Brit authorities could legally do an FBI and scrub malware from compromised boxen without your knowledge

Would a move for The Greater Good™ actually be good, though?

Comment UK authorities could lawfully copy the FBI and forcibly remove web shells from compromised Microsoft Exchange server deployments – but some members of the British infosec industry are remarkably quiet about whether this would be a good thing.

In the middle of last week the American authorities made waves after deleting web shells from Exchange Server deployments compromised in the Hafnium attacks. The agency had gone to the US federal courts for permission, which it received.

The entire infosec world had been bellowing at IT admins to update and mitigate the vulns, which were being exploited by skilled and malicious people who found the remote-code-execution bug. Nonetheless, some laggards still hadn't bothered – and with compromised boxen providing a useful base for criminals to launch further attacks from, evidently the FBI felt the wider risk was too great not to step in.

The move didn't go unnoticed in the UK. Former National Cyber Security Centre chief Ciaran Martin praised it on Twitter.

Could NCSC have copied the FBI and done such a thing over here? The initial reaction of many would have been to say the Computer Misuse Act 1990 blocks it, either through the section 1 "unauthorised access" offence or the section 3ZA gotcha, which carries 10 years in prison if you're found guilty of breaking into someone else's device while being "reckless as to whether serious damage of a material kind" is caused to "a system of communication". Nonetheless, tech lawyer Neil Brown of decoded.legal told The Reg that GCHQ (and the NCSC) could have done it with a warrant.

Brown pointed to section 5 of the Intelligence Services Act 1994. Section 5(2)(iii), read together with section 3(2)(a) (the latter being GCHQ's raison d'être), can be read as giving GCHQ the legal power to apply for a warrant to remove web shells from compromised Exchange Servers, provided a minister agreed that removing the malware was necessary for British economic well-being.

Brian Honan, infosec consultant and founder of Ireland's CSIRT, warned that "the road to hell is paved with good intentions," telling us: "The reasoning this action was allowed by the [US] courts was under the guise of 'national security'... What would have happened if the action taken by the FBI had resulted in downtime of some of the systems? We need to ensure there are appropriate legal, transparency, and accountability controls in place should this type of action or similar be considered again."

Honan is right: while it would be legal for NCSC to copy the FBI, it would open a large can of worms if it went down the same route. There is no framework GCHQ/NCSC could adopt to ensure that its use of any such powers would be proportionate and kept within lawful bounds.

One American commentator, ex-NSA lawyer Stewart Baker, reckoned that under US federal law the FBI were on sound ground unless someone popped up with proof that the feds had caused damage.

While the NCSC declined to put anyone up for interview, in a brief statement the agency said it had stopped short of scrubbing infected servers clean without their owners' knowledge: "The NCSC has gone above and beyond to support vulnerable and compromised Exchange owners with the removal of webshells, including working with partners and proactive outreach."

"Organisations can greatly reduce the threat of being compromised by applying the latest security updates, such as recommended in Microsoft's latest guidance to Exchange owners," it added. Clearly, new chief exec Lindy Cameron's interventionist approach to British infosec stops short of doing industry's work for it.

Representatives of the CyberUp campaign, which aims to reform the Computer Misuse Act, declined to comment when The Register asked if they supported or opposed any moves to amend the act and make it easier for the authorities to pull off web-shell-scrubbing moves in future. While easing the path for UK.gov to unilaterally interfere with your web-facing infrastructure would be hugely controversial, coming out for the status quo on that point couldn't do any harm either.

Still, with lots of cyber-earmarked cash set to be thrown at industry, perhaps nobody wants to be seen to be thinking too publicly about government policy. ®

