
Tuesday, March 31, 2015

Security: 2015q1 Concerns

Viruses, Worms, Vulnerabilities and Spyware concerns during and just prior to 2015 Q1.

  • [2015-03-07] Litecoin-mining code found in BitTorrent app, freeloaders hit the roof
    "μTorrent users are furious after discovering their favorite file-sharing app is quietly bundled with a Litecoin mining program. The alt-coin miner is developed by distributed computing biz Epic Scale, and is bundled in some installations of μTorrent, which is a Windows BitTorrent client. Some peeps are really annoyed that Epic's code is running in the background while they illegally pirate torrent movies and Adobe Creative Suite Linux ISOs, and say they didn't ask for it to be installed."

  • [2015-03-06] FREAKing HELL: All Windows versions vulnerable to SSL snoop
    "Microsoft has confirmed that its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack. This means if you're using the firm's Windows operating system, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel component to deploy weak encryption over the web. Intercepted HTTPS connections can be easily cracked, revealing sensitive details such as login cookies and banking information, but only if the website or service at the other end is still supporting 1990s-era cryptography (and millions of sites still are)."

  • [2015-03-05] Broadband routers: SOHOpeless and vendors don't care
    "Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities. Many of the holes are so simple as to be embarrassing. Hard-coded credentials are so common in small home and office routers, comparatively to other tech kit, that only those with tin-foil hats bother to suggest the flaws are deliberate."
  • [2015-03-05] Obama criticises China's mandatory backdoor tech import rules
    "US prez Barack Obama has criticised China's new tech rules, urging the country to reverse the policy if it wants a business-as-usual situation with the US to continue. As previously reported, proposed new regulations from the Chinese government would require technology firms to create backdoors and provide source code to the Chinese government before technology sales within China would be authorised. China is also asking that tech companies adopt Chinese encryption algorithms and disclose elements of their intellectual property."
  • [2015-03-05] Sales up at NSA SIM hack scandal biz Gemalto
    "Sales at the world's biggest SIM card maker, Gemalto, which was last month revealed to have been hacked by the NSA and GCHQ, rose by five per cent to €2.5bn (£1.8bn) in 2014. Following the hack, the company's share price fell by $470m last month. In February, it was revealed that the NSA and Britain's GCHQ had hacked the company to harvest the encryption keys, according to documents leaked by former NSA sysadmin, whistleblower Edward Snowden."

  • [2015-02-24] SSL-busting adware: US cyber-plod open fire on Comodo's PrivDog
    "Essentially, Comodo's firewall and antivirus package Internet Security 2014, installs a tool called PrivDog by default. Some versions of this tool intercept encrypted HTTPS traffic to force ads into webpages. PrivDog, like the Lenovo-embarrassing Superfish, does this using a man-in-the-middle attack: it installs a custom root CA certificate on the Windows PC, and then intercepts connections to websites. Web browsers are fooled into thinking they are talking to legit websites, such as online banks and secure webmail, when in fact they are being tampered with by PrivDog so it can inject adverts. If that's not bad enough, PrivDog turns invalid HTTPS certificates on the web into valid ones: an attacker on your network can point your computer at an evil password-stealing website dressed up as your online bank, and you'd be none the wiser thanks to PrivDog."
  • [2015-02-23] Psst, hackers. Just go for the known vulnerabilities
    "Every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago, according to HP, which recorded an increase in the level of mobile malware detected. “Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager, Enterprise Security Products, HP. “We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology; rather, organisations must employ fundamental security tactics to address known vulnerabilities and in turn, eliminate significant amounts of risk," he added."

[Chinese Virus Image, courtesy WatchChinaTimes.com]
  • [2015-02-20] So long, Lenovo, and no thanks for all the super-creepy Superfish
    "Chinese PC maker Lenovo has published instructions on how to scrape off the Superfish adware it installed on its laptops – but still bizarrely insists it has done nothing wrong. That's despite rating the severity of the deliberate infection as "high" on its own website. Well played, Lenonope. Superfish was bundled on new Lenovo Windows laptops with a root CA certificate so it could intercept even HTTPS-protected websites visited by the user and inject ads into the pages. Removing the Superfish badware will leave behind the root certificate – allowing miscreants to lure Lenovo owners to websites masquerading as online banks, webmail and other legit sites, and steal passwords in man-in-the-middle attacks."

  • [2015-02-15] Mozilla's Flash-killer 'Shumway' appears in Firefox nightlies
    "Open source SWF player promises alternative to Adobe's endless security horror. In November 2012 the Mozilla Foundation announced “Project Shumway”, an effort to create a “web-native runtime implementation of the SWF file format.” Two-and-a-bit years, and a colossal number of Flash bugs later, Shumway has achieved an important milestone by appearing in a Firefox nightly, a step that suggests it's getting closer to inclusion in the browser. Shumway's been available as a plugin for some time, and appears entirely capable of handling the SWF files."

  • [2015-01-29] What do China, FBI and UK have in common? All three want backdoors...
    "The Chinese government wants backdoors added to all technology imported into the Middle Kingdom as well as all its source code handed over. Suppliers of hardware and software must also submit to invasive audits, the New York Times reports. The new requirements, detailed in a 22-page document approved late last year, are ostensibly intended to strengthen the cybersecurity of critical Chinese industries. Ironically, backdoors are slammed by computer security experts because the access points are ideal for hackers to exploit as well as g-men."
     
  • [2015-01-15] Console hacker DDoS bot runs on lame home routers
    "Console DDoSers Lizard Squad are using insecure home routers for a paid service that floods target networks, researchers say. The service crawls the web looking for home and commercial routers secured using lousy default credentials that could easily be brute-forced and then added to its growing botnet. Researchers close to a police investigation into Lizard Squad shared details of the attacks with cybercrime reporter Brian Krebs. The attacks used what was described as a 'crude' spin-off of a Linux trojan identified in November that would spread from one router to another, and potentially to embedded devices that accept inbound telnet connections. High-capacity university routers were also compromised in the botnet which according to the service boasted having run 17,439 DDoS attacks or boots at the time of writing."
  • [2014-12-14] CoolReaper pre-installed malware creates backdoor on Chinese Androids
    "Security researchers have discovered a backdoor in Android devices sold by Coolpad, a Chinese smartphone manufacturer. The “CoolReaper” vuln has exposed over 10 million users to potential malicious activity. Palo Alto Networks reckons the malware was “installed and maintained by Coolpad despite objections from customers”. It's common for device manufacturers to install software on top of Google’s Android mobile operating system to provide additional functionality or to customise Android devices. Some mobile carriers install applications that gather data on device performance. But CoolReaper operates well beyond the collection of basic usage data, acting as a true backdoor into Coolpad devices - according to Palo Alto. CoolReaper has been identified on 24 phone models sold by Coolpad."

  • [2014-11-24] Regin: The super-spyware the security industry has been silent about
    "A public autopsy of sophisticated intelligence-gathering spyware Regin is causing waves today in the computer security world... On Sunday, Symantec published a detailed dissection of the Regin malware, and it looks to be one of the most advanced pieces of spyware code yet found. The software targets Windows PCs, and a zero-day vulnerability said to be in Yahoo! Messenger, before burrowing into the kernel layer. It hides itself in its own private area on hard disks, has its own virtual filesystem, and encrypts and morphs itself multiple times to evade detection. It uses a toolkit of payloads to eavesdrop on the administration of mobile phone masts, intercept network traffic, pore over emails, and so on... Kaspersky's report on Regin today shows it has the ability to infiltrate GSM phone networks. The malware can receive commands over a cell network, which is unusual."




Monday, January 14, 2013

JavaScript: PDF Project

[Adobe PDF icon, courtesy Wikipedia]
Abstract:
Printing, fonts, and font rendering were standardized on the PostScript language. This grew into PDF, where individual pages would be rendered. Change continues to press on, with Adobe buying Frame Technologies, Oracle buying Sun Microsystems, and now the Mozilla Foundation moving web browsers like Firefox to render PDF natively via JavaScript.

[PostScript to bit map font, courtesy xaraxone]
History:
PostScript
The PostScript language was born in 1976, created by John Warnock. The first laser printers used it at Xerox PARC between 1975 and 1976. Adobe was founded in 1982, with Warnock as a co-founder; Steve Jobs visited around 1984 and encouraged them to use PostScript to drive laser printers. PostScript and laser printers merged, and the Apple LaserWriter was released in 1985.

[Adobe FrameMaker logo, courtesy Wikipedia]
Desktop Publishing:
Adobe, with desktop publishing packages (like FrameMaker, from Frame Technologies, later purchased by Adobe), created the UNIX workstation market. Quark's Xpress created the desktop publishing market, predominantly under Apple systems. PostScript was embedded into the OS layer for displays by workstation vendors such as Sun Microsystems (NeWS) and NeXT (Display PostScript), and even a subset on PCs such as the Apple Macintosh (QuickDraw).
[QuarkXpress Logo, courtesy Wikipedia]
Internet Publishing:
PDF was later created by Adobe, to allow the display of a page, instead of a document, allowing for better performance on long document rendering/printing, so multiple processors could work on multiple pages simultaneously. This was at the beginning of documentation becoming electronic, instead of being paper driven. This was at the beginning of The Internet, when HTML was considered weak, but the potential was considered great.

[ISO Logo, courtesy wikipedia]
PDF:
PDF was created by Adobe in 1993. PDF became an open standard in 1998. The standard was published by the International Organization for Standardization as ISO 32000-1:2008. The Apple Macintosh was the first system to render PDFs natively at the OS layer. Only the newest PDFs require an OS plug-in. PDF viewing came natively to iOS devices like the iPhone, iPod Touch, iPad, and iPad Mini. Mozilla started moving towards native PDF rendering, making plug-ins unnecessary for all but the newest PDF formats.
[Mozilla Logo]
Mozilla:
Netscape:
In 1994, Netscape Communications created the first commercially viable web browser, web server, open secure transaction layer (HTTP encrypted over SSL, aka HTTPS), and client & server side scripting (originally termed LiveScript, later called JavaScript) - which are recognized as integral parts of The Internet today. All of this operated over an existing TCP/IP network.

In 1998, Netscape spun off Mozilla, to create an open sourced network browser and other Internet tools, and many of its commercial assets were consumed by Sun Microsystems.

PDF.js:
Mozilla launched the PDF.js project in 2011. The PDF.js project technology was recently released in Mozilla's Firefox browser. An example of the JavaScript based PDF viewer can be tried by anyone with an HTML5 compliant browser. This has been released in Firefox 19.0 Beta 1.
[Mozilla JavaScript rendering of PDF, courtesy Mozilla]
Mozilla's FutureReleases blog discusses the new budding feature. It may be interesting to see JavaScript leveraged on the server side, with this library, to perform dynamic PDF content creation.
Conclusions:
The Internet is a TCP/IP suite of applications, traffic protocols, documents, and media - which make up what is commonly called "the internet" today. Two decade old technology (HTML & JavaScript) seems powerful enough to now consume three decade old technology (PDF). JavaScript will probably continue to grow ubiquitous, including in server-side applications.

Monday, July 9, 2012

Thunderbird: On The Back Burner


Abstract:
Mail has long been the backbone of large organizations. Mail was considered such a critical function, it was enshrined as a responsibility of the Federal Government in the founding of the United States. Businesses had secretaries who took memos. Businesses built internal mail infrastructure. Speed became more critical, noting The Pony Express. Written communications became virtual, with the telegraph. EMail became one of the first functions of networking on The Internet, with all other communications being called "snail mail". EMail was built into UNIX desktop workstations. EMail was unintuitively debundled with a separate fee by a dominant desktop vendor. EMail became bundled into internet HTML access. A new change is happening in the Open community, which the computing community should be made aware of, regarding Mozilla's Thunderbird, the off-shoot of the original integrated email & web browser, Netscape.

History:
Early on, UNIX was the core of the Internet, with text based email clients running with internet standard SMTP (Simple Mail Transfer Protocol). UNIX workstations, such as the original Sun Microsystems, started building multi-media graphical email clients as part of their operating system (SunOS) and desktop environment (SunView), free of charge. With the investment from AT&T, Sun migrated to an SVR4 base, and cooperated with AT&T on OpenLook - migrating their desktop application suite (including email) to make OpenWindows. Other vendors cooperated to build Motif. Open Systems vendors combined their efforts to merge Motif with the Sun Desktop clients to become CDE (Common Desktop Environment) - which bundled the Sun desktop widget set, including the graphical email client.

AT&T did not offer a multimedia email client on their PC based Intel SVR4 OpenLook environment, but you could buy a Microsoft Mail server for AT&T UNIX SVR4. AT&T strangely decided to "give up" the email market, which it was partially responsible for building through UNIX. Their mail would remain command line driven. Fact is stranger than fiction, sometimes - they will wind up funding other people's development, in the future.

On the PC, there was a fee-based email client, a fee-based email server, a per-user client fee, a fee for email product maintenance, and a fee for the proprietary to standards-based internet gateway. For some, using graphical and multimedia email from the late 1980s, for 5 years, and having to revert to Microsoft Mail on a PC in the early 1990s was terribly painful, but proverbial "bean counters" thought paying for a non multimedia based email with a proprietary internet gateway on PC based client-server systems was less expensive than free on an integrated UNIX desktop. With unified communication on a modern early 201x desktop, it is not unusual to receive voice mail over the computer, but one now has to pay for a VoIP PBX, VoIP clients to call (and leave voice messages), and pay client licenses on the server side - for a capability which existed under Sun Workstations from the late 1980s. More on this, shortly.

Microsoft bundled the Microsoft Mail client briefly with their desktop OS, which would only work against their proprietary email system. Netscape created one of the first commercial browsers with integrated email as well as an integrated web and email server. Internet providers started becoming more common, and funded and bundled the Netscape integrated web client. The dominant desktop vendor, after effectively defeating UNIX open desktop workstations with their proprietary Windows operating system, drove Netscape out of business by making it impossible for system vendors to bundle the popular Netscape client software, and by distributing a free web browser on their OS client. Eventually, Microsoft pulled their half-featured desktop client and started selling an integrated email client called Outlook.

Netscape was purchased by AOL, and its assets were split: Sun Microsystems received the back-end software, the Mozilla Foundation received the integrated email and web clients, and AOL received Netscape's on-line internet presence. The integrated Mozilla web client was split into various components: Firefox (browser), Thunderbird (email), and Sunbird (calendaring). There was virtually no market to fund innovation for the desktop clients, with the dominance of proprietary email back-ends and free desktop clients.

Major internet presence companies such as AOL, Yahoo, Google, and (late-comer) Microsoft built increasingly integrated email and calendaring environments in the ever more complex (and capable) HTML standard language. The need for desktop clients started to disappear, as long as there was a reasonable desktop web client. The funding for the next generation of email and calendaring interfaces did not originate with selling software.

The new competition for email clients is no longer other email clients. People are increasingly turning to proprietary email solutions on embedded devices (ex. iPhone, iPad, etc.), where the hardware (or telco service fees) provides funding, and to integrated web based email clients, which find their funding stream via advertising revenue.

Thunderbird News:

The Mozilla Foundation, which divested the integrated Netscape client into Thunderbird and Firefox, started getting increasing pressure from a large commercial internet presence, Google, with the creation of Chrome and the massive resources injected into a fast development cycle for their own namesake web browser, which was bundled on their own popular embedded devices.

With the enhancement of internet clients, increasingly being bundled in vertical channels (Outlook for Microsoft Exchange, Internet Explorer for Microsoft Windows, Chrome web browser for Android Phones/Tablets, Apple Email/Safari for MacOSX/iPhone/iPad) and increasing investment by internet content providers (i.e. Yahoo, Google, Microsoft, AT&T, Verizon, AOL) in increasingly powerful web mail - pressure seemed to be placed on the entire Mozilla Foundation. The following delineates some of the most recent news regarding Thunderbird.

  • Mozilla's Thunderbird, as was published a few days back by TechCrunch, will soon be moving to the back burner.
  • It is expected that Open Source developers will need to pick up the slack, as Mozilla developers will move to more pressing projects.
  • A simple governance model is being prepared, to take care of Thunderbird, in the future.
  • Thunderbird ESR, or Extended Support Release, will not necessarily be impacted. Commercial and Education institutions will continue to get their critical support.
  • The chairman of the Mozilla foundation posted an official blog response regarding the move. Community members involved in localization have contributed significantly, but other community members seem to be happy with what they have... with many people moving to web browser or vendor bundled proprietary email clients.
  • Some consider the move to be a death knell for Thunderbird, wondering where people will move to next.
Network Management:
Some may be asking - what is the opinion of the Network Management team? If Mozilla will continue to keep Thunderbird on modern releases of the browser rendering engine, it might not be that significant. It seems community involvement has been lacking and there has not been much of a driver for innovation. As long as Microsoft is selling an email client, Thunderbird remains relevant.

What is little mentioned is Netscape's and Mozilla Thunderbird's NNTP (Network News Transfer Protocol) integration. Usenet net news integration in Netscape and Thunderbird was one of the key collaboration features, one which Thunderbird supports and for which there is no other client. There are various web based NNTP gateways, but the Thunderbird client support was very robust.

With security fixes continuing to happen every 6 months, there will still be work ahead for the network management community. If you are a Thunderbird user, it appears your long term investment will be maintained, but please get involved if you are interested in newer features.