Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others
An anonymous reader writes: Reuters reports that a cybersecurity firm has found evidence that a bug in Microsoft's Windows operating system has allowed hackers located in Russia to spy on computers used by NATO, Ukraine, the European Union, and others for the past five years. Before disclosing the flaw, the firm alerted Microsoft, who plans to roll out a fix on Tuesday. "While technical indicators do not indicate whether the hackers have ties to the Russian government, Hulquist said he believed they were supported by a nation state because they were engaging in espionage, not cyber crime. For example, in December 2013, NATO was targeted with a malicious document on European diplomacy. Several regional governments in the Ukraine and an academic working on Russian issues in the United States were sent tainted emails that claimed to contain a list of pro-Russian extremist activities, according to iSight."
Said nobody.
Russians using American software to spy on NATO. The irony is mind blowing.
It's annoying and unnecessary.
Read here for a more detailed perspective
http://www.isightpartners.com/2014/10/cve-2014-4114/
1 - ISight claims this has been a five year campaign and then adds that "hackers began only in August to exploit a vulnerability found in most versions of Windows". So where did the "five year" timeline come from?
2 - "Russian hackers target NATO, Ukraine and others" the article screams and then we find this wishy washy explanation from ISight's John Hullquist on his claim about the hackers being Russian:
"Your targets almost certainly have to do with your interests. We see strong ties to Russian origins here".
Sounds like a bunch of FUD to me
Bill has always said (and rightly so) that Microsoft is *not* a security company, and that security is the user's responsibility when using their products.
In the same light, Bill also said 640k should be enough memory for anyone (I have the audio recording!)
All kidding aside, there's no evidence to suggest this hasn't been used by America on other countries...
CAP == 'speech!'
User clicks on a malicious PPT file, which installs a backdoor. Don't people check task manager for unscrupulous executables running on their systems?
Buck Feta. You know what to do.
has had this one on the shelf, without disclosing it?
Using foreign proprietary technology and using in particular Windows are retarded. What are they really expecting?
Naturally it's the Russians, because of espionage...
No US corporations have ever done that!
holy shit! NATO uses Windows??
it's "wasted" - not "waisted"
Yeah! Fuck Windows! If people only ran Linux, they wouldn't have to worry about security issues, like Shellshock and Heartbleed! ...oh, wait...
Women in the Ukraine wear combat boots. Now you know.
Seems our computer (users) are in their oral phase: stick everything you find on the street in your mouth.
"I want everything to happen automagically when I stuff a random $USB_DEVICE in my box"
"I want everything to happen automagically when I open some $RANDOM_DOCUMENT I found on the intratubes"
"I want any $RANDOM_APP linked from some $MORE_RANDOM_WEBSITE to be automagically installed in my browser (which I also use for banking, ferchrissake) and to take over my life from then on"
Well, duh.
Now, don't take me wrong. This sounds a lot like "blaming the victim". While *I* do avoid many of the behaviours mentioned above, I'm painfully aware that I'm well within reach of a well-mounted social engineering attack by a determined and average-skilled attacker.
What I wanted to say is that we have a problem which won't go away just by wildly patching things right and left. Some part of the solution will have to be user education, and we are doing particularly badly in this department, in part due to Microsoft's and Apple's mantra of "our computers are so easy any idiot can use them".
It's not a 'Flaw', it's a feature.
Did the bug somehow prevent NATO, Ukraine, EU and others from spying on Russia?
I would argue with you, but I don't want to get any stupid on me.
- Waisted money and time on security breeches and lost data
Are they high-waisted or low-waisted breeches?
Bill [Gates] also said 640k should be enough memory for anyone (I have the audio recording!)
Really? Please could you give a link to that. People have argued over and over whether he really said that. He denies it himself, so it would be very interesting if a recording exists and can be made public.
I'll take those two vulnerabilities in Linux instead of Windows' numerous ones (and undisclosed ones) anytime.
1) "So where did the "five year" timeline come from?"
Some Sandworm attacks also use five older vulnerabilities that have already been patched. The exploits are used to install various versions of BlackEnergy, a malicious tool used by cybercriminals. The tool gained notoriety in 2008 when botnets infected with the malware were used to launch denial-of-service attacks against systems in Georgia during a standoff between that country and Russia.
2) "wishy washy explanation from ISight's John Hullquist on his claim about the hackers being Russian"
Hulquist said he believed they were supported by a nation state because they were engaging in espionage, not cyber crime.
Crime can be anyone; espionage is reserved for a very select set of parties. It's a mere matter of deduction, but feel free to believe what you wish, just stop posting it.
Anons need not reply. Questions end with a question mark.
Spell-checkers can turn typos into ridiculous sentences.
Put your computers in a locked room.
Do not attach your computers to an external network.
If you don't trust your employers, don't attach your computers to any network.
Lock the door to the computer room and allow no one but trusted individuals entry.
Lock the door.
We knew this in 1975 when I worked at Burroughs. We knew this in 1973 when I was in charge of changing the paper tapes used for batch printing. Why don't we seem to know this today?
Article fails to mention that the anti-virus maker Kaspersky itself has been linked to Russian state security services, and computers using Kaspersky may contain back doors accessible to the FSB.
You know that they've been all in there for even longer than the "Russian hackers", but it's convenient to not mention them when trying to demonize Russia.
What's the news about this? It's not like the US hasn't used the same leaks, or any other country...
I'll take those two OpenSSL and Bash vulnerabilities any day! That's an important distinction, and not making it lulls anyone using OpenSSL or Bash on a non-Linux system into a false sense of security and may prevent them from patching. That's either a good or bad thing, depending entirely on the color of your hat.
Yes, Heartbleed and Shellshock both had the potential to be much, much worse than this bug. However, those were only exploited after being found and disclosed, and patches being made available, while this and other Windows flaws are only patched after being found, disclosed, and exploited for a while. Where there were patches issued for Heartbleed and Shellshock within hours of disclosure, this won't be patched until Patch Tuesday. Mind you, that's today, but it's still coming not only days after the disclosure, but months after active exploits.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
...work nicely for {NSA, GCHQ, BND, FAPSI, Unit 8200, Nork Long-Range Reconnaissance Division, Russkie Mafia}.
..what's your hourly rate at Burson-MarsTeller ? I might join you.
Please write to me at Slimebag762111@hotmail.com
I'll start with your last comment first. Your files, online and off, may have never been modified or deleted by someone other than yourself but that doesn't mean they haven't been hacked. A good hack leaves no trace and an expert hacker would copy your files without altering them.
Everything else you say... well... It's true that Linux often lags in support for the newest video and graphics cards, and some cheap shit scanners that only ship with binary blob drivers (I've experienced this and Linux was doing me a favor; when I got it working on Windows and saw the crap quality, I realized this), but it sure beats the pants off Windows in support for pretty much everything else. Can't really beat CUPS for printer support, for example; at the office, we have a networked HP laser printer, pretty old but still functions flawlessly, so why replace it? It's a good thing we're a Linux and OSX house, because our Win7 testing box doesn't have a driver for it. I don't have time to list every instance of this I've encountered, so I've provided one example on each side; take that however you will.
I'm not sure what 1990's technology you were running Linux on when you supposedly tried it in the past, but font rendering has been decent in most Linux distros for at least a decade. I haven't seen X eat CPU since I started using a supported accelerated graphics card (e.g. anything from Intel and anything not brand new from AMD or nVidia) and, honestly... you're gonna say Linux has ugly DEs while using that tiles interface? If you don't like your DE on Linux, you install a different one, or configure it however you want. Done. Don't like the Windows DE? Do what most people do, skip the upgrade and forego patches until MS releases something you do like again. Have fun with that.
As for hours, days, and weeks of wasted time on Windows, yes, if you're managing more than a handful of machines and aren't a super-competent admin, it happens. Look at any school or government IT department for examples. Of course, it happens with any OS; Linux has a decent enough community that you can usually find someone to help you out of a bind if you get stuck, though; maybe I wasn't in the right communities, but I never had that when I was a hardcore Windows user. Once you get your system set up the way you like, regardless of OS, you can image it so it's quick to clone or restore; upgrades are a bit easier with Linux, though, IMO, since a new release of your distro may introduce a new DE, but you're welcome to keep using the old one if you like it. Really nice after you've spent the time to customize it.
NSA has to make sure U.S. computers don't have those bugs, but the rest of the world will get the exploitable version. THAT is probably what they did. Too bad anyone trusts Americans.
Time to ban this crap from computers.
I had both fixed with a simple yum update within minutes.
For this round of Windows exploits (not just bugs... stuff exploited in the wild), I'm still waiting for the announced Windows patches to be downloadable. Shellshock was easy to take care of. It was taken care of via the OS's update mechanism or by copying a statically linked bash executable into place [1].
The funny thing is that I read about Linux exploits. When it comes to Windows, I read about successful intrusions on a supermassive scale. I'd rather deal with exploits that -could- be used, rather than stuff already taken advantage of on an enterprise level by the blackhats.
[1]: Yes, it does take up more space, but for something as important as a shell, it should be statically linked so it can be used even if no libraries are accessible. It also doesn't hurt to have busybox available for similar reasons. I've had cases where commercial software would glitch and unlink a library, and it is a lot faster to use busybox to get it fixed than to reboot the machine from OS media, relink, boot back.
Blimey, get with the times!
22 years ago at school we were all using Object Packager in Windows 3.1 to smuggle in arbitrary EXEs - long before any of this current hoo-ha erupted. Of course, we were more concerned with smuggling in games rather than using it for spying...
The only surprising thing is that it's taken them over 22 years to realise that yes, allowing random EXEs to be packaged up isn't really a good idea!
I will counter that ridiculous argument with the fact that a good alien anal-probing also leaves no evidence behind. Moving on, while grandfathering old hardware can be an advantage, it's not a priority for everyone. Sorry, but both font rendering and the default selection of fonts included with most any Linux distro are still terrible. About the only "modern" DE I've seen is KDE and it still runs like a narcoleptic pig on even the fattest hardware. Among Windows and OSX users, you'll find little demand to run an entirely different desktop environment because both Apple and Microsoft have paid people to put in the time to create a polished interface. Let's not forget the bugs. Last time I tried KDE (just 2 months ago), I found that closing a minimized window from the task bars would make the window reappear so the closing animation could be shown. Really shoddy work. Or, my favorite, programs that just fail to start without any indication, requiring you to run the program from a terminal to get the error message you should have gotten in the first place. That's the problem with a "GUI second" approach. It's simply unacceptable in 2014.
Schools and governments aren't the best examples to use, since they often fail at properly administering things outside of IT. Since Windows is so ubiquitous, if you're having a hard time solving a problem using Windows, one would have to question your search engine skills. Linux will remain a niche OS for desktop use until at least one company buckles down and invests a whole lot of time and effort to not make yet another half-baked distro, but a full-on OS like Android. Set high standards, stick to them, and have a long term plan. Terminal input should be optional for 99% of all operations, period. One polished, well-designed desktop interface that is moderately configurable yet uses sane defaults. Last but not least, a community with practical users that have no grudges against proprietary software and is free of zealots like Stallman and company.
> If you see a huge flashing "It's a trap!" sign [...]
In a way, you are right. Then, you ain't. It's a matter of perception. You (and me) might see the flashing and the red button, others just see a Powerpoint presentation from some "interesting source" which just wants to download this tiny thing to work properly.
We've been acclimatized to downloading & executing stuff from random locations (Javascript, anyone?). I do browse with no Javascript (tho the usual browsers make it more and more difficult to switch it off, yikes), but I'm sure that a determined hacker can mount something which deceives me too.
Now -- how do we solve this conundrum? I don't know. But one part will be user education. Another would be (keep on dreaming, hah) MUCH less "active content" out there, so that browsing is (most of the time) feasible without executing random stuff downloaded from The Tubes. But as long as The Tubes are fueled by the advertisement industry, and as long as ads resemble more and more advanced malware, there'll be a financial incentive in keeping people gullible and their systems vulnerable.
Like diversity at the CIA they consider this a success...
If one uses Windows he deserves what he gets!
Ok. I'll bite.
- Hours, days, weeks of waisted time in Installations configurations and updates.
My system installs configuration updates at night or in the background and only reboots when I'm not using it, so no wasted time.
- Bad style, and ugliness
Subjective. I quite like the style and presentation of Windows all the way through Windows 8.1, although Metro apps are a slight nuisance, but I've never used any open source tool that has better style than its Windows equivalent, including Apache/Libre/Open Office, The GIMP, Firefox, or anything made by Google (and if you try to claim Google Docs is somehow better than MS Office, I guess everyone will now know how full of shit you are).
- Slowness and retarded technology
Well, slowness is measurable, but as with your first false claim, it doesn't impact me in meaningful ways. "retarded" technology, however, is subjective and also not something someone should try to hold against MS given how many terrible, terrible OS tools exist.
- Limited devices and architecture support
Really? Really? OK. I'm done here.
Don't hold your breath. This guy knows he does not have an audio recording; I have googled high and low, and all you can find is the quote, which Bill Gates denies. Furthermore, MS was never in a position to dictate the memory on the system; that was decided by IBM, who decided to use a 16-bit Intel chip which is inherently restricted to 1024KB (640K for programs, 384K for VRAM and BIOS functions). It's merely propaganda; blaming IBM isn't politically correct since they are now Linux backers.
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Doesn't even list hostnames or even IP addresses of the Sandworm C&C's, no matter how deep you dig into it and its source articles. That's totally substandard bullshit and useless.
What is the point? For starters none of us have any idea who all has a stock of what 0-days for any platform.
Secondly CVE databases are loaded to the hilt with windows and Linux vulns.
Distinctions made are about as useful as an intelligence contest for the mentally retarded. Unsurprisingly everyone is failing ... badly.
The point is that failure to make the distinction between a bug only affecting Linux and a bug affecting a library or application (such as a shell) that can run on any arbitrary platform usually means that only Linux users of that library or application end up taking immediate action to correct the issue, leaving users of the library or application on other platforms vulnerable until the next time they apply system patches for another issue. In some cases it's a difference of days, in others it's weeks, months, or years, when it could have been hours had the distinction been made.
It's not about a pissing contest between platforms, it's about keeping people informed so they can act appropriately. Imagine yourself a FreeBSD user; if you heard of Heartbleed as a Linux bug, would you think to look for an OpenSSL patch? No, you'd laugh at the stupid Linux users and go about your day, remaining vulnerable. On the other hand, if you hear about an OpenSSL bug, and you know you're using OpenSSL, you're going to check regardless of platform. That's why the distinction is important.
it's about keeping people informed so they can act appropriately. Imagine yourself a FreeBSD user; if you heard of Heartbleed as a Linux bug, would you think to look for an OpenSSL patch?
If your idea of being notified is hearing about it on CNN, ./, other "media" or social propagation, you're doomed.
Users should not be expected to know what supporting libraries are used by applications. Application vendors need to provide patches and make announcements for service-affecting vulnerabilities in supporting libraries distributed with their applications, no different than if the source of error were their own code.
Operating system/package vendors need to provide patches and make announcements for vulnerabilities in the software and standard libraries they distribute.
There are established update/security notification channels for these things users need to be following... there is no need for anyone to be guessing or make incorrect assumptions and no excuse for depending on shit sources (mass media, blogs, friends) for security notifications.
If anything keeping people "informed" is doing them a disservice.
While I don't disagree with the point you are making in this post, I think you're greatly missing *my* point. As an informed user and sysadmin, I keep an eye on current CVEs and use that information to know when to expect new patches, which allows me to begin testing and applying them long before media or social circles pick up the information and, often, some time before vendor notifications or any automated update processes. Most sysadmins, and nearly all users, aren't as attentive and they do rely on media and social circles for this information; knowing this, it is extremely irresponsible to misrepresent facts relating to a vulnerability in such a way, especially knowingly.
If you can't get behind that, I sure as hell hope you aren't in a position even remotely related to system administration or security.
So, you're saying that just because something you don't believe happens (alien anal probes, which I won't argue) leaves no trace, that something else that leaves no trace also doesn't happen? I'm not sure you fully understand logic, but I digress.
You're approaching me as though you assume I'm a Linux user. Well, you're half right; my desktop of choice, at the moment, is OS X, and I maintain a couple of Windows boxes, but my servers all run Linux. I have to agree, KDE4 is garbage, but I loved KDE3 when I used it; Ubuntu's Unity DE isn't bad, but I'm not really a big fan. I could make KDE3 work on a modern distro (there's the choice bit I was talking about) and if I ever decide to run Linux as a desktop platform, I probably will.
Don't make me laugh by saying the current iteration of Windows isn't ugly as fuck, though; even Win7, which has IMO the best interface of any version of Windows, looks silly until you turn off all the eye candy, the Win8 tiles interface is ugly as hell by most peoples' accounts, and really only useful on a touchscreen. I say this as a Sony Vaio Duo owner. I don't mind the interface as much on the Duo's touchscreen, but there's a reason the Duo sits in my closet and it has nothing to do with the performance of the machine, itself; my Win7 machine does everything I need to do in Windows and the interface doesn't make me want to blow my brains out.
Seeing the direction OS X (again, my current desktop of choice) is heading, running the Yosemite beta, I sincerely hope MS heads back in the direction of Win7 before Apple's interface becomes really and truly obtrusive. If not, at least I can stick KDE3 on Ubuntu and roll with that as a primary desktop. Choice is good.
As an aside: Ubuntu really does come a long way toward what you're looking for from Linux; might I suggest you give it a try? They even have an app store now, just like Android, which you seem to think is the deciding factor when determining whether an OS is complete or not. I guess we didn't have a single "complete" OS until Apple released the first version of iOS to include an app store?
Well, yes, the way in which I was right was the context of user education, which is the topic of the post to which I was replying. My point was that user education only works for users willing to be educated, and those users, by and far, don't need to be taught, because, like you and me, they've already taken the time to learn. In short, anyone who has these problems repeatedly has not only refused to ask how to prevent them, they've also refused to listen when told.
An undocumented ability to spy on NATO countries? Sounds to me like a feature, not a bug.
Correction: spy back on NATO countries. I'm living in one of the snoopiest.
There's no time like the present. Well, the past used to be.
All the exact same can be said for Linux.
You're biased and/or naive if you think otherwise.