STE WILLIAMS

Microsoft warns of possible attacks after Xbox Live certificate leaked

Microsoft on Tuesday updated its Certificate Trust List (CTL) after private keys for an SSL/TLS digital certificate for Xbox Live were “inadvertently disclosed,” it said in a security advisory.

The *.xboxlive.com digital certificate could be used to attempt man-in-the-middle attacks, the company said.

In such an attack, the attacker could use the certificate to impersonate the xboxlive.com domain and intercept the website’s secure connection.

Tricked Xbox users might then hand over their username and password, potentially leading to yet more attacks on the user.

However, according to Microsoft, the certificate couldn’t be used to issue other certificates, impersonate other domains, or sign code.
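The three limits Microsoft describes (the certificate can impersonate xboxlive.com hosts, but cannot issue certificates, cover other domains, or sign code) are all readable from the certificate's own extensions, and the CTL update works by listing the leaked certificate's fingerprint as disallowed. The following Go program is an added example, not code from the article or from Microsoft: it generates a constructed stand-in for the leaked certificate (a wildcard SAN, CA:FALSE, serverAuth only) under a throwaway root, then checks each limit the way a relying party would, before and after the fingerprint is placed on a disallowed list. The hostnames and the root are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertFacts records what a certificate can and cannot be used for, judged from
// its own extensions plus the relying party's disallowed list.
type CertFacts struct {
	MatchesHost bool // SAN covers the hostname being impersonated
	CanIssue    bool // basicConstraints CA:TRUE with keyCertSign
	CanSignCode bool // extendedKeyUsage includes codeSigning
	Disallowed  bool // fingerprint is on the relying party's disallowed list
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issueLeaf builds a constructed stand-in for the leaked server certificate:
// a wildcard SAN, CA:FALSE and only the serverAuth extended key usage.
// The issuing root is generated here too; nothing comes from a real CA.
func issueLeaf(wildcard string) *x509.Certificate {
	caKey, leafKey := mustKey(), mustKey()
	now := time.Now()
	root := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, root, root, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		panic(err)
	}
	leaf := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: wildcard},
		DNSNames:              []string{wildcard},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true, // CA:FALSE is encoded explicitly
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, rootCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	parsed, err := x509.ParseCertificate(leafDER)
	if err != nil {
		panic(err)
	}
	return parsed
}

// fingerprint is the SHA-256 of the DER encoding, the form in which a
// distrusted certificate is normally listed.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == want {
			return true
		}
	}
	return false
}

// assess answers the advisory's questions for one hostname, and whether the
// relying party has already disallowed this exact certificate.
func assess(c *x509.Certificate, host string, disallowed map[string]bool) CertFacts {
	return CertFacts{
		MatchesHost: c.VerifyHostname(host) == nil,
		CanIssue:    c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0,
		CanSignCode: hasEKU(c, x509.ExtKeyUsageCodeSigning),
		Disallowed:  disallowed[fingerprint(c)],
	}
}

func main() {
	leaf := issueLeaf("*.xboxlive.com")
	before := map[string]bool{}                       // trust store before the CTL update
	after := map[string]bool{fingerprint(leaf): true} // after: the leaked cert is listed
	fmt.Printf("xboxlive host, before update: %+v\n", assess(leaf, "www.xboxlive.com", before))
	fmt.Printf("xboxlive host, after update:  %+v\n", assess(leaf, "www.xboxlive.com", after))
	fmt.Printf("unrelated host:               %+v\n", assess(leaf, "login.live.com", after))
}
```

Before the update the constructed certificate is accepted for any xboxlive.com host but for nothing else and for no other purpose; after its fingerprint is listed it is rejected regardless of hostname, which is exactly what pushing the CTL update achieves for clients that receive it.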

Though Microsoft isn’t currently aware of attacks related to the certificate fumble, it says that the issue affects all supported releases of Microsoft Windows.

Windows users on supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows 10 Version 1511, and those using devices running Windows Phone 8, Windows Phone 8.1, and Windows 10 Mobile don’t have to sweat this, Microsoft said, given that their certificate trust lists are automatically updated.

Customers running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 who use the automatic updater of CTLs will also receive the update without needing to do anything.

For everyone else, make sure you update now!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YX1Eax71m_o/

Facebook wants a kinder, gentler end for SHA-1

Facebook has broken ranks with the world’s major browser vendors, asking that the ancient SHA-1 hash algorithm go out with a whimper rather than a bang.

As has been predicted for some years, computing power has long since caught up with SHA-1, and today’s best practice is to replace it with SHA-256.

Microsoft, Mozilla and Google have all either retired it already, or set down dates for its deprecation.

However, Facebook’s Alex Stamos argues here that too hard a cut-off will harm users in developing countries.

Stamos says between 3 and 7 per cent of browsers in use can’t handle SHA-256, and since these are disproportionately in developing countries, “the likely outcome in those countries will be a serious backslide in the deployment of HTTPS”.

He says Facebook has been experimenting with a graceful fallback, so that if a user agent can’t cope with SHA-256 it can still connect.

The solution is based on a TLS “termination edge” that supports certificate switching: if the browser can only handle SHA-1, it still gets an HTTPS connection, but for newer browsers the connection will use SHA-256.
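Certificate switching of this kind keys off what the client advertises in its ClientHello: a TLS 1.2 client that can validate SHA-256 signatures lists a SHA-256 scheme in its signature_algorithms extension, while older clients list only SHA-1 or omit the extension altogether. The following Go code is an added example, not Facebook's Proxygen code: it shows how a termination edge can make that decision in a GetCertificate callback. The chain names and the demo ClientHellos are assumptions; a real deployment would load the two chains with tls.LoadX509KeyPair.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// sha2Schemes lists signature_algorithms values that show the client can
// validate a certificate signed with SHA-256 or stronger.
var sha2Schemes = map[tls.SignatureScheme]bool{
	tls.PKCS1WithSHA256:        true,
	tls.PKCS1WithSHA384:        true,
	tls.PKCS1WithSHA512:        true,
	tls.PSSWithSHA256:          true,
	tls.PSSWithSHA384:          true,
	tls.PSSWithSHA512:          true,
	tls.ECDSAWithP256AndSHA256: true,
	tls.ECDSAWithP384AndSHA384: true,
	tls.ECDSAWithP521AndSHA512: true,
	tls.Ed25519:                true,
}

// chainFor decides which chain ("sha256" or "sha1") a ClientHello should get.
func chainFor(hello *tls.ClientHelloInfo) string {
	// TLS 1.3 forbids SHA-1 certificate signatures, so a client offering 1.3
	// can certainly take the modern chain.
	for _, v := range hello.SupportedVersions {
		if v >= tls.VersionTLS13 {
			return "sha256"
		}
	}
	for _, s := range hello.SignatureSchemes {
		if sha2Schemes[s] {
			return "sha256"
		}
	}
	// No signature_algorithms extension (TLS 1.0/1.1, or a TLS 1.2 client that
	// omitted it) or only SHA-1 entries: the legacy client the fallback exists for.
	return "sha1"
}

// edge holds both chains and implements tls.Config.GetCertificate.
type edge struct {
	chains map[string]*tls.Certificate
}

func (e *edge) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := chainFor(hello)
	c, ok := e.chains[name]
	if !ok {
		return nil, fmt.Errorf("no %s chain configured", name)
	}
	return c, nil
}

// tlsConfig wires the selector into a server configuration.
func (e *edge) tlsConfig() *tls.Config {
	return &tls.Config{GetCertificate: e.getCertificate}
}

// demoEdge uses empty placeholder certificates so the selection logic can be
// exercised without key material; real chains come from tls.LoadX509KeyPair.
func demoEdge() *edge {
	return &edge{chains: map[string]*tls.Certificate{"sha256": {}, "sha1": {}}}
}

// Constructed ClientHellos covering the cases the edge must distinguish.
func modernHello() *tls.ClientHelloInfo {
	return &tls.ClientHelloInfo{SignatureSchemes: []tls.SignatureScheme{
		tls.ECDSAWithP256AndSHA256, tls.PKCS1WithSHA256, tls.PKCS1WithSHA1}}
}
func tls13Hello() *tls.ClientHelloInfo {
	return &tls.ClientHelloInfo{SupportedVersions: []uint16{tls.VersionTLS13, tls.VersionTLS12}}
}
func sha1OnlyHello() *tls.ClientHelloInfo {
	return &tls.ClientHelloInfo{SignatureSchemes: []tls.SignatureScheme{tls.PKCS1WithSHA1, tls.ECDSAWithSHA1}}
}
func noExtensionHello() *tls.ClientHelloInfo {
	return &tls.ClientHelloInfo{SupportedVersions: []uint16{tls.VersionTLS10}}
}

func main() {
	e := demoEdge()
	_ = e.tlsConfig()
	for name, h := range map[string]*tls.ClientHelloInfo{
		"modern TLS 1.2 client": modernHello(),
		"TLS 1.3 client":        tls13Hello(),
		"SHA-1-only TLS 1.2":    sha1OnlyHello(),
		"TLS 1.0, no extension": noExtensionHello(),
	} {
		fmt.Printf("%-22s -> %s chain\n", name, chainFor(h))
	}
}
```

The important property is that a modern client is never downgraded: the SHA-1 chain is served only when nothing in the hello indicates SHA-256 support, which is the graceful fallback Stamos describes.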

“We should be investing in privacy and security solutions for these people, not making it harder for them to use the Internet safely”, Stamos writes.

To make this approach more broadly available, Facebook wants the CA/Browser Forum to create what Stamos calls a “Legacy Verified Certificate”.

A holder of that kind of certificate would be allowed to sign SHA-1 certs, but only if it demonstrates that it supports SHA-256 for modern browsers.

The company has also published the code it uses for certificate switching here, as part of its Proxygen HTTP library. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/10/facebook_wants_a_kinder_gentler_end_for_sha1/

‘Legacy’ WordPress blog site of The Independent serving malware

The Independent has become the latest big-name publisher to serve malware.

Trend Micro is warning that the UK news site’s WordPress-based blog section has been compromised.

The company says the attack seems to have begun on November 21, with a compromised page serving the Angler exploit kit, taking advantage of visitors with old Flash versions to hit them with the Cryptesla 2.2.0 ransomware.

“The vulnerability involved in this particular instance is discovered to be CVE-2015-7645. This is also the latest vulnerability we detect to be added to Angler’s repertoire”, Trend fraud researcher Joseph Chen writes.

According to the BBC, The Independent says the site the attackers hit is a rarely-visited “legacy” site that gets less than 0.2 per cent as many hits as its total digital audience.

The publisher told the Beeb an advertisement may have been serving malware and claimed: “There is no suggestion or evidence that any of our users have been affected by this.”

It’s also investigating its third-party advertising suppliers.

Trend’s post says it’s seeing 4,000 redirects each day to Angler, but that’s across its whole network rather than just from The Independent.

CVE-2015-7645 is a Flash bug that emerged in October 2015. It was the exploit used in the Pawn Storm attacks, and has since been patched, as have dozens of other Flash vulnerabilities. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/10/legacy_wordpress_blog_site_of_ithe_independenti_serving_malware/

GCHQ Christmas Card asks YOU the questions

The Government Communications Headquarters (GCHQ), Britain’s signals intelligence organisation, has revealed its Christmas card.

The boring bit of the card, which will come from GCHQ director Robert Hannigan, is a painting called “Adoration of the Shepherds” from the brush of one of Rembrandt’s students.

The interesting bits are described by GCHQ as “a grid-shading puzzle and instructions on how it should be completed.”

Here is said puzzle.


GCHQ’s Christmas puzzle. Bigger image at GCHQ’s site, if you’re game to visit it, here

Solving this puzzle, GCHQ says, “will create an image that leads to a series of increasingly complex challenges.”

At the end of those challenges, it seems there’s an email address one can use to notify GCHQ of your answer to the meta-puzzle. The agency suggests that anyone who enjoys the puzzle could do worse than to make a donation to the National Society for the Prevention of Cruelty to Children, a suggestion that works in any season. Whether revealing your cryptographic cleverness to GCHQ makes sense, given its ever-widening surveillance powers, is a question we can’t answer charitably. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/10/gchq_christmas_card_asks_you_the_questions/

All eyes on the jailbroken as iOS, Mac OS X threat level ratchets up

The number of iOS threats discovered this year has more than doubled, from three in 2014 to seven so far in 2015, according to Symantec, with jailbroken devices being the focus of the majority of threats.

Of the 13 iOS threats documented by the technology security company in total, nine can only infect jailbroken devices.

Mac OS X threats are also on the rise, at least historically, according to the security giant. The number of new Mac OS X threats emerging is increasing year-on-year, rising by 15 per cent in 2014, according to Symantec.

This followed an increase of 44 per cent in 2013 and an increase of 29 per cent in 2012. Early indications are that the number of new threats on Apple’s desktop platform for 2015 may come out slightly lower than that in 2014 or 2013, but higher than in previous years.

However, the number of unique OS X computers infected with malware in the first nine months of 2015 alone was seven times higher than in all of 2014. This is partly driven by the increased popularity of Macs but mainly down to successful targeting by crooks.

Much of the spike is down to grayware, such as adware, or potentially unwanted or misleading applications, with threats from spyware and trojans also an increasing problem for Mac fans.

These threats stem from cybercrime gangs branching out to Apple platforms, as well as high-level attack groups such as the Butterfly corporate espionage crew infecting OS X computers in targeted organisations, and the Pawn Storm APT group creating malware capable of infecting iOS devices.

Symantec’s take on Apple desktop threats fits with a separate warning about a rising tide of Mac OS X malware from researchers at Bit9 + Carbon Black last month.

Bug count

The overall number of new Mac OS X vulnerabilities emerging has remained relatively steady in recent years, ranging between a low of 39 and a high of 70 per year. The number of new Mac OS X vulnerabilities has generally been lower than the number of Windows vulnerabilities.

The greater market share Windows continues to enjoy means that the platform is more closely scrutinised by attackers and security researchers, a factor that may go a long way towards explaining the difference.

Elsewhere, the volume of vulnerabilities affecting iOS exceeded those documented for its main competitor, Google’s Android, between 2011 and 2014 (inclusive).

But that trend has reversed in 2015 so far, and new Android vulnerabilities have outpaced those in Apple’s iOS operating system for smartphones and tablets.

Although the total number of threats targeting Apple devices remains quite low compared with Windows in the desktop and Android in the mobile sector, Apple users can’t be complacent, as Symantec argues.

“Although still small in terms of overall numbers, the number of new OS X and iOS threats discovered annually has been trending upwards over the past five years,” Symantec researcher Dick O’Brien concludes in a blog post.

Users considering jailbreaking an iOS device should exercise caution, for example by educating themselves about the risks they may be exposed to, Symantec advises. The majority of iOS threats target jailbroken devices, and unofficial app stores are more likely to host trojanised apps, the company adds, among other top tips covered in more depth in its blog post.

Symantec’s 32-page white paper on the Apple threat landscape, which puts the whole issue under the microscope, can be found here (PDF). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/10/ios_mac_osx_threat_trends/

Aussie hacker flips Coin into fraudster fob

Kiwicon: Criminals can empty stolen credit cards with new-found stealth using payment gadget Coin, thanks to the device’s weak and pwnable authentication checks.

Hacker Peter Fillmore (@typhoonfilsy) of Melbourne, Australia, found Coin’s weak authentication scheme can be manipulated using man-in-the-middle attacks that allow fraudsters to load and verify stolen cards.

As Fillmore notes, pilfered cards are easy to buy from criminal sites like Rescator. Then they can be loaded and verified with Coin, and used at retailers.

It’s also a stealthy approach for fraudsters, since they no longer need to DIY-build possibly dodgy credit cards – instead using Coin at US retailers already familiar with the gadget.

Coin security boss and chief operating officer Russell Taga says the company is investigating the attacks.

“This is the first that Coin is hearing about what you’re sharing, so we’d need more information before fully responding,” Taga told Vulture South.

Fillmore says the fix will require an expensive overhaul of Coin’s authentication mechanism so it resembles that used in traditional payment terminals. It is a timely and costly repair that stands in stark contrast to his hack, which he says took a total of half a day to discover and write up.


Peter Fillmore. Photo: Darren Pauli / The Register

The payment card and fraud boffin tells Vulture South, ahead of his talk at the Kiwicon conference in Wellington on Friday, that it is also possible to load Coin with expired credit cards, or predictable American Express cards that have yet to be issued (via a separate hack detailed last week).

Fillmore says the hack is possible because the authentication request Coin pushes to processor Stripe can be intercepted and altered. That would allow an attacker to load a stolen or expired credit card, or yet-to-be-released American Express card, into Coin, and capture and alter the authentication check such that the dodgy card details can be replaced with the data of a card a fraudster owns.

Stripe would then see the fraudster’s card details and issue an approved token that Coin would apply to the stolen or expired card.

“You enter the stolen card data and if you put in a man-in-the-middle proxy, you change the details to a valid card, say a prepaid card, and they will place a charge check for say $1,” Fillmore says.

“Stripe doesn’t care how you send the credit card details – as long as it’s a valid credit card, they’ll send back a valid token. It’s a lot easier for a criminal using Coin because they don’t need to try to create a legitimate-looking credit card.”

Attackers can also directly edit the Coin app database to have the device accept dodgy credit cards. Then the Stripe authentication check would not even need to occur.

“Coin claims they are doing authentication checks – they’re not – they trust the local database,” he says. The local hack, which can happen with phones placed in airplane mode, needs more time to develop than Fillmore allocated to his quick and dirty exploit.

Attackers would need to work out the encryption key, which he says is achievable.

Fillmore says he has long considered Coin and similar devices as assets to fraudsters. He says Coin needs a significant redesign so that it would use expensive and proven authentication schemes like point-to-point encryption.

“Coin can’t fix this without a hell of a lot of work. They need to set up their own authentication service to ensure cards are correct.” ®
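The design weakness Fillmore describes is that the verification result is not bound to the card the device actually holds: whatever the processor approved, the device applies the token to the card it loaded locally, and the local database is trusted thereafter. The following Go program is an added example, not Coin's or Stripe's code, showing the general fix he calls for: a verification service the vendor runs itself returns a token bound to a hash of the card data it checked, the device refuses a token issued for different card data, and the service re-checks that binding at charge time so an edited local database gains nothing. The card numbers are standard test numbers and the key is a constructed placeholder.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// verifier is a constructed stand-in for the card-verification service the
// article says the vendor would need to run itself. It is not Stripe's API.
type verifier struct {
	key   []byte          // HMAC key held only by the service, never by the device
	valid map[string]bool // cards the service will approve (constructed test data)
}

// cardID hashes the card data the service actually checked; tokens are bound to it.
func cardID(pan, expiry string) string {
	sum := sha256.Sum256([]byte(pan + "|" + expiry))
	return hex.EncodeToString(sum[:])
}

func (v *verifier) mac(id string) string {
	m := hmac.New(sha256.New, v.key)
	m.Write([]byte(id))
	return hex.EncodeToString(m.Sum(nil))
}

// verify approves a card and returns "<cardID>.<mac>". If a proxy swapped the
// card details in transit, the token names the swapped card, not the one the
// device is trying to load.
func (v *verifier) verify(pan, expiry string) (string, error) {
	if !v.valid[pan] {
		return "", errors.New("declined")
	}
	id := cardID(pan, expiry)
	return id + "." + v.mac(id), nil
}

// deviceAccepts is the keyless device-side check: refuse to store a card
// whose token was issued for different card data.
func deviceAccepts(token, pan, expiry string) bool {
	parts := strings.SplitN(token, ".", 2)
	return len(parts) == 2 && parts[0] == cardID(pan, expiry)
}

// authorizeCharge is the server-side check at payment time. It holds even if
// the device's local database was edited to skip deviceAccepts.
func (v *verifier) authorizeCharge(token, pan, expiry string) error {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 || !hmac.Equal([]byte(parts[1]), []byte(v.mac(parts[0]))) {
		return errors.New("token not issued by this service")
	}
	if parts[0] != cardID(pan, expiry) {
		return errors.New("token was issued for a different card")
	}
	return nil
}

func main() {
	// Constructed data: one card the service approves (a prepaid card the
	// fraudster owns) and one it would decline (the stolen card).
	svc := &verifier{key: []byte("constructed-service-key"), valid: map[string]bool{"4111111111111111": true}}
	stolenPAN, stolenExp := "5555555555554444", "01/20"
	ownPAN, ownExp := "4111111111111111", "12/19"

	// The device submits the stolen card; a proxy swaps in the fraudster's own card.
	token, err := svc.verify(ownPAN, ownExp)
	fmt.Println("service approved the swapped card:", err == nil)
	// The device refuses to store the stolen card under that token.
	fmt.Println("device stores stolen card:", deviceAccepts(token, stolenPAN, stolenExp))
	// Even with the device check bypassed, the charge is refused server-side.
	fmt.Println("charge on stolen card:", svc.authorizeCharge(token, stolenPAN, stolenExp))
	fmt.Println("charge on own card:   ", svc.authorizeCharge(token, ownPAN, ownExp))
}
```

The point is that substituting card details in the verification request no longer helps: the token that comes back is only usable with the card that was actually verified, and the server, not the device's database, is the authority on that binding.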



Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/09/aussie_hacker_flips_coin_into_fraudster_fob/

FTC and Wyndham end hotel data protection feud

Hotel chain Wyndham Resorts has agreed to settle its long-running case with the FTC over its handling of customer data.

The US trade bod said on Wednesday it has agreed to a settlement deal [PDF] that will see Wyndham spend the next two decades under mandatory rules for securing and storing customer payment card information.

The deal settles a long-running case in which the FTC has accused Wyndham of failing to properly secure payment card information in the face of repeated data breaches and the loss of customer information.

The FTC first filed suit in 2012, alleging that the company’s lax security practices constituted a violation of the FTC Act and thus could be prosecuted by the trade commission. Wyndham appealed the decision, claiming the FTC had no authority to challenge its data security policies.

Earlier this year, a US Court of Appeals found in favor of the FTC and upheld the Commission’s standing to file complaints against companies that fail to maintain adequate security.

“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” FTC chairwoman Edith Ramirez said of the deal.

“Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”

With the settlement, Wyndham not only drops its appeal to the FTC, but also agrees to a set of security requirements that will run for the next 20 years.

During that time, the resort chain will be subject to annual security audits to check compliance with PCI-DSS security requirements on all customer payment card data. Additionally, Wyndham will need to maintain secured connections between its hotels and corporate offices when customer information is transmitted.

No cash penalties were mentioned in the settlement, though further complaints and fines could be issued should Wyndham fail to uphold its end of the settlement deal. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/10/wyndham_hotels_settles_with_ftc/

Kaspersky, McAfee, and AVG all vulnerable to major flaw

Some of the biggest names in the security software business have been compromised by a serious flaw that could allow a hacker to use the commercial security code to infiltrate computers.

In March, researchers at security firm enSilo found a serious flaw in the popular free antivirus engine AVG Internet Security 2015. They found that the software was allocating memory with read, write, and execute (RWX) permissions at a predictable address, which an attacker could use to inject code into a target system.

enSilo got in touch with AVG and the flaw was fixed within a couple of days. But the team then went through other security suites and found that McAfee VirusScan Enterprise version 8.8 and Kaspersky Total Security 2015 were also vulnerable.

“We’ll continue updating this list as we receive more information,” said Tomer Bitton, VP of research at enSilo, in a blog post.

“Given that this is a repetitive coding issue amongst Anti-Virus – an intrusive product, we believe that this vulnerability is also likely to appear in other intrusive products, non-security related, such as application-performing products.”

This isn’t a theoretical attack vector. Google’s in-house hacker Tavis Ormandy found a similar issue with Kaspersky and wrote a blog post detailing how to exploit the problem.

Given the possible widespread nature of the problem, enSilo has created a free checking utility called AVulnerabilityChecker and stuck it on GitHub for anyone to use. Intel, owner of McAfee, and Kaspersky have now fixed the issue, but users are advised to check that they have all the latest updates. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/10/kaspersky_mcafee_avg_vulnerable/

Brit-American hacker duo throws pwns on IoT BBQs, grills open admin

Kiwicon: American hardware hackers have ruined Christmas cook-ups across Australia, revealing gaping and pwnable vulnerabilities in Internet-connected barbecues.

Hardware hackers Matthew Garrett and Paul McMillan revealed how the Internet-of-things CyberQ exposed its remote administration facilities and could be owned over the internet.

Garrett told the Kiwicon conference in Wellington today the barbecues can be found using Google and pwned by getting users to visit a malicious page.

“It works by port forwarding its server through your router to the Internet, and if you ask Google if there are servers that contain the [CyberQ admin] web page, the answer is yes,” Garrett told the conference, without specifying what appears to be a large number of exposed barbies.

“It is very practical to get someone to visit a webpage and click an innocuous link.

“This allows you to generate a post request to their barbecue controller and destroy their feast.”
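What Garrett describes is classic cross-site request forgery against an embedded admin server: the victim's browser, already able to reach the controller, is made to submit a state-changing POST on a third party's behalf. The following Go program is an added example, not the CyberQ firmware or the presenters' code, showing the checks an embedded web UI needs to reject such a request: Fetch Metadata, an Origin check against the controller's own hostname, and a CSRF token bound to the session cookie. The hostname, the "target" setting and the session values are assumptions for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
)

var errCrossSite = errors.New("request did not come from the controller's own UI")

// controller is a constructed stand-in for a grill's embedded admin server.
type controller struct {
	host    string // the hostname the UI is served from
	secret  []byte // server-side key for binding CSRF tokens to sessions
	targetF int    // the setting a forged request would try to change
}

// csrfToken derives a per-session token; a third-party page cannot read the
// session cookie, so it cannot compute this value.
func (c *controller) csrfToken(session string) string {
	m := hmac.New(sha256.New, c.secret)
	m.Write([]byte(session))
	return hex.EncodeToString(m.Sum(nil))
}

// checkCrossSite rejects state-changing requests a browser sent on behalf of
// another site. The three checks are independent; any one of them rejecting is enough.
func (c *controller) checkCrossSite(r *http.Request) error {
	if r.Method == http.MethodGet || r.Method == http.MethodHead {
		return nil // safe methods may be cross-site, so they must never change state
	}
	// 1. Fetch Metadata, sent by modern browsers: only same-origin or user-initiated.
	if site := r.Header.Get("Sec-Fetch-Site"); site != "" && site != "same-origin" && site != "none" {
		return errCrossSite
	}
	// 2. Origin, when present, must be the controller's own host.
	if origin := r.Header.Get("Origin"); origin != "" {
		u, err := url.Parse(origin)
		if err != nil || !strings.EqualFold(u.Host, c.host) {
			return errCrossSite
		}
	}
	// 3. The form must carry the token derived from this session's cookie.
	sess, err := r.Cookie("session")
	if err != nil {
		return errCrossSite
	}
	if !hmac.Equal([]byte(r.FormValue("csrf")), []byte(c.csrfToken(sess.Value))) {
		return errCrossSite
	}
	return nil
}

// setTarget is the handler a forged POST would aim at.
func (c *controller) setTarget(w http.ResponseWriter, r *http.Request) {
	if err := c.checkCrossSite(r); err != nil {
		http.Error(w, err.Error(), http.StatusForbidden)
		return
	}
	t, err := strconv.Atoi(r.FormValue("target"))
	if err != nil {
		http.Error(w, "bad target", http.StatusBadRequest)
		return
	}
	c.targetF = t
	fmt.Fprintf(w, "target set to %d F\n", t)
}

// formPost builds a browser-style form POST to the controller (constructed for the demo).
func formPost(origin, session, body string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "http://bbq.lan/set", strings.NewReader(body))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	r.AddCookie(&http.Cookie{Name: "session", Value: session})
	return r
}

// apply runs one request through the handler and returns the HTTP status.
func (c *controller) apply(r *http.Request) int {
	w := httptest.NewRecorder()
	c.setTarget(w, r)
	return w.Code
}

func main() {
	c := &controller{host: "bbq.lan", secret: []byte("constructed-demo-key"), targetF: 225}
	// A page on another site makes the logged-in browser POST to the grill.
	forged := formPost("http://evil.example", "sess-1", "target=700")
	fmt.Println("forged request:", c.apply(forged), "target now", c.targetF)
	// The controller's own UI includes the session-bound token.
	legit := formPost("http://bbq.lan", "sess-1", "target=250&csrf="+c.csrfToken("sess-1"))
	fmt.Println("own UI request:", c.apply(legit), "target now", c.targetF)
}
```

The token check is the one that works for every browser; the Origin and Sec-Fetch-Site checks are cheap early rejections that also catch requests from clients that send those headers. None of this helps with the other problem Garrett raises, the controller being port-forwarded to the internet in the first place.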


Paul McMillan (left) with Matthew Garrett. Photo: Darren Pauli / The Register.

In jest the open source champions crowned their attack ‘OMG BBQ’.

It’s the epitome of Internet-connected-garbage, Garrett said, a phrase that was the title of his talk which covered horrid and pervasive security flaws in the architecture of Internet-of-things things.

“[Internet-of-things] are almost exclusively terrible, a very bad idea,” Garrett says. “The code is mostly bullshit; there is a lot of software and the more software a device contains the more bugs it has.”

He says internet-of-things devices largely run a mix of tiny operating systems and Linux, but not BSD because “no-one runs that”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/10/american_hacker_duo_throws_pwns_on_iot_bbqs_grills_open_admin/

Borg bitten by Java deserialisation bug, working on patch

November’s high-profile Java deserialisation bug has bitten Cisco, with the company announcing vulnerabilities across the board in its huge product line.

The problem is so pervasive that it reaches into the most trivial activities of the sysadmin, such as serial number assessment services.

The original advisory made by FoxGlove Security focussed on the Apache Commons Collections (ACCs), but a few days ago, SourceClear warned that it appeared in a lot more libraries than originally believed.

Cisco agrees: in its advisory, it notes that “Any application or application framework could be vulnerable if it uses the ACC library and deserializes arbitrary, user-supplied Java serialized data”.

Under investigation are products in its collaboration software, endpoint client software, network acceleration, network content and security, network management and provisioning, switching and routing (including various versions of IOS), unified computing, unified communications, video, telepresence and wireless products.

Cisco’s cloud services are also getting the hard eye to see if the ACC bug affects them.

We’ve included below Cisco’s table of products so far confirmed vulnerable.

The Borg says it is now working on software updates. ®

Vulnerable products so far


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/10/cisco_java_deserialisation_bug/