard that one before…

On the other hand, since I moved house a few weeks ago, I haven’t had a single support scam call, though there’ve been a few “we can help you sue your mortgage lender” calls with a reassuringly Indian accent. Still, I miss being told I’m leaking viruses all over Surrey. How long do you suppose it will take them to catch up with me?

David Harley CITP FBCS CISSP. And stuff.
Small Blue-Green World