Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Government Security

German Parliament May Need To Replace All Hardware and Software To Stop Malware 189

jfruh writes: Trojan spyware has been running on computers in the German parliament for over four weeks, sending data to an unknown destination; and despite best efforts, nobody's been able to remove it. The German government is seriously considering replacing all hardware and software to get rid of it. From the ITWorld article: "After the attack, part of the parliament’s traffic was routed over the federal government’s more secure data network by the Federal Office For Information Security, Der Spiegel reported. Some Germans suspect that the Russian foreign intelligence service SVR is behind the attack. On Thursday, the parliament will discuss how to address the situation."
This discussion has been archived. No new comments can be posted.

German Parliament May Need To Replace All Hardware and Software To Stop Malware

Comments Filter:
  • Sure (Score:5, Insightful)

    by Travis Mansbridge ( 830557 ) on Wednesday June 10, 2015 @04:07PM (#49886401)
    They'll replace everything, then one person will plug in their phone over USB to put some emails on their new workstation and it'll begin all over again.
    • Re:Sure (Score:5, Insightful)

      by monkeyzoo ( 3985097 ) on Wednesday June 10, 2015 @04:19PM (#49886501)

      Seems they should track down the source of any possible hardware infections before replacing all hardware. A) So they can better understand the threat and how it was perpetrated. And B) So they can, as you say, make sure they don't reinfect themselves.

      It is hard enough to purge a single computer of tenacious malware, let alone an entire network!!

      • Re: (Score:3, Interesting)

        by mikael ( 484 )

        Given that it is possible implant spyware into the BIOS, the firmware of graphics boards and micro-controllers of hard disk drives, replacing hardware is the only solution.

        • or, you virtualize it??

          not sure if that's better or worse. maybe its just sideways. sometimes, that can be good enough, though!

        • by gweihir ( 88907 )

          Just replacing hardware is useless. It will just get re-infected (if it was infected in the first place...). You need to isolate and understand the malware first.

          • by rtb61 ( 674572 )

            Likely they do and they a pretty furious about it but for reasons of diplomacy they are saying nothing. They are making the issue quite public in a passive aggressive way to inform those responsible how much it will all cost and letting them know there will be repercussions. Problem with NSA back doors, once the show up in traffic other players can trace them back in, find and exploit the hole in security. Especially once the discover it in their own equipment and say nothing but seek to make use of it whe

            • by gweihir ( 88907 )

              While I actually doubt they understand it (the German BSI doing the analysis is not that competent with regards to technology and they are certainly not fast), I think you may be on to something with regards to what they are making public. Obviously, they are pissed, and they may be trying to tell everybody something along the lines "do this again, and forget any treaties or cooperation from us".

              Currently, they are saying it was eastern European, but they may be making that up. After all, the NSA will have

              • by rtb61 ( 674572 )

                Likely they have caught Russia and China listening in but they know they did not create the holes in the first place (so unauthorised traffic going all over the place). So you can imagine how frustrated they are right now, made to look stupid and incompetent by a so called ally. So the whole passive aggressive reaction of claiming they have to scrap the entire system and start again because that ally refuses to come clean and tell them about all the holes they created and how they were created and how to r

                • by ruir ( 2709173 )
                  At this time of the game, it does not matter anymore who planted the holes, and they coming forward to close them. I am quite sure once other players went in down that holes, they created another set of their own.
        • Yes, but which hardware/software!?!
          You need to figure that out first. Not only so you don't needlessly replace certain hardware, but also so you understand the source of the infection.
          You could replace every piece of hardware and get reinfected from a restored data file!!!!

        • Comment removed based on user account deletion
      • Re:Sure (Score:5, Insightful)

        by mlts ( 1038732 ) on Wednesday June 10, 2015 @06:12PM (#49887387)

        They need to look at their network's topology as well. One compromised network segment shouldn't allow an attacker complete and unfettered access to everything else.

        WAN-wise, they should look at building something like SIPRNet or NIPRNet so as little traffic as possible is on the Internet, even flying over a VPN. The ideal is physically separate cables and leased lines, coupled with some form of IPSec so that it would be very difficult for someone to set up a rogue machine and attack that network. Long term, it might be wise to even consider a different protocol than IP just because it would make hidden routers or bridges a lot more difficult.

        There are other tools that come to mind. App-V and Citrix for example, which would allow people to access and use an application, but not physically copy the data or access the OS directly on the application servers. Not a 100% solution, but it is a way to keep things separated.

        Reversing this concept, there might be offices that need to have no machines on the Internet, but workers can use App-V, RDP, or Citrix to access a terminal server so they can browse the web on a virtual desktop that cannot access the physical internal machines.

        There are a lot of security tools that are usable. VDI comes to mind as an extension to virtualization. Virtualization goes without saying because it separates what programs run on from the hardware, so if a VM is compromised, there is still a hypervisor to punch through before hardware can be re-flashed and attacked.

        The trick is defense in depth, be it at the desktop level (for machines that are terminals used by numerous people, a utility like DeepFreeze is useful), at the network topo level (so a compromise in Receiving doesn't trash Finance), at the network appliance level, the server level, and of course, the HUMINT factor with policies, and physical security.

        • by AK Marc ( 707885 )

          Reversing this concept, there might be offices that need to have no machines on the Internet, but workers can use App-V, RDP, or Citrix to access a terminal server so they can browse the web on a virtual desktop that cannot access the physical internal machines.

          Why not just run "Internet" on a program on the local machine that can't access anything on the local machine? Sure, in your way, they'd be more secure because nobody would write a generic virus for a customer Citrix over Appletalk application that connects to a terminal server that gets the Internet.

          • Why not just run "Internet" on a program on the local machine that can't access anything on the local machine?

            Isn't that how a browser is supposed to work?

            • by Mashiki ( 184564 )

              Sandboxes are so 1998. Just ask Adobe and Java.

            • by AK Marc ( 707885 )
              That's why a dedicated computer for a Citrix proxy of an internet browser is silly. If the browser is broken, fix it, don't put a know bad program on a computer, then lock down that computer, and have people remotely access the presumed compromised computer.
        • by thogard ( 43403 )

          If you need security and your local LAN network topology doesn't make one of your firewalls look like a ethernet switch, you are not doing it right. The days of a 3 zone Trust, DMZ, Untrust firewall model are long gone.

          For $5k I can buy a 34 port firewall. I've been using netscreen ^w Juniper SSG-140 with a bunch of 8 port ethernet cards with most things on their own zone. Too bad it looks like that line will soon be EOL and I haven't found anything to replace it at the right price point.

      • Re: (Score:2, Insightful)

        by guruevi ( 827432 )

        I think you misunderstood. There is no hardware infection, they're just having problems getting their machines (a certain software, created by Microsoft) under control so they're just throwing everything out and starting from scratch. They could also go along each machine with a Linux disk and wipe the thing.

        • Not so sure. Sounds like advanced malware is used that could hide in hard disk firmware or the BIOS. And reflashing is not an option as this requires co-operation from the firmware that is already on the disk, which could simply pretend that it has been overwritten.
        • I think you misunderstood. There is no hardware infection, they're just having problems getting their machines (a certain software, created by Microsoft) under control so they're just throwing everything out and starting from scratch. They could also go along each machine with a Linux disk and wipe the thing.

          Somebody probably figured out the cost of sending people around to each machine with a Linux disk versus an updated hardware refresh that is probably already on the budget anyway, and decided it will be cheaper to do the hardware refresh early rather than clean the computers, and then do the hardware refresh a few months later.

      • Seems they should track down the source of any possible hardware infections before replacing all hardware.

        "No! Shut them *all* down, hurry! Listen to them, they're dying R2! Curse my metal body, I wasn't fast enough, it's all my fault!"

    • They'll replace everything, then one person will plug in their phone over USB to put some emails on their new workstation and it'll begin all over again.

      Or a USB key!

    • by gweihir ( 88907 )

      Indeed. It also seems that some people are unwilling to let experts look at their computers. No surprise this is not stopping.

      It should also be noted that Germany is one of the countries where arrogance has long since replaced actual skill on government level.

      • I think that's from the Dictionary definition.
        Government: "where arrogance replaces actual skill"
  • by CrimsonAvenger ( 580665 ) on Wednesday June 10, 2015 @04:07PM (#49886405)
    Hmm, might make a bit more sense to have their IT guys discuss this. It's not like your average MP (or whatever they call them in Germany) knows squat about computer problems....
    • by Opportunist ( 166417 ) on Wednesday June 10, 2015 @04:34PM (#49886657)

      They'll probably outlaw trojans infecting government PCs and that solves the issue.

      • They'll probably outlaw trojans infecting government PCs, solving the issue once and for all.

        Yeah, but...

        ONCE AND FOR ALL!

      • There should be a law.....

        Isn't it funny that politicians actually do think like this, or at least act like they do? "Hey I helped pass a law that made it illegal for children to starve! I CARE about children!" No one seems to mind that all the law does is issue tickets and assess fines for children who choose to starve....

        • What they forget is that there is one important difference between politicians and engineers: Laws engineers come up with CANNOT be broken.

          • If you're an engineer and you can't break something, obviously you aren't trying.
    • by Sique ( 173459 )
      The Germans call them MdB (Mitglied des Bundestages).
    • by gweihir ( 88907 )

      The average MP in Germany is a lawyer or maybe a teacher. They do not know squat about anything concerning the real world. They also suck at being lawyers or teachers, otherwise they would not have switched careers.

  • Russia (Score:2, Funny)

    by Anonymous Coward
    Phew...I was worried for a moment it might have been the USA. Good to know they are limiting themselves to only tapping Merkels phone.
  • I can see why they'd be considering wholesale replacement, but I'm not sure it's going to be good enough for a long-term fix because of A) the scope of the problem and B) replacements that still have vulnerabilities. If the intruders have the level of access, time and resources that it sounds like and it's a "state sponsor" with substantial resources to dedicate, then they may have infected some systems at a hardware level that would be almost impossible to root out or detect.

    Some of the things that might b
    • Well darn.. I guess they will just have to replace the whole country then...

      Seriously, it may be hard to find, but SURELY there is somebody who has enough knowledge and skill to do it, no matter who is responsible or what's involved...

      • by Fencepost ( 107992 ) on Wednesday June 10, 2015 @08:04PM (#49888013) Journal

        SURELY there is somebody who has enough knowledge and skill to do it

        Absolutely there are people who could find all of it, and it may be possible to build or find a combination of tools to address all of the possible hiding spots they're able to think of. The problem is that those skilled people don't scale. As for the tool suite, while someone's attempting to assemble it, someone else is working hard at evading what's going into the suite - and even if they do put something effective together fast, how much confidence will there be that it actually got everything? It's like running a hastily cobbled together antivirus package on an already-infected system.

        XKCD 1425 [xkcd.com] is actually somewhat relevant here in that a cleaning solution is that research team project, but Germany doesn't have the time to wait for it - better to EOL some equipment 2-5 years early and replace it than to wait for a solution that won't be available until have of that equipment would be EOL anyway.

        And frankly, it's like something I tell my customers probably too often for my wallet's good: "I can fix it and I'd love to have you pay me to do so, but it's not worth you paying for my time to do so when we can replace it for around the same cost."

        • by bobbied ( 2522392 ) on Wednesday June 10, 2015 @08:19PM (#49888103)

          Maybe this is the best approach, but I'd be wary about just launching a wholesale "replace it all" approach unless I knew a couple of things first.

          1. What the problem was, exactly, and where did it come from in general...

          2. How it spreads around...

          3. That the thing is contained...

          Further, before I go and start ripping out stuff to replace it, I'd want to be 100% sure that the problem will NOT infect the new hardware and systems. So when someone starts saying we have to replace stuff to get rid of this problem that's infected it, I start to get dubious.. But if like you, they say something along the lines of "Well, we could remove it from your current equipment for X and it would take us y time, or we could just replace the old infected equipment with new for less. We suggest you just replace the old stuff, it's cheaper/faster/better."

          • I strongly suspect that if they're doing this kind of wholesale replacement they're going to be doing a lot more hardening of it, particularly in terms of communications between sites, etc.

            They know the current system is infected, that they can't clean it (because they can still see signs of the active infection), and that effectively they're reduced to paper or ad hoc replacements to avoid using the infected system.

            Given a choice between A) work with it as-is B) Let separate groups that can't do "A" come u
  • by WSOGMM ( 1460481 ) on Wednesday June 10, 2015 @04:25PM (#49886557)

    The reality of today is that, if you communicate any secrets, you must consider the possibility of your communications being tapped/intercepted. It is even possible that hardware is compromised before you even buy it [scientificamerican.com].

    With backdoors, BIOS hacking and packet sniffing being part of the daily talk on slashdot, you have to be prepared to communicate end-to-end with multiple levels of pre-planned encryption. That said, I don't think I've ever said anything that needs that much security, but a nation-state might have.

    • by Torodung ( 31985 )

      Yup. "State of the art" keeps moving forward in malware. It may well outpace security research. That's the reality. Who's next? Who can best address this issue? Do we need to fundamentally redesign computer systems with a security first mindset, and how long will that last against tomorrow's threats?

      I don't know who started the cyberwar, but I do know that the West is fully committed to perpetrating it, especially the US. Even against our own people. This was bound to come round and bite us in the ass. You

      • by TheGratefulNet ( 143330 ) on Wednesday June 10, 2015 @05:01PM (#49886903)

        you buy a cpu chip and you get the instruction set manual. you write code to that and your code runs.

        are you sure that you are talking to hardware, or is there a virtual jail you are in and can't even know it?

        some think that intel chips are like that and what 99.999% of us see is the virtual layer that we're 'allowed' to see.

        can you prove it one way or the other? can you be sure? intel (etc) pumps out so many variations of cpu and so often, who could know?

        more tinfoil: you might submit a chip design, but is that absolutely what you are getting back? for those that could tell the diff, is their allegiance bought off?

        things are too complex. we can't know many of these things. sad but true.

        you can't do anything about hidden layers but you can design apps, networks and storage so that you assume bad behavior and make sure that it does not ruin your day. currently, WE DON'T DO THIS, and I'm of the mind that we should. assume all hardware is booby trapped and go from there. there is no other way to be secure in your systems and data. and it will costs lots of redundancy and intentional variety (if you even can do that, I'm not entirely sure it can be done) but if we don't, we really can't say we have 'trusted' computing. not in the personal sense of trust.

  • by penguinoid ( 724646 ) on Wednesday June 10, 2015 @04:25PM (#49886563) Homepage Journal

    If you explain the situation, the NSA would be glad to give you some free computers for your parliament.

    • If you explain the situation, the NSA would be glad to give you some free computers for your parliament.

      Don't they have some now that their program has been scaled back?

    • If you explain the situation, the NSA would be glad to give you some free computers for your parliament.

      The computers were shipped a week ago - they overheard Ms. Merkel talking about the issue on her cell phone.

    • also, if you want some backups, they have them going back years. of course, the german intel service is the one who supplied them to the nsa...
  • TLA spyware is probably baked right into the hardware these days. Their hardware will probably run better and they won't generally detect it. Out of sight, out of mind, right?
  • Germans suspect that the Russian foreign intelligence service SVR is behind the attack. On Thursday, the parliament will discuss how to address the situation.

    So if this isn't enough, what constitutes an act of war these days?

    • Germans suspect that the Russian foreign intelligence service SVR is behind the attack. On Thursday, the parliament will discuss how to address the situation.

      So if this isn't enough, what constitutes an act of war these days?

      You got to say "I break with thee.. I break with thee!" and then throw doggy dodo on their shoes to make it official...

      (Anybody know where that quote comes from?)

  • by netsavior ( 627338 ) on Wednesday June 10, 2015 @04:35PM (#49886661)
    Getting a new computer to stop malware is like getting a new car because you refuse to buckle your seatbelt.
  • by godel_56 ( 1287256 ) on Wednesday June 10, 2015 @04:43PM (#49886747)
    From TFA:

    Parliamentarians will have to decide if they want to call in the help of counterintelligence experts from the Bundesamt für Verfassungsschutz (BfV), the domestic intelligence service of Germany.
    Some members of parliament have expressed concerns about the involvement of the BfV, Der Spiegel reported. Some are also refusing help from the foreign intelligence service, the Bundesnachrichtendienst, because the agency would gain access to the legislative process. Armin Schuster, a member of parliament for the CDU, criticized those concerns.

    Schuster told Der Spiegel that he thinks it is “crazy” that some would rather be spied upon by a foreign intelligence agency then letting their own agencies help.

    Heh, they're afraid that one set of taps would probably be replaced with another, which would probably be cc'ed to the CIA.

    • by Luckyo ( 1726890 )

      The problem is that BfV is hopelessly penetrated by US intelligence, as news in Germany has been in last few months. It's a huge scandal, where reporters blew in the open the fact that BfV was basically helping US intelligence spy on everything and everyone in Germany, ranging from Chancellor herself to straight up industrial espionage of German companies.

      There has been a massive government effort to sweep these news under the rug, which suggests that BfV managed to get some very heavy dirt on almost everyo

  • WTF? (Score:5, Insightful)

    by kosmosik ( 654958 ) <`kos' `at' `kosmosik.net'> on Wednesday June 10, 2015 @04:56PM (#49886867) Homepage

    This article is so full of WTF I just can't belive it. I guess it is some form of poor translation of german source.

    1) All software and hardware in the German parliamentary network might need to be replaced.

    So they will replace all servers, routers, switches etc.? Or just client machines?

    2) Trojans introduced to the Bundestag network are still working and are still sending data from the internal network to an unknown destination

    So maybe just fucking block all outbound traffic from the Bundestag network and enable it back on a white list basis like it should be anyway?

    3) In May, parliament IT specialists discovered hackers were trying to infiltrate the network.

    Just fucking WOW! Shouldn't it be an assumption (that hacker are trying to inflitrate government network) not a discover?

    4) Some are also refusing help from the foreign intelligence service, the Bundesnachrichtendienst, because the agency would gain access to the legislative process.

    I guess the legislative *process* should not be a secret to anyone?

    IMO this is just some bullshit article citing politicians not technical piece. I guess it is really hard to work for any central government bureau since *any* of your action no matter sane or stupid will be judged not by technical merits but by political fucking around. I really do pity the actual IT staff behind this mess.

  • by Virtucon ( 127420 ) on Wednesday June 10, 2015 @05:00PM (#49886891)

    I call BS. Their parliament is not partitioned and isolated behind firewalls so they can at least drop the malicious outgoing / incoming traffic at the perimeter?
    They don't have a spy agency capable of tracking this down and at least isolating it?
    There's no competent network/system admins?

    It's one thing to acknowledge you've been exposed, it's another to let it continue. Maybe they do deserve to be hacked.

    • > I call BS.

      I call it too.

      > There's no competent network/system admins?

      I was once working under a guy trained in CS at Bundeswehr (German Federal Defence) and I recall this guy as the most sane CIO I happen to work with. It may be just the one guy was sane or more likely that his training was OK. Nevertheless in such scenario you do not relay on belief that your staff is competent - you just hire external auditing/security company to assure you (or not) about that. And that is what that guy would to.

  • Should have used Kapersky..

    Oh, wait...nevermind [slashdot.org]

  • Sourceforge (Score:4, Funny)

    by sls1j ( 580823 ) on Wednesday June 10, 2015 @06:50PM (#49887595) Homepage
    So they downloaded the GIMP from Sourceforge I see.
  • by ChrisMaple ( 607946 ) on Wednesday June 10, 2015 @06:55PM (#49887631)

    Don't connect the computers to the internet. Eliminate all inputs to computers (except for desktop systems, where they hardwire the keyboard and mouse.) Requests for information outside the network are sent to IT, and IT sanitizes all data that goes into or out of the system.

    Government security means lives, this is no place for half measures.Legislators need to learn that they have to put up with the nuisances of a truly secure system.

  • by thogard ( 43403 ) on Wednesday June 10, 2015 @07:22PM (#49887787) Homepage

    If they can't remove it, it is because they can't find it. They can't find it because it is living in the boot processor code or the firmware of io devices or both.

    The best place to hide unremovable firmware is in the protected boot code of the boot processor that is only there to provide for security control for the DRM subsystem.

    There have been talks each of the last few years at Breakpoint about how broken the boot firmware is. Maybe now people will start to take notice.

    • by guruevi ( 827432 ) on Wednesday June 10, 2015 @11:29PM (#49888695)

      Or they're just incompetent. There is to date not a single virus in the wild that uses boot processor code or device firmware (plenty of proof of concepts). The problem being is that if you target a firmware, you a) have to know very well what you're doing and b) any platform differences across devices render your exploit unusable and c) it generally doesn't have a method of spreading itself. Works well if you're targeting an embedded platform and you know they're all the same (eg. PLC's for uranium centrifuges) but doesn't work very well for 10-years worth of every model Dell, HP, Acer and Gateway computer out there.

      It's simple incompetence solved by a boot disk that wipes the hard drive without interacting with it. But 'oh noes, save my documents because we haven't made backups for the last 2 decades' and the virus is right back the minute the user logs in.

  • by nickweller ( 4108905 ) on Wednesday June 10, 2015 @08:20PM (#49888105)
    'The Greens in the German parliament want the Foreign Ministry to revert back to open source software [europa.eu] solutions on its workstations. The ministry in 2010 abandoned its open source desktop strategy, pressured by staffers struggling with interoperability problems. The Greens are now asking the ministry to justify the proprietary licence costs it has made since then.'
  • If a component ever needs new firmware it should be provided by the operating system when subsystem is initialized never to be stored anywhere except the systems main persistent store.

    This is a no-brainer win-win for everyone. Manufacturers reduce risk associated with firmware updates and reduce costs from smaller bill of materials.

    Users win by retaining the ability to recover from ownage by wiping persistent storage.

    Also please enough of the computers within computers crap. I'm looking at you Intel. Ven

    • by guruevi ( 827432 )

      You really have no idea how complex the software is that runs on some embedded devices? A simple hard drive has an OS in and of itself just to maintain your high speed caches. Firmware is generally not the problem though, and it isn't here either. Reprogramming the firmware to do anything useful (streaming data out of a network port it doesn't have) is nigh impossible.

  • Hidden Malware (Score:5, Interesting)

    by Whiteox ( 919863 ) on Thursday June 11, 2015 @12:54AM (#49888907) Journal

    Ok so a machine came into the shop with a pile of BHOs and other malware. I did the normal scans, found 96 of them, cleaned them up and everything ok. A specific malware site came back. Now I did rootkit scans, in depth scans. Nothing found but Chrome and Firefox was clean, only IE 10 suffered.
    Busting my brains on this, I set home page to be null. Worked ok except when IE was restarted. Nothing in the registry, services, hidden files/folders that could account for this. Everytime I started IE, back it came.
    So thinking logically I realised that there was no malware on the system and that IE was calling it somehow when it loaded. A few minutes later I discovered that the shortcut link was appended with a http address to the malware site! A very simple infection that no amount of scanning could fix.

    • Holy shit!
      Thanks a lot for the explanation. This happened to my parents a month ago, and I couldn't understand why everything looked clean, but IE was somehow infected.
      I removed every link to IE I found, and put a big Firefox icons everywhere they could be looking for Internet.

  • Replacing all windows7 installs by new windows7 installs will for sure remove the possibility of the same malware hitting again. DOH!
    Maybe change platform.
    There are 2 other OS to consider, MacOS and Linux.

    An important organization should always have 2 completely different platforms.
    Not only 2 different browsers on the same OS, but different OS. And by different I don't mean a Microsoft-different who state the XP is not NT and is not Win7. It's all windows!
    Same goes for Linux, where redhat or debian is not different, it stays Linux. Sunos may be different.

  • Have they ever heard of Netstat, TCPDump, Wireshark, etc? Jesus Christ on a stick.
  • We all know this: IT setups vital to work but so unprofessional words fail to describe it.

    I would smack around the people responsible so hard, they would have their head still spinning when the IT setup has been completely redone.
    I consider it bizar that taxpayers money and national security is put to risk by idiots running the parliaments IT.
    This is material for some legal repercussions by the President of the Bundestag IMHO.
    He should shaft the MPs so hard they never dare to do something like this again.

    My

  • Seriously, they would be smart to have equipment from the west, and move to Linux. They already have done that elsewhere and know what it takes.
  • Stop using Windows. Problem 85% solved. Then work on the other 15%.

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...