Corrupt Internet Police | TechSNAP 140

Corrupt Internet Police | TechSNAP 140

The perfect crime, that’s Cloud enabled. The NSA gets caught with Google\’s cookies, and a new breed of corrupt Internet police.

Plus a fantastic batch of your questions, our answers, and much much more!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Flaw in Microsoft Office 365 allows ‘perfect crime’

  • The researchers who discovered the attack are calling it the ‘Ice Dagger’, because it left behind almost no evidence and it took months of effort by researchers and Microsoft’s Security Response Team to discover what had happened
  • in April 2013, a customer’s nodes analyzed an HTTP request that triggered a “high risk” heuristics alert
  • The request was for an MS Word document hosted on a TOR Hidden Service node ( address)
  • In this case, the request to the TOR service was not made by the user, but by MS Word it self, this elevated the incident to extremely suspicious
  • “Upon reviewing the metadata of the request, we noticed that its response had a WWW-Authenticate header with RootDomain=””, even though the request obviously wasn’t for a domain. At this point we started assessing the situation and treating it as a potential data theft”
  • The end user had received an email specifically addressed to them containing a link to an MS Word document hosted on the TOR Hidden service, a very specific spear phishing attack
  • When the user opened the link, it fired off the MS Office365 URL handler, ms-word:// and MS Word opened the document
  • Due to a bug in MS Word, when the malicious web server sent the same WWW-Authenticate header that Office365 would have sent, MS Word sent the user’s private SharePoint access token back to the malicious web server, even though it should only ever send that token to
  • With this token, an attacker can access every document in the Office365 environment, including SharePoint and SkyDrive, completely undetected
  • The attacker can copy all of the documents and then delete them, or make subtle modifications that could prove disastrous
  • The attack comes down to a few simple steps:
  • You get a mail asking you to review a document or visit a webpage. Some ideas: Maybe a document with coupons? Someone’s CV? A price quote? A contract? Obviously at least one employee out of hundreds will read the document.
  • You click on the link. The web page asks you to open the document in Word, just like SharePoint Online asks you (shown in step 2 above). Because this dialog is so common when using SharePoint Online, it’s really hard to believe anyone will refuse the request.
  • Word is now requesting the document from the malicious webpage. The malicious webpage asks Word for its Office 365 token and Word willingly gives it. The malicious webpage gives Word a legitimate-looking document in return.
  • The attacker now has your Office 365 token. You have a document which you will shrug off as meaningless and go on with your day.
  • The researchers provided their completed research to Microsoft on May 29th, 2013
  • The patch has finally been released as part of the December Patch Tuesday MS13-104 fixes CVE-2013-5054
  • Conclusions: This was A Perfect Crime. “There was no malware payload to reverse-engineer. No file hash we can trace through time. No IP address to locate and investigate. No servers to confiscate. The attacker simply gets away with your Office 365 token. For good. This is important in the context of understanding the limitations of your existing endpoint and perimeter defenses in the context of SaaS applications and cloud services.”
  • Microsoft also patched a WinVerifyTrust signature validation vulnerability in Windows that can be used to disguise malicious applications as trustworthy, signed executables. \”Exploits targeting this vulnerability have been seen in the wild, so deploy this patch as soon as possible\”
  • Additional Coverage: BetaNews
  • Additional Coverage: Network World
  • Additional Coverage: Information Week
  • Additional Coverage: SC Magazine
  • Additional Coverage: Softpedia

NSA using Google cookies to pinpoint targets for attack

  • The agency\’s internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Internet to better serve them advertising, the technique opens the door for similar tracking by the government
  • The slides also suggest that the agency is using these tracking techniques to help identify targets for offensive hacking operations.
  • According to the documents, the NSA and its British counterpart, GCHQ, are using the small tracking files or \”cookies\” that advertising networks place on computers to identify people browsing the Internet.
  • The intelligence agencies have found particular use for a part of a Google-specific tracking mechanism known as the “PREF” cookie.
  • These cookies typically don\’t contain personal information, such as someone\’s name or e-mail address, but they do contain numeric codes that enable Web sites to uniquely identify a person\’s browser.
  • This cookie allows NSA to single out an individual\’s communications among the sea of Internet data in order to send out software that can hack that person\’s computer. The slides say the cookies are used to \”enable remote exploitation,\”
  • Separately, the NSA is also using commercially gathered information to help it locate mobile devices around the world, the documents show.
  • These specific slides do not indicate how the NSA obtains Google PREF cookies or whether the company cooperates in these programs, but other documents reviewed by the Post indicate that cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. If the NSA gets the data that way, the companies know and are legally compelled to assist.
  • Google assigns a unique PREF cookie anytime someone\’s browser makes a connection to any of the company\’s Web properties or services. This can occur when consumers directly use Google services such as Search or Maps, or when they visit Web sites that contain embedded \”widgets\” for the company\’s social media platform Google Plus. That cookie contains a code that allows Google to uniquely track users to \”personalize ads\” and measure how they use other Google products.
  • Another slide indicates that the NSA is collecting location data transmitted by mobile apps to support ad-targeting efforts in bulk. The NSA program, code-named HAPPYFOOT, helps the NSA to map Internet addresses to physical locations more precisely than is possible with traditional Internet geolocation services.

British “Police Intellectual Property Crime Unit” attempts to censor the global Internet

  • We have covered a bit of this story in the past, but it seems to be getting worse, and we have a lot more detail now
  • “Today, a special police unit can decide that a certain website needs to disappear from the Internet, and threaten its domain name registrar into revoking the address “until further notice”, without any legal basis whatsoever.”
  • The PIPCU is claiming success in it’s Operation Creative, a three month campaign where they improperly seized the 40 domains they accused of copyright infringement. Some of the sites were shut down, while some simply moved to a different domain
  • The owners of the 40 domains, nor their registrars or web hosts were ever served with a court order
  • How the PIPCU works:
  • Investigators who work at notorious copyright trolls such as BPI (British Phonographic Industry) and FACT (Federation Against Copyright Theft) scour the Internet, looking for websites that share copyrighted content
  • They then forward this ‘intelligence’ to the PIPCU, which then decides whether or not it will attempt to take down the site.
  • The PIPCU will ask a network of over 60 advertisers to stop placing banners and bankrolling a pirate resource
  • Finally, after a certain period of time, the PIPCU will send a letter to the site’s registrar, asking it to suspend the domain name. Instead of a court order, this peculiar document refers to an outdated section of ICANN’s Registrar Accreditation Agreement, which states that such accreditation can be terminated if the organisation is found to have ‘permitted illegal activity in the registration or use of domain names’.
  • This scare tactic causes many registrars to suspend the domains, rather than risking their entire business by losing their ability to register new domains
  • One registrar has decided to stick up for its users, and the rest of the internet
  • EasyDNS posted the notice on their blog
  • Specifically “We have an obligation to our customers and we are bound by our Registrar Accreditation Agreements not to make arbitrary changes to our customers settings without a valid FOA (Form of Authorization). To supersede that we need a legal basis. To get a legal basis something has to happen in court”
  • Registrars are not ALLOWED to seize a domain without a legal basis. Registrars that complied with the shakedown may actually be in violation of ICANN policies
  • One customer who had their domain seized at another registrar then attempted to move to EasyDNS, however the ‘losing’ registrar, in violation of ICANN policy’, refused to release the domain
  • So EasyDNS requested that Verisign, the operators of the .com and .net registries, make a ruling and release the domain. However Verisign rendered a decision of ‘no decision’
  • Verisign’s reason for no decision? The losing registrar did not provide the requested documentation
  • EasyDNS has appealed the decision with ICANN and we are watching for further developments


3 days 4 hours left to buy

Round Up:

Question? Comments? Contact us here!