Brit authorities could legally do an FBI and scrub malware from compromised boxen without your knowledge

UK authorities could lawfully copy the FBI and forcibly remove web shells from compromised Microsoft Exchange server deployments – but some members of the British infosec industry are remarkably quiet about whether this would be a good thing. In the middle of last week the American authorities made waves after deleting web …

  1. Doctor Syntax Silver badge

    A better option would be the power to instruct the operators (the business owners, not the techies) to take it off-line forthwith until it's rectified. Add a backup power to tell the operator's ISP to remove internet connection if a response isn't forthcoming. Such a power would cover DDOS botnet members and the like. The downside is that it would give ammo to the "This is Microsoft" outfits but they need to be dealt with in any case.

    1. Paul Smith

      Fuck no! A company wants to publish information embarrassing to the government du jour and you want to give the authorities the power to take them down for an unproven threat?

      1. Doctor Syntax Silver badge

        "A company wants to publish information embarrassing to the government du jour"

        The issue is malware. I think you're stretching the definition of malware a little more than warranted to include publishing information embarrassing to the government.

        The alternative being posited was for the authorities to step in invasively to fix servers. Do you prefer that?

        1. Paul Smith

          No, the issue is that you want to give authorities a mechanism for taking someone offline. This week it is malware, next week it will be something else, and you still haven't done anything that addresses the problem, which is that it is 1) a profitable and low risk form of crime and 2) leaving servers unpatched is cost effective. Change that balance and the problem goes away.

          If some scumbag breaks into your home to fund their next fix, they are not prosecuted for the £25 they got for your stuff, they are prosecuted for the £1000+ damage they caused to you. And if you don't have locks on your door or don't bother using them, then you don't expect the insurance company to pay out. Apply the same to computer systems. Make the punishment slightly more severe than the current slap on the wrist and make the consequences of maintaining vulnerable systems not worth the savings.

          1. martyn.hare
            Thumb Up

            A 7 step program!

            What should happen:

            1) ISPs should police their networks for suspicious activity themselves, obviously

            2) Computers clearly spewing malware should be cut off from the Internet by ISPs

            3) Public computer systems should be registered to an owner which is documented

            4) Through the combination of 1, 2 and 3, owners will take steps to avoid being cut off!

            5) ISPs which don't do their part should be cut off by other ISPs who do their part

            6) To ensure ISPs fall in line, they should be audited by independent non-profits

            7) Five eyes countries should simultaneously implement legislation to enforce compliance

            Simples!

            1. Rich 11

              Re: A 7 step program!

              Simples!

              The moment someone writes this as part of anything other than a joke, it raises a flag. It usually indicates that the proffered solution is more likely simplistic than simple.

              For example, take no.7. Five different countries, three of them currently with right-wing governments not disposed towards market regulation and two with centre-left governments, are expected to coordinate introducing the same legislation in the face of industrial lobbying and each country's varying federal/non-devolved structures and legislatures. Not simples.

          2. Doctor Syntax Silver badge

            "you still haven't done anything that addresses the problem which is that it is 1) a profitable and low risk form of crime and 2) leaving servers unpatched is cost effective. Change that balance and the problem goes away."

            I haven't done anything to stop it? You are the one that's complaining about a mechanism to stop it. If you go back, look what I suggested and have a little think about it you'll realise that it makes patching servers cost effective. Keep the server patched and you don't have a problem, leave it unpatched and you do.

            Where's your suggestion to change the balance? Something slightly more severe than a slap on the wrist? Probably still cheaper than paying a good admin to keep an eye on things.

            The suggestion that "next week it will be something else" is pure fantasy on your part. What was suggested would need legislation. Legislation does not get changed to "something else" in a week nor does it get changed easily.

            And you still haven't said whether you prefer the authorities to break into the system to remediate which was what the article was about.

            1. Paul Smith

              You haven't changed the motivation to attack computers and you haven't changed the motivation to protect them. All your proposal achieves is to give a minister the power to take someone off line. As for the idea that extending such powers is fantasy, I suggest you read up on RIPA. https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000#Agencies_with_investigative_powers

          3. Unoriginal Handle

            Not quite. They're prosecuted for burglary, which has no monetary value attached to it.

            And the monetary losses are, from my dim and distant memories as a probationer constable in the late 80s, subsidiary to the emotional distress caused by knowing a complete stranger has had free rein in your castle.

            https://www.cps.gov.uk/legal-guidance/theft-act-offences#:~:text=Section%209%20of%20the%201968,to%20inflict%20grievous%20bodily%20harm refers.

          4. FIA Silver badge

            No the issue is that you want to give authorities a mechanism of taking someone offline. This week it is malware, next week it will be something else

            By this logic the authorities already have the power to do whatever they want, as they can just change it at whim? Luckily the world doesn't quite work this way.

            If some scumbag breaks into your home to fund their next fix, they are not prosecuted for the £25 they got for your stuff, they are prosecuted for the £1000+ damage they caused to you.

            If someone is desperate enough to turn to burglary for 25 quid to satiate whatever desire they have, how is fining them an even larger amount even effective?

            Evidence would suggest it isn't; so maybe not the best model to base things on?

            I hate to say it people, but it's probably time we had some kind of qualification system, either for meatsacks or systems. If I build a building the public use, it has to follow various codes, so why shouldn't my virtual building be the same?

        2. Allan George Dyer
          Black Helicopters

          National Security

          @Doctor Syntax - "The issue is malware. I think you're stretching the definition of malware a little more than warranted to include publishing information embarrassing to the government."

          It's not limited to malware, it only requires a minister to agree that exposing his fellow minister's wrongdoing would damage the economy.

          A minister would NEVER betray his position of trust, so we're all good, right?

    2. Anonymous Coward
      Anonymous Coward

      I agree. I have written to datacentre abuse e-mails to notify them of my IP address being constantly scanned by their servers, added the IP addresses to abuseipdb servers for all to see, and notified the datacentre of the prolific scanning by their servers as per abuseipdb entries.

      It had absolutely no effect, and their servers continue to scan. This was EU based servers scanning UK IP addresses.

      Given the decades the internet has been available, and the prolific scanning/hacking occurring, why it has taken 20+ years for no process to be available to force datacentres to stop their servers from being misused is quite bemusing.

    3. Anonymous Coward
      Boffin

      Options

      Force the server offline - far too destructive to a business with the potential to affect innocent businesses that rely on the offending business.

      Fine the business - like other IT fines this just turns it into a cost of doing business that the bean counters will assess.

      Punish the IT personnel - tempting, but it usually isn't their decision or fault.

      Punish management - personal fines for all members of the Board of Directors and the CEO would be good and daily fines for them until the problem was corrected would be even better.

      1. Peter2 Silver badge

        Re: Options

        I'd actually just go with "force the server offline".

        Did it affect business? Well, sorry. Couldn't leave a box flinging malware online. Did you lose money? Sue the company that didn't secure the box properly.

        If this started happening, then it wouldn't take too long for people to start asking "what sort of security precautions are you taking?" to make sure that their stuff stayed up.

        If it forced companies that didn't care out of business then would this really be such a terrible thing? Their business then goes to people who do care.

    4. ConsumedByFire

      Back in my 'very early' ISP days we were getting our outbound email traffic blocked by SMTP relay providers because we had been blacklisted because of spam emanating from our network. I can't remember the exact details but we were getting whole user subnets blocked I think, until we killed the spamming customers (told them to cease and desist or find a new ISP).

      Wouldn't something similar work here? Just block email traffic to/from the offender until they cleaned their house? Might not work, my email infrastructure knowledge is rather rusty.

      1. Anonymous Coward
        Anonymous Coward

        I remember dealing with that at an ISP. It was found, after some research, to be caused by a lot of compromised hosts.

        The solution took three steps:

        1 - set up an authenticated SMTP relay to be used by all

        2 - warning to all customers

        3 - shutting down email ports on the outbound routers

        Bonus: their bandwidth utilisation dropped significantly. Not unimportant in the days of dial up Internet.
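As an added illustration of step 3 in the comment above (not code from the commenter or from The Register), the following Python model shows what an ISP's customer-facing egress filter does once an authenticated relay exists: direct outbound SMTP (TCP/25) from customer address space is dropped, submission to the relay on TCP/587 stays open, and the relay itself keeps direct delivery. It also tallies dropped flows per source, which is how hosts that are still "spewing" surface for the warning/cut-off steps. All subnets, the relay address, the port choice and the flow records are constructed for the demo.

```python
"""Egress-filter model for outbound SMTP on a customer-facing ISP router.
Added example; every address, subnet and flow record here is constructed."""
import ipaddress
from collections import Counter
from typing import NamedTuple

# Constructed values: two customer address pools and the ISP's authenticated relay.
CUSTOMER_POOLS = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("10.30.0.0/16")]
RELAY = ipaddress.ip_address("10.1.0.25")   # hypothetical relay, outside customer space
SMTP_PORT = 25          # direct-to-MX delivery, blocked from customers
SUBMISSION_PORT = 587   # authenticated submission to the relay, allowed


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_customer(addr: str) -> bool:
    """True if the source address sits in one of the customer pools."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CUSTOMER_POOLS)


def egress_verdict(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one outbound flow crossing the customer router."""
    if flow.proto != "tcp":
        return "allow"                      # only TCP mail ports are in scope
    if not is_customer(flow.src):
        return "allow"                      # ISP infrastructure (incl. the relay) keeps direct SMTP
    if flow.dport == SUBMISSION_PORT and ipaddress.ip_address(flow.dst) == RELAY:
        return "allow"                      # the sanctioned path: authenticated submission
    if flow.dport == SMTP_PORT:
        return "deny"                       # direct-to-MX mail from customer space
    return "allow"                          # everything else (web, DNS, ...) is untouched


def apply_policy(flows):
    """Split flows into allowed ones and a per-source count of denied SMTP attempts."""
    allowed, denied_per_src = [], Counter()
    for f in flows:
        if egress_verdict(f) == "allow":
            allowed.append(f)
        else:
            denied_per_src[f.src] += 1
    return allowed, denied_per_src


def suspect_hosts(denied_per_src, threshold=3):
    """Sources whose blocked direct-SMTP attempts reach the threshold: candidates for a warning."""
    return sorted(src for src, n in denied_per_src.items() if n >= threshold)


# Constructed flow sample: an ordinary customer, a host spraying mail at remote MXes, the relay.
SAMPLE_FLOWS = [
    Flow("10.20.4.7", "10.1.0.25", 587),          # legitimate submission via the relay
    Flow("10.20.4.7", "203.0.113.80", 443),       # web browsing, unaffected
    Flow("10.30.9.200", "192.0.2.10", 25),        # likely compromised: direct to remote MX
    Flow("10.30.9.200", "192.0.2.11", 25),
    Flow("10.30.9.200", "192.0.2.12", 25),
    Flow("10.30.9.200", "192.0.2.13", 25),
    Flow("10.20.4.7", "192.0.2.10", 25),          # one stray direct attempt, below threshold
    Flow("10.1.0.25", "192.0.2.10", 25),          # the relay delivering outbound mail
    Flow("10.30.9.200", "192.0.2.10", 53, "udp"), # DNS, out of scope
]

if __name__ == "__main__":
    allowed, denied = apply_policy(SAMPLE_FLOWS)
    print(f"allowed {len(allowed)} of {len(SAMPLE_FLOWS)} flows")
    for src, n in denied.most_common():
        print(f"  blocked {n} direct SMTP flows from {src}")
    print("suspect hosts:", suspect_hosts(denied))
```

The relay address is deliberately outside the customer pools so the "not a customer" rule lets it deliver on port 25; if a relay ever lived inside customer space it would need an explicit exception ahead of the deny rule, which is the kind of ordering mistake that quietly breaks outbound mail.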

  2. Mike 137 Silver badge

    Brit authorities could legally do an FBI

    "A better option would be the power to instruct the operators (the business owners, not the techies) to take it off-line forthwith until it's rectified."

    Thereby closing businesses down right, left and centre. Getting your web server infiltrated is not voluntary, or, given the bug ridden nature of the code, even negligent. However assiduously you patch, there's always another attackable vulnerability waiting under the hood.

    What's really needed is for the NCSC to show some teeth to those who produce such total crap software. Security can never be improved until, instead of forcing users to run on a treadmill of reactive response, vendors proactively take responsibility for the quality of their products.

    1. don't you hate it when you lose your account

      Re: Brit authorities could legally do an FBI

      While I agree with your assessment of the current state of both software and the Internet in general, that is no excuse to simply not mitigate against a known exploit. That just smacks of corporate can't-be-arsed.

    2. big_D Silver badge

      Re: Brit authorities could legally do an FBI

      If they were "a day late" patching, fine. They should have time to respond in a controlled manner - even if active exploits started infecting Exchange servers on a large scale within hours of the patches becoming available (if not before, it was a zero-day, after all). But a month later? That is bordering on gross negligence.

      But we are talking about companies that have ignored the threat and just about every CERT, government and spy agency around the world telling them to patch, because servers are being scanned and infected at a high rate - something like over 600 known attacks using this bug-set alone, and a new set came out this month, we had the patches from MS last week and a day later, the BSI (German Government Department of IT Security) had already issued a warning to businesses to patch. I'd already informed my superiors the day before and we already had the update installed.

      A company that ignores multiple zero-days and then the next month also the new critical bugs, which probably have about 48 hours, before they will be openly exploited, needs its arse handed to it on a plate! They are a danger to themselves and to other Internet users.

      1. Yet Another Anonymous coward Silver badge

        Re: Brit authorities could legally do an FBI

        This is the classic difference between 'can I' and 'may I'

        The Brit authorities may hack servers to correct faults - but since it would involve contracting it out to Crapita the 'could' they is a bit more of a question

        1. Stuart Castle Silver badge

          Re: Brit authorities could legally do an FBI

          You forget Serco, who seem to suck up a lot of contracts, but as Serco generally sucks, the same applies.

        2. Flywheel

          Re: Brit authorities could legally do an FBI

          Or worse still, Crapita could/would "have a go" and then bugger it up.

          "We had a look at your server for you, and it's what we in the trade call 'broken'".

          1. Anonymous Coward
            Anonymous Coward

            Re: Brit authorities could legally do an FBI

            .. would you like to buy some consultancy to fix it?

            No, really, someone will try. Guaranteed.

  3. vtcodger Silver badge

    Fasten your seatbelts

    Given the dismal state of internet security and the fact that it has become clear in recent months that it's wall to wall crackpots out there, it's not too hard to imagine a digital threat from some malicious agent(s) that needs to be dealt with **NOW**, not six weeks from next Thursday. So, yes, the government probably needs to be able to step in and fix things sometimes. Can/will they abuse/botch that intervention sometimes? Probably.

    I don't think we've been told why the FBI felt they had to act immediately. They probably had reasons. Maybe good reasons. Or not. At least they got a court order. So they probably had at least a plausible justification.

    What to do about all this? I haven't the slightest. Neither, I suspect, does anyone else. It's a serious issue I think. But it's not even in the top ten problems I think I see looming in this shiny new digital universe.

    It's going to be a bumpy night.

    1. big_D Silver badge

      Re: Fasten your seatbelts

      Whether it be the power to go in and "clean" the server - although, in the FBI's case, they removed webshells, but didn't patch the servers to stop the bad guys re-installing their webshells - or they take the servers off-line until the problem is resolved, something needs to be done to make people more aware of security problems and their responsibilities to deal with those problems.

      It is like a car manufacturer sending out an urgent and immediate recall that the brakes are faulty and will cause an accident and the owner/driver ignoring the recall and going on to cause a deadly accident, because they didn't get the brakes fixed.

  4. AW-S

    Works both ways

    If we let them scrub things from our systems, then we must also assume they can add things too. Lawyers will be using that defence in future for sure.

    1. DS999 Silver badge

      Not really

      Though full details have so far not been made available, all evidence is that all the FBI did was connect to the command server and give it a "shutdown and delete yourself" command which was present in the malware. They weren't hacking into servers, let alone doing so and then applying patches or manually deleting/changing files. This was functionality present in the already infected server that anyone could have accessed had they obtained a similar knowledge of how the malware operates.

      There's a HUGE leap from "tell malware to evict itself" and "hack in and force security updates to be applied". Even Microsoft wouldn't want them doing that, as they'd take some of the heat if the updates caused problems in some servers.

      1. Roland6 Silver badge

        Re: Not really

        >Though full details have so far not been made available, all evidence is that all the FBI did was connect to the command server and give it a "shutdown and delete yourself" command which was present in the malware.

        It has been a little irritating that very little detail has been released.

        I'm hoping they at least shared the information with the AV vendors so that their scanners can also perform this task.

    2. doublelayer Silver badge

      Re: Works both ways

      I think it might be possible to allow interventions like this, where the systems themselves aren't directly entered but the malware's control system is compromised. The major restrictions that are needed are A) they shouldn't be allowed to extract data from the system including telemetry about their removal, B) they must not push any binaries or scripts other than a removal, and C) they must publicize what they have done. If those restrictions were clear, I wouldn't mind actions to cauterize malware by invoking its self-destruct mechanisms.

      If the organizations concerned intend to spy on the operators of infected servers, they already know how to do it and they won't ask permission. This is a separate issue, but just banning something like this won't fix the problem because those agencies have already made it clear they're willing to break the laws. Meanwhile, if the agencies are investigating the operators for crimes, they can get legal warrants allowing them to collect information. So what is made possible by allowing this which wasn't already possible and frequently used?

  5. mark l 2 Silver badge

    The problem with the FBI or GCHQ taking it upon themselves to remove malware is that the system still remains unpatched and vulnerable to reinfection. So there is nothing to stop criminals reinfecting the box minutes after the malware was removed.

    It's the same as if they had raided a drug den and removed all the illegal drugs but left the doors wide open when they left, to let everyone back in afterwards.

    I also question why the FBI have decided to intervene only on this occasion when we have had plenty of other malware attacks where they have not done any active removal of the malware. Could it be that some of these infected servers belong to businesses that have contracts with government departments, and so the infections could potentially cause political problems if emails were to get stolen and leaked by the criminals?

    1. Version 1.0 Silver badge

      updates "applied"

      That's often not a problem because the next set of hackers will "update" the system to avoid any FBI/GCHQ issues.

  6. Wolfclaw

    So the <insert security agency here> have eyes on a person or company of interest, oh look, they may or may not have a security hole, let's get a court order, fix it, drop something else in its place and even have a quick look around for something tasty. Paranoid? Nah, it's exactly what they would do!

    1. MatthewSt

      As opposed to the current methodology where they could just put something on there anyway, without the faff of a court order or needing to fix something.

      If your argument is that they'll go beyond the remit of the court order, why is this scenario any different?

  7. James12345
    Black Helicopters

    Take the situation when someone sees a house burning down and calls the fire brigade. When they arrive and confirm the house is on fire, do they have to ask permission from the owner (how do they even know who the owner is, or verify the identity of the person claiming to be the owner?), or get a court order to put the fire out?

    What if the fire starts to endanger surrounding houses, but again those owners are not there to give permission to fight the fire when it spreads to their property? Even if the other house owners are present and give permission to the fire brigade to fight the fire, why do the fire brigade have to wait until the surrounding property is actually damaged before dealing with the threat posed?

    Why is a compromised computer system different to a burning house if it poses danger to people other than the owner of the system/house?

    Is it fair to prevent the fire brigade from doing anything at all, just because one of them may come back later and see what can be stolen from the house now the front door has burnt away, but there are bits of the house unaffected by the fire?

    I'm sure there are rules that are meant to stop firefighters from stealing property, but what if a rogue firefighter steals something? Is the best way of dealing with that to prevent any action being taken by all firefighters? What if the rogue firefighter started the fire in the first place and hoped the fire brigade wouldn't be called out, as it makes his dodgy activity a little harder to cover up?

    1. heyrick Silver badge

      "Why is a compromised computer system different to a burning house"

      Because usually people don't stuff drugs down the back of your sofa, set the garage on fire, call the fire brigade, and then wait for the forensics to discover the big bag of cocaine.

      Would you trust any of the letter agencies poking around in your system?

      1. James12345
        Facepalm

        If the system has been compromised, do you not think the agencies, if they wanted to plant evidence, can get in to anyway?

        If they want to screw you over, they don't need to wait until somebody else hacks you first.

  8. cantankerous swineherd

    So can the spooks get in via the compromise, or can they just get in? The article doesn't seem to clarify this.

  9. chivo243 Silver badge
    Coat

    Exchange owners

    Aren't these like cat owners who think they own the cat? Where in reality, the cat owns you!! You might think you own Exchange...

    Some James Herriot novel in the pocket ;-}

  10. LenG

    Make them pay

    If companies had unlimited liability for any damage caused to third parties by their failure to apply a patch in a timely manner they might be more responsive to supplied security fixes.

    1. trindflo Bronze badge

      Re: Make them pay

      Exactly. If you don't trim your trees, the city will come in, do it for you, and hand you a bill at whatever rate the city costs its workers. Abatement rules would seem to be the way to go. The timetables between complaint and action would be different for an electronic age.

  11. Scott Broukell

    Laziness and automation

    Personally I don't see anything terribly wrong with such periodical intervention by those well versed in security, especially when things are seen to be getting messy and dangerous. I would naturally want to see a document trail and various sign-offs from senior officials etc., with an additional nod perhaps from bodies such as Ofcom (in the UK).

    But I can't help thinking that the very nature of our interaction with 'connected' technology has progressively meant us becoming lazy with regard to security, in the sense that accelerating built-in automation and convenience blunts the end user's much needed wariness. That is to say that if the masses of the great unwashed seem to care less and less about clicking on any blooming icon, pretty image or link that is presented to them on screen, such behaviours will also likely migrate into the mindset of those with actual responsibility for securing the back end hardware that drives the whole thing! Almost every aspect of our hurried lives is now touched by such connectivity and that means, no matter how reassuring and familiar the pretty icons etc., as end users we barely have time to consider the security of our information, let alone the responsibilities involved in looking after the information held on a corporate or public server involving thousands of individuals!

    A great deal of housework obviously needs doing with regard to internet security. For far too long things have been brushed under the rug and the longer it takes to sort it out the worse it will get. There is a lot of serious hard work that needs to be done I feel and if it takes such an intervention to alert us to such matters then so be it. We have only ourselves to blame, collectively.

  12. Huw D

    I might be misremembering here, but wasn't there a vigilante white-hat a few years ago who stumbled upon a/some network(s) with vulnerabilities and fixed it/them? They then emailed to say what they'd done?

    People (again, if I remember correctly) thought that was a positive thing?

    1. Roland6 Silver badge

      If you know the command sequence the FBI used, then with the help of Shodan some white hats could collar a botnet and send the command sequence to all Exchange Servers Shodan lists...

  13. marcellothearcane
    Trollface

    Free tech support!

    No need to patch my own servers, FBI will do it for me. Now I can lay off all the IT staff.

    </sarcasm>

  14. Stuart Castle Silver badge

    I'd be surprised if our government didn't have the ability to do this. People often spout about the Computer Misuse Act, but while I am no solicitor, I have spent hours studying various computer based legislation (I actually covered the law in the 1st year of my Computer Science degree), including the Computer Misuse Act and both the 1998 and 1984 Data Protection Acts. Every one of them included some statement to the effect that under certain circumstances, the law did NOT apply to government departments.

    Note: I can't remember much more than that. I started my degree over 20 years ago, and I'm not going to look up the acts just for a comment.

  15. YetAnotherJoeBlow

    Same old...

    Does the Government need this tool? absolutely

    Will the Government abuse this? absolutely

    Will this end up a legal quagmire? absolutely

  16. Phil W

    Forced remedy to infection

    The only way this should be legally allowed to happen in the UK is if we also introduce mandatory vaccination against Covid-19 for everyone (unless there's a good medical reason not to). If you're going to allow the government to force remediation against computers being infected with malware, then you should damn well be ok with allowing them to force remediation against deadly infections. Lives aren't even at risk with the former, but they are with the latter.

  17. FlamingDeath Silver badge

    I got a better idea and it has a better outcome for all involved.

    Make, as in force, Micro$oft to unfuck all of their shit code, for every affected organisation, at a cost to themselves; failure to comply should result in the company being broken up.

    Maybe, just maybe, we’ll start seeing secure, well thought out, engineering, instead of the wildwest shitshow I see before me

    Are they selling software or are they selling license agreements? Maybe they should spend more time pandering to the code and less time pandering to the license agreement

    1. James12345

      You seem to be mistaken in the belief that only Microsoft write code with vulnerabilities.

      Please grow up, or are you actually a 5 year old?

  18. Cynic_999

    Next step

    Forcibly removing malware from Microsoft Exchange servers does not address the danger from PCs that are not running Microsoft Exchange but may nevertheless be infected with malware (e.g. making it a "zombie" PC in a "botnet"). So if the government gives permission for LEA to infiltrate Exchange servers, the logical next step is to allow LEA to infiltrate ANY PC that is connected to the Internet to check for undesirable code and make whatever changes it considers necessary. Obviously the OS would have to have a suitable backdoor access, but I'm sure that Microsoft will comply and include it in its next update. After all, it will be for our own good. Think of the children!

    And while sniffing around for whatever might be considered undesirable, they might as well have a nose around for anything else that might be of interest.

    1. James12345
      Facepalm

      Re: Next step

      "the logical next step" - no, it is not.
