Category Archives: News

US email hacker gets his “computer trespass” conviction reversed

This week’s fascinating Friday fable reaches back nearly a decade, and is a reminder of how hard it can be to decide what wrong has been done, if any, in court cases that deal with what most people would call “hacking”.

The story of the original court case is simply told, and it goes like this.

In late 2013, X was brought in as an IT manager for a city in the state of Georgia in the US, supposedly to “increase the reliability and efficiency of the City’s computer system.”

X seems to have decided that Y’s work wasn’t up to scratch, and “criticized Y’s work performance, which led to an argument and a loud outburst from Y.”

The outcome of this, it seems, is that Y had some of his IT powers reduced for security reasons, and sadly ended up getting fired in mid-2014.

A couple of months after Y’s departure, X received an email from another colleague, whom we shall call Z, and replied as he normally would…

…only to receive a “bounce” message (a delivery failure) from a mysterious external email address, Q.

An additional recipient

You can probably guess what was going on here.

Back in 2013, presumably before his administrator privileges were revoked but after their falling-out, Y had modified X’s email account settings so that a copy of all X’s incoming email messages would be sent to the mysterious outside address, Q.

Q, it transpired, was not only operated by Y but also had been “routinely accessed from his cellphone.”

As you probably know, abusing built-in mail forwarding rules in email systems is a common trick used by cybercrooks to keep tabs on what their victims are up to, especially in so-called Business Email Compromise (BEC) scams.

BEC criminals typically monitor messages to senior figures in a company, such as the CEO or CFO, so that they have first-hand information about major financial milestones.

When huge invoices are due (or, in one notorious case, when a multimillion dollar major league soccer transfer was about to conclude), the crooks make their play to get some or all of the money redirected to a bogus account.
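Forwarding rules of this kind leave a trail in the mail system’s own configuration, so a periodic audit will catch them. The script below is an added illustration, not code from the original article or from any mail product: it takes a rule export in a constructed layout (the field names, the sample mailboxes and the `INTERNAL_DOMAINS` value are all assumptions) and flags rules that copy mail outside the organisation, that were created by someone other than the mailbox owner, or that apply to every incoming message.

```python
"""Audit mailbox forwarding rules for the pattern described above: mail quietly
copied to an outside address, set up by someone other than the mailbox owner.
Added example, not code from the article or from any mail product; the rule
layout, field names, sample addresses and INTERNAL_DOMAINS are all assumptions
and constructed data (map them onto whatever your mail platform exports)."""

from __future__ import annotations

from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"city.example"}      # assumption: the organisation's own domain(s)


@dataclass
class ForwardingRule:
    mailbox: str                 # whose mail the rule acts on
    name: str
    forward_to: list[str]        # addresses that receive a copy
    created_by: str              # account that created or last changed the rule
    conditions: dict = field(default_factory=dict)   # empty == every message


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule: ForwardingRule, internal=INTERNAL_DOMAINS) -> list[str]:
    """Return the reasons this rule deserves a second look (empty list = fine)."""
    reasons = []
    external = [a for a in rule.forward_to if domain_of(a) not in internal]
    if external:
        reasons.append("forwards outside the organisation: " + ", ".join(external))
    if rule.created_by.lower() != rule.mailbox.lower():
        reasons.append(f"created by {rule.created_by}, not by the mailbox owner")
    if rule.forward_to and not rule.conditions:
        reasons.append("applies to every incoming message")
    return reasons


def audit(rules: list[ForwardingRule]) -> dict:
    """Map (mailbox, rule name) -> reasons, for rules that raised at least one."""
    findings = {}
    for r in rules:
        reasons = audit_rule(r)
        if reasons:
            findings[(r.mailbox, r.name)] = reasons
    return findings


# Constructed sample export: one rule like the one in the story, one benign.
SAMPLE_RULES = [
    ForwardingRule(mailbox="itmanager@city.example", name="copy everything",
                   forward_to=["copyme@mail.example.net"],
                   created_by="former.admin@city.example"),
    ForwardingRule(mailbox="clerk@city.example", name="invoices to AP",
                   forward_to=["accounts@city.example"],
                   created_by="clerk@city.example",
                   conditions={"subject_contains": "invoice"}),
]

if __name__ == "__main__":
    for (mailbox, name), reasons in audit(SAMPLE_RULES).items():
        print(f"{mailbox} / {name}")
        for why in reasons:
            print("   -", why)
```

Run it as a scheduled job against a fresh export and alert on any new finding; the “created by someone else” check is the one that would have caught the rule in this story, since the forward was added by an administrator rather than by the mailbox owner.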

The ruse revealed

In this case, the siphoning off of X’s emails had been orchestrated unsubtly enough that it eventually drew attention to itself when one of X’s reply-to-alls failed to reach the unexpected additional recipient.

Unsurprisingly, perhaps, Y was prosecuted, convicted by a jury of “computer trespass”, and sentenced to 10 years’ probation.

Given that there is no suggestion that Y didn’t actually do what was described above – namely, use his Administrator powers to get copies of his boss’s emails – this probably sounds like an open-and-shut case.

However, Y has very recently, nearly eight years after the incidents described above, had his conviction set aside by the Supreme Court of Georgia.

The legal report from the hearing makes fascinating reading, albeit that it is both lengthy (at 36 pages) and full of legal jargon, such as:

The fundamental rules of statutory construction require us to construe [a] statute according to its own terms, to give words their plain and ordinary meaning, and to avoid a construction that makes some language mere surplusage.

Obstruction and interference

In plain English, the judgment focuses on examining whether the plain English meaning of the words “obstruction” and “interference”, as used in Georgia’s Computer Trespass law, actually applies in this case.

Did Y’s actions – siphoning off and looking at someone else’s business email, even after his employment at that company had ended – really amount to obstruction, given that no emails were actually impeded?

The court, it seems, decided that Y didn’t obstruct or interfere with anything, so that whatever he did, it wasn’t Computer Trespass, even though the judgement expressly notes that “[i]t is undisputed that Y did not have authority or permission to forward X’s e-mail.”

Ironically, the judgement mentions in one of its footnotes that Y could have been charged under a nearby part of Georgia law that uses rather different words, perhaps with a different final outcome.

That part of the Georgia computer crime statutes criminalises “us[ing] a computer or computer network with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority.”

The dissenters

Interestingly, three of the judges on this case dissented from the majority opinion, remarking that:

By manipulating the data stream to give himself access to X’s e-mails, Y intermeddled in the affairs of others and the data intended to go to others with neither authority nor invitation. As such, there was sufficient evidence to support a finding that Kinslow interfered with the use of the City’s computer program and its data.

Additionally, the dissenting judges criticised the majority opinion with these intriguing words:

The majority opinion educates wrongdoers that they are better off from both a detection standpoint and from prosecution as a matter of law if they simply copy data rather than block its delivery.

We can’t help but wonder whether the dissenters were alluding to contemporary ransomware attacks here, where data is often both copied, or “stolen” as you or I might say (which does not prevent the owner of the data from continuing to use it), and scrambled (which does).

What do you think?


S3 Ep39: Paying the date, #SocialMediaDay tips, and a special splintersode [Podcast]

  • [05’32”] When you spend tens of pounds but get billed thousands because the system mistook the date for the amount.
  • [14’17”] Our tips to make #SocialMediaDay your safest day on social media yet.
  • [28’06”] A clip from a great new privacy splintersode we’ll be airing next week.
  • [33’46”] Oh! No! of the week

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.



WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

PrintNightmare, the zero-day hole in Windows – here’s what to do

There’s a critical Windows bug out there that’s not only known by three different names, but also listed variously as having three different severities.

The first name you will see is the official MITRE identifier CVE-2021-1675, fixed in the Microsoft June 2021 Patch Tuesday update that was issued on 08 June 2021.

You’ll also hear and see the flaw referred to as the Print Spooler bug, based on the headline on Microsoft’s security update guide that describes the flaw as a Windows Print Spooler Vulnerability.

The bug was initially documented by Microsoft as opening up an EoP (elevation of privilege) hole in pretty much every supported Windows version, all the way from Windows 7 SP1 to Server 2019.

ARM64 versions of Windows, Server Core builds (minimalist installs of Windows Server products) and even Windows RT 8.1 made the list of affected platforms.

But on 21 June 2021, Microsoft upgraded the CVE-2021-1675 security update page to admit that the bug could be used for RCE (remote code execution) as well, making it a more serious vulnerability than an EoP-only hole.

Breaking in and taking over

As you probably know, EoP means that someone who has already compromised your computer, but is stuck with the sort of access that you would have yourself when logged on as a regular user, can promote themselves to a more privileged account without needing to know the password for that account.

An attacker who could promote themselves to the local SYSTEM account, for example, could do far more than just read or scramble your files (as bad as that would be on its own).

With access to the SYSTEM account, the attacker could capture all network traffic, load and unload kernel drivers, change security settings that are off-limits to regular users, scrape through the memory of every process looking for trophy data such as credit card numbers or passwords that never get saved to disk, and much more.

That’s bad enough, but RCE refers to a bug by which cybercriminals can break into your computer in the first place; if the bug then also permits EoP, then that’s even worse, because it essentially combines breaking in and taking over into a single security hole.

Of course, the upgrade in the severity of CVE-2021-1675 from EoP to RCE didn’t matter – or so everyone thought – as long as you’d already applied the Patch Tuesday update.

After all, closing a security hole protects you whether that hole is an EoP, an RCE, or both.

Not all bugs created equal

Apparently, what happened next was an unfortunate publication mistake.

Researchers from the cybersecurity company Sangfor, who were preparing to present a paper on Print Spooler bugs at a forthcoming Black Hat conference in August 2021, seem to have decided that it would be safe to disclose their proof-of-concept work earlier than intended.

After all, what harm in discussing and demonstrating the Print Spooler RCE bug openly, given that it was now publicly documented as an RCE, and had been patched two weeks earlier?

You can probably guess where this is going.

It seems that the newly-disclosed Print Spooler bug discovered by the Sangfor researchers wasn’t actually the same security hole that was fixed on Patch Tuesday.

In short, the Sangfor crew inadvertently documented an as-yet-undisclosed RCE bug, thus unintentionally unleashing a zero-day exploit.

The researchers apparently took down the offending information once the mistake was figured out…

…but by then it was too late, because the exploit code had already been downloaded and republished elsewhere.

Pandora’s jar had already been opened, and it was too late to close it up again.

The new-and-unpatched bug is now widely being described by the nickname PrintNightmare: it’s a Windows Print Spooler Remote Code Execution Vulnerability, just like CVE-2021-1675, but it’s not prevented by the latest Patch Tuesday update.

Indeed, several independent researchers have published screenshots on Twitter showing the new exploit succeeding on a Windows server that already has Microsoft’s June 2021 patches installed.

What to do?

There’s no official patch yet [2021-06-30T21:00Z].

We’re assuming that a fix will be released by Microsoft as soon as possible – perhaps even before next month’s Patch Tuesday updates are scheduled to arrive (12 July 2021), if a reliable patch can be created in time.

Watch out for a patch and deploy it as soon as you can once it’s out.

Until then, it looks as though disabling the Print Spooler on vulnerable computers is a satisfactory workaround.

If you have servers where you absolutely have to leave the Print Spooler running, we suggest that you limit network access to those servers as strictly as you can, even if it means that some of your users experience temporary inconvenience.

If you have servers where the Print Spooler is running but is not in fact necessary, turn it off and leave it off even after the patch comes out for this bug, on the principle of not exposing a larger attack surface than you need to.
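The three cases above (spooler running where it isn’t needed, spooler running where it must stay, spooler already off) can be turned into a fleet-wide check. The script below is an added example, not code from the article or from Microsoft: it parses the text that `sc query Spooler` and `sc qc Spooler` print on a Windows host, applies that decision, and emits the `sc.exe` commands that stop and disable the service where the advice above says to. The host names, the captured `sc` output and the `NEEDS_SPOOLER` set are constructed stand-ins for your own inventory.

```python
"""Fleet check for the Print Spooler workaround described above.  Added
example, not code from the article or from Microsoft: it reads the text that
`sc query Spooler` and `sc qc Spooler` print on each host, then applies the
article's guidance.  The host names, the captured `sc` output and the
NEEDS_SPOOLER set are constructed stand-ins for your own inventory."""

import re
from dataclasses import dataclass

# Real sc.exe syntax; the space after 'start=' is required.
DISABLE_COMMANDS = ["sc stop Spooler", "sc config Spooler start= disabled"]


@dataclass
class SpoolerState:
    host: str
    running: bool
    start_type: str      # AUTO_START, DEMAND_START or DISABLED


def parse_sc_output(host: str, query_out: str, qc_out: str) -> SpoolerState:
    """Extract STATE from `sc query` output and START_TYPE from `sc qc` output."""
    state = re.search(r"^\s*STATE\s*:\s*\d+\s+(\w+)", query_out, re.M)
    start = re.search(r"^\s*START_TYPE\s*:\s*\d+\s+(\w+)", qc_out, re.M)
    if state is None or start is None:
        raise ValueError(f"{host}: unrecognised sc output")
    return SpoolerState(host, state.group(1) == "RUNNING", start.group(1))


def recommend(s: SpoolerState, needs_spooler) -> tuple:
    """Return (action, commands) for one host.

    'disable'           spooler present but not required: stop it and keep it off
    'restrict-network'  spooler required: leave it, but firewall the host tightly
    'ok'                nothing to do
    """
    if s.host in needs_spooler:
        return ("restrict-network", []) if s.running else ("ok", [])
    if s.running or s.start_type != "DISABLED":
        return ("disable", list(DISABLE_COMMANDS))
    return ("ok", [])


def audit_fleet(captures, needs_spooler):
    """captures: {host: (sc query text, sc qc text)} -> {host: action}."""
    return {h: recommend(parse_sc_output(h, q, c), needs_spooler)[0]
            for h, (q, c) in captures.items()}


# Constructed samples in the layout sc.exe actually prints.
SC_QUERY_RUNNING = """SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SC_QUERY_STOPPED = SC_QUERY_RUNNING.replace("4  RUNNING", "1  STOPPED")
SC_QC_AUTO = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Windows\\System32\\spoolsv.exe
        DISPLAY_NAME       : Print Spooler
"""
SC_QC_DISABLED = SC_QC_AUTO.replace("2   AUTO_START", "4   DISABLED")

NEEDS_SPOOLER = {"print01"}            # assumption: the only server that must print
FLEET = {
    "fs01": (SC_QUERY_RUNNING, SC_QC_AUTO),        # running, not needed -> disable
    "print01": (SC_QUERY_RUNNING, SC_QC_AUTO),     # running, needed -> restrict
    "dc01": (SC_QUERY_STOPPED, SC_QC_DISABLED),    # already off -> ok
}

if __name__ == "__main__":
    for host, action in audit_fleet(FLEET, NEEDS_SPOOLER).items():
        print(host, action)
```

Note that a host whose spooler is merely stopped but still set to start automatically is reported as “disable”, because a reboot would bring the service back; the workaround only holds if the start type is changed as well.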

Also, watch this space – more news as we have it!

PS. While you’re about it, please make sure that you have correctly installed the CVE-2021-1675 fix that came out on Patch Tuesday. There’s not much point in chasing after this new RCE bug for which there isn’t yet a patch if you are still exposed to the old RCE bug that does have a patch!


Colombian police arrest Gozi malware suspect after 8 years at large

More than eight-and-a-half years ago, we wrote about the US indictment of three cybercrime suspects.

The troika was wanted for allegedly operating a bank-raiding crimeware “service” known as Gozi, based on zombie malware that used a technique known as HTML injection to trick victims into revealing personal information relating to their on-line banking.

As we explained at the time [original text slightly edited]:

Adding to or altering the content of a bank’s online login form is tricky if you want to make the modifications on the server side or while the content is in transit. […]

But if you can plant malware on the victim’s PC, you can use what’s known as an MiTB attack, or “manipulator in the browser”.

Then, you wait until a suitable online transaction form has been securely delivered and decrypted for display in the browser. Only then do you inject content into the HTML in order to modify the form, for example to request additional security information that wouldn’t normally be needed at that point.

Finally, you exfiltrate the extra data entered by the victim by sending it somewhere other than the bank.

By leaving the genuine fields in the web form alone, and allowing data in the genuine parts of the form to flow to the regular banking site as usual, HTML injection attacks generally don’t interfere with the original transaction.

That means there is no tell-tale error message or failed transaction that the crooks need to disguise, and there is no tell-tale fake URL in the address bar that an observant user might notice.
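A browser-side integrity check is one way to notice the extra fields that such an injection adds, precisely because the genuine form is otherwise left intact. The Python below is an added, simplified model of that check (not Gozi code and not from the original article): it compares the form as observed in the page against a manifest of the fields and action the bank expects. The HTML, the form id and the field names are constructed; `mothers_maiden_name` and `atm_pin` stand in for the sort of “additional security information” the article mentions.

```python
"""Form-integrity check modelling what a browser-side script could do against
HTML injection: compare the form actually present in the page with the fields
and action the site expects.  Added example; the HTML, form id and field names
below are constructed and do not come from any real bank or from Gozi."""

from html.parser import HTMLParser


class FormInventory(HTMLParser):
    """Collect, per <form id=...>, its action and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = {}          # form id -> {"action": str, "fields": set()}
        self._current = None     # id of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id", "")
            self.forms[self._current] = {"action": a.get("action", ""), "fields": set()}
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self.forms[self._current]["fields"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_form(observed_html, form_id, expected_action, expected_fields):
    """Report fields that were added or removed and whether the action moved."""
    inv = FormInventory()
    inv.feed(observed_html)
    form = inv.forms.get(form_id)
    if form is None:
        return {"missing_form": True}
    expected = set(expected_fields)
    return {
        "missing_form": False,
        "injected_fields": sorted(form["fields"] - expected),
        "removed_fields": sorted(expected - form["fields"]),
        "action_changed": form["action"] != expected_action,
    }


# Constructed: the login form as the bank serves it.
CLEAN_HTML = """
<form id="login" action="/auth/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Log in</button>
</form>
"""

# Constructed: the same form after an injection that leaves the genuine
# fields and action alone but asks for extra "security" details.
INJECTED_HTML = """
<form id="login" action="/auth/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <label>For your security, please confirm:</label>
  <input name="mothers_maiden_name" type="text">
  <input name="atm_pin" type="password">
  <button type="submit">Log in</button>
</form>
"""

EXPECTED_FIELDS = ["username", "password"]

if __name__ == "__main__":
    for label, html in (("clean", CLEAN_HTML), ("injected", INJECTED_HTML)):
        print(label, check_form(html, "login", "/auth/login", EXPECTED_FIELDS))
```

The point the injected sample makes is the one the article makes: the action and the genuine fields are untouched, so nothing breaks and nothing in the address bar changes; only a comparison against what the form is supposed to contain reveals the two extra inputs.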

Using the stolen data, the Gozi crooks could then raid the victim’s bank account, with the US Department of Justice (DOJ) noting at the time that there were at least 17,000 Gozi malware infections in the US alone, including 160 at NASA.

It seems that rocket scientists aren’t just people of interest to cybercrooks for the latest spaceplane plans – their bank account details are valuable, too.

The three defendants were accused of playing different roles in the overall scam, detailed by the 2013 charge sheet as follows:

Kuzmin was said to have been what you might call the COO of the “business”, hiring coders to write the Gozi malware and operating the Crimeware-as-a-Service (CaaS) business based around it.

Čalovskis was the HTML injection expert, coding up the HTML modifications used to trick the victims and steal their account information.

Paunescu allegedly ran what are known as “bulletproof hosts” for the enterprise – servers that are intentionally operated to be hard for cybersecurity defenders to identify and take down.

By 2016, Kuzmin – whom we assume was caught in the US despite himself being Russian, and who had been in custody for more than three years while his case dragged on – finally pleaded guilty, and was sentenced to “time served”, meaning that his 37 months on remand were considered incarceration enough.

He was also required to forfeit just under $7,000,000, which gives you an idea of how much money bank-raiding malware crooks stand to make off with.

Čalovskis was in Latvia, and successfully fought extradition to the US until 2015, having convinced a Latvian court that his likely sentence would be considered unreasonably harsh by Latvian standards.

(The DOJ routinely lists maximum sentences in its reports – 67 years in the case of Čalovskis, as shown above – even though maximums are rarely handed out.)

By 2015, however, the two countries had apparently reached a “reasonableness agreement” whereby Čalovskis, if extradited, would not appeal his conviction or sentence if he were to get no more than two years.

In the end, that’s what happened, with Čalovskis being sent to the US, pleading guilty and admitting: “I knew what I was doing was against the law.”

After 21 months in custody, he too was sentenced to “time served” while awaiting extradition and sentencing, a period of less than two years, as agreed in advance.

Only Paunescu remained out of the DOJ’s clutches, apparently spared from extradition by a Romanian court.

Until this week, that is, when he was picked up at Bogotá International Airport by the Colombian authorities, who promptly contacted the US diplomatic service to see if it wished to begin extradition proceedings.

We’re not sure whether Paunescu was busted on the way in or on the way out; reports state just that he was “sporting a thick beard and wearing a red t-shirt.”

(A Wu-Tang Clan shirt, apparently, according to one image bearing the Colombian Attorney General’s logo.)


Police warn of WhatsApp scams in time for Social Media Day

You might be forgiven for thinking that every day is social media day, given how much gets shared each day via social media services.

For the past 11 years, however – yes, we’ve been addicted to social media for at least that long – the date 30 June has been given capital letters and referred to as Social Media Day, a 24-hour period when we are supposed to…

…well, we’re not entirely sure how you cheer about any one day of social media content more than any other, so we can’t advise you how to celebrate #SocialMediaDay.

But we do think that #SocialMediaDay is a great excuse to take a few minutes to stop and think about how to improve your safety and security on social media in general.

Indeed, police in London, UK warned only yesterday – on social media, of course! – about the resurgence of a WhatsApp scam designed to trick you into handing over 2FA (two-factor authentication) codes so that crooks can take over your account.

Hijacked accounts used for hijacks

We’ve discussed this scam before on the Naked Security podcast, because it’s a good reminder of how cybercriminals use one hijacked social media account to target others.

The idea is simple.

Closed-group instant messaging and social media communities don’t suffer from spam in the same way that your email account does, because you can set up your account so that only approved contacts such as friends and family can message you in the first place.

That means, however, that you’re more inclined to trust messages and web links that you do receive, because they generally come from someone you know.

You may have friends who try to shock you for a laugh, or rickroll you, or tell you zany stories that you aren’t really interested in, but they’re unlikely to set out with the intention of tricking you into installing malware, filling in a fraudulent web form, or investing in an outright scam. In contrast, your email feed is probably littered every day with messages from unknown senders who are deliberately trying to pull off one or more of those very cybercrimes.

It’s not who you know

Strictly speaking, of course, you can’t always rely on the fact that social media messages in closed groups come from someone you know, but merely that they come from the account of someone you know.

And if you have ever had a password compromised, you will be well aware of the sinking feeling that comes with realising that someone else has control over one of your online accounts.

Suddenly, someone else gets to put words in your mouth, to post images that claim to be yours, to riffle through all your protected posts, to get in touch with your friends under your name, to root around in the profile data in your account, to decide who you’re following and who’s allowed to follow you, and much more.

Even worse, a crook who takes over your account may be able to reconfigure your security settings so that they’re in and you’re locked out.

If that happens, you will probably end up in lengthy back-and-forth negotiations with the social media service concerned in order to prove not only that your account was stolen in the first place, but also that you are, indeed, the rightful user to whom it should be restored.

And during the back-and-forth process to recover your account, the crook who took it over will typically retain control, giving them more than enough opportunity not just to harm your reputation or steal your personal data, but also to prey on your friends and family…

…who will be more inclined to trust any fraudulent messages they receive, for the very reason we mentioned above, namely the reasonable assumption that friends generally don’t foist spam messages, phishing tricks, malware attacks and scams on their own friends.

Need money urgently

You’re probably familiar with the “need money urgently” scams that have circulated for years via hacked social media accounts.

In these scams, crooks use an account they have taken over to pretend to be a friend of yours who has been mugged while on vacation (practically homeless, no ID or cards, please send a wire transfer at once!), or who is having trouble paying back a payday loan (deadline is midnight tonight to avoid heavy interest, please pay this bill for me right now!), or some other reason that tugs at your heart strings.

Those scams go after your money, but a recent variant involves going after the accounts of people you know.

In this modern variant of the “mugged abroad/send money now” trick, a message will arrive from a friend’s account with a cock-and-bull story to the effect that this friend inadvertently copied-and-pasted your phone number into their own WhatsApp account.

As a result, the scammer will say, they are now on the point of being locked out of their own account because their 2FA (two-factor authentication) security codes will go to your phone instead of theirs from now on.

Would you be so kind, your “friend” will ask, as to forward the next security code you receive to them?

That way, they can “sort the mess out” and reset the phone number on their own account, so that you won’t get bothered by the SMS codes any more?

Never do this!

The only true part of this 2FA scam is that you won’t be bothered by SMS security codes any more – because the crook won’t be changing the phone number on your friend’s account (they’ve already done that), but will reset the phone number on your account instead.

You won’t be helping your friend retain control of their account; you will be actively participating in compromising your own!

Once the crooks are in, they’ll then use your account to go after the accounts of your friends and family, and so on, and so on.

What to do?

  • Never share 2FA security codes with anyone. If you’ve turned on 2FA on your various accounts, good for you. It’s not a silver bullet, so it can’t guarantee that your account won’t get hacked, but it does make things harder for the crooks. Don’t play the ball back into their court by sharing those secret codes with other people, no matter how convincing their story sounds.
  • Regularly review the privacy settings on all your accounts. Unfortunately, each social media service typically has its own set of privacy menus and security options, so we can’t give you a generic tip that will work for all of them. But it doesn’t take long to explore the privacy and security menu of your various online accounts. We like to take screenshots of important configuration pages, which serve as a handy reference to find those settings again.
  • Never use the same password on more than one account. If crooks compromise one of your accounts (which needn’t be your fault, for example if a service suffers a data breach of its password database), you can assume they will try that password right away on all your other accounts, just in case they get lucky.
  • Guard your email account at least as strongly as any other account. That’s because your email service is often the route by which you reset passwords on your other accounts if something goes wrong. A crook who can take over your email account typically moves one step closer to controlling all your other accounts at the same time.
  • Never trust messages simply because they come from a friend’s account. Just as importantly, if a weird message from a friend’s account makes you think they’ve been hacked, don’t message them back via the same service to warn them. If you’re right, your real friend will never see the warning, and you will have tipped off the crooks that you are onto them. Contact your friend some other way instead.
