Sophos Cloud Optix
If you follow the field of computer security chances are that you saw the warning issued by the FBI’s Internet Crime Complaint Center (IC3) this week about using hotel internet connections.
Here’s the full text of the advisory, with some responses sprinkled throughout from yours truly:
Malware Installed on Travelers' Laptops Through Software Updates on Hotel Internet Connections
Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms.
“Malicious actors”? Are we talking cybercriminal gangs and fraudsters or state-sponsored bad guys from an enemy nation?
“Travelers abroad”? So, you mean that this can’t possibly happen within the United States?
Why the coyness about naming countries? Is it because the FBI doesn’t know which countries this pertains to (other than it’s definitely not happening in the USA)? Is it because they have a list of countries, but they’re not sure if it’s a complete, exhaustive list? Or is it because the authorities don’t want to say which countries?
Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections.
“Malicious software”? Can you tell us what malicious software? Is it a particular malware family? Can you at least tell us what the malware is attempting to do?
In these instances, the traveler was attempting to setup the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product.
“A widely-used software product”? Why not name it? The FBI isn’t saying a variety of popular products, it’s saying “a widely-used software product”. Should it really be up to us to place bets as to whether it’s likely to be Adobe Flash or not?
If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.
Which operating system are we talking about here? Windows? Mac OS X? Linux? iOS? Might have been handy to mention..
The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection.
“Government, private industry, and academic personnel..take extra caution”? Hang on. What about the rest of us? Shouldn’t we also be careful if we’re taking our computers overseas, perhaps on vacation? Or is the un-named country where this is happening not the kind of place people go on holiday to?
Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack.
But is likely to be beyond the ken of the vast majority of users..
The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor’s Web site if updates are necessary while abroad.
Sensible. No complaints with that. But the idea of business people travelling for weeks on end without installing security updates while they’re on the road sounds like it could backfire.
Anyone who believes they have been a target of this type of attack should immediately contact their local FBI office, and promptly report it to the IC3's website at www.IC3.gov. The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration. The complaint information is also used to identify emerging trends and patterns.
What’s fascinating about the advisory is what it doesn’t say. And without more information it’s hard to know how computer users are supposed to take meaningful action to protect themselves other than follow the normal advice of running security software, being careful what you install, running a VPN to hide your browsing from snoopers, etc.
It’s certainly very peculiar that the FBI didn’t share more information in its warning, or mention where in the world it believes it has seen these attacks taking place.
By coincidence, earlier this week, for the first time in almost ten years, a Chinese defense minister visited the United States.
The day before the FBI’s warning was issued, US Defence Secretary Leon Panetta met his Chinese counterpart Liang Guanglie in Washington DC, and told the world’s press that the two countries must work together to avoid cyber war, and emphasised the importance of the relationship between China and the USA.
Maybe there was more that the authorities could have said about this hotel malware threat, but thought it undiplomatic to publicise.
Laptop in hotel room image, courtesy of Shutterstock.
Don't mess with FBI, please.
I think it is great that the FBI and IC3 have issued the warning.
It's not rocket science that traveling abroad poses risk to computers and I think most of us can guess the countries that pose a particular threat. To me the important take away from the warning is to continue to bolster user awareness while they are traveling. Sound logic! 😉
Don't kid yourself that you live in a safe country, you are just as much at risk every time you use public wifi.
I don't see why they can't post at least some stats of where they are coming from. It's definitely not just China… and, sadly, I suspect some of it isn't sophisticated or intentional. Just sloppy security by the hotel running the portal system.
Hmmm, I wonder if it could be related to this: http://justinsomnia.org/2012/04/hotel-wifi-javasc…
"In short, the [hotel] is using the [Revenue eXtraction Gateway] to inject JavaScript into the HTML of every webpage its hotel customers view for the purpose of injecting ads."
To the author of this article ( Graham Cluley ),
I have to wonder how involved in information security you really are, as it seems your focused on some kind of journalist conspiracy theory versus the reality of our current computing environments and users. User education is one of the biggest problems I need to address every day. No matter how many controls we impose and validate routinely the lack of user education, due to a resistance felt towards it, is my biggest issue I must tackle day in and day out. When our users travel to another location within our enterprise it's a constant battle to have them schedule time for me to assess their laptop prior to departure (my compliance letter is required by IA Officer in the other location for them to access that network); this mentality is because the user often has some sort of false sense of security in their own computing abilities (while lacking knowledge of the actual threats and proper procedures to defend against them).
It is undeniable that this kind of info describes a real threat, why would you question it? I'd rather it be generic as there are a huge variety of threats that the user doesn't understand – don't limit their understanding. Also, from an incident response stand point – why would the FBI release details of an incident currently under investigation? Did you even think before posting this, or did you just want to write something eye catching?
Don, you make it seem like the author has months to prepare these blogs. This is more like a day to day basis of things he is working with, and chooses one topice to discuss and write about. If not I am sure he can write you 10 different topics of things he has touched and researched for 1 day, and still not be through it all. I believe the article is about User Awareness.
Now lets discuss your User education. Oh wait we can't FBI gave no information to the threat to be worried about to educate your users.
These are every day blogs, so in less than 24 hours he has to have another blog post. This is what they read the other day, and I am sure there was some type of discussion, as a security company would like to know everything they can about the issue, and not have vauge information of nothing. What your saying is he should just write User Awareness every day, so your bored reading the same thing day after day, so you got something else to complain about.
That’s right: why would they release DETAILS about the investigation?
I mean, why would they even MENTION it?
That doesn’t make sense.
Why be vague? Because then its a warning for future versions. Declaring that its only X software in Y countries can lead to false sense of security. They could be in Z country getting an update and not think about it.
At least detailing a pathway to malware in a general overview should(hopefully) raise awareness to the method in general.
"At least detailing a pathway to malware in a general overview should(hopefully) raise awareness to the method in general." – It's very hard to agree with your logic. I can instantly guess two or three ways this attack was mounted; I also know very few other people in IT who could make even the wildest guess, based on the info in the advisory. In fact I spend a lot of time re-explaining the thing, as I'm sure we all do generally.
Since going into specifics might in turn jepoardise my own liberty, I'm not doing so. But if you don't know how such attacks work, and against which platforms, how will you mitigate?
Graham – heads up that another security vendor (Towerwall) just lifted your column in it's entirety (though they did give you credit) in an unsolicited email (subject line: Towerwall Security/Malware Alert Vol 14.17).
Very interesting read
You had me at “old man yells at cloud.”
Gee, they’re not being specific here. Might as well NOT bring any laptops with you when traveling.
For all anyone who clicks on these pop-ups knows, they can be getting scareware or
randsomware on their computer. Pure foolhardiness clicking on ANY pop-ups for an
update of ANY kind, regardless of your location. I bet they click on emails from an un-
known sender too, and download files from them getting their computers infected in
that manner as well.
They continue to violate one of the cardinal rules of computing- NEVER download ANY
software or updates from anywhere except by going to the legitimate website directly,
AND checking any and all security certificates presented for authenticity and validity.
I feel sorry for these people, then again it's their own fault NOT following safe and best
practices with their equipment wherever they are, including while traveling like above
and in the advisory warning.
You’re right that it’s their own fault if they get infected – but it’s us, the good guys, who get the spam.
Good thing the FBI knows about this malware threat, but does not want to share it with the rest of the world. It's like they wanted to say they did something for once, but everyone else will still get infected, as they give no details. Hope Sophos has something prepared to take care of this unknown threat. As for the "Rest of us" comment. The government has never cared about protecting your data, as they would rather just take it too.
I would be ashamed if this was the type of reports my government was giving out. It's as bad as an AV company saying "We found a virus but don't know what it does. Avoid clicking icons of widly used products incase you become infected."
My disgust at this pointless FBI warning stating that "water is wet" is only exceeded by the initial comments I see above. Makes me so glad I don't live in the "Land of the Free".
When a criminal investigation is launched, we all know that some evidence is released to the public, and some witheld – the reasons vary, but constitute sound OpSec in nearly all cases. However in this instance it's reached such an extreme that the value of the advisory is turned on its head, it creates uncertainty and fear, yet without specifics paranoia will be hard to avoid.
The solution is for copmpanies to stop using stupid self-signed certificates and such on their own updating services, and then ensuring their users can ONLY USE THOSE SERVICES for updates.
(And are any of you actually of the belief the investigation is continuing? On what possible basis, people? Perpetrator attribution by source IP address, no doubt? Outstanding. I'd suggest the FBI likely have many more important cases on the go, even in the technology area).
"'The FBI also recommends … they download software updates directly from the software vendor’s Web site if updates are necessary while abroad.'"
"Sensible."
If I allow a proprietary update module (as provided by Adobe, Apple, Google, Microsoft, and others), which I have consciously installed / enabled on my PC, to download and install an update to the relevant software, I presume that update module uses a secure channel to the company's servers (using encryption and handshaking).
By contrast, if I attempt to visit the "vendor's Web site", via the hotel's network, I can very easily be redirected to a malware-laden facsimile. (Choosing, as is the default set-up, to let the hotel router provide the DNS server makes redirection particularly achievable.)
Good security advice must be not to make direct downloads of any software over an untrusted network.
"I presume that update module uses a secure channel to the company's servers" – What kind of fool am I? – http://nakedsecurity.sophos.com/2012/06/04/flame-…
Giving this article to people with little computer knowledge may make them more cautious to just to automatically accept updates, or at least you hope. I agree that it is vague but sometimes being vague is helpful since it scares the pants off of people. I don't know if this warning would do much to those that think they know about computers since they feel they are too smart to be tricked.
Well said guys. I assume it wasn't sophos that was affected.. 🙂