All aboard the patch wagon! Next stop: Microsoft, Adobe, Mozilla

Today, right on schedule, Microsoft’s monthly security patch bandwagon rolled into town with updates for Internet Explorer, Office and Windows – with Adobe bringing up the rear.

This latest instalment of Patch Tuesday addresses 33 bugs in a range of Redmond software, as revealed late last week. The flaws have been grouped into 10 updates: two marked critical and eight important.


One of the critical patches (MS13-037) fixes use-after-free vulnerabilities and information leaks in every version of Internet Explorer, from version 6 through 10. The other critical update (MS13-038) tackles a remote-code-execution hole in IE 8, which was first exploited by malicious code injected by hackers into a US Department of Labor website. The bug is also present in IE 9, but there have been no reported attempts to capitalise on the flaw.

“While no known attack vectors exist for Internet Explorer 9 in the default configuration, the vulnerable component still exists and is therefore receiving an update,” explained Marc Maiffret, chief technology officer at IT security outfit BeyondTrust.

Microsoft’s May patch batch contains eight lesser “important” updates; the most pressing is a denial-of-service vulnerability (MS13-039) in Windows 8, Server 2012, and RT. The other updates close holes in the instant-messaging app Lync, Visio, Publisher and Word. There’s also a fix for an authentication bypass in .NET and a security update for Windows Essentials – a bundled package of utilities. Lastly, there’s a patch to resolve an important privilege elevation flaw in Windows kernel-mode drivers.

Microsoft’s roundup of the security fixes is here, and there’s a graphical overview from the Internet Storm Centre here.

And it wouldn’t be a security update story without…

Not to be left out, Adobe published updates for three of its products: website development system ColdFusion, Flash, and PDF software Reader and Acrobat. The ColdFusion patch addresses a vulnerability already being exploited in the wild: the security hole was used to swipe sensitive data from the US’s Washington State Court System, which led to the exposure of 160,000 social security numbers and one million driver licence numbers.

The Acrobat/Reader update (APSB13-15) contains fixes for 27 security blunders, and targets all versions of Reader on Windows, Mac OS X and Linux. The update is critical for Reader/Acrobat 9 on Windows and “important” for other builds. All need patching sooner rather than later because Reader PDF vulnerabilities are such a hacker’s favourite.

The Flash update (APSB13-14) addresses seven vulnerabilities, all unearthed by Google’s security team. Commentary on Adobe’s patches, as well as the security updates from Microsoft, can be found in a blog post by Wolfgang Kandek, CTO at cloud security firm Qualys, here.

And in yet more patching news, Mozilla pushed out the latest version of its browser and a maintenance release for its Thunderbird email client. Firefox 21.0 fixes eight security issues, including three critical bugs all involving memory-related programming errors. For the completists out there, security commentary specifically focused on the Mozilla updates can be found in a blog post by Paul Ducklin on Sophos’s Naked Security blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/15/may_patch_roundup/

McAfee all-in-one security suite covers PCs, tablets, and smartphones

McAfee has launched an all-in-one cross-platform security suite for consumers that incorporates online storage through biometric authentication as well as a host of other security technologies. Equally importantly, the Intel security division is trying to shake up the way security software is sold to consumers.

The McAfee LiveSafe service features a cloud-based “safety deposit box” – Personal Locker – that allows online users to store their most sensitive documents, including financial records and copies of IDs and passports, providing they fit into the 1GB allocated storage space. Users would access their documents through biometric authentication – using voice, face, and device recognition technologies.


This is delivered through Intel Identity Protection Technology, a tamper-resistant hardware authentication mechanism, built into the latest Intel processors.

The cross-device service offers protection for a user’s PCs, Macs, smartphones, and tablets against the latest malware and spam, along with a host of other security technologies, including McAfee Anti-Theft. This aspect of the technology gives consumers the means to remotely lock, disable or wipe a device, as well as an ability to recover some data if a device gets either lost or stolen.

The software also offers simplified password management through a facility to securely store usernames and passwords, offering users a means to log into websites with one click.

Intel is trying to make the inclusion of security technologies part of laptop and PC purchasing decisions rather than an afterthought, with big discounts for bundled versions of the technology.

The LiveSafe service will be offered from July 2013 at a special introductory price of £19.99 with the purchase of selected new PCs or tablets. LiveSafe will come preinstalled on Ultrabook devices and PCs from Dell starting on June 9. By contrast, a 12-month subscription for consumers’ existing PCs and tablets will cost £79.99.

All this is a big change from offering security software to consumers as part of a 30- or 90-day trial package, offering free-of-charge basic security software packages before trying to get consumers to upgrade to paid-for products, or the frequently criticised practice of bundling trial versions of anti-virus software with third-party security patches.

Despite the new offer, McAfee has no plans to discontinue its traditional consumer and home-office security-suite and anti-virus product lines. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/15/mcafee_livesafe/

German publisher accuses Microsoft of URL sniffing

Is Microsoft “snooping” on Skype text conversations, or merely protecting users from malware URLs?

German publisher Heise Online has given that question prominence with the accusation that Redmond is snooping, as the result of receiving return visits from Microsoft IP addresses if they send URLs through Skype text chats.


In essence, untangling the syntax that Google Translate applies to German – I think it passes through a couple of other languages on the way to English – Heise reports that if two Skype users send a URL through text chat, they get an “unannounced visit from Redmond”.

The issue was raised by a reader, the report says, whose network protection took the tap from a Microsoft IP address as a replay attack.

To test the report, the researchers sent URLs – one of them including HTTPS credentials – via Skype, and then watched the logs of the servers identified in the chat messages. The servers then received visits from the Redmond machine (IP address 65.52.100.214) using the same URLs (including the credentials, Heise claims).

Redmond’s response to Heise’s inquiry was that it is scanning URLs to make sure that users aren’t (accidentally or stupidly) passing around malware or phishing links. The publisher retorts that instead of using an HTTP GET, Microsoft is calling the URLs with HTTP HEAD requests, which fetch only the response headers and not the page body. As a result, it says, Microsoft isn’t actually reviewing the pages it’s requesting.

The Register isn’t so sure that the HEAD request is useless: it could offer a quick and automated way to see if a page’s header matched a signature for known malicious pages. However, repeating requests that include sign-on credentials would appear, at first blush, to be a risky behaviour. ®
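The risk the article singles out is not the HEAD probe itself but replaying a chat URL verbatim, credentials and all, against the linked server. The following is an added example written for this page (it is not Skype’s, Microsoft’s or Heise’s code) of the hygiene a link-safety scanner should apply: drop the userinfo part of the URL before building the probe, keep only a redacted form for logs, and apply a small header heuristic to the HEAD response. The heuristic, the sample URL and the sample response are all constructed for the example, and nothing here touches the network.

```python
# Added example, not code from the original article or from any of the
# companies it names. Demonstrates credential-stripping for a HEAD-based
# link scanner; the header heuristic and sample data are constructed.
from urllib.parse import urlsplit, urlunsplit


def strip_credentials(url):
    """Return (probe_url, had_credentials).

    The userinfo component (user:pass@) is dropped; scheme, host, port, path,
    query and fragment are preserved. urlsplit lower-cases the hostname,
    which is harmless for a probe.
    """
    p = urlsplit(url)
    if p.username is None and p.password is None:
        return url, False
    host = p.hostname or ""
    if ":" in host:                      # IPv6 literal: put its brackets back
        host = f"[{host}]"
    if p.port is not None:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment)), True


def redact_for_log(url):
    """Mask the userinfo so scanner logs never store the secret either."""
    clean, had_creds = strip_credentials(url)
    if not had_creds:
        return url
    return clean.replace("://", "://<redacted>@", 1)


def build_head_request(url):
    """Render the HEAD probe as HTTP/1.1 request text (what the origin logs)."""
    clean, _ = strip_credentials(url)
    p = urlsplit(clean)
    target = p.path or "/"
    if p.query:
        target += "?" + p.query
    return (f"HEAD {target} HTTP/1.1\r\n"
            f"Host: {p.netloc}\r\n"
            f"User-Agent: link-scanner-example\r\n\r\n")


# Constructed, deliberately coarse heuristic: a HEAD response is enough to
# notice a chat link that serves a binary download instead of a page.
SUSPICIOUS_TYPES = {"application/x-msdownload",
                    "application/x-dosexec",
                    "application/octet-stream"}


def classify_head_response(headers):
    """Return 'review' for a download-style response, else 'ok'."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    ct = h.get("content-type", "").split(";")[0].strip().lower()
    cd = h.get("content-disposition", "").strip().lower()
    if ct in SUSPICIOUS_TYPES or cd.startswith("attachment"):
        return "review"
    return "ok"


def scan_chat_url(url, head_response):
    """Per-URL pipeline a scanner would run; returns a report dict."""
    clean, had_creds = strip_credentials(url)
    return {
        "logged_as": redact_for_log(url),
        "request": build_head_request(clean),
        "credentials_stripped": had_creds,
        "verdict": classify_head_response(head_response),
    }


if __name__ == "__main__":
    # Constructed sample: a chat URL carrying HTTP Basic credentials and a
    # constructed HEAD response from the linked server.
    sample = "https://alice:s3cret@intranet.example.net:8443/reports/q1.pdf?id=7"
    response = {"Content-Type": "application/pdf", "Content-Length": "4096"}
    for key, value in scan_chat_url(sample, response).items():
        print(f"{key}: {value!r}")
```

The request text is rendered rather than sent so that the difference is visible: the origin server in the article saw the credentials in its logs, whereas the probe built here carries only host, path and query.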

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/14/skype_snoop_or_phishing_defence/

‘LulzSec leader’s’ victim named: tiny Oz council

Map showing Narrabri in NSW

So: the person alleged to have described himself as the “leader” of LulzSec was arrested for what, exactly?

There’s been a lot of noise flowing around, and the odd tip-off (including some to The Register in an extensive phone call on April 29). Since we try to avoid jumping ahead of the court process, we have kept our traps shut.

However, with one Matthew Flannery having appeared in the Central Local Court in Sydney today, it is now on the public record that the charges he’s facing are for defacing the Website of the Narrabri Shire Council.

Without wanting to downplay the seriousness of the trouble “Aush0k”, as Flannery is alleged to have called himself online, is in – if convicted of the attack he could spend 12 years in the slammer – news of the target means there’s plenty that doesn’t ring true about this case.

Here is your elite hacker, world: someone of whom the Australian Federal Police originally said:

“Police will allege the man was in a position of trust within the company, with access to sensitive information from clients including government agencies.

“The AFP believes the man’s knowledge and skills presented a significant risk to the clients of the company for which he was employed had he continued his illegal online activities.”

It’s very difficult to reconcile “leader of LulzSec”, “significant risk”, “knowledge and skill” with “defacer of Narrabri Shire Council”.

I would be the last to make fun of Narrabri – it is, after all, home to the Australia Telescope Compact Array. However, with a total population of 14,000 and low Internet penetration (by national standards), it’s quite possible that narrabri.nsw.gov.au would have days on which most of its traffic comes from search engines’ crawlers.

Narrabri, target of the l33t

Defacing Narrabri Shire Council is hardly a bragging-rights attack. Australia’s democracy failed to teeter on the edge of collapse when it happened; in fact, Australia failed to notice it happening. Whatever the attack entailed, it had even less impact than when Anonymous dumped the Mosman Shire Council site to Pastebin in 2011.

So the Australian Federal Police’s huge bragging-rights coup, the arrest of the “alleged leader of LulzSec”, was to catch someone defacing a ColdFusion/Dreamweaver site on a Windows server at GoDaddy in Singapore.

It’s almost enough to make me believe in the theory that Flannery was set up: because you’d have to be an American script kid to think that this target was worth your effort.

The case returns to court on August 6. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/15/narrabri_shire_ash0ks_target/

Marlinspike: Saudi mobe network tried to recruit me to sniff citizens’ privates

Claims that a Saudi mobile network is attempting to spy on citizens emerged after the telco apparently tried to recruit top cryptographer Moxie Marlinspike – who promptly went public.

The cryptography expert and former hacker, who left Twitter’s security team in January, said he had been asked to help Mobily in its state-backed project to monitor encrypted chat sent by Twitter, Viber, WhatsApp and other third-party smartphone natter apps.


Just two months ago, the Saudi telecommunications regulator was reported to have warned that encrypted messaging services including Skype, Viber and WhatsApp could be blocked if they did not provide the government the means to monitor the apps. Saudi papers at the time said the affected firms had been given one month to respond.

Marlinspike has published emails exchanged between himself and someone who appears to be a high-ranking executive at the mobile telco, who apparently tried to hire the noted software engineer. The network is investigating the claims, we’re told. A spokesman told the WSJ that Marlinspike’s “account of his contacts with Mobily ‘is not 100% accurate’.”

Mobily, one of two telecom operators in Saudi Arabia, is believed to be under pressure from a regulator within the kingdom to wiretap the aforementioned apps. Its bosses, it is claimed, sought technical knowhow from Marlinspike, who created a tool that intercepted secure web traffic to highlight shortcomings in HTTPS and SSL.

But the expert would have been a rather poor recruitment target: he co-founded Whisper Systems, a company which provided free encrypted cellphone comms technology to dissidents in Egypt during the time of the Arab Spring uprising. And he devised the Convergence SSL system to strengthen the bedrock of cryptography HTTPS web browsing is built on.

Whisper was bought by Twitter in 2011, and Marlinspike worked on the social network’s software security team after the acquisition. All of this makes Marlinspike a highly unlikely recruit for a state-sponsored surveillance project.

Nonetheless, according to the engineer and keen sailor, Mobily sent him an email titled Solution for monitoring encrypted data on telecom that outlined its requirements for the dragnet lawful interception project. Despite the telco’s apparent lack of communications security skills, with the funds available at its disposal, it will eventually come up with a mobile snooping system that works, Marlinspike lamented on his blog. He claimed:

One of the design documents that they volunteered specifically called out compelling a CA [Certificate Authority] in the jurisdiction of the UAE or Saudi Arabia to produce SSL certificates that they could use for interception. A considerable portion of the document was also dedicated to a discussion of purchasing SSL vulnerabilities or other exploits as possibilities.

Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over 5 billion in revenue, so I’m sure that they’ll eventually figure something out.

What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter – I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working, and were surprised by how easy it was. The bar for most of these apps is pretty low.

The discussion between the Mobily employee and Marlinspike progressed until, we’re told, the SSL expert was asked for a price quote – at which point he declined stating he wasn’t interested in the job for privacy reasons.

Undaunted, according to the published emails, the Mobily pitchman responded that the project was needed in order to spy on the local jihadis, going so far as to suggest that Marlinspike was “indirectly helping those who curb the freedom with their brutal activities” by not getting involved with the wiretap project.

Marlinspike has little doubt that other telecom providers in multiple countries are running surveillance projects similar to the one described above, hence his decision to publish the messages.

“I’m being rude by publishing this correspondence with Mobily, not only because it’s substantially more rude of them to be engaged in massive-scale eavesdropping of private communication, but because I think it’s part of a narrative that we need to consider,” he said. “What Mobily is up to is what’s happening everywhere, and we can’t ignore that.”

In his blog post Marlinspike went on to talk about changes in hacking culture, increased commercialism, governments and defence contractors splashing cash all over exploit marketplaces to become the biggest consumers of attack code, and private citizens becoming a principal target. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/14/saudi_arabia_misfiring_surveillance_recruitment_pitch/

Too much infosec regulation undermines security, warns NAB

More prescriptive regulation of the security posture in industry sectors like banking could have the paradoxical impact of reducing security, according to Andrew Dell, head of IT security services at the National Australia Bank.

“We have to become much more agile and proactive – how we look at, how we react to cybercrime. Our posture is changing from ‘observe and analyse’ to ‘detect and respond’,” Dell told the 2013 Trend Micro Evolve Security Conference.


Banks themselves need to be agile enough to respond to new threats. However, worldwide, Dell says governments are taking an increasingly prescriptive attitude to how important infrastructure is secured. This, he suggested, creates the risk that a focus on regulatory compliance reduces a company’s ability to respond to security threats: the more the regulation defines the detail of the security a bank has to implement, the less room the bank has to respond to new threats.

“Regulation is increasing in its complexity each year, and keeps becoming increasingly prescriptive,” he said. “Government and regulators are getting more interested not only in how secure we are, but how we secure”.

As is so often the case, where prescriptions concentrate too much on what is known, they leave insufficient flexibility and encourage a compliance-based mentality. Dell cited a conversation with a colleague in an American utility, in which an Aladdin’s cave of security kit and software, implemented for compliance reasons, was so understaffed that it was ill-maintained and almost completely unmonitored.

At the same time, Dell said, user desires are increasingly at odds with good security practice.

Banks, he reiterated, have created rules such as “no links in e-mails” and “offer call-back” so as to help protect their customers from having their credentials stolen by hijackers sending phishing e-mails. The problem is, this is starting to create friction with customers of the social era who expect to be able to get what they need in a Tweet or from Facebook.

In that context, he emphasised, customer education is a challenge, perhaps even more important than the persistent attention on how nation-state involvement in cybercrime is changing the threats. Dell says NAB is more concerned to know what is going on rather than trying to probe the attacker’s motivations, or work out whether the attack comes from individuals or a state.

“We’re seeing a definite shift in the threat that’s posed to our industry. The DDoS, phishing, malware compromises are still there – but the sophistication, ubiquity and agility are changing.

“Nation-state based activity – there has been a lot of discussion of nation-state attacks. I’m not concerned about whether it’s state-sponsored, I’m concerned about what the attack is.”

The malware itself may be sophisticated, Dell emphasised, but how it’s dropped into corporate networks is still simple: “through an e-mail, or a USB left in the carpark for someone to find”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/14/nab_warning_infosec_regulation/

Frenchie bean-counters sweet-talked into slipping on Trojans

Crooks hoping to empty company bank accounts are calling up the firms’ bean-counters to chase invoices packed with hidden malware.

Finance staff are tricked into opening the booby-trapped messages in phone calls from con men, who claim to have emailed in legit paperwork that needs urgent attention. The documents instead include a Trojan that, when activated on the victim’s PC, hands control of the Windows machine to the swindlers over the internet.


The social-engineering tactic has been used against staff at French organisations by miscreants posing as employees or business associates of the targeted outfits, reports net security firm Symantec. The scam has been used to spread Shadesrat, a remote access Trojan.

According to Symantec, “the attacks are currently localised to French organisations” and their subsidiaries in Luxembourg, Romania and other nations. The thieves have been distributing the Trojan as bogus invoices since February, but only last month started phoning victims ahead of time to lure them into opening the malware-laden accounting paperwork.

By targeting finance staff, the hackers can infiltrate their computers and swipe corporate banking login credentials and other information crucial to carrying out subsequent fraud.

“The attacker is well prepared and has obviously obtained the email address and phone number of the victim prior to the attack,” a blog post by researchers at the security firm explained. “The victims of these attacks generally tend to be accountants or employees working within the financial department of these organisations. Since handling invoices is something they would do on a regular basis, this lure has the potential to be quite convincing.

“It appears that the attacker’s motivation here is purely financial. Targeting employees who work with company finances likely provides access to sensitive company account information. These employees may also have the authority to facilitate transactions on behalf of the organisation; a valuable target if the attacker gains access to secure certificates that are required for online transactions or confidential bank account information.”

The Shadesrat Trojan can be licensed from underground cybercrime forums for as little as $40 to $100 a year. The software nasty is “under active development and clearly shows no indication of going away any time soon”, according to Symantec. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/14/vxers_phone_ahead/

NBN Co hoses down ‘scary Russian crackers’ report

NBN Co, the company building Australia’s National Broadband Network, has found itself having to refute reports in the finance press that its networks had been “penetrated” by “cyber gangs”.

While attacks and scans are the lot of any and every network administrator, the company says the reported Trojan infections never got past a couple of user desktops.


An Australian Financial Review economist has reported that NBN Co’s “networks” were infected by a Citadel-based Trojan (actually two or three individual machines were infected and discovered).

The report breathlessly says “NBN Co’s internal networks were penetrated by ‘trojans’ created by cyber criminals with ‘advanced capabilities’ that avoided detection by its anti-virus software at least twice in 2012.”

(The AFR says the attacks “only hit NBN Co’s internal networks” rather than the “broadband infrastructure itself”. This is hardly surprising to Vulture South, since we are not currently aware of any trojans, even those written by the most terrifying Russian organised criminals, that are capable of infecting things like optical fibre or the specialised hardware that makes them part of the NBN.)

As an NBN Co spokesperson stated to The Register via e-mail – and without selective editing:

“We don’t believe that NBN Co was specifically targeted by the Trojans. By their nature these incidents tend to be random, and these are the types of events that a range of other companies would be detecting on their networks.

“The point is they were detected. NBN Co takes very seriously the security of its networks and information. NBN Co has adopted extremely high levels of network security, and as the response to the FoI indicates, those incidents which have occurred have been of a low-level nature. The Trojans were detected before they were able to do any harm. They did not result in the release of any confidential information”.

NBN Co told Vulture South the incidents never went beyond individual machines – in other words, users’ desktops or laptops infected when they clicked on the e-mail attachment. The malware was spotted by NBN Co’s security systems when it started trying to contact its command and control servers.

The newspaper has complained that NBN Co heavily redacted its FOI releases, stating that publishing its response information “could be used to identify potential weaknesses” in its security setup. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/13/nbn_co_hoses_down_silly_afr_hacker_story/

Government admits seizing two months of AP phone records

The Associated Press reports that government investigators seized two months’ worth of telephone records from its staff last year and hid that fact until now.

“There can be no possible justification for such an overbroad collection of the telephone communications of The Associated Press and its reporters,” said CEO Gary Pruitt in a letter sent to Attorney General Eric Holder.


“These records potentially reveal communications with confidential sources across all of the newsgathering activities undertaken by the AP during a two-month period, provide a road map to AP’s newsgathering operations and disclose information about AP’s activities and operations that the government has no conceivable right to know,” Pruitt wrote.

Between April and May last year, the Justice Department obtained the outgoing call logs for over 20 work and personal numbers used by AP staff in its bureaus in New York, Hartford, and Washington. The news organization says it doesn’t yet know if data on incoming calls and their duration were also slurped, and says it presumes telephone companies handed over the data.

William Miller, a spokesman for Washington US attorney Ronald Machen, said his office followed “all applicable laws, federal regulations and Department of Justice policies when issuing subpoenas for phone records of media organizations,” while declining to comment on this case in particular. The cause of the investigation hasn’t been made public, but AP suggested it may be linked with a May 7 story last year about the CIA foiling an al-Qaida plot to blow up a plane heading into the US on or around the anniversary of the death of Osama Bin Laden.

The bomb in question was reported to be a more sophisticated version of that used by Umar Farouk Abdulmutallab (aka the failed underpants bomber) who is currently serving life without parole. The new bomb was non-metallic, making it easier to get past airport security.

At the request of the government, AP held off on publishing the story initially, after being warned it was a national security issue, but then declined to wait until the Obama administration had made an official statement on the matter. The FBI is currently investigating the leak.

“The irresponsible and damaging leak of classified information was made … when someone informed the Associated Press that the U.S. Government had intercepted an IED (improvised explosive device) that was supposed to be used in an attack and that the U.S. Government currently had that IED in its possession and was analyzing it,” said CIA Director John Brennan during congressional testimony in February.

AP said that five of the journalists involved in researching and writing the story, and their editor, were all known to have used the phone lines under investigation. In all, over 100 journalists may have used the monitored lines.

“Obtaining a broad range of telephone records in order to ferret out a government leaker is an unacceptable abuse of power,” said the director of the ACLU Speech, Privacy, and Technology Project Ben Wizner. “Freedom of the press is a pillar of our democracy, and that freedom often depends on confidential communications between reporters and their sources.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/14/government_takes_ap_phone_records/

Apple asked me for my BANK statements, says outraged reader

Exclusive: Apple is believed to have asked some online shoppers to hand over copies of their driving licence, passport and bank statements to verify their identity.

A concerned Reg reader alerted us to Apple’s data-slurp requests after she received one herself – and was told by her bank that they had never heard of private companies asking for this information.


After ordering an iPad for her young son, our reader – who works in the IT industry and does not want to incur the fruity firm’s wrath by revealing her name – received a suspicious email purporting to be from Apple, but looking like the sort of dodgy call for information we’re all told to strenuously avoid.

It read:

We perform security checks on our customers’ credit card orders due to the fact that the cardholder is not present to sign for transactions. The Apple Online Store’s Terms and Conditions state that Apple reserves the right to verify the identity of the genuine credit card holder by requesting appropriate documentation. Please note these checks are a security measure designed to protect your information.

The email continued:

Please scan a copy or take a photo of the following documentation in jpeg format and email it to eurofinance@euro.apple.com:

1. Card holders Drivers license or National Identity Card or Passport and 2. Recent Credit Card / Bank Statement showing card holder name, address and card number.

As our reader had scans of the documents to hand, she emailed over copies of them… and then immediately began panicking.

She phoned the police and her bank, who both told her the email was more than likely a fraud. She feared her identity was about to be stolen due to the amount of personal information she had just handed over.

But after Apple wrote back to her and told her they had checked the documents with a notary, she began to realise that it was a genuine, Cupertino-endorsed email. The letter said that Apple understood “her concerns” about sending over bank statements, but asked her to do it anyway, as well as ensuring her passport copy was in colour.

A quick scout through the Apple forum reveals similar complaints – and when we phoned the fruity firm’s customer services branch posing as a fanboi, they confirmed that agents did indeed ask for copies of customers’ driving licence, passport and bank statements.

The ability to do this is written into Apple’s terms and conditions, as mentioned in the letter quoted above.

Our source said: “When I found out this was a genuine Apple request, I immediately cancelled the order. They’ve basically turned me into a future Android user.

“Apple told me they carry out spot checks for security reasons. But I don’t think any private company should have the right to ask you to send over such personal documents by email.

“It’s Apple’s arrogant way of saying: ‘Tell us everything about yourself or we won’t sell you our products’. What’s next? Will they ask for my inside leg measurement or a chest X-ray?

“I’m so angry. After sending that information, I thought I had been hacked and spent days worrying. The police told me I had definitely been phished, whilst my bank told me they had never heard of private companies asking for this information. Then I found it was genuine, because Apple had the cheek to ask for a colour scan of my passport. I’m shocked by what they’ve done.”

El Reg recently wrote about a German court’s decision to make Apple tighten up the way it uses customers’ data. The ruling hinged around Apple’s policy of “global consent” to its terms and conditions over how personal data is gathered and used.

Campaigner Nick Pickles, director of privacy and civil liberties campaign group Big Brother Watch, believes that Apple is seeking far too much information from consumers under the auspices of combating fraud.

He said:

It’s very concerning that a private company feels entitled to demand and store sensitive identity documents for [users] to purchase something from Apple.

This is a totally over-the-top approach to fraud and I would be astonished if there isn’t a better way of combating fraud than intruding on people’s privacy like this. Customers are apparently allowed to black out “sensitive details” on the copied documents, according to our source. Apple appears to offer no detail on how long the data will be held for, nor offer the customer an alternative way of verifying their identity. This heavy handed approach only undermines consumer confidence that companies respect their privacy and potentially increases the risk of identity fraud or people stealing identity documents to facilitate purchases.

Apple told El Reg it does not comment on individual cases. Apple’s terms and conditions say: “We reserve the right to verify the identity of the credit card holder by requesting appropriate documentation.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/13/apple_passport_privacy/