Word Vulnerability Compromised US State Dept.
hf256 writes "Apparently hackers using an undisclosed (at the time) vulnerability compromised the State Department's network using a Word document sent as an email attachment. Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"
Well this should push everything towards open document formats a bit more, so it might just be a good thing...
It seems those hackers missed the Philippines and accidentally hit the state department instead
Quick everyone, the bandwagon is getting ready to leave. Jump on.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
The fact that a simple Word document can cause such a big problem is really sad. How can you tell a few thousand people not to open Word document attachments? I mean, where I work, users receive tons of documents (pdf, office, autocad files) by email from vendors and such. I guess the only defense is good email filtering, but still, a 0-day attack would make that useless.
Queue the legion of Microsoft apologists, saying things like:
a) It's only because MS Office has the largest market share, this could have happened to any office suite!
b) It's not a big deal, obviously the state department's IT department is incompetent.
c) Damn Hackers, always trying to ruin a good thing!
d) Macs run on Intel processors now, so they're vulnerable too!
e) This is probably because the NSA sponsors SELinux.
f) In Soviet Russia, MS Office hacks YOU!
Did I miss any?
WhiteWolf666, an ex-Bush supporter. All you new-school, compassionate, save-the-children Republicans can rot in hell
1) the attack, once found, would have a bevy of coders working on it (we hope, of course)
2) the testing and regression doesn't have the dependency matrix that Word does, and it's likely that if there was a link, it could be both understood and remedied quickly through an open code supply chain
3) multiple hackers (oops, I mean coders) would likely offer variances of a patch, of which perhaps several would/could be part of the subsequent 'patched' tree
4) eight weeks is a travesty, and that the State Department of the United States of America didn't have an IDF that could detect the aberrant traffic is just plain malfeasant. Heads should roll.
---- Teach Peace. It's Cheaper Than War.
The Commies are Coming !! The Commies are Coming !!
(bell done rung three times)
Ahh, I remember the days when a virus spreading via email was just a silly joke that everyone knew was impossible.
Thanks Microsoft.
How we know is more important than what we know.
At first, the hackers did not immediately appear to try stealing any U.S. government data. Authorities quietly monitored the hackers' activity, then tripwires severed Internet connections
If you find evidence of a break-in, it's possible the attackers are also connecting in a way you haven't yet detected. Hope they know what they're doing. Given their reputation, I doubt it.
...the system is down.
On a more serious note, FTA, "By opening the document, the employee activated hidden software commands establishing what Reid described as backdoor communications with the hackers."
This is why Word document software should not automatically run a scripting engine. Unfortunately, the article does not say what version of Word or Office was used. Should we assume all are susceptible?
"Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"
Not only were they infected, they were infected multiple times! And then, completely delirious, they thought Microsoft was informed. And then--horror of horrors--they had to amputate their internet connection before they leaked.
Normally, i like the sob story, but this is TMD, Too Much Data.
Have you read my journal today?
meep
"...then had to sever internet connectivity to avoid leaking too much data!"
"Cap'n, we're having a wee bit 'o trouble in IT - we're leaking data down here like no one's bloody business - we may have to sever communications!"
"Scottie - is it really that bad...? Isn't there some alternative that will buy us more time??!! I need more time, dammit man!"
"Cap'n, I'm only a Star Fleet Engineer, not the Queen's magician..."
"Well, Engineer...see if you can pull a rabbit out of your ass and buy me five more minutes before you cut us off. That's all we need to make the jump, and after that you can cut your nuts off for all I care!"
"Aye, Cap'n...do me best - one shit-stained rabbit, com'n up - IT out!"
Anytime that applications are allowed to access files or capabilities beyond what is absolutely necessary to perform their function, there is a risk.
Microsoft has created some of the most powerful office tools by leveraging tons of existing code that wasn't exactly designed for the intended purpose.
For example, I love VBA (visual basic for applications)... it can make it very easy to turn a basic spreadsheet into a pseudo application. The problem is, VBA has too many ties to the OS.
That's where "sane" operating systems differ. User space and the OS are heavily separated, in fact, user space for each user is separated from other users, and almost all services run as a unique user. This intentional separation provides very robust security, and is absolutely necessary to creating a secure system.
I cannot blame anyone but MS for this... and not the MS Word or Office team. If the OS were properly designed so that user space applications were properly separated, issues such as this would not exist.
The best part is how long in coming the patch for this is... if these systems were running anything open source, a preliminary patch would be made in a matter of hours (assuming that it was posted immediately to an appropriate mailing list or IRC channel).
I can't wait until the saying is changed to "Everybody is getting fired for buying Microsoft"... because, IMO, any IT manager who gives a shit about the "INFORMATION" portion of their title should be fired for trusting it to MS's proprietary bullshit!
Sometimes the best solution is to stop wasting time looking for an easy solution.
I'm sorry, were the customers not at risk before? I don't understand. How could a security update expose more security holes, unless it were coded by a dumbass?
Oh, wait...
Well, it's a good thing the government standardizes on opendoc and does not cater to special interests like Microsoft's lobbyists when making requirements for secure workstations.
http://saveie6.com/
I had an interesting discussion the other day with some colleagues and we came to a consensus that many Microsoft products were and still are, or at least inherit, a design philosophy similar to that of the Internet when it was first created. The Internet was built on a basis of implied trust and, as we have seen in present times, particularly with e-mail and the SMTP protocol, this model of design is a poor foundation. To counter these issues we need to design more and cleverer countermeasures in an escalating war with miscreants; a parallel we also see in Microsoft products, with a never-ending cycle of Anti-Virus and Anti-Spyware updates and patches required to deal with both programming flaws and poor design choices that assumed trust (recall the ILOVEYOU debacle). The real kicker is that you could argue that many of the problems we now face on the Internet are largely due to poor design in Microsoft software, which as I noted parallels an original design methodology of the Internet. We've had several articles earlier in the week pushing a view that the Internet needed to be re-architected due to its flawed security design (although I think it's more about commerce and control, but I won't go there for now) - is it not also time to re-architect Microsoft and their approach to developing products? Would we even have these problems if not for Microsoft? My two cents.
...rigged Excel spreadsheet that wires money to ElQaida yet... ;)
Excuse me, but please get off my Pennisetum Clandestinum, eh!
...knowing that your products were banned from the State Department for some theoretical and highly unlikely exploit, while Microsoft Word continues to be used there despite a documented (no pun intended) security breach attributed to it.
In their determination to successfully match Office's rich features, Open Office has acquired similar vulnerabilities. One evaluation I saw some time ago concluded that Open Office was likely to be more vulnerable than Office.
If you want to be secure, run software that does what you need, and NO MORE! Rich functionality and extensibility are the attack points. Not many people want to restrict themselves to txt files or filtered html, let alone edit any longer with editors such as vi or microemacs. Due to their extensibility, pdf and postscript are suspect in the eyes of the truly paranoid, let alone the complex modern formats.
I really think it's overdue to wipe away the cronies and have a professional semi-nonpartisan bureaucracy.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
Are you implying that is not the case with windows??? A quick look in task manager shows some system processes running as your user account, some as "LOCAL SERVICE", some as "NETWORK SERVICE", (both restricted accounts) and some as "SYSTEM" (=root). And a quick look at top on my linux box sure doesn't show "almost all" services running as unique users.
And sure, it's up to the administrator to configure it so the user account is not an administrator, but I've never seen a government system where a domain user account has local admin rights.
In the specific case of this vulnerability, the word document was able to run arbitrary executable code as the current user. This presumably allowed access to network shares, and then sending the data back out (via HTTP most likely). That sort of thing would be possible with any operating system.
The only area you are correct in is that on linux the flaw could be patched quicker... But in a large organization, it likely could still be preferable to block the exploit with IDS/firewall rules than by rolling out a client patch...
Most people who are not familiar with IT in the US Government have NO IDEA how dependent even the military is on MS products. Think MS based virii, worms and exploits aren't on classified networks? Networks that don't even share a common hardware link to the internet...
Off-topic, but...
Richard Stallman is giving his "Copyright and Community in the age of computer networks" lecture at Johns Hopkins tomorrow morning. For anyone who's heard it already: worth taking an early lunch to go hear? How long does it run?
Thank god there are no file sharing users/security risks at the State Department. It's better to populate an important governmental agency with drones as opposed to internet savvy employees who can't assist network administrators by giving them a slightly more informed heads up regarding odd or bizarre 'puter goings-ons. I hate my own sarcasm. Hate it.
According to MS, this is the normal course of operation.
Patents Drive Free Software as Hurricanes Drive Construction Industry
One of our clients' email is set up so that if you send them an attachment without a particular second attachment, their firewall drops the attachment and only gives you the file. Lemme spell it out for the slow students in the class.
A customer needed an instruction for how to remove the lid from a specialty box. (for field support purposes, the field guys could be morons, so better to have something from the vendor)
He calls me and asks for it, I whip something up in PDF and shoot it over to him.
He calls me and says, got your email but not the attachment.
Me: Huh?
Him: When I send this email, reply to it and keep the attachment that's there and attach the doc again.
So, why is the US Govt not using the same thing? Can it really cost that much to implement (obv not)
2^3 * 31 * 647
Are you suggesting I don't read all my make install and
I review my scripts for correctness every morning before I kick off my kernel recompile and take my shower.
A sane email policy blocks executable files and archives containing executables, but allowing dot docs in is probably unavoidable.
I wonder then, if it might be possible to scan a Word document for stuff that's not needed. Treat all dot docs that have VB in them as executables and block them out. You might go so far as to attempt intelligent analysis of the document to make sure it consists only of code that would reasonably be generated by a human being. Perform sanity checks on certain variables and so on.
Too busy staying alive... ~ R.A.
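The attachment policy described in the post above (block executables and archives containing executables, let .doc files through but treat the ones that carry VBA as executables) can be expressed as a small gateway check. The following is an added example, not code from the original post or from any product mentioned on the page. It assumes a hypothetical gateway that hands each attachment's filename and bytes to classify(); the sample attachments are constructed inline and are just enough structure to exercise the checks, not real documents. It relies on two facts about the formats: legacy .doc/.xls files are OLE compound documents whose directory entries store stream names as UTF-16LE (so a macro-bearing file contains the stream name "_VBA_PROJECT" in that encoding), and the newer zip-based formats keep macros in a vbaProject.bin member.

```python
import io
import zipfile
from dataclasses import dataclass

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE compound document header
ZIP_MAGIC = b"PK\x03\x04"                           # zip local file header (OOXML too)
MZ_MAGIC = b"MZ"                                    # Windows PE executable

EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat",
                   ".cmd", ".vbs", ".js", ".msi"}

# Storage/stream names present only when an OLE document carries a VBA project.
# This is a heuristic (a real gateway would parse the OLE directory properly);
# names are checked both as ASCII and as the UTF-16LE the OLE directory uses.
VBA_MARKERS = [b"_VBA_PROJECT", b"Macros"]


@dataclass
class Verdict:
    action: str   # "allow", "block" or "quarantine"
    reason: str


def _ext(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""


def has_vba_markers(data: bytes) -> bool:
    return any(m in data or m.decode().encode("utf-16-le") in data
               for m in VBA_MARKERS)


def zip_members(data: bytes):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify(filename: str, data: bytes) -> Verdict:
    """Decide what the gateway should do with one attachment."""
    if _ext(filename) in EXEC_EXTENSIONS or data.startswith(MZ_MAGIC):
        return Verdict("block", "executable attachment (by name or MZ header)")
    if data.startswith(ZIP_MAGIC):
        members = zip_members(data) or []
        if any(_ext(m) in EXEC_EXTENSIONS for m in members):
            return Verdict("block", "archive contains an executable")
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return Verdict("quarantine", "Office document with a VBA project")
        return Verdict("allow", "archive / OOXML without macros")
    if data.startswith(OLE_MAGIC):
        if has_vba_markers(data):
            return Verdict("quarantine", "legacy Office document with VBA streams")
        return Verdict("allow", "legacy Office document, no macro streams found")
    return Verdict("allow", "no executable content detected")


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real documents).
SAMPLES = {
    "invoice.doc": OLE_MAGIC + b"\x00" * 64
                   + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64,
    "memo.doc": OLE_MAGIC + b"\x00" * 128,
    "report.docm": _zip_bytes({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>",
                               "word/vbaProject.bin": b"\x01\x16"}),
    "report.docx": _zip_bytes({"[Content_Types].xml": "<Types/>",
                               "word/document.xml": "<w:document/>"}),
    "photos.zip": _zip_bytes({"readme.txt": "hi", "setup.exe": b"MZ\x90\x00"}),
    "setup.txt": b"MZ\x90\x00" + b"\x00" * 32,   # renamed executable
}


def scan_all(samples=SAMPLES) -> dict:
    return {name: classify(name, data).action for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = classify(name, data)
        print(f"{name:14} {v.action:10} {v.reason}")
```

Note that a macro-free .doc still reaches the user here; the breach in the article was a parser vulnerability, not a macro, so macro stripping narrows the attack surface but does not close it. For production use the olevba tool from the oletools project does the OLE parsing properly instead of the substring heuristic above.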
If they needed to completely drop all internet access, it shows how poorly organised their internet services were.
Most people under similar circumstances would simply upgrade their firewall ruleset and, if necessary, adopt alternate internal policies to allow limited connection to the internet during the crisis - especially given that it was indicated that the problems dropping the internet connection caused were significant.
Simply unplugging the pipe to circumvent an internal threat is like turning the power off to an entire city just so someone can change a lightbulb... It's not necessary and it highlights the lack of Internet security skills available to some large government departments.
GrpA.
Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
And why does it need to send to the internet?
That isn't the job of a word processor.
So "privilege escalation" is *built in* to MS applications.
And in order to make using these privs easier for the user, they are run with often higher privs than necessary (especially since there's no "postmaster" account, or "apache" user, etc. Just "you", "root" and "admin").
For Linux/UNIX priv escalation is a mistake. For MS it's a "feature".
Ol' Condi Rice couldn't negotiate herself out of a paper bag...she's got three speeds of belligerence.
Blar.
Until then, this will be a SLOW and steady take away.
I prefer the "u" in honour as it seems to be missing these days.
Dude this is Micro$oft Windows not Linux
Win 95 to NT Who knows what the department is running.
The only sane windows connection is OFF (UNPLUGGED).
The IT guys at my work do that too, but all they really need to do is strip off everything except text/plain. At least that way we could keep working. They probably think emailing Word documents to each other is normal and can't imagine not having it.
http://michaelsmith.id.au
-1 for subby for using the word "hacker" to describe the criminal(s) responsible. You'd think the /. crowd would know better.
Tom
Someday, I'll have a real sig.
And it doesn't have to be tied to a pro-active security scan, so your argument about the world economy grinding to a halt is just bogus. Even in the current reactive mode, where patches are triggered by vulnerability exploits, open source comes out ahead. A corporation using open source can run a particular exploit through a source code debugger to find out the offending code for themselves. This is nowhere near as labor intensive as a full scan of a product and still provides much more disclosure to the customer than is provided by MS or any other closed-source vendor.
We are the 198 proof..
Heads should roll
They did
-mcgrew
If you're re-imaging employees' systems when you can't figure out their problem in 15 minutes, my guess is you're the most-hated and lowest rated department on any internal customer service surveys.
"Sorry, Joe. I can't resolve your problem and the egg timer just went off, so I'm remotely re-installing Windows and destroying whatever customization you've done to the machine. Now, about that 'How is IT doing' survey..."
I bet there are a lot of support people who would love to work for an organization where the solution is to nuke from orbit if you can't resolve the issue in some arbitrary time period. I'd also bet that for other employees attempting to use computers to get their work done, having you for a "support" organization is like having Hannibal Lecter for a physician.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
This isn't a story out of the early-1990s; they're talking about something relatively recent (last summer).
It has been well known, for a very, very long time, that Microsoft's applications basically treat what normal software would treat as passive content, as active code. Any time you open someone else's MS Word, MS Excel, etc document, you're running someone else's computer program. I can accept that responsible people might not have understood this 15 years ago, but in 2006? Geez, get real!
When people make such well-known and obvious mistakes like this, I can't really blame the software maker. If you still use Microsoft products, then you ought to know this by now. If you use those products on machines that have access to sensitive information, or if you use those products to load and execute code from untrusted sources, then the consequences are your fault, not Microsoft's. You used the wrong tool for the job. I don't blame a hammer for hurting me when I smash my head with it; the hammer functions exactly like I expect it to.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Why in the world would anyone with security concerns (and even the tiniest amount of sense ;-) allow the use of Word or any other proprietary, binary format, in email?
;-)
A fun example: A couple of years ago, a fellow hereabouts told the local linux/unix user group a funny story of how Word docs got banned at his workplace. It seems that a VP had written some missive, and decided that it was so important that everyone in the company would want to read it. So he mailed it out to everyone. It was a Word doc, and the people with unix-type workstations mostly couldn't read it, so they did the obvious thing. They fed it to the strings(1) command. The result of this isn't pretty, since it loses all the (binary) formatting and font markup, but the text was readable.
However, strings can't decode the binary stuff, and didn't know to honor the "deleted" tags on big chunks of the file. It seems that among the deleted stuff was a list of the salaries of most of the management. Ooops!
The unix users got a bit of a chuckle out of this, of course, and the news got back to the VP (and other managers) what he'd mailed out. After the inevitable finger pointing settled down, the message got through the managers' thick skulls that Word docs can and usually do contain "deleted" stuff that hasn't actually been removed or blanked out, and any time they send someone a Word doc, they might be sending them pieces of any other Word doc that has ever been on their computer. And it's not just unix users who can read this "deleted" stuff; a clever programmer could fairly easily make it visible on Microsoft systems, too. You could just port the strings command to Windows.
So the word came down that Word docs were strictly forbidden in email. Especially email sent outside the company.
This problem is not exactly secret. Any organization that allows Word docs, or any other proprietary binary format, in emails is inviting exactly this same sort of problem. Even if you don't understand it or believe it, chances are that some of your competitors do.
It's especially astonishing that the US State Department would allow Word docs to be emailed. Don't they have any competent security people at all?
(Or maybe they do, but they are intentionally ignoring the advice of such people. That does seem to be how the US government works these days.)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
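The "port strings to Windows" idea from the story above, as an added example that is not part of the original post: a small printable-run extractor that a sender can run over a document before it leaves the organisation, to see text that the word processor does not display. It goes one step beyond strings(1): Word stores much of its text as UTF-16LE, which GNU strings skips unless run with -e l, so the scanner looks for 8-bit and UTF-16LE runs. The sample bytes are constructed inline (a fake header, binary noise and two text runs), not a real Word file; in a real file the "deleted" text sits in the same text stream with revision markers, which this example does not model.

```python
import re


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, found either as 8-bit ASCII or as UTF-16LE."""
    n = str(min_len).encode()
    runs = []
    # Plain printable ASCII, the classic strings(1) behaviour.
    for m in re.finditer(rb"[\x20-\x7e]{" + n + rb",}", data):
        runs.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: each printable byte is followed by a NUL byte.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){" + n + rb",}", data):
        runs.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(runs)


def review_for_leaks(data: bytes, keywords):
    """Strings mentioning any keyword (case-insensitive): what a pre-send
    check would show the author, regardless of what the editor displays."""
    kws = [k.lower() for k in keywords]
    return [(enc, text) for _, enc, text in extract_strings(data)
            if any(k in text.lower() for k in kws)]


NOISE = b"\x83\x01\xff\x02" * 8   # non-printable filler standing in for binary records

# Constructed sample: an OLE-style header, the visible memo text stored as 8-bit
# characters, and a "deleted" table stored as UTF-16LE that strings(1) would miss.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + NOISE
    + b"Quarterly update: all hands meeting Friday" + NOISE
    + "Salary table (deleted): CFO 310000".encode("utf-16-le") + NOISE
)

if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print(f"{offset:6d} {enc:9s} {text}")
    print("flagged:", review_for_leaks(SAMPLE, ["salary", "confidential"]))
```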
... does the state department use word? Yes, in principle the same thing can happen on other systems, but Word, Windows, Office, and a fair chunk of other Microsoft applications are known for this kind of thing. If the electric circuitry of your house goes out time and time again, and each time it turns out to be your toaster, and no matter how often you send it back to be repaired it happens again. Would you eventually consider trying another brand or would you ask for your money back? Let's go further, suppose this was a known problem with the particular brand of toaster, and it happened to a large number of people, over and over again, despite the repairs. Suppose it happened with every single model of toaster this company made. Suppose the problem was well known and the company only made half-assed efforts to fix it. Suppose every time your lights went out the people using a different model would point and laugh at you. Would you keep paying $100 per toaster for this brand, knowing full and well that you would have to pay another $200 in three years time, or would you get a toaster from someone with an excellent track record in building them reliably, who gave it to you for free, gave you the full blueprints, was recommended by a number of certified electricians, and used half the amount of electricity as compared to your old toaster?
.. whatever. Heck, you could set up a system allowing you to boot either of the three ( or fifteen if you like to switch between different distros ) for the cost of the Mac alone. Private users can at least refer to the gaming industry, but the state department? I bet it would be cheaper for them to hire someone to develop whatever OS-specific software they needed rather than dealing with Windows.
It is indeed easy to blame Microsoft, but to be honest, it is the people who keep giving them money for developing this crap that allow them to continue to do so. Unless you are a hard core gamer ( and even if you are ) chances are you can find everything you need on another platform. Linux, Mac, BSD
Since OpenOffice has a spreadsheet program, a database program, and a program to make presentations with, I'm certain that there are Open Document formats specific to spreadsheets, databases, and "presentations."
There is a fine line between recklessness and courage... -- Paul McCartney
Quite common practice for sites with forensics capabilities.
What did the payload do on the system in question, or elsewhere on the Intranet?
Stopping incoming is not as important as stopping outgoing after a breach!
Former geek, now I can rest...
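Several posts above make the same defensive point: the backdoor had to talk out (L65 guesses HTTP), a site with intrusion detection should have seen the aberrant traffic, and after a breach the outbound side matters more than the inbound. The following is an added example, not from the article or any commenter, of what that outbound check looks like over proxy logs. The log lines, the allowlist and the thresholds are all constructed for the example, and the log format (ISO timestamp, client, method, destination host, bytes sent by the client) is an assumption; it flags a client/host pair when a lot of data is POSTed to a destination outside the allowlist or when requests recur at near-constant intervals, the scheduled check-in pattern of a backdoor.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not from any real system). Assumed format:
# timestamp client method host bytes_sent_by_client
PROXY_LOG = """\
2006-05-12T09:00:03 10.1.4.22 GET www.state.gov 412
2006-05-12T09:05:10 10.1.4.22 POST updates.cnc-placeholder.invalid 51200
2006-05-12T09:10:10 10.1.4.22 POST updates.cnc-placeholder.invalid 49800
2006-05-12T09:15:11 10.1.4.22 POST updates.cnc-placeholder.invalid 50330
2006-05-12T09:20:10 10.1.4.22 POST updates.cnc-placeholder.invalid 51010
2006-05-12T09:12:44 10.1.4.31 POST webmail.example.com 2048
2006-05-12T09:30:00 10.1.4.31 GET www.example.com 300
"""

# Destinations workstations are expected to reach (constructed). Anything else
# is scored rather than silently trusted.
ALLOWLIST = {"www.state.gov", "webmail.example.com", "www.example.com"}

VOLUME_THRESHOLD = 100_000   # bytes POSTed by one client to one unknown host
BEACON_MIN_EVENTS = 3        # need a few samples before judging regularity
BEACON_JITTER = 0.10         # stddev/mean of the gaps below this looks scheduled


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, int(size)))
    return events


def find_suspicious_egress(text, allowlist=ALLOWLIST):
    """One finding per (client, host) pair that looks like exfiltration or beaconing."""
    by_pair = defaultdict(list)
    for ts, client, method, host, size in parse_log(text):
        if host in allowlist:
            continue
        by_pair[(client, host)].append((ts, method, size))

    findings = []
    for (client, host), evs in by_pair.items():
        evs.sort()
        reasons = []
        sent = sum(size for _, method, size in evs if method == "POST")
        if sent >= VOLUME_THRESHOLD:
            reasons.append(f"{sent} bytes POSTed to unknown host")
        if len(evs) >= BEACON_MIN_EVENTS:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < BEACON_JITTER:
                reasons.append(f"{len(evs)} requests at ~{mean(gaps):.0f}s intervals")
        if reasons:
            findings.append({"client": client, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_egress(PROXY_LOG):
        print(f["client"], "->", f["host"], ";", "; ".join(f["reasons"]))
```

The allowlist is the part that needs real effort: the narrower the set of destinations a workstation may reach, the less a backdoor can hide in, and the less drastic the response has to be than unplugging the whole department.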