Re: [Full-disclosure] Microsot DID DISCLOSE potential Backdoor
- To: "J. Oquendo" <sil@xxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Microsot DID DISCLOSE potential Backdoor
- From: Aaron Kempf <aaron_kempf@xxxxxxxxxxx>
- Date: Mon, 5 May 2008 16:24:59 -0700
more importantly--
this is just another symptom that 'Microsoft makes Windows run slower over
time to force us to buy a new version'.
If the software is doing things-- that it wasn't designed (advertised) to do--
that by definition is called BLOATWARE.
It's time for MS to make performance _JUST_ as important as security.
Performance is important-- I'm hoping that Microsoft wakes up one of these days
and starts talking about the 'Software Performance Lifecycle'.
Personally, I'm sick and tired of MS forcing crapware / bloatware down our
throats.
This software that you're talking about-- is just another symptom that MS
doesn't give a crap about its users.
-Aaron
> Date: Sat, 3 May 2008 22:45:41 -0500
> From: sil@xxxxxxxxxxxxxxx
> To: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Microsot DID DISCLOSE potential Backdoor
>
> While you were sleeping and focusing on COFEE...
>
> Microsoft Discloses Government Backdoor on Windows Operating Systems
> Wednesday, April 30th, 2008 @ 6:00 am | Privacy, News
> http://www.infiltrated.net/?p=92
>
> Microsoft may have inadvertently disclosed a potential Microsoft backdoor for law enforcement earlier this week. To explain this all, here is the layman's term for a backdoor from Wikipedia:
>
> A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.
>
> According to an article on PC World: "The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows."
>
> Not a big deal until you keep reading: "Although Microsoft is reluctant to give out details on its botnet buster - the company said that even revealing its name could give cyber criminals a clue on how to thwart it"
>
> Stop the press for a second or two and look at this logically: "users who have installed the Malicious Software Removal tool" followed by "Microsoft is reluctant to give out details on its botnet buster - the company said that even revealing its name could give cyber criminals a clue on how to thwart it", what? This is perhaps the biggest gaffe I've read thus far on potential government collusion with Microsoft.
>
> We then have the following wording: "Microsoft had not previously talked about its botnet tool, but it turns out that it was used by police in Canada to make a high-profile bust earlier this year." So again, thinking logically at what has been said so far by Microsoft; "We have a tool called Malicious Software Removal tool...", "we can't tell you the name of this tool since it would undermine our snooping...", "it's been used by law enforcement already to make a high-profile bust earlier this year."
>
> Remember a "Malicious Software Reporting Tool" is a lot different from a "Malicious Software Removal Tool". Understanding networking, computing, botnets, let's put this concept into a working model to explain how this is nothing more than a backdoor. You have an end user, we'll create a random Windows XP user: Farmer John in North Dakota. Farmer John in North Dakota uses his machine once a week to read news, send family email, nothing more. He installed Microsoft's Malicious Removal Tool. Farmer John's machine becomes infected at some point and sends Microsoft information about the compromise: "I'm Farmer John's machine coming from X_IP_Address".
>
> A correlation is done with this information and then supposedly used to track where the botnet's originating IP address is from. From the article: "Analysis by Microsoft's software allowed investigators to identify which IP address was being used to operate the botnet, Gaudreau said. And that cracked the case." This is not difficult, detect a DST (destination) for malware sent from Farmer John's machine. Simple, good guys win, everyone is happy.
>
> The concept of Microsoft's Malicious Software Removal tool not being a backdoor is flawed. For starters, no information is ever disclosed to someone installing the Windows Malicious Software removal tool: "Windows will now install a program which will report suspicious activity to Microsoft". As far as I can recall on any Windows update, there has never been any mention of it.
>
> "But this is a wonderful tool, why are you being such a troll and knocking Microsoft for doing the right thing!". The question slash qualm I have about this tool is I'd like to know what, why, when and how things are being done on my machine. It's not a matter of condemning Microsoft, but what happens if at some point in time Microsoft along with government get an insane idea to branch away from obtaining other data for whatever intents and purposes?
>
> We've seen how the NSA is allowed to gather any kind of information they'd like (http://www.eff.org/issues/nsa-spying), we now have to contend with Microsoft attempting to do the same. Any way you'd like to market this, it reeks of a backdoor: (again pointing to the definition) A backdoor in a computer system ... is a method of bypassing normal authentication, ... obtaining access to ... , and so on, while attempting to remain undetected. There's no beating around the bush here on what this tool is and does.
>
> This is reminiscent of the 90's with the NSA's ECHELON program. In 1994, the NSA intercepted the faxes and telephone calls of Airbus. What resulted was the information was then forwarded to Boeing and McDonnell-Douglas in which they snagged the contract from under Airbus' feet. In 1996, the CIA hacked into the computers of the Japanese Trade Ministry seeking "negotiations on import quotas for US cars on the Japanese market". Resulting with the information being passed off to "US negotiator Mickey Kantor" who accepted a lower offer.
>
> As an American you might say "so what, more power to us" but to think that any government wouldn't do it to its own citizens for whatever reason would be absurd. There are a lot of horrible routes this could take.
>
> What happens if slash when for some reason or another the government decides that you should not read a news site, will Microsoft willingly oblige and rewrite the news in accordance to what the government deems readable?
>
> How about the potential to give Microsoft a warrantless order to discover who doesn't like a President's "health care plan", or who is irate and whatever policy; Will Microsoft sift through a machine to retrieve relevant data to disclose to authorities?
>
> That doesn't include the potential for say technological espionage and gouging of sorts. What's to stop Microsoft from say, mapping a network and reporting all "non-Microsoft" based products back to Microsoft. The information could then be used to say raise support costs, allow Microsoft to offer juicier incentives to rid the network of non MS based products, the scenarios are endless.
>
> Sadly, most people will shrug and pass it off as nothing. Most security buffs, experts, etc., haven't mentioned a word of it outside of "the wonderful method to remove, detect, botnets!" and I don't necessarily disagree it's a unique way to detect what is happening, but this could have been done at the ISP and NSP level without installing a backdoor. Why didn't law enforcement approach botnets from that avenue? Perhaps they have, this I'm actually certain of which leads me to believe this is a prelude of something more secretive that has yet to be disclosed or discovered.
>
> http://www.pcworld.com/businesscenter/article/145257/microsoft_botnethunting_tool_helps_bust_hackers.html
> http://cryptome.org/echelon-ep-fin.htm (ECHELON MISHAPS)
>
> More on Microsoft's *Potential* Government Backdoor
> Thursday, May 1st, 2008 @ 7:21 am | Privacy, News
> http://www.infiltrated.net/?p=92
>
> After reading through Microsoft's comments repeatedly yesterday, I cannot come to the conclusion that Microsoft's "Malware Removal Tool" is not some form of backdoor. Their comments in the initial article are extremely disturbing and anyone using a Microsoft product should now be extremely wary about downloading new updates if even deciding to continue using Microsoft at all.
>
> So let's take a look at the top botnets. Srizbi, Bobax, Rustock, Cutwail, Ozdok, Nucrypt, Wopla, Spamthru, Storm, Grum, Onewordsub; These are the top as reported by Secure Works. (http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets) Guess what, eight out of eleven are all encrypted. Not that big of a deal until you decipher what Microsoft stated in their original quotes in correlation to some facts.
>
> From the article: Microsoft security experts analyze samples of malicious code to capture a snapshot of what is happening on the botnet network, which can then be used by law enforcers, Cranton said. "They can actually get into the software code and say, 'Here's information on how it's being controlled.'"
>
> Perhaps Microsoft could clarify how exactly they are doing what they do, more importantly, what information is being sent over the wire and to whom. Are they now breaking code as well? Did the botnet authors go through the steps of encrypting code? We know for a fact that traffic being sent from a compromised host to a controller is encrypted, so what is Microsoft analyzing? What COULDN'T Microsoft have gained from getting code for analysis say by working along with Symantec or someone else?
>
> Now before you shoot off an answer like "the code doofus, they're analyzing the code!", think about it again. If they're in it to analyze solely the code, they could have worked with AntiVirus vendors for samples as opposed to putting a tool on your machine which collects YOUR DATA and sends it off to who knows where. A law enforcement agency, or team Microsoft.
>
> I'll pause on this for now. How about the validity in stating: "Botnet Operator tracked via IP". How legitimate is this argument given the fact (not presumption) that IP is a horrible identifier? Let's put this in a practical example. Farmer Joe in Nebraska is using a DSL connection that is always on. He uses Windows XP and doesn't know what a Windows Update is so he's never used it. His computer is compromised, a botnet controller is installed and attacks are launched from Nebraska. The attacker sanitized Farmer Joe's machine to erase his tracks using multiple wipes with perhaps PGP. The end.
>
> For any business or law enforcement agency to claim they can track down via an IP address, perhaps they've skimmed on the fact that there are far too many open WiFi hotspots in the world to conclusively narrow a fact. We have an assumption that an attacker is behind 10.10.10.159. Can we see them? No. All we know is the address. Being I've used a private address, I won't bother diving into "but he came from ISP X in Nebraska." Irrelevant. What you have is a fishing expedition.
>
> / SNIP
> For more on this false sense of ID-via-IP: Well, let me ask you who you think 171.70.120.60 is. I'll give you a hint; at this instant, there are 72 of us.
>
> Here's another question. Whom would you suspect 171.71.241.89 is? At this point in time, I am in Barcelona; if I were home, that would be my address as you would see it, but my address as I would see it would be in 10.32.244.216/29. There might be several hundred people you would see using 171.71.241.89;
> /END SNIP
>
> I implore you to read a NANOG thread
> http://readlist.com/lists/trapdoor.merit.edu/nanog/6/33246.html
> Professionals know, IP is an inaccurate identifier so why does it seem that Microsoft along with LEO are relying on this? Makes a great baseline sure, but is certainly ripe for abuse.
>
> Again, please understand what I am stating, this is "not to say that it's a horrible idea", it's a start, a baseline - but not a definitive measure of determining who is controlling a bot, who created the botnet, etc.
>
> Looking at past history, unfortunately you have the tinkerers; so what happens to an up-and-coming "security" buff who is getting into the field and stumbles upon a botnet? Sure he was moronic to join an irc channel filled with bots, sure he was idiotic in downloading the code for the sake of learning. Fact is he might have. Guess what will happen to him when a Law Enforcement Agency raids his house? Guess what will happen when that agency needs funding for a new uber Cyber(buzzword)Crime fighting department. You guessed it. Hey "Up-and-coming security buff..." Kiss your terminal goodbye, and from here on out, your dreams of becoming the next Bruce Schneier will be close to non-existent. It happens.
>
> Anyhow, re-emphasizing... Shame on Microsoft for forwarding your data without telling you. Shame on Microsoft for not asking you if you wanted to "PARTICIPATE" in sending data. Shame on Microsoft for not explicitly stating: The data we are sneaking off your computer will be sent to government agencies of our choice. It's a horrible practice and a damaging breach of trust. Their action worries me as a security professional, will they ever scour for data for profit? Why not, no one would notice or care anyway.
>
> J. Oquendo
> sil @ infiltrated dot net
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA #579 (FW+VPN v4.1)
> SGFE #574 (FW+VPN v4.1)
>
> wget -qO - www.infiltrated.net/sig|perl
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/