STE WILLIAMS

PHP users warned to stay away from latest update

Maintainers of the PHP scripting language are urging users to avoid an update released last week that introduces a serious bug affecting some cryptographic functions.

The flaw in version 5.3.7 involves the crypt() function, which is used to produce a salted hash of a text string such as a password. When the function is called with an MD5 salt (a salt string beginning with "$1$"; the salt is the extra input that makes identical passwords hash to different values and defeats precomputed tables), it returns only the salt instead of the salted hash. The bug doesn’t appear to affect crypt() when the DES or Blowfish algorithms are used.

“If crypt() is executed with MD5 salts, the return value consists of the salt only,” a bug report published on Wednesday stated. “DES and Blowfish salts work as expected.”

Despite the bug report, PHP maintainers released the update the following day. It fixed several security vulnerabilities, including a buffer overflow on an overlong salt in the same crypt() function.
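Why a salt-only return value matters is easy to miss: the usual verification idiom is crypt($input, $stored) == $stored, and if both sides collapse to the bare salt, every password is accepted for any account whose hash was written by the broken build. The following Python is an added example, not PHP’s code or anything from the original article: broken_crypt emulates the reported 5.3.7 behaviour, stand_in_crypt is a toy hash that only mimics the output shape of MD5-crypt (it is not the MD5-crypt algorithm), and the format check that a password store can apply before saving or comparing a hash is the point of the example.

```python
import hashlib
import hmac
import re
import secrets

# Shape of an MD5-crypt string: "$1$", a salt of up to 8 characters, "$", then a
# 22-character digest, all from the crypt base64 alphabet [./0-9A-Za-z].
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MD5_CRYPT_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def new_md5_salt() -> str:
    """Fresh '$1$xxxxxxxx$' salt: 8 random characters from the crypt alphabet."""
    return "$1$" + "".join(secrets.choice(ITOA64) for _ in range(8)) + "$"


def broken_crypt(password: str, salt: str) -> str:
    """Emulation of the PHP 5.3.7 regression (not PHP's code): the password is
    ignored and only the salt field of the input comes back."""
    end = salt.find("$", 3)          # end of the salt field in "$1$salt$..."
    return salt if end < 0 else salt[: end + 1]


def stand_in_crypt(password: str, salt: str) -> str:
    """Toy hash with the same output *shape* as MD5-crypt.  It is NOT MD5-crypt
    (it is sha256(salt || NUL || password) re-encoded); it stands in for a correctly
    behaving crypt() so the verification logic below can be exercised."""
    if not salt.startswith("$1$"):
        raise ValueError("only $1$ salts are handled by this stand-in")
    end = salt.find("$", 3)
    s = salt[3:] if end < 0 else salt[3:end]
    digest = hashlib.sha256(s.encode() + b"\0" + password.encode()).digest()
    return "$1$%s$%s" % (s, "".join(ITOA64[b & 0x3F] for b in digest[:22]))


def naive_verify(candidate: str, stored: str, crypt_fn) -> bool:
    """The common idiom crypt($input, $stored) == $stored with no sanity check.
    With the broken crypt both sides collapse to the bare salt and any input passes."""
    return crypt_fn(candidate, stored) == stored


def hash_password(password: str, crypt_fn) -> str:
    """Hash with a fresh salt and refuse to store anything that is not a full hash."""
    stored = crypt_fn(password, new_md5_salt())
    if not MD5_CRYPT_RE.match(stored):
        raise RuntimeError("crypt() returned a malformed MD5-crypt string: %r" % stored)
    return stored


def verify_password(candidate: str, stored: str, crypt_fn) -> bool:
    """Same format check on the stored value, then a constant-time comparison."""
    if not MD5_CRYPT_RE.match(stored):
        raise RuntimeError("stored value is not a complete MD5-crypt string: %r" % stored)
    return hmac.compare_digest(crypt_fn(candidate, stored), stored)


def demo() -> dict:
    """Run the scenarios and return the outcomes so they can be checked."""
    out = {}
    salt = "$1$Zx9kL2mQ$"                                  # fixed salt, reproducible
    bad_stored = broken_crypt("correct horse", salt)       # what 5.3.7 would have saved
    out["salt_only_output"] = bad_stored == salt
    out["naive_accepts_anything"] = naive_verify("wrong password", bad_stored, broken_crypt)
    try:
        hash_password("correct horse", broken_crypt)
        out["store_refused"] = False
    except RuntimeError:
        out["store_refused"] = True
    good_stored = hash_password("correct horse", stand_in_crypt)
    out["good_accepts_right"] = verify_password("correct horse", good_stored, stand_in_crypt)
    out["good_rejects_wrong"] = verify_password("wrong password", good_stored, stand_in_crypt)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

The format check is cheap insurance against any crypt() implementation, not just this release: a stored value that is shorter than a complete hash should never be written to a password table, and a verifier that finds one should fail closed rather than compare it.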

On Monday, the maintainers advised users to steer clear of the update.

“Due to unfortunate issues with 5.3.7 users should wait with upgrading until 5.3.8 will be released (expected in few days),” they wrote.

PHP lets webmasters render dynamically generated web pages that are customized according to variables such as where a visitor is located, the browser being used, and when the page is accessed. The freely available open-source program is used by millions of websites, so a vulnerability in its source code can cause widespread security problems.

For those who can’t wait until the next release, the fixes are available in the project’s intermediate builds. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/php_security_warning/

Skype bug could expose users to malicious code attack

The latest version of Skype for Windows contains a security vulnerability that allows attackers to inject potentially dangerous code into a user’s phone session, a German security researcher has reported.

The XSS, or cross-site scripting, vulnerability in Skype 5.5.0.113 is the result of the voice-over-IP client failing to sanitize the phone-number fields of user profiles before rendering them, researcher Levent Kayan said. As a result, attackers might be able to inject scripts that run inside the client of anyone who views the profile, and potentially use that foothold against the machine running the program.

“An attacker could for example inject HTML/JavaScript code,” Kayan wrote in an advisory published on Wednesday. “It has not been verified though, if it’s possible to hijack cookies or to attack the underlying operating system.” An attacker might also exploit the vulnerability to remotely execute malicious JavaScript files on external websites, he said.

[Screen shot from Kayan’s website showing the XSS bug in Skype 5.5.0.113 in action]

The unsafe content is rendered when users view a booby-trapped profile, which is created by entering a JavaScript command or web address where a phone number is expected. The vulnerability is eerily reminiscent of an XSS bug Kayan reported in an earlier version of Skype last month. Skype representatives didn’t immediately respond to an email requesting comment on the persistent (stored) injection vulnerability.
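The root cause described above is a free-text field that is later dropped into markup. The fix has two independent halves: an input allowlist (a phone number has a small, known character set) and output encoding, so that the field is inert even if the allowlist is later loosened. The Python below is an added example and is not Skype’s code; the PHONE_RE policy and the payload strings are constructed for the demonstration.

```python
import html
import re

# Allowlist for a phone-number field (assumed policy for this example): optional
# leading "+", a digit, then 4-19 more digits, spaces, dots, dashes or parentheses.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()\-]{4,19}$")

# Constructed inputs: two injection attempts and one legitimate number.
PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    '" onmouseover="alert(1)',
    "+44 20 7946 0000",
]


def render_phone_vulnerable(phone: str) -> str:
    """The pattern the advisory describes: the raw field is dropped into markup."""
    return '<span class="phone">' + phone + "</span>"


def is_valid_phone(phone: str) -> bool:
    return PHONE_RE.match(phone) is not None


def escape_only(phone: str) -> str:
    """Output encoding on its own: neutralises <, >, &, " and ' for an HTML text or
    attribute context.  Not sufficient on its own for JavaScript or URL contexts."""
    return html.escape(phone, quote=True)


def render_phone_hardened(phone: str) -> str:
    """Reject anything outside the allowlist on input, and escape on output anyway,
    so that a later relaxation of the allowlist cannot reintroduce the injection."""
    if not is_valid_phone(phone):
        raise ValueError("phone field rejected: %r" % phone)
    return '<span class="phone">' + escape_only(phone) + "</span>"


def demo() -> dict:
    """For each input: does the naive renderer emit it verbatim, and what does the
    hardened renderer produce (None means the input was rejected)."""
    results = {}
    for p in PAYLOADS:
        try:
            hardened = render_phone_hardened(p)
        except ValueError:
            hardened = None
        results[p] = {"vulnerable_emits_verbatim": p in render_phone_vulnerable(p),
                      "hardened": hardened}
    return results


if __name__ == "__main__":
    for p, r in demo().items():
        print("%-42r vulnerable=%s hardened=%r" % (p, r["vulnerable_emits_verbatim"], r["hardened"]))
```

The same two-layer treatment applies to every profile field a client renders, not only phone numbers; the allowlist is what varies per field, the output encoding does not.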

Such vulnerabilities open the possibility of creating self-replicating attacks if they can be used to target users contained in each victim’s contact list. As each new user is exploited, the worm spreads virally by attacking a whole new set of people. A vulnerability reported in May for Mac versions of Skype was described as wormable, though there are no reports it was ever exploited in the wild. It’s unclear if the current vulnerability is also self-replicating.

Microsoft is in the process of acquiring the popular internet-based phone service. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/skype_security_bug/

German tap-to-pay telco allies don’t need no stinkin’ banks

The German arms of Telefonica and Vodafone, along with Deutsche Telekom, have signed an agreement to take their virtual mpass payment platform physical, without the help of the banks.

The letter of intent, signed by all three companies, states that the mpass system will be set up as a jointly-owned-but-independent company handling payments made by customers of any of the network operators, and without having to pass on a cut to the existing payment processors.

That is in contrast to the rest of the world where mobile operators have been busy conceding the mobile-payments business to the existing providers (Visa, Mastercard and their ilk).

In the USA ISIS was set up to provide a similar mechanism, but has now scaled back plans to welcome in the existing players, while the UK operators have been busy creating a standardised advertising platform so that they can make money from NFC without having to worry about slicing the mobile-payment cake too thinly.

But German operators reckon they can do it, even if it means distributing new point-of-sale equipment to shops and, as NFC Times points out, delaying previously-scheduled launches of independent offerings:

“[Q]ueues at the supermarket will soon be a thing of the past,” says Deutsche Telekom’s ebullient Director of Marketing, espousing the benefits of pay-by-tap.

Mpass already operates in Germany, allowing payments authorised by SMS, and was even available (briefly) in the UK a decade or so ago, but despite its longevity it hasn’t proved very popular. Getting new terminals into every shop in the country will increase the visibility of the brand, but it is the cost of doing just that which has put off operators in so many other countries. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/german_nfc_mpass/

Scotland Yard Four cleared – on phone

Erstwhile Met Police commissioner Sir Paul Stephenson and his one-time colleagues – John Yates, Andy Hayman and Peter Clarke – have all been cleared of misconduct during an inquiry by the cop watchdog into the phone-hacking scandal at News International.

The Independent Police Complaints Commission concluded that Stephenson, who resigned last month, had not committed any offence.

He walked from his job in July while insisting that his “integrity” was intact. Stephenson said at the time that he was stepping down due to the “excessive distraction” his presence at the helm was causing to the effective running of Britain’s largest police force.

“I… considered whether the public interest requires any other matter to be investigated by the IPCC, including Sir Paul’s acceptance of hospitality from a family friend at Champneys Medical, unconnected to his professional life, while he was on sick leave,” said IPCC deputy chair Deborah Glass in a statement issued this lunchtime.

The health spa was promoted by PR firm Outside Organisation, whose managing director was Neil Wallis – the former deputy editor of the News of the World.

Wallis was arrested on 14 July by Met police investigating alleged phone-hacking at the now-defunct Sunday tabloid.

“The public will make its own judgments about whether any senior public official should accept hospitality to this extent from anyone – or indeed about a policy which regards hospitality as acceptable merely because it is disclosed,” said Glass.

“But whether or not the acceptance of hospitality amounts to recordable conduct, I do not consider that it is necessary to investigate it further. Sir Paul Stephenson has given a public account of his actions and of course, has resigned.”

Scotland Yard’s assistant commissioner John Yates also quit his job at the Met last month, as revelations in the phone-tapping saga at News International, which is owned by Rupert Murdoch’s News Corp, continued to unravel.

Glass said today that given Yates had been questioned in six separate parliamentary grillings over his involvement in phone hacking, the IPCC could not see what any further probe would achieve.

“We would agree that he made a poor decision in 2009,” she said.

Last month, Yates told MPs that he regretted not re-opening the Met’s original investigation into phone-hacking claims in 2009.

“I felt the evidence had been followed,” he said at the time.

Yates, who stood down from his position on 18 July, spent one day in 2009 looking at the initial investigation into phone-hacking, but concluded that there was nothing worth pursuing further.

“He himself has acknowledged that, given what is now known, he made a poor decision for which he has now taken responsibility. Had no new investigation into phone hacking begun this may well have been a recommendation, but the current investigation which started in January 2011 makes this unnecessary,” said Glass.

She said she had also found no reason to carry out any further investigation into the conduct of Peter Clarke, who led the original phone-hacking investigation at the Met, which at the time was handling around 70 live operations relating to terrorist plots.

Glass noted that the Met’s ex-deputy commissioner Andy Hayman’s conduct had not been referred to the IPCC by the Metropolitan Police Authority.

“[H]is social contacts with News International and subsequent employment by the Times [which is owned by News International] have been criticised,” she said.

“While there are serious issues that need to be scrutinised about the extent of contact between senior police officers and the media – and particularly around hospitality – in the absence of any actual evidence of impropriety these are, in my view, for the inquiry to explore,” said Glass.

An independent inquiry has been launched by the police watchdog into claims that Yates had secured a job at the Met for the daughter of Neil Wallis.

The former Murdoch man’s Chamy Media company’s contract with Scotland Yard – offering up PR services to England’s largest police force between October 2009 and September 2010 – is also being investigated by the IPCC, said Glass.

The Commission is separately probing alleged police corruption linked to the phone-hacking scandal, which the Met is investigating as part of Operation Weeting.

“Should any further evidence emerge, through our investigations or from the Leveson Inquiry, of any impropriety by an officer, retired or otherwise of any rank, I would expect it to be recorded by the appropriate authority and referred to the IPCC,” Glass added.

“On this basis I will keep all of these decisions under review as the inquiry progresses.”

Yates said in a statement via the Met that he was “pleased” that the IPCC was no longer investigating him in relation to any involvement in the phone-tapping issues that had been flagged by the MPA.

“I am disappointed with the IPCC’s decision to investigate my peripheral involvement in the recruitment process of Neil Wallis’s daughter,” said Yates.

“I strongly deny any wrongdoing and I am completely confident that I will be exonerated.

“I have been entirely open about this matter and I will cooperate fully with the investigation which I hope will be conducted swiftly,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/ipcc_clears_met_cops_over_phone_hacking_misconduct_claims/


Android app logs keystrokes using phone movements

Computer scientists have developed an Android app that logs keystrokes using a smartphone’s sensors to measure the locations a user taps on the touch screen.

TouchLogger, as their demo app is dubbed, allowed its creators at the University of California at Davis to demonstrate a vulnerability in smartphones and tablets that has largely gone unnoticed: While most of these devices lack physical keyboards that have long been known to leak user input, they nonetheless remain susceptible to monitoring through similar side-channel attacks.

Whereas eavesdroppers measure sound and electromagnetic emanation to capture input from traditional keyboards, they can monitor the motion of the device to achieve much the same result from a touch screen.

“Our insight is that motion sensors, such as accelerometers and gyroscopes, may be used to infer keystrokes,” the researchers wrote in a paper (PDF here) presented last week at the HotSec’11 workshop in San Francisco. “When the user types on the soft keyboard on her smartphone (especially when she holds her phone by hand rather than placing it on a fixed surface), the phone vibrates. We discover that keystroke vibration on touch screens are highly correlated to the keys being typed.”

[Screen shot: user interface of the Android data-collection app]

Applications like TouchLogger could be significant because they bypass protections built into both Android and Apple’s competing iOS that prevent a program from reading keystrokes unless it is the active, focused application; the accelerometer, by contrast, could be read by any installed Android app without requesting a permission. The demo was designed to work on an HTC Evo 4G smartphone, where it recovered more than 70 percent of the input typed on the device’s number-only soft keyboard. The app worked by using the phone’s accelerometer to gauge the motion of the device each time a soft key was pressed.

With minor refinements, the researchers believe they can expand the effectiveness of TouchLogger, as well as the devices it will work on.

“The tablet has a larger screen, so hopefully we can get a higher accuracy rate on a qwerty keyboard,” said Liang Cai, a graduate student in UC Davis’s computer science department who collaborated with his advisor Hao Chen. “We didn’t really try it on a large scale of devices.”

Besides targeting devices with larger touch screens, the researchers said TouchLogger could also be improved by tapping other sensors built into the targeted device. Prime candidates include gyroscopes, which measure the rate of rotation, and the camera, to further detect motion. The scientists noted that the W3C had recently published a specification (the DeviceOrientation Event specification) for web applications to read accelerometer and gyroscope sensors from JavaScript, which would put the same side channel within reach of a web page rather than only an installed app. They are in the process of extending their work into a full research project.
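To make the side channel concrete, here is the pipeline a motion-based logger needs: a window of accelerometer samples per tap, a feature extractor that locates the impact spike, and a classifier trained on labelled taps. This is an added toy simulation in Python, not the researchers’ TouchLogger code or data; the sensor model in synth_window (the phone tips towards the tapped key, so the impact sample’s lateral components follow the key’s grid position) and the noise levels are assumptions made for the demonstration, and the number-only keypad layout is the one the article describes.

```python
import random
from math import sqrt

G = 9.8  # rest reading on the axis normal to the screen, m/s^2

# Numeric soft keyboard, 3 columns x 4 rows: key -> (column, row) grid position.
KEY_POS = {
    "1": (-1, 1.5), "2": (0, 1.5), "3": (1, 1.5),
    "4": (-1, 0.5), "5": (0, 0.5), "6": (1, 0.5),
    "7": (-1, -0.5), "8": (0, -0.5), "9": (1, -0.5),
    "0": (0, -1.5),
}


def synth_window(key: str, rng: random.Random, noise: float = 0.25, n: int = 8):
    """Constructed accelerometer window for one tap: n samples of (ax, ay, az).
    ASSUMED sensor model: a hand-held phone tips towards the tapped key, so the
    impact sample's lateral components follow the key's grid position; the other
    samples are gravity plus a little jitter."""
    cx, cy = KEY_POS[key]
    window = []
    for i in range(n):
        if i == n // 2:  # the impact sample
            window.append((cx + rng.gauss(0, noise), cy + rng.gauss(0, noise),
                           G + 1.5 + rng.gauss(0, noise)))
        else:
            window.append((rng.gauss(0, noise * 0.4), rng.gauss(0, noise * 0.4),
                           G + rng.gauss(0, noise * 0.4)))
    return window


def features(window):
    """Locate the impact sample (largest deviation of |a| from 1 g) and use its
    lateral components as the feature vector for the tap."""
    spike = max(window, key=lambda s: abs(sqrt(s[0] ** 2 + s[1] ** 2 + s[2] ** 2) - G))
    return spike[0], spike[1]


def train_centroids(labelled):
    """Nearest-centroid model: mean feature vector per key over labelled taps."""
    sums = {}
    for key, window in labelled:
        fx, fy = features(window)
        sx, sy, c = sums.get(key, (0.0, 0.0, 0))
        sums[key] = (sx + fx, sy + fy, c + 1)
    return {k: (sx / c, sy / c) for k, (sx, sy, c) in sums.items()}


def classify(centroids, window) -> str:
    fx, fy = features(window)
    return min(centroids, key=lambda k: (centroids[k][0] - fx) ** 2 + (centroids[k][1] - fy) ** 2)


def infer_pin(centroids, windows) -> str:
    """Run the classifier over a sequence of tap windows and concatenate the keys."""
    return "".join(classify(centroids, w) for w in windows)


def run_experiment(noise: float = 0.25, seed: int = 1, train_per_key: int = 20,
                   test_per_key: int = 10) -> float:
    """Train on synthetic taps, return accuracy on fresh taps at the same noise level."""
    rng = random.Random(seed)
    labelled = [(k, synth_window(k, rng, noise)) for k in KEY_POS for _ in range(train_per_key)]
    centroids = train_centroids(labelled)
    hits = total = 0
    for k in KEY_POS:
        for _ in range(test_per_key):
            hits += classify(centroids, synth_window(k, rng, noise)) == k
            total += 1
    return hits / total


def demo_pin(pin: str = "1590", noise: float = 0.1, seed: int = 7) -> str:
    """Train a model and recover a constructed PIN typed at low noise."""
    rng = random.Random(seed)
    centroids = train_centroids([(k, synth_window(k, rng, noise)) for k in KEY_POS for _ in range(20)])
    return infer_pin(centroids, [synth_window(d, rng, noise) for d in pin])


if __name__ == "__main__":
    print("hand-held, strong vibration signal:   %.0f%% accuracy" % (100 * run_experiment(0.25)))
    print("weaker signal (e.g. phone on a table): %.0f%% accuracy" % (100 * run_experiment(1.0)))
    print("recovered PIN at low noise:", demo_pin("1590"))
```

Two things the simulation makes visible that the paragraph does not: accuracy is governed by the ratio of inter-key signal separation to motion noise (which is why the paper singles out hand-held typing, and why a larger tablet screen should help), and a gyroscope would simply add more dimensions to the same feature vector, so the classifier needs no structural change to absorb it.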

For now, they hope to get the word out that the motion detected by a smart device’s own sensors could expose highly valuable information, including passwords, social security numbers and credit card numbers.

“We hope to raise the awareness of motion as a significant side channel that may leak confidential data,” they wrote. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/android_key_logger/

Hackers breach website for SF transit agency police

Hackers breached the website belonging to a police union and posted sensitive personal information for more than 100 officers who work for a San Francisco regional transit authority.

The breach of bartpoa.com was the second time in less than a week that websites affiliated with Bay Area Rapid Transit have been targeted by hackers. Over the weekend, people claiming to be members of the Anonymous hacking collective said they were protesting BART by publishing personal information for more than 2,000 passengers who had nothing to do with the agency’s management.

People claiming to be members of Anonymous took credit for the attack that exposed passenger data. It was less clear what role the group had in Wednesday’s breach.

“The leak today of BART officer data could be the work sanctioned by those who truly support anonymous, or agent provocateurs,” a tweet from AnonyOps said. “Stay skeptical.”

A later dispatch on the microblogging site said: “People who are against anonymous know they can do things under the name ‘anonymous’ and never be questioned. This is anonymous, defined.”

A posting on Pastebin.com listed the names, home and email addresses and site passwords of 102 BART police officers. At time of writing, bartpoa.com was inaccessible.

It’s unclear exactly how the hackers compromised the police officer data.

The hackers in the earlier attack claimed to access the passenger information by exploiting a rudimentary security flaw in MyBart.org, which is owned by BART. BART officials have declined to say whether the site was ever reviewed by outside security auditors.

The attacks follow a controversial move to disable cellular service in at least four San Francisco BART stations last week. BART management took that action to disrupt a planned demonstration that protesters were organizing online. BART officials said its decision to turn off the nodes that connected carriers to underground antennas was legal and necessary to prevent unsafe conditions in confined spaces. Critics have compared the move to those taken by former Egyptian President Hosni Mubarak to quash protests against his rule.

The BART demonstrations were protesting the fatal shooting by BART police in July of a homeless man who allegedly brandished a knife as he lunged at officers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/new_bart_hack_attack/

Better ATM skimming through thermal imaging

Security researchers have found that thermal cameras can be combined with computer algorithms to automate the process of stealing payment card data processed by automatic teller machines.

At the Usenix Security Symposium in San Francisco last week, the researchers said the technique has advantages over more common ATM skimming methods that use traditional cameras to capture the PINs people enter during transactions. That’s because customers often obscure a camera’s view with their bodies, either inadvertently or on purpose. What’s more, it can take a considerable amount of time for crooks to view the captured footage and log the code entered during each session.

Thermal imaging improves on this because the keys retain residual heat from the fingertip, so the code can be recovered for some time after it is entered, from a frame captured once the customer has walked away. The camera’s output can also be processed by an algorithm that automates translating it into the secret code.

The findings expand on 2005 research from Michal Zalewski, who is now a member of Google’s security team. The Usenix presenters tested the technique laid out by Zalewski on 21 subjects who used 27 randomly selected PINs and found the rate of success varied depending on variables including the types of keypads and the subjects’ body temperature.

“In summary, while we document that post-hoc thermal imaging attacks are feasible and automatable, we also find that the window of vulnerability is far more modest than some feared and that there are simple counter-measures (i.e., deploying keypads with high thermal conductivity) that can shrink this vulnerability further still,” the researchers wrote.

A PDF of their paper, which is titled Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks, is here. ®
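The automation the researchers describe reduces to ordering the warm keys by residual heat: the key pressed first has had longest to cool, so it is the coolest of the warm keys, and the warmest was pressed last. The Python below is an added example, not the code or data from the paper; the thermal frames are constructed (one temperature per key, in degrees C) and the threshold and separation values are assumptions. It also handles the two cases a single frame cannot resolve on its own: a repeated digit (fewer warm keys than PIN digits) and residue from an earlier transaction (more warm keys than digits), and enumerates the candidate PINs consistent with the heat ordering when a digit repeats.

```python
from itertools import product
from statistics import median

# ATM-style PIN pad, 4 rows x 3 columns (the two non-digit keys are ignored).
KEYPAD = [["1", "2", "3"], ["4", "5", "6"], ["7", "8", "9"], ["*", "0", "#"]]

# Constructed thermal frames: one temperature per key, degrees C, captured a few
# seconds after the transaction.  Not data from the paper.
FRAME_1590 = [[23.1, 22.0, 22.1],
              [21.9, 23.8, 22.0],
              [22.1, 22.0, 24.4],
              [22.0, 24.9, 21.9]]
FRAME_REPEAT = [[22.0, 23.5, 22.1],   # PIN with a repeated digit: only 3 keys warm
                [22.0, 24.6, 21.9],
                [22.1, 24.3, 22.0],
                [22.0, 22.0, 22.1]]


def recover_pin(frame, pin_length: int = 4, threshold: float = 0.5, min_separation: float = 0.2):
    """Order the warm keys by residual heat.  The key pressed first has cooled the
    longest, so the coolest warm key is taken as the first digit.  Returns
    (digits, warnings); warnings flag what one frame cannot resolve."""
    ambient = median(t for row in frame for t in row)   # most keys are untouched
    warm = []
    for r, row in enumerate(frame):
        for c, temp in enumerate(row):
            key = KEYPAD[r][c]
            if key.isdigit() and temp - ambient > threshold:
                warm.append((temp - ambient, key))
    warm.sort()                                          # coolest (earliest) first
    warnings = []
    if len(warm) > pin_length:
        warnings.append("%d warm keys for a %d-digit PIN: older residue present, keeping the %d warmest"
                        % (len(warm), pin_length, pin_length))
        warm = warm[-pin_length:]
    if len(warm) < pin_length:
        warnings.append("only %d warm keys: a digit repeats and its positions are unknown" % len(warm))
    for (d1, k1), (d2, k2) in zip(warm, warm[1:]):
        if d2 - d1 < min_separation:
            warnings.append("order of %s and %s is ambiguous (%.2f C apart)" % (k1, k2, d2 - d1))
    return "".join(k for _, k in warm), warnings


def expand_repeats(order: str, pin_length: int):
    """All PINs of the given length that use exactly the keys in `order` and whose
    last-press order matches it: a key pressed twice shows the heat of its last press,
    so the frame fixes the order of last occurrences, not of every keystroke."""
    keys = list(order)
    out = []
    for cand in product(keys, repeat=pin_length):
        if set(cand) != set(keys):
            continue
        last = [max(i for i, d in enumerate(cand) if d == k) for k in keys]
        if last == sorted(last):
            out.append("".join(cand))
    return out


if __name__ == "__main__":
    for name, frame in (("FRAME_1590", FRAME_1590), ("FRAME_REPEAT", FRAME_REPEAT)):
        digits, warnings = recover_pin(frame)
        print(name, "->", digits, warnings or "")
        if len(digits) < 4:
            print("  candidates:", expand_repeats(digits, 4))
```

The warning paths are where the paper’s caveat lives: the ordering is only as good as the temperature differences between keys, which shrink as the keypad cools (and faster on a conductive keypad), so an attacker’s window is measured in seconds and repeated digits multiply the candidates a single frame leaves open.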

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/thermal_imaging_atm_fraud/

Op Weeting plods cuff 13th hack in phone-hack probe

The Metropolitan police have arrested another man as part of its ongoing investigation into alleged phone-hacking at axed Sunday tabloid News of the World.

“On Thursday, 18 August, officers from Operation Weeting arrested a man [H], aged 38, on suspicion of conspiring to unlawfully intercept voicemails contrary to section 1(1) Criminal Law Act 1977,” said Scotland Yard in a brief statement this morning.

The unnamed man was cuffed by appointment at a London police station, where he remains in custody.

This arrest brings the total number of people arrested in connection with the NotW phone-hacking scandal to 13.

A Guardian report suggests that James Desborough, who joined the tabloid as a showbiz reporter in 2005 before being promoted to Hollywood editor in 2009, is the man currently being quizzed by police. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/police_arrest_man_operation_weeting/

Outsourcer says rivals faked stolen database offer

eBay-style outsourcing site PeoplePerHour says a rival firm faked emails which claimed to be offering the company’s customer database for sale.

The company initially feared that a disgruntled ex-contractor had swiped customer records and was offering them for sale to rival companies. The rivals declined the offer and tipped off PeoplePerHour.

Company founder Xenios Thrasyvoulou said: “We have now looked extensively into the matter, including getting the headers of the initial email that was sent to our competitors informing them that they have a database and contacting this supposed fraudster in India. We also got access to the email account via Google as we filed a fraud complaint with them.”

He said the email headers showed that the email could not have been sent from India where the contractor is supposedly based. Additionally the fake mails used an actual contractor’s name, but added a digit at the end.

Thrasyvoulou said: “So: all the evidence shows that someone (probably an envious competitor) got the name of a former contractor (which is very easy to get from places like LinkedIn etc), created a Gmail account in their name with a slightly different suffix and sent this out to competitors and the press. It’s a lame attempt to hurt us.”

The company is confident no customer data was compromised.
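The header analysis the company describes is routine email forensics: walk the Received: chain from the bottom (the originating client) upwards, and compare what the message claims with what it carries. The Python below is an added example, not the message PeoplePerHour examined; RAW_MESSAGE is constructed, uses RFC 5737 documentation addresses, and models the two indicators mentioned above (a contractor name with a digit appended, and an origin that does not fit India). The claimed origin is expressed as a UTC offset (India is UTC+05:30) because the Date: header is something a sender’s client stamps and is the one piece of timing evidence available offline.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message (not the real one).  It claims to come from a contractor
# based in India but carries a +0100 timestamp and a name with a trailing digit.
RAW_MESSAGE = """\
Received: from relay.example-mailer.net (relay.example-mailer.net [198.51.100.171])
        by mx.competitor.example with ESMTPS id k2si9371;
        Tue, 16 Aug 2011 10:14:22 +0000
Received: from [192.0.2.44] (cpe-192-0-2-44.example.net [192.0.2.44])
        by smtp.example-mailer.net with ESMTPSA id q7sm2210;
        Tue, 16 Aug 2011 03:14:20 -0700 (PDT)
Date: Tue, 16 Aug 2011 11:14:18 +0100
From: Rajesh Sharma2 <rajesh.sharma2@example-mailer.net>
To: sales@competitor.example
Subject: PeoplePerHour customer database for sale

Complete customer list available, contact me for a price.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw: str):
    """IPs from the Received: headers, oldest hop first.  Each relay prepends its
    own line, so the bottom-most header names the originating client."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(header)          # first bracketed IP is the 'from' host
        if m:
            hops.append(m.group(1))
    return hops


def date_utc_offset_minutes(raw: str) -> int:
    """UTC offset the sender's client stamped into the Date: header."""
    dt = parsedate_to_datetime(message_from_string(raw)["Date"])
    return int(dt.utcoffset().total_seconds() // 60)


def sender_display_name(raw: str) -> str:
    return parseaddr(message_from_string(raw)["From"])[0]


def name_has_appended_digit(name: str) -> bool:
    """'Rajesh Sharma2' style: a real-looking name with a digit glued on the end."""
    return re.search(r"[A-Za-z]\d+$", name.strip()) is not None


def origin_report(raw: str, claimed_offset_minutes: int = 330) -> dict:
    """Collect the indicators that can contradict a claimed origin."""
    hops = received_chain(raw)
    offset = date_utc_offset_minutes(raw)
    name = sender_display_name(raw)
    return {
        "hops": hops,
        "originating_ip": hops[0] if hops else None,
        "date_offset_minutes": offset,
        "offset_matches_claim": offset == claimed_offset_minutes,
        "sender_name": name,
        "name_has_appended_digit": name_has_appended_digit(name),
    }


if __name__ == "__main__":
    for k, v in origin_report(RAW_MESSAGE).items():
        print("%-24s %s" % (k, v))
```

Two caveats apply when reading the output. Only the Received: lines added by servers you control are trustworthy; everything below them, the Date: header included, was written by the sender and can be forged. And mail submitted through a webmail interface often carries no client address at all, so the originating IP may simply be absent; its absence is then a property of the provider, not evidence of anything.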

The site is one of several offering “bid for a contractor” services to small businesses but we had no idea competition in this market was so cut-throat. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/18/peopleperhour_denies_leak/