Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • An account credentials harvester was deployed as part of a targeted attack against the group who cracked certain editions of the FSLabs software.
  • A bill was introduced last October granting companies the ability to “hack back,” though this has not proceeded to a vote.

FSLabs, a company which makes add-ons for Microsoft Flight Simulator and Lockheed Martin’s Prepar3D simulation software, has received harsh criticism for including a utility in an installer that harvests passwords stored in Google Chrome.

The FSLabs product affected is the A320-X add-on for Prepar3D 4, which has a file named “test.exe” that appears to be the Chrome Password Dump tool from SecurityXploded. According to the technical analysis by Fidus Information Security, when the password retrieval tool is invoked, the output is encoded in base64 and transmitted to an FSLabs-controlled server over (an ostensibly unencrypted) HTTP connection. This routine is only run when a serial is detected as being counterfeit, though for genuine installs, the software username and information about installed graphics cards, CPU, total RAM, and operating system are sent through the same HTTP connection.

Fidus also found a forum post from October 2017 in which a user noted that anti-virus software is flagging the installer for including “HEUR:PSWTool.Win32.Security.Xploded.gen,” to which another user replied: “Many AV engines see our installers as a virus, which they are not (also known as a false positive).”

SEE: Auditing and logging policy (Tech Pro Research)

The initial explanation provided by FSLabs’ Lefteris Kalamaras indicated the measures were part of a DRM scheme intended to fight software piracy. The statement indicated that “there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products,” but that “there is a specific method used against specific serial numbers that have been identified as pirate copies.”

Following further criticism, FSLabs removed the password-harvesting app from the installer. A further explanation indicated that these measures were taken following an examination of the A320-X add-on for Microsoft Flight Simulator X and Prepar3D 3.0. The group responsible for cracking that software was tracked by IP address, and they “had used Chrome to contact our servers so we decided to capture his information directly” in a targeted attack, which was described as being successful. Kalamaras apologized, calling the strategy an “overly heavy-handed approach,” noting that “we realize that it doesn’t justify even temporarily extracting [the tool] via the installer on people uninvolved with this situation.”

Can you hack back?

Presently, it is illegal for companies to “hack back” against parties they believe may be attacking them, as these actions would run afoul of the Computer Fraud and Abuse Act (CFAA). Recent proposals have been made to amend the CFAA to grant this power to private organizations. In 2015, former deputy national security advisor for counterterrorism Juan Zarate called for giving companies the ability to pursue hackers. According to Zarate–who worked in the George W. Bush administration–companies should be given license to “protect its system, to go and destroy data that’s been stolen or maybe even something more aggressive.”

Last October, a bipartisan bill was introduced in the House of Representatives which would permit hacking back. Former NSA director and commander of the US Cyber Command Keith Alexander, who served under both George W. Bush and Barack Obama, voiced his opposition to the proposal, telling Motherboard: “If it starts a war, you can’t have companies starting a war. That’s an inherently governmental responsibility, and plus the chances of a company getting it wrong are fairly high.”