Sponsored by..

Monday 4 December 2017

Some random thoughts on Damian Green and those porn allegations

If you live in the UK then you might have noticed the somewhat bizarre furore over Damian Green MP and his alleged viewing of pornography on house his Parliament computer. Now, I don't know for certain if he did or didn't, but to put it in context his private email address also allegedly turned up in the Ashley Madison leak and on top of that there are sexual harassment allegations too. But let's stick to the porn for now.

Anybody who has been involved in forensic investigations of computers may well understand these comments:

Mr Lewis, who retired from the Metropolitan Police in 2014, said although "you can't put fingers on a keyboard", a number of factors meant that he was sure it was Mr Green, the MP for Ashford, Kent, who was accessing the pornographic material.

His analysis of the way the computer had been used left the former detective constable in "no doubt whatsoever" that it was Mr Green, who was then an opposition immigration spokesman but is now the first secretary of state.

"The computer was in Mr Green's office, on his desk, logged in, his account, his name," said Mr Lewis, who at the time was working as a computer forensics examiner for SO15, the counter-terrorism command.

"In between browsing pornography, he was sending emails from his account, his personal account, reading documents... it was ridiculous to suggest anybody else could have done it."  
To put this into context - the computer was seized in 2008 when Green was arrested over the suspected leaking of confidential material. Any investigation such as that will look at web browsing history, recently accessed or saved documents, cookies, bookmarks and stored documents and images. So, it is utterly credibly that the investigation would have found this type of activity if it had occurred.

Indeed, there seems to be no denial that this material had been accessed on the computer, but that Mr Green had not done so. But Mr Lewis's statement also says that things such as private email were accessed concurrently. If you were carrying out an investigation on behalf of a business, then this would indeed be enough to "place fingers on a keyboard".

But here is the surprise - why would this material be accessible at all? Nobody has claimed that it was not accessed, just that Mr Green himself did not access it. But any reasonably-sized business would usually have some sort of filter to stop this happening.

The House of Commons by itself employs over 2000 people. Add to that the staff of the House of Lords, the Lords themselves, MPs and other staff who are not directly employed by either House then you are looking at thousands of employees. That's quite a large organisation, and if there is no effective web filtering for any of them, then that introduces a serious security risk.

Anybody who works in IT in a relatively large organisation such as this will know that at least some of them will try to access pornography. My experience is that people who do this on their work computers are exclusively male, and there are 453 male MPs in the House of Commons. This is certainly a large enough group for some of them to be accessing porn, at least some of the time/


So we can surmise a couple of things - it certainly seems to be possible to access porn from a Parliament computer, and given the number of people working there it seems likely that somebody would try. The number of male MPs certainly seems enough for one of those to try to access porn. Given that it is likely that some of them try, there's no particular reason why it shouldn't be Damian Green. And if one MP is fired from his job because of porn, then you can bet there are other MPs who have done the same thing.

But why not implement some sort of filtering? The problem is that MPs are not employees - Parliament is the primary legislative body in the UK and it is essentially sovereign (despite there being a Queen). Imagine that you worked in an organisation where there were hundreds of C-level executives, and then try to police them from an IT point of view. MPs are probably amongst the worst users in the world to support.

As I said, most organisation of any size filter porn from corporate computers. Strategically, the main reason to do that is not to track down and fire errant employees, but to prevent embarrassment to that organisation. It's all very well to fire a low-level employee for viewing smut, but when it comes to the top of the food chain such terminations can also be damaging to the reputation of the organisation itself. If Parliament isn't filtering this sort of material then it is always likely to end up with this sort of scenario from time-to-time.

Mr Lewis's comments indicate that the material was found on the computer itself, not a proxy log or other external system. It's quite possible that whoever was accessing the material on Mr Green's computer could have saved themselves a lot of grief if they'd used private browsing (although a deep forensic investigation can often find artifacts even when this has happened).

Also, Nadine Dorries MP did state that she shared her password with staff who worked for her. This is terrible practice, and certainly in my organisation if you share your password and somebody abuses it, then you are liable for anything that they did.

Don't forget as well, the habit of porn sites infecting visitors with malware though malicious advertisements, and the habit of more "specialist" sites having been created specifically to infect visitor's computers. MPs might not think themselves to be important enough to hack, but they will have private correspondence with constituents and other parties that should remain private.. and not be leaked out.

Whatever the truth of Damian Green's surfing habits, it looks like Parliament is badly in need of proper regulation of its computer systems. But you really do have the nightmare users from hell in that job. I suspect it is going to take something more that one embarrassed MP to force a change.

Image credits:

Tuesday 31 October 2017

Wednesday 25 October 2017

Updated 3NT Solutions LLP / inferno.name / V3Servers.net IP ranges

 

[For the February 2021 version of this list, click here]

When I was investigating IOCs for the recent outbreak of BadRabbit ransomware I discovered that it downloaded from a domain 1dnscontrol.com hosted on 5.61.37.209. This IP belongs to a company called 3NT Solutions LLP that I have blogged about before.

It had been three-and-a-half years since I looked at their IP address ranges so I thought I would give them a refresh. My personal recommendation is that you block all of these, I have never seen anything of worth on any 3NT range. Note that inferno.name and V3Servers.net are the same outfit and I have included those too. If you know of any other ranges, please consider leaving a comment.

5.45.64.0/19
5.61.32.0/19
37.1.192.0/19
37.252.0.0/20
46.22.211.0/25
46.22.211.128/26
80.79.124.128/26
92.48.122.0/28
92.48.122.16/28
92.48.122.32/28
92.48.122.48/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
130.0.232.0/21
184.154.38.40/29
185.4.64.0/22
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24


Tuesday 24 October 2017

Malware spam: "Order acknowledgement for BEPO/N1/380006006(2)"

A change to the usual Necurs rubbish, this fake order has a malformed .z archive file which contains a malicious executable with an icon to make it look like an Office document.

Reply-To:    purchase@animalagriculture.org
To:    Recipients [DY]
Date:    24 October 2017 at 06:48
Subject:    FW: Order acknowledgement for BEPO/N1/380006006(2)

Dear All,
Kindly find the attached Purchase order# IT/IMP06/06-17 and arrange to send us the order acknowledgement by return mail.

Note: Please expedite
the delivery as this item is very urgently required.


Regards,  Raj Kiran

(SUDARSHAN SS)  NAVAL SYSTEMS (S&CS)
BHARAT ELECTRONICS LIMITED  BANGALORE  PH:9180-22195857  BEL Website : www.bel-india.com SRM PORTAL :https://hpcrmp.iscodom.com/irj/portal



Every Sheets of paper is made from a tree.. Save trees... Conserve Trees.... Go Green .... Don't print this email or any Files unless you really need to!!!!
Confidentiality Notice


The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Bharat Electronics or support@bel.co.in immediately and destroy all copies of this message and any attachments.

Attached is a file Purchase order comfirmation.doc.z which contains a malicious executable Purchase order comfirmation.exe which currently has a detection rate of 12/66. It looks like the archive type does not actually match the extension..


If the intended target hides file extensions then it is easy to see how they could be fooled..

Incidentally, VirusTotal shows this information about the file:


Copyright: (c)1998 by RicoSoft
Product: System Investigation
Description: System Investigation for NT/9x
Original Name: SysInv2.exe
Internal Name: SysInv2
File Version:2.3.1.37
Comments: Freeware / Careware from RicoSoft

Obviously that's fake, but a bit of Googling around shows SysInv2.exe being used in other similar attacks.

The Hybrid Analysis for is a little interesting (seemingly identifying it as Loki Bot), showing the malware phoning home to:

jerry.eft-dongle.ir/njet/five/fre.php   (188.165.162.201 / Mizban Web Paytakht Co. Ltd., Iran)

Actually, the IP is leaded from OVH and claims to belong to dedicatedland.com in Birmingham, UK:

organisation:   ORG-MWPM1-RIPE
org-name:       Mizban Web Paytakht Mizban Web Paytakht
org-type:       OTHER
address:        55 Orion Building, 90 Navigation Street
address:        B5 4AA Birmingham
address:        GB
e-mail:         info@dedicatedland.com
abuse-mailbox:  info@dedicatedland.com
phone:          +44.7455017803
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2015-01-22T22:12:03Z
last-modified:  2015-01-22T22:12:03Z
source:         RIPE


The small 188.165.162.200/29 range is marked as "failover IPs".  The WHOIS for dedicatedland.com comes up with a bogus looking address in Massachusetts:

Registrant Email: info@dedicatedland.com
Registry Admin ID: Not Available From Registry
Admin Name: Mizban Web Paytakht LLC
Admin Organization: irnameserver.com
Admin Street: Newton Center 
Admin City: Newton Center
Admin State/Province: Massachusetts
Admin Postal Code: 00000
Admin Country: US
Admin Phone: +1.00000000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext: 


However RIPE show them as being in Tehran:
Mizban Web Paytakht Co. Ltd.

No.43, North Ekhtiyariyeh St, Ekhtiyariyeh Sqr
1958743611 Tehran
IRAN, ISLAMIC REPUBLIC OF

phone:   +98 2122587469
fax:  +98 2122761180
e-mail:  info (at) dedicatedland (dot) com
Anyway, if you are not interested in sending traffic to Iran, Mizban Web Paytakht own AS64428 which comprises of 185.165.40.0/22 as well. I'll make a guess that the 188.165.162.200/29 range
may be insecure and could be worth blocking.

The email itself originates from 104.171.114.204 which is allocated as follows:

CustName:       jason Richards
Address:        121 main street
City:           suffolk
StateProv:      VA
PostalCode:     23434
Country:        US
RegDate:        2017-01-16
Updated:        2017-01-16
Ref:            https://whois.arin.net/rest/customer/C06298370


You probably don't need to accept .z attachments at your mail perimeter, and any decent anti-spam tool should be able to look inside archives to determine was is in there.

Tuesday 17 October 2017

Evil network: Fast Serv Inc / Qhoster.com

Checking these IOCs for this latest Flash 0-day came up with an interesting IP address of 89.45.67.107 which belongs to Fast Serv Inc aka Qhoster, probably of Bulgaria but masquerading themselves as a Belize outfit.

I came across Fast Serv / Qhoster a lot last year during the Angler EK epidemic, where they had entire ranges full of badness, often with no discernable legitimate sites at all. It turns out that I'd blocked the /24 a year ago as it was full of EK servers. The full analysis I did of Fast Serv / Qhoster Angler ranges can be found in these Pastebins: [1] [2] [3] [4] [5] [6] [7]

So, this Flash 0 day gave me a renewed impetus to identify these ranges and keep them the hell off my network. Luckily HE's BGP tool can identify most of the allocated IPs of a /24 size or larger [8] [9] plus a bit of infill from other sources.

I can't guarantee that these ranges are free of legitimate sites, but even a quick glance at some of the ranges (the BGP tool is quite good for this [10]) shows signs of obvious badness in almost all of them. Use at your own risk :)

Note that these ranges are across many different ASes and hosts, although AS201630 is allocated to Qhoster themselves.

5.104.105.192/26
37.157.253.64/26
46.102.152.0/24
46.102.252.0/23
85.204.74.0/24
86.104.15.0/24
86.105.1.0/24
86.105.5.0/24
86.105.18.0/24
86.105.227.0/24
86.106.93.0/24
86.106.102.0/24
86.106.131.0/24
89.32.40.0/24
89.33.64.0/24
89.34.111.0/24
89.35.178.0/24
89.37.226.0/24
89.42.212.0/24
89.43.60.0/24
89.43.202.0/23
89.44.103.0/24
89.45.67.0/24
92.114.35.0/24
92.114.92.0/24
93.113.45.0/24
93.115.38.0/24
93.115.201.0/24
93.117.137.0/24
93.119.123.0/24
94.177.12.0/24
94.177.123.0/24
103.197.160.0/22
138.204.168.0/22
141.255.160.48/28
146.0.43.64/26
168.227.36.0/24
168.227.37.0/24
168.227.38.0/24
168.227.39.0/24
176.223.111.0/24
176.223.112.0/24
176.223.113.0/24
176.223.165.0/24
185.77.128.0/24
185.77.129.0/24
185.77.130.0/24
185.77.131.0/24
188.213.204.0/24
188.215.92.0/24
188.241.39.0/24
188.241.68.0/24
220.158.216.0/22
2403:1480:1000::/36
2403:1480:9000::/36
2a05:6200::/32
2a05:6200:72::/48
2a05:6200:74::/48