Comments

wiredogSeptember 2, 2015 9:55 AM

The whole series was pretty interesting, but it was published a couple of months ago.

Alien JerkySeptember 2, 2015 10:01 AM

Slightly off topic, but....

Apparently Microsloth is not content with Windows 10 being spyware, so they decided to update Windows 7 and 8 to be just as evil.

http://www.theregister.co.uk/2015/09/01/microsoft_backports_data_slurp_to_windows_78_via_patches/

All the updates can be removed post-installation – but all ensure the OS reports data to Microsoft even when asked not to, bypassing the hosts file and (hence) third-party privacy tools. This data can include how long you use apps, and which features you use the most, snapshots of memory to investigate crashes, and so on.
The updates are KB3068708 ("Update for customer experience and diagnostic telemetry", and mandatory), KB3075249 ("Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7") and KB3080149 (also an "Update for customer experience and diagnostic telemetry"; both optional).

Slime Mold with MustardSeptember 2, 2015 1:12 PM

I found this article more depressing than informative.

@ Alien Jerky

I am generally opposed to going that far off topic. In this case...
THANK YOU!

Could you remember to get it near the top of Friday's squid thread? I'll get it there if I have time.

d33tSeptember 2, 2015 1:55 PM

"failure costs them nothing"

and in government, failure will allow you to solidify your crisis, justify your existence and allow you unlimited budgets and an endless supply of "get out of jail free" cards.

Bruce SchneierSeptember 2, 2015 2:12 PM

"The whole series was pretty interesting, but it was published a couple of months ago."

I know. I just got around to reading it.

eCmGnZSeptember 2, 2015 3:42 PM

What a surprise. With qualified experts exposing and denouncing US government IT sabotage in probative conformity with the Federal Rules of Evidence and IOCE standards, the government cranks up Wisner's wurlitzer and Post hack Craig Timberg explains how it all happened because of those nasty ol' markets. Give Bezos another big cloud contract!

great_flatsbySeptember 2, 2015 4:21 PM

"They came to particularly ­disdain what they considered ­security-by-checklist, when companies declared a product safe"

I'm looking at you Oracle.

NameSeptember 2, 2015 5:01 PM

Bill Gates, with his wife and their B&M Gates Foundation, is dispensing a lot of money to fix otherwise intractable problems in the world, like malaria.

The common philosophy seems to be, "Well he was a bastard of a businessman in foisting tons of bad software on an unsuspecting and vulnerable world, but now he's compensating and making it look all worthwhile in the end as it finally justifies the means."

But that price tag of $20 BILLION for global cleanup of the ILOVEYOU worm, a single malware item in 2000... WAS it really worth it? I think we need a better answer than Bill Gates could offer. From that Foundation we need massive successes, not merely massive efforts, otherwise... WTF? In the bigger picture, isn't this a serious indictment of Capitalism? It certainly seems to be a fairly direct consequence of Capitalism.

AnuraSeptember 2, 2015 5:50 PM

@Name

In the bigger picture, isn't this a serious indictment of Capitalism? It certainly seems to be a fairly direct consequence of Capitalism.

It's evidence against the idea that the private sector always does best (more specifically, it's proof of the non-existence of Homo economicus). However, the government is currently intentionally putting security holes into software, so it's not as simple as that.

If we were a democracy with a government that represented the people, then you could see amazing things by having the government design, from the ground up, an entire platform from the hardware to the software to the protocols, to provide strong security with decent usability. Unfortunately, the government is largely controlled by people with money and those people are using the military industrial complex for nothing more than rent seeking, and the result is a government that is pushing a message of fear, and allowing people to have relative privacy is contrary to that message.

name.withheld.for.obvious.reasonsSeptember 3, 2015 12:43 AM

So disgusted by the state of the commercial environment, three grad students and I formed a company to explain, demonstrate, and propose solutions to distributed network systems, and we achieved limited success. Our group was well ahead of the current art and a couple of us could be classified as hackers (hobbyist definition, not cracker). Today a few of us can be found at Google or heading major infoSEC concerns. Ironically, at the time we had been approached by NSA and we surprised their representative in stating how one would use cellular network parametric data to do simplex tracking. In all our meetings we were met with astonishment and dismay; little has changed in nearly two decades.

This article reminds me of the lost opportunity to build robust architectures that have resilience at their core. I remember the ads about the security and robustness of Windows operating systems such as Windows 2000 and XP. Statements like "not having to reboot" and "the most secure Windows platform", which I guess is correct, but information security is hardly about relativism. Platforms other than Windows demonstrated more robust designs but failed to garner enough commercial success to survive or to be adopted.

OpenVMS, VM, and Multics or Ultrix offered far more in "completeness", though they suffered from not having flashy UX displays. Pretty pictures seem to be more effective at selling complex systems than a thousand whitepapers. So one could say a GIF/JPG/PNG is worth a thousand whitepapers.

PeanutsSeptember 3, 2015 12:47 AM

Early Friday Squid post @ Alien Jerky
Re: The updates may be, and were, found listed with alternate descriptions. On Windows 7 they are listed as follows in Installed Updates, hiding with vague, different patch descriptions, as annotated against your original post below:

Discovered an additional telemetry implant being discussed in the same context as the 3 you posted. Thanks by the way.

KB3022345 (replaced by KB3068708) Update for customer experience and diagnostic telemetry - This update introduces the Diagnostics and Telemetry tracking service to in-market devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet been upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights. (Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)

In trawling through your installed updates you won't find them listed with the descriptions noted:
>KB3068708 ("Update for customer experience and diagnostic telemetry"
>KB3075249 ("Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7")
>KB3080149 (also an "Update for customer experience and diagnostic telemetry"

The actual installed update descriptions are;
"Update for Microsoft Windows (KB3068708)"
"Update for Microsoft Windows (KB3075249)"
"Update for Microsoft Windows (KB3080149)"
"Update for Microsoft Windows (KB3022345)"

Here is a tip. Much easier than manually trawling through your installed updates for matching descriptions, use the pre-installed tools made to accomplish that with no effort.

So to determine if one of the hinky telemetry spyware patches is installed, enter either of the following commands in an elevated (run as administrator) command prompt:
systeminfo | findstr "KB3068708 KB3022345 KB3075249 KB3080149"

No output is good, and may be an indication of removal of the malware. Otherwise, if they are still installed, they will be listed in the command output.
Note: the machine may need a reboot after malware removal.

Alternatively, these commands serve the same purpose, to identify whether the malware is present:

wmic QFE list full /format:texttablewsys | find "KB3068708"
wmic QFE list full /format:texttablewsys | find "KB3022345"
wmic QFE list full /format:texttablewsys | find "KB3075249"
wmic QFE list full /format:texttablewsys | find "KB3080149"

If you have the malware, you may elect to remove it using the Control Panel, or by running the following commands in an elevated command prompt:

wusa /uninstall /kb:3068708 /quiet /norestart
wusa /uninstall /kb:3022345 /quiet /norestart
(a reboot seems required, then remove the next two)
wusa /uninstall /kb:3075249 /quiet /norestart
wusa /uninstall /kb:3080149 /quiet /norestart


Housekeeping checks: additional post-removal steps. I can foresee someone will prophetically conclude a recommended step 5) Uninstall Windows and install a secure *nix variant. Obligatorily mentioned in advance. Thanks.

An eye on post-removal hinkyness had some hits after removals and reboots.
1) Only two of the four uninstalled KBs reappeared as available optional "Update for Windows 7 for x64 based Systems (KB3075249)" and "(KB3080149)"; another reappeared as Important "Update for Windows 7 for x64 based Systems (KB3068708)".

The important one was the "Update for customer experience and diagnostic telemetry". Important to whom, NSA?

The KB3068708 "Update for customer experience and diagnostic telemetry" did not reappear as an available patch. It may be dependent on one of the other three removed bits.

2) Before the uninstall, I had the foresight to search the infected file system for .manifest files with a common namespace string called assemblyIdentity which is set to the string value "Microsoft-Windows-Authentication-AuthUI.Resources".

The before removal search listing files which matched the above search constraint yielded 62 matches in 52 manifest files.

The after removal search listing of files which match the above search constraint yields 74 matches in 64 manifest files.
Conclusion, the removal did not remove the manifest files pushed in the original infection.

3) In a read of KB3080149, it indicated it installed updates, and the malware does use the file named utc.app.json.

Before removal, the file was found in 6 places on the infected filesystem.
After "removal" the file exists in the same 6 locations, same filesize just waiting for re-use and reinfection.

To mitigate future infection, I am considering removal, alteration, or revocation of file permissions on utc.app.json and the hinky manifest files.

4) Re: the connections the malware opened, which may or may not have MITM certificate pinning mitigation. My personal opinion is to mitigate by locking access to the data exfiltration end points.

Firewall now blocks outbound access from your network to:
vortex-win.data.microsoft.com
Name: VORTEX-cy2.metron.live.com.nsatc.net
Address: 64.4.54.254
Aliases: vortex-win.data.microsoft.com
vortex-win.data.metron.live.com.nsatc.net
vortex.data.glbdns2.microsoft.com

settings-win.data.microsoft.com
Non-authoritative answer:
Name: OneSettings-bn2.metron.live.com.nsatc.net
Address: 65.55.44.108
Aliases: settings-win.data.microsoft.com
settings.data.glbdns2.microsoft.com

Chances are that anything outbound to ".data.microsoft" should likely be blackholed if you opt out of the "Idiots Do Opt Having Pervasive Surveillance Patches" IDOH-PSP program for short.

Hope this helps to bring out most of the malware workflow, as early info on these kinds of things is usually incomplete.

Peanuts

Thomas_HSeptember 3, 2015 2:56 AM

@ Alien Jerky & Peanuts:

On top of the updates, it also seems the Windows 10 installer is downloaded onto your hard disk without notifying you (folder C:\$Windows.~BT, taking up 3-12 GB of room). Details on page 4 of the Register article's comments.

I suspect that this update may also be downloaded onto business machines, into another location than what is listed above, as our workplace network was excessively slow for a whole day with no clear reason (but a multi-Gb file being downloaded on about 600 machines at the same time might explain it adequately...).

Slime Mold with MustardSeptember 3, 2015 10:45 AM

@ Peanuts
@ Thomas H
@ Alien Jerky

Thanks!
Had run across the first two somewhere before. My purpose in trying to get it posted everywhere is that, until Peanuts' comment, the information on this seems scattered in fragments across the internet. Given the number of machines affected, I believe the story belongs on the top of every general news site (i.e. Huffington Post, CNN...) not just the tech blogs.

Again, Thank You.

no use for a nameSeptember 3, 2015 11:36 AM

"Bill Gates, with his wife and their B&M Gates Foundation, is dispensing a lot of money to fix otherwise intractable problems in the world, like malaria."

Some would argue it's actually a scheme to extend Western intellectual property schemes into developing nations among other critical views, or a modern Trojan horse.

tyrSeptember 3, 2015 4:34 PM

The Gates foundation is a standard Public Relations scheme. Once the public became aware of rapacious 1 percenters they had to ameliorate the reaction. The foundations have done some good in the world but it is only to remove the stench from the enterprises that fund them.

Some attributed it to guilty consciences, but it is cynical manipulation of a gullible public. The worst danger the 1% face is widespread information about their businesses and their effects. You can find Lippmann and Bernays books at archive.org to see how far back this type of scam goes.

Someone offered me a PDP-8 once. I had the good sense to refuse to haul it away. If I'd had a bigger place I might have taken it. The last time I saw Thompson he was busy swindling widows with reverse mortgages on TV ads, so much for government leadership on security.

The hardest fight anyone ever had was to get government to acquire enough computer literacy to not be their own worst enemies when it came to PCs. The fight was lost by general lack of even being able to understand the arguments. I had the temerity to question a mad scheme to back up 60 PCs to a mainframe by disk imaging when they were first purchased. The mainframe boys had no conception of the kind of crap an inexperienced micro user generates in the early learning period. I watched an experienced secretary spend the last three years of her working life before retirement reading manuals for the latest, greatest word processor programs without ever becoming fully competent in any of them. That was the great leap forward into PCs in the office space. The clueless led by the ignorant and inept, and now all on the Net spying on each other.

Comp security is like the lumberjack and chainsaw joke. He asked the chainsaw salesman why it hadn't increased his production. The salesman started the saw and the lumberjack asked "what's that noise?".

At some point we have to get governments past the "what's that noise" stage.

Dirk PraetSeptember 3, 2015 6:57 PM

@ Peanuts, @ Thomas H, @ Alien Jerky

Thanks for the research and the post, guys. Much appreciated.

PeanutsSeptember 4, 2015 12:05 AM

Update to early Friday Squid post,

Here are two additional Windows 7 surveillance implants.
Detection (elevated command prompt):
wmic QFE list full /format:texttablewsys | find "KB3021917"
wmic QFE list full /format:texttablewsys | find "KB2952664"

Or alternatively, detect with an updated systeminfo command:

systeminfo | findstr "KB3068708 KB3022345 KB3075249 KB3080149 KB3021917 KB2952664"

Removal would be:

start "title" /b /wait wusa.exe /kb:3021917 /uninstall /quiet /norestart
start "title" /b /wait wusa.exe /kb:2952664 /uninstall /quiet /norestart

Add the above two KBs to the prior post's four and that's the currently known set relevant to Windows 7.


Windows 8 and 10 are designed primarily as opt-in surveillance platforms.

It is a fool's errand and faulty reasoning to conclude or think that by removing a few (chosen to be revealed) surveillance service packs one can fix a very reasoned design with lots of delivered success criteria.

Here is a list and updated DIY detection-ready scripting for all 14 (currently known) surveillance implants, including implants for Windows 8 and later.

I guess they thought they could catch more fish with 14 baited lines.

Here are two batch files. Run the larger script to see what's detected.

Open an elevated command prompt

create a batch file
Name: check-kb.bat

Add the batch script content

@echo off
REM Only the first parameter (%1) is used in the search; the remaining
REM parameters are only displayed as context. %* expands to all of them
REM (batch has no %10; that would be %1 followed by a literal 0).
echo.
echo Checking for %*
@echo on
wmic QFE list full /format:texttablewsys | find "%1"
@echo off

Create a batch file, purpose is to check for currently known Implants.
Name: checkfor_NPI_patches.bat

Add the batch script content

@echo off
SetLocal
REM --- (as of 2015-08-26):
cls
call Check-kb KB3012973 - Opt in payload - Upgrade to Windows 10 Pro
call Check-kb KB3021917 - Opt in payload - Update to benchmark Windows 7 SP1
call Check-kb KB3035583 - Opt in payload - delivers reminder "Get Windows 10" for Windows 8.1 and Windows 7 SP1
call Check-kb KB2952664 - Opt in payload - Pre launch day push of payload for compatibility update for upgrading Windows 7
call Check-kb KB2976978 - Opt in payload - Pre launch day push of payload for Compatibility update for Windows 8.1 and Windows 8
call Check-kb KB3022345 - Opt in payload - surveillance Telemetry [Replaced by KB3068708]
call Check-kb KB3068708 - Opt in payload - Update for surveillance customer experience and diagnostic telemetry
call Check-kb KB2990214 - Opt in payload - Update that prepares payload to Windows 7 to add surveillance in later installed versions of Windows
call Check-kb KB3075249 - Opt in payload - Update that adds surveillance telemetry to Windows 8.1 and Windows 7
call Check-kb KB3080149 - Opt in payload - Update for CIP and surveillance with diagnostic exfil leveraging telemetry
call Check-kb KB3044374 - Opt in payload - Marketing Windows 10 surveillance payload to windows 8,8.1 devices
call Check-kb KB2977759 - Opt in payload - Windows 10 surveillance Diagnostics Compatibility Telemetry HTTP request response
call Check-kb KB3050265 - Opt in payload - Marking via Windows Update services opting in to Windows 10 surveillance Implant
call Check-kb KB3068707 - Opt in payload - CIP telemetry request response check in for Windows 7,8,8.1

Whatever surveillance implants are revealed on your machine, they can be removed with a customization of the wusa command; just replace the ??????? with the KB numbers reported.

wusa /uninstall /kb:??????? /quiet /norestart
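The detection, removal, re-offer and firewall steps spread across the two Peanuts posts above (and the C:\$Windows.~BT folder Thomas_H mentions) collected into one script, as an added example that is not code from any commenter in this thread or from Microsoft. The KB numbers, hostnames and folder are the ones named in the comments; the variable names, the firewall rule naming and the use of the Windows Update Agent COM API to hide re-offered updates are this example's own choices. Run it from an elevated PowerShell prompt on Windows 7 SP1 or 8.1; netsh is used for the firewall rules because New-NetFirewallRule does not exist on Windows 7.

```powershell
# Added example for this thread; not code from the commenters or from Microsoft.
# Assumptions: the KB list and hostnames below are taken from the comments above
# and are not otherwise verified here; rule names and variable names are ours.

$SuspectKBs = @(
    'KB3012973', 'KB3021917', 'KB3035583', 'KB2952664', 'KB2976978',
    'KB3022345', 'KB3068708', 'KB2990214', 'KB3075249', 'KB3080149',
    'KB3044374', 'KB2977759', 'KB3050265', 'KB3068707'
)
$Endpoints = @('vortex-win.data.microsoft.com', 'settings-win.data.microsoft.com')

# 1) Detection. Get-HotFix reads the same Win32_QuickFixEngineering data that
#    "wmic QFE list" and "systeminfo" report, so results agree with the thread.
$Installed = @(Get-HotFix | Where-Object { $SuspectKBs -contains $_.HotFixID })
if ($Installed.Count -eq 0) {
    Write-Host 'None of the listed KBs is installed.'
} else {
    $Installed | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
}

# 2) Removal with wusa. Exit code 0 = removed, 3010 = removed and a reboot is
#    pending. Anything else (superseded package, not actually installed) is
#    reported for manual follow-up instead of being silently swallowed by /quiet.
foreach ($kb in ($Installed | Select-Object -ExpandProperty HotFixID)) {
    $num = $kb -replace '^KB', ''
    $p = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host "$kb removed" }
        3010    { Write-Host "$kb removed, reboot required" }
        default { Write-Warning "${kb}: wusa exit code $($p.ExitCode)" }
    }
}

# 3) Hide the same KBs so Windows Update stops re-offering them after removal,
#    which the first Peanuts post observed. This is the Windows Update Agent
#    COM API, the same mechanism behind "Hide update" in the Control Panel.
$Session  = New-Object -ComObject 'Microsoft.Update.Session'
$Searcher = $Session.CreateUpdateSearcher()
$Offered  = $Searcher.Search('IsInstalled=0 and IsHidden=0').Updates
foreach ($u in $Offered) {
    $ids = @($u.KBArticleIDs | ForEach-Object { "KB$_" })
    if (@($ids | Where-Object { $SuspectKBs -contains $_ }).Count -gt 0) {
        $u.IsHidden = $true
        Write-Host "Hidden from Windows Update: $($u.Title)"
    }
}

# 4) Outbound block for the endpoints in the thread. Firewall rules match
#    addresses, not names, so the names are resolved at rule-creation time;
#    the CNAME chain shown in the thread's nslookup output can change, so this
#    step needs re-running periodically. Rule names avoid spaces so netsh
#    argument quoting is unambiguous.
foreach ($name in $Endpoints) {
    $ips = [System.Net.Dns]::GetHostAddresses($name) |
        ForEach-Object { $_.IPAddressToString }
    if ($ips) {
        $ruleName = "BlockTelemetry_$name"
        $remote   = $ips -join ','
        netsh advfirewall firewall delete rule "name=$ruleName" | Out-Null
        netsh advfirewall firewall add rule "name=$ruleName" dir=out action=block `
            "remoteip=$remote" profile=any | Out-Null
        Write-Host "$ruleName -> $remote"
    }
}

# 5) The staged Windows 10 installer folder Thomas_H mentions; report its size.
$Staging = 'C:\$Windows.~BT'
if (Test-Path -LiteralPath $Staging) {
    $bytes = (Get-ChildItem -LiteralPath $Staging -Recurse -Force -ErrorAction SilentlyContinue |
        Measure-Object -Property Length -Sum).Sum
    Write-Host ("{0} present, {1:N1} GB" -f $Staging, ($bytes / 1GB))
}
```

Two caveats a practitioner would add: the address-based block in step 4 only covers what the names resolved to when the script ran, so it is a snapshot rather than a name-based policy, and hiding an update in step 3 does not stop a later superseding update with a different KB number from being offered, so the $SuspectKBs list has to be maintained as the thread itself was doing.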

kevinmSeptember 4, 2015 2:58 AM

Sorry, the preview looked OK but a line disappeared from my previous post, I'll try again...

Did anyone notice that:


$ curl --verbose http://l0pht.com/ 2>&1 | grep "Server:"
Server: Microsoft-IIS/6.0

I was quite surprised by this, either things have changed a lot or they are trolling us!

BoppingAroundSeptember 4, 2015 9:22 AM

Peanuts,
> Windows 8 and 10 are designed primarily as opt in surveillance platforms.

'Opt out', maybe? If all those switches there actually do anything except looking cosy.

'el James'oSeptember 4, 2015 10:15 AM

Ah, memory lane... I sure do miss L0pht Heavy Industries :( I almost went to work for @Stake in 99/00 (thereabouts) but it was pretty obvious that it wasn't healthy just from my side of the interview, and it was clear that L0pht and @Stake had absolutely nothing whatsoever in common. So not a good fit.

Back then, script kiddy was a derision; now it's a job skill. These days I can't swing a dead cow and not hit a script kiddy who is also a certified security "expert" who can only pass tests and press buttons. I have never met an actual InfoSec expert (and I've met quite a few) that ever calls themselves "expert", yet the kiddies will not hesitate to regale you with their certs and how they are a security expert. Anyone that says they're a security expert isn't; it's a red flag, along with using the term "cyber security" (there are only two types of cyber: war and punks).

Jonathan WilsonSeptember 4, 2015 8:14 PM

I wonder how much of the crap gets installed on Windows 7 if you explicitly opt-out of (and remove/hide) the "please upgrade to Windows 10" nag BS like I did...

mooSeptember 4, 2015 9:06 PM

I don't understand how pushing stealth data-collection to people's computers under the guise of telemetry is even legal. I wonder if the EU will take MS to task over this a few years from now?

At any rate, it's looking like continuing to use Windows in the future is going to require a firewall peripheral configured to block all of its spyware crap. Hard to believe we've entered an era where you can't even trust _your own computer_ not to surveil you. I'd love to know what Orwell would think of this world we now live in.

albertSeptember 5, 2015 12:55 PM

@Name,@et al,

In re Gates. Bill does what's good for Bill. The GF puts out lots of money to his buddies in other businesses. Ask him about those 500,000 shares of Monsanto stock. The GF is a for-profit organization. You can read its tax returns online. See who sits on the board, and who gets the 'donations'. If any 'good' comes of his projects, it's incidental to the primary goal of making money. The leopard hasn't changed his spots; never has, never will. It's all corporate theater. Mostly BS.
.
P.S. EFF Windows. It's way past the time to move on.
. .. . .. o



Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.