STE WILLIAMS

1 in 6 Windows PCs naked as a jaybird online

One in six Windows PCs worldwide are hooked up to the internet with no basic security software, according to a study by McAfee.

The computer security firm’s study, conducted across 24 countries using data from an average of 27 to 28 million personal computers each month, found 17 per cent of machines were running with either disabled or nonexistent antivirus software and firewall defences.

The survey’s figures come from anonymised data voluntarily submitted by consumers around the world using the free diagnostic tool McAfee Security Scan Plus. The Windows-only software checks the user’s computer for threats, antivirus software and firewall protection.

Web surfers who install Scan Plus are likely to have a problem with their computers that prompted them to use the technology in the first place – so they might be less well protected than the general population. McAfee’s figures are thus probably best regarded as indicative rather than definitive.

The US ranked in the bottom five least-protected consumer PC populations, with 19.32 per cent of punters living without basic security, according to McAfee’s stats. The situation was much better, but still not exactly brilliant, in Finland where only 9.7 per cent of consumer PCs went unprotected.

The lack of antivirus software puts valuable documents, such as pictures and financial records, at risk of destruction if malware corrupts a system. A separate study found that consumers globally say 27 per cent of their digital files would be “impossible to restore” because they are not backed up properly.

McAfee has a clear self-interest in talking up the need for consumers to run antivirus suites. Along with Symantec and Kaspersky Lab, it is the main supplier of paid-for security software to consumers, after all. Many basic and perfectly functional antivirus packages for Windows are also available from the likes of Avira, Avast or AVG. Microsoft also supplies a basic antivirus scanner.

Each of these scanners is far from effective at blocking brand-spanking new banking Trojans or botnet agents, but they are the best defence (along with patching) punters have against ruthless hackers. So the question arises: if security software is important, why isn’t everyone running it?

McAfee reckons that some consumers avoid using antivirus software in the mistaken belief that they are unlikely to be hit by viruses.

“Many consumers still believe that by simply sticking to known ‘safe’ sites, they’ll be protected from all forms of malicious content,” McAfee comments in a blog post about its scan results, published on Tuesday.

“The fact is: the prevalence of sophisticated attacks is rising at an alarming rate. Furthermore, with the adoption of smartphones and tablets, mobile malware has become an immediate threat due to easily accessible personal data like financial and credit card information stored on mobile devices.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/30/unprotected_windows_survey/

Trojan poses as privacy tool, spies on Iranian surfers

Backdoored versions of a widely used privacy tool have surfaced in Iran, raising fears that its government is using the Trojanised software to spy on its citizens.

A free encrypted proxy tool called Simurgh – official website https://simurghesabz.net – is used by many Iranians to circumvent locally applied net censorship technologies. Recently a Trojanised version of the tool (Simurgh-setup.zip) has begun appearing on file-sharing networks and warez sites.

The real software works as a standalone tool that can be run off a USB stick at locations such as cybercafes and other public internet access points. By contrast, the Trojanised version requires installation on a client PC. Thereafter, the software tracks user activities including keystrokes and websites visited. This data is then uploaded to US-based servers registered to a Saudi Arabian organisation, human rights activist group CitizenLab.org says.

Morgan Marquis-Boire from CitizenLab.org was among the first to publicise the presence of malware in knock-off copies of a tool used by Iranian dissidents and others looking to safeguard their privacy or visit proscribed websites.

Both the Trojanised version of the tool and the real thing connect to a web page that confirms that users are surfing through a proxy. Developers at Simurgh are taking advantage of this behaviour to automatically detect if a surfer is using a Trojanised version of their software before warning them that they are in danger.

Iran’s internet censorship regime already blocks access to many foreign websites, social networks and other web services. Attempts to “phish” for social network usernames and passwords have been reported in Syria and Iran, as well as the use of false security certificates. More recently Iran rolled out the capability to block https and the ports used by Virtual Private Networks, according to Reporters Without Borders (here).

The web has played a central role in recent campaigns of political dissent inside the country and free expression more generally – hence the ongoing push by the country’s rulers to tighten the screws on what its citizens can do online. This has stimulated interest in web proxies, such as Simurgh, designed to circumvent censorship controls, making the appearance of Trojanised versions of the tool all the more dangerous.

“This malware is targeting users for whom having their communications compromised could result in imprisonment or worse,” warns Chester Wisniewski, a senior security advisor at Sophos Canada. Wisniewski added that it is “almost always a bad idea” to download and run files from unknown websites, especially files from torrent and file-sharing sites. Computer users would do far better to go to a developer’s website for software download instead, he argues.

A blog post by Sophos explaining the Trojanised Simurgh threat in greater depth can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/30/trojaned_privacy_tool_hits_iran/

Friends fooled by Facebook Timeline ‘removal tool’ scams

Two separate “Timeline-removing” spam scams are doing the rounds on Facebook, security watchers warn.

Both ruses feature dodgy messages targeting users of the social network who happen to dislike the recently introduced feature, and are looking for a way to go back to the “old look”. In the first case, users who take the bait are encouraged to install a browser plug-in that supposedly removes Facebook Timeline from social networking profiles.

At the time of writing on Tuesday lunchtime, anti-virus vendor Sophos was in the process of evaluating what the software, available for download from a recently established website in Turkey, actually does. In the meantime it advises users to avoid installing the plug-ins.

Screenshots of the messages, and the browser plug-ins they, err, plug, can be found in a blog post by Sophos here.

Timeline-exorcising browser extensions are also being offered via an application called “Facebook Timeline Remover”, Chris Boyd of GFI Software warns. However, in this case no browser plug-in is actually on offer. Marks are instead invited to complete a collection of surveys, enriching dodgy marketing affiliates in the process. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/30/facebook_timeline_remover/

Silicon backdoor: not an international crisis

Is it something to do with Slavic names? The Register is quite accustomed to Eugene Kaspersky’s astonishing ability to escalate every threat into a “cybergeddon”; now Cambridge researcher Sergei Skorobogatov seems to have taken his lessons to heart.

Let’s pick up the high points of Skorobogatov’s story again: (1) a ‘military grade’ FPGA that is (2) manufactured in China (3) has a backdoor. With a combination like that, the headlines are guaranteed – even if the threat is nebulous.

First, as Errata Security points out, “military grade” does not have the “wow, spook stuff!” meaning that it’s been given in too many outlets. Here is Actel’s outline of specifications for the ProASIC3 series of chips, including the mil-spec device. The first table shows the difference between different devices in the series; the A3P1000 is the “military” version – which means that it has been tested to military temperature requirements.

“Military” doesn’t mean “this is a chip designed to protect military secrets.” It means “if you put this chip into a product it can stand temperatures from -55°C to 125°C.”

Errata Security also points out that “manufactured in China” does not mean “the Chinese tampered with the design to insert the backdoor”. Following the old rule that a stuff-up is more likely than a conspiracy, Errata suggests that the backdoor was probably an intentional feature that the designers forgot to disable when they committed the FPGA’s design to manufacture.

It’s also important to remember that even if the backdoor exists, and even if it’s malicious, it’s not a very useful backdoor. For example, it’s not likely to enable a remote attack allowing Boeing 787 Dreamliners to drop out of the sky.

FPGAs are attacked not by sending a packet over the Internet with the evil bit set. To interfere with the FPGA, you need physical access to the device, and the appropriate equipment and software to program it.

That puts into context another observation made by Errata Security: the purpose of the encryption that Skorobogatov has cracked. The encryption exists not to protect communication between the device and the Big Bad Internet (more on this in a second) – it exists to protect the design placed on the chip. In other words, the threat is not that “military secrets will be stolen”, it’s that your design (and therefore your intellectual property) will be copied. At worst, if that particular chip was in something like a military drone, and if it were captured by an enemy, and if they were able to reproduce the attack – then the design might yield useful information about the drone’s design.

There is, of course, a scenario in which the FPGA might communicate with the Internet: the design implemented on the chip might be a communications stack. Even in that case, the purely internal encryption, designed to protect the gate designs on the chip, has nothing to do with its relationship to the outside world.

Should sensitive users of the chip be worried? Certainly. They want their designs protected. There’s even a discernible risk to someone like Boeing, since it’s feasible that someone with legitimate access to FPGAs might be persuaded or forced to reprogram them with malicious code, or steal Boeing’s code.

For the rest of us, our time would be better spent defending ourselves against the thousands of threats that affect our security. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/29/researcher_trolls_internet_with_silicon_backdoor/

Super-powerful Flame worm could take YEARS to dissect

Analysis The exceptionally complex Flame malware, this week found on numerous systems across the Middle East and beyond, is likely to take months if not years to analyse.

Early indications suggest that Flame is a cyber-espionage toolkit that has penetrated computers primarily, but not exclusively, in Iran and Israel. The worm may have been in circulation for at least two years (and perhaps much longer) but only hit the news on Monday following a series of announcements by security groups and antivirus firms.

Iran’s National Computer Emergency Response Team published a warning about the data-stealing virus, promising an antidote: so far the malware has completely evaded detection by commercial antivirus scanners. Iranian researchers described the malware as a “close relation” to Stuxnet, the famously well-engineered nasty that sabotaged industrial control systems linked to Iran’s controversial nuclear programme.

Kaspersky Lab said the UN International Telecommunication Union had alerted it to Flame and asked for help analysing the malware, which was believed to be wiping information from Middle Eastern computers. Kaspersky said the unusually large virus has been spreading since March 2010.

However, Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS) fear Flame may have been active for somewhere between five and eight years. The Budapest-based lab published a preliminary analysis [PDF] of the malware, which it dubbed sKyWIper – the CrySyS Lab realised the complex piece of malicious software that it had been analysing for weeks was clearly a build of Flame.

Other security firms have since waded in with their own observations and early analysis; confusingly, other researchers are calling the threat either Viper or Flamer.

There’s general consensus that Flame is the most elaborate malware threat ever uncovered, and that it was almost certainly developed by a state-sponsored team. The Hungarian team concludes that the malware was “developed by a government or nation state with significant budget and effort, and may be related to cyber warfare activities”.

How Flame spread its digital inferno

The 20MB virus compromises Windows-based PCs and stealthily installs itself before stealing data and passwords, taking screenshots and surreptitiously turning on microphones to record audio conversations. The malware sets up a backdoor and opens encrypted channels to command-and-control (C&C) servers using SSL protocols.

Flame shares some characteristics with the earlier Duqu and Stuxnet worms, but also has a number of differences.

Like Stuxnet and Duqu, Flame malware can spread via USB sticks and across insecure networks. All three infect machines running Microsoft’s operating system. Flame contains exploits for known and fixed vulnerabilities, such as the print spooler’s remote code execution bug and the .lnk security hole first found in Stuxnet.

However, Flame is much more complex than either Stuxnet or Duqu: it is made up of attack-launching modules that can be swapped in and out as required for a particular job; it uses various open-source libraries including libz for compression; it is spread out over several files rather than as one executable; and most unusually it uses a database managed by the SQLite library.

It also executes a small set of scripts written in Lua – a programming language favoured by computer game makers such as Rovio for Angry Birds. These direct the operation of the attack modules.

Several Flame files claim to be Microsoft Windows components, but none are signed with a valid (or even possibly stolen) private key – unlike the signed files used by Duqu and Stuxnet.
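The unsigned-but-Microsoft-looking files described above suggest a simple triage check that a defender can run on a Windows host. The following PowerShell script is an added example, not code from the article or from any of the vendors it quotes: it walks the system directories (the paths are an assumption; adjust them for your environment), picks out executables whose version metadata names Microsoft as the company, and reports any that do not carry a valid Authenticode signature.

```powershell
# Added example (not from the article). Report binaries that claim to be Microsoft
# components in their version metadata but lack a valid Authenticode signature.
# Genuine Microsoft components are signed; an unsigned file that claims to be one
# deserves a closer look. The directory list below is an assumption; adjust as needed.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
)

$findings = foreach ($dir in $Paths) {
    if (-not (Test-Path -Path $dir)) { continue }

    Get-ChildItem -Path $dir -Include *.exe, *.dll, *.ocx, *.sys -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $company = $_.VersionInfo.CompanyName
            # Only files that present themselves as Microsoft's are of interest here.
            if ($company -and $company -match 'Microsoft') {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Company   = $company
                        Status    = $sig.Status
                        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                        LastWrite = $_.LastWriteTime
                    }
                }
            }
        }
}

# Most recently modified files first, since a fresh drop is the usual reason to care.
$findings | Sort-Object -Property LastWrite -Descending | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: on some Windows versions many legitimate system files are signed through security catalogs rather than embedded signatures, so a non-Valid status is a prompt to check the file's hash against a known-good source, not proof of tampering.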

Both Duqu and Stuxnet targeted industrial control systems, while Flame is far more promiscuous. Crucially, analysis suggests that while Stuxnet and Duqu use the same building blocks (a common platform most likely used by the same programming team), Flame is independent of this architecture.

“The threat shows great similarity to Stuxnet and Duqu in some of its ways of operation yet its code base and implementation are very different, and much more complex,” McAfee notes, hypothesising that Flame might be a “parallel project” to Stuxnet and Duqu.

Worm rears head after attacks on oil field systems

Over recent weeks, prior to Monday’s announcement about the malware, Iran reported intensified cyber-attacks on its energy sector, which it described as a direct continuation of the Stuxnet and Duqu attacks. This may be linked to a decision last month to disconnect the main oil export terminal on Kharg Island in the Persian Gulf following a computer virus infection.

“Evidently, the threat has been developed over many years, possibly by a large group or dedicated team,” McAfee notes.

“We found publicly available reports from anti-spyware companies, and log files in public help forums, which could indicate infections of early variants of Skywiper in Europe and Iran several years ago (for example: March 2010). Skywiper appears to be more widely spread than Duqu, with similarly large numbers of variants.”

Symantec agrees with its rival’s assessments that Flame was developed by a team, concluding that the “code was not written by a single individual but by an organised well-funded group of personnel with directives”. Unlike Stuxnet, Flame is not particularly targeted and has spread to civilians’ systems in many countries.

“Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear,” Symantec said.

“However, initial evidence shows the victims may not all be targeted for the same reason. Many appear targeted for individual personal activities, rather than their company of employment. Interestingly, in addition to particular organisations being targeted, many of the attacked systems appear to be personal computers being used from home Internet connections.”

David Harley, senior researcher at ESET, agreed with McAfee that Flame and Stuxnet are more different than they are similar.

“Whether it’s actually targeting a specific country is not clear: after all, Stuxnet is nowadays assumed to have been targeting Iran, but was originally detected over a very wide area,” Harley said. “While there’s speculation that Flamer is linked in some way to Stuxnet and Duqu, that seems to me to be purely speculative right now, as the code seems very different.”

Other than saying it’s likely the work of state-sponsored black hat coders, possibly in the employ of an intelligence agency, nobody is speculating who is behind Flame. A lot of the same caveats apply to Stuxnet, but circumstantial evidence does point towards some sort of joint Israeli-US operation.

Even though the full capabilities of Flame, much less who created it and why, remain a bit of a mystery, security firms can at least add detection for the malware now that samples are circulating among researchers.

“Other tricks that Skywiper/Flame might have up its sleeve may take some time to ascertain. It’s code more than twenty times larger than Stuxnet, which means it could take substantial effort to analyse it all,” writes Graham Cluley, a senior security consultant at Sophos. “Fortunately, complete code analysis is not necessary to add detection.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/29/flame_cyberweapon_analysis/

Researchers find backdoor in milspec silicon

A pair of security researchers claim to have found a back door in a commercial field-programmable gate array (FPGA) marketed as a secure tool for military applications.

The FPGA in question is the Actel ProASIC3, a device that manufacturer Microsemi recommends for use in “portable, consumer, industrial, communications and medical applications with commercial and industrial temperature devices,” but which also comes in models boasting “specialized screening for automotive and military systems.”

Sergei Skorobogatov, a researcher at the University of Cambridge, and Christopher Woods of London’s Quo Vadis Labs have released a draft paper (PDF) describing a method whereby attackers can “disable all the security on the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device.”

The pair chose the ProASIC3 for their tests because, they say, it is a very widely used device, boasts of superior security and is known to have military users. Those qualities, the pair say, made it an ideal subject for a back door hunt.

The pair used Actel’s own analysis tools and the Joint Test Action Group (JTAG) interface to analyse the silicon. That analysis yielded undocumented features, thanks to discovery of what the draft paper calls “command field and data registers.”

The pair also applied differential power analysis (DPA), a method of analysing variations in electrical activity that hint at tasks being performed in silicon, and “Pipeline Emission Analysis (PEA)” to probe the device “in an attempt to better understand the functionality of each unknown command.” Just how PEA does so is not clear: the draft paper says PEA was developed by the “sponsor” of the research, but that entity is not revealed. Even the footnote describing the technique has been redacted so it reads “Removed to comply with anonymity requirement for submission”.

But the paper hints PEA is a more sensitive version of DPA, describing it as follows:

“The outstanding sensitivity of the PEA is owed to many factors. One of which is the bandwidth of the analysed signal, which for DPA, stands at 200 MHz while in PEA at only 20 kHz.”

PEA seems to have done the trick, yielding evidence of a passkey that allows control of many features in the FPGA.

“Further investigation,” the paper says, “revealed that this is a backdoor function with the key capable of unlocking many of the undocumented functions, including IP access and reprogramming of secure memory.”

The paper is clearly marked as a draft and Skorobogatov promises to detail the exploit fully at the 2012 Workshop on Cryptographic Hardware and Embedded Systems in Belgium.

One imagines the presentation will be rather well attended. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/29/silicon_backdoor/

Google Apps win ISO 27001 certification

Google has proudly told the world its online productivity suite, Google Apps, has gained the ISO’s good cloudkeeping seal of security approval, in the form of the ISO 27001 security certification.

Eran Feigenbaum, Google Enterprise’s Director of Security, let us all know the good news on Monday, US time, and named Ernst & Young CertifyPoint as Google’s auditor.

The announcement was made without any of the recent unpleasantness over security for cloud apps which, as we reported earlier this month, saw Google and Microsoft swap accusations about just whose cloud suites have achieved the FISMA certification required to win business from the US government.

Google has had that accreditation sewn up for a while now. With ISO 27001 also on its trophy shelf alongside SSAE 16 / ISAE 3402 certificates, the company now feels its security credentials are second-to-none and that “businesses are beginning to realize that companies like Google can invest in security at a scale that’s difficult for many businesses to achieve on their own.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/29/google_apps_iso_27001/

Complex cyberwar tool ‘Flame’ found ALL OVER Middle East

A new super-cyberweapon targeting countries like Iran and Israel that has been knocking around in computers for two years has been discovered by researchers.

“Flame”, a highly sophisticated piece of malware, was unearthed by the International Telecommunication Union (ITU) and Kaspersky Lab, which said it was more complex and functional than any cyber threat it had seen to date.

Because Flame is so super-complicated and because of the geography of the attack, Kaspersky Lab’s global research and analysis team head Alexander Gostev said he was in “no doubt” that it was a state-sponsored worm.

Flame is a cyber espionage program that steals data such as computer display contents, information about targeted systems, stored files, contact info and even audio conversations. Kaspersky Lab said that the worm’s features were different from Duqu and Stuxnet, but it matched up with them when comparing where it attacked, the software vulnerabilities it uses and the fact that only certain computers were targeted.

“Stuxnet and Duqu belonged to a single chain of attacks, which raised cyberwar-related concerns worldwide,” Eugene Kaspersky said in a canned statement. “The Flame malware looks to be another phase in this war, and it’s important to understand that such cyber weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case.”

Iran’s National Computer Emergency Response Team posted a warning about the malware on its site today and said a fix would be coming soon.

“At the time of writing, none of the 43 tested anti viruses could detect any of the malicious components. Nevertheless, a detector was created by Maher centre and delivered to selected organisations and companies in first days of May,” the site said.

“And now a removal tool is ready to be delivered.

“The research on samples implies that the recent incidents of mass data loss in Iran could be the outcome of some installed module of this threat,” it added.

Kaspersky Lab said it was currently doing deeper analysis of Flame, which has been in the wild since March 2010, and it would tell everyone what it learned on its blog posts.

“For now what is known is that it consists of multiple modules and is made up of several megabytes of executable code in total – making it around 20 times larger than Stuxnet, meaning that analysing this cyber weapon requires a large team of top-tier security experts and reverse engineers with vast experience in the cyber defence field,” the security firm said.

Gostev said that the malware was still stealing data.

“One of the most alarming facts is that the Flame cyber attack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/28/kaspersky_discovers_flame_worm/

Ex-Nokia Siemens engineer admits eBaying nicked routers

A hard-up ex-engineer at Nokia Siemens swiped wireless routers worth thousands of pounds from his employer to refurbish and flog on eBay.

Dewaldt Hermann, 33, appeared at Swindon Crown Court to admit he was behind a spate of thefts some months after he started work at the firm, Newbury Today reports.

Tessa Hingston, prosecuting, said Hermann had trousered £6,000 from peddling the stolen goods by the time the police raided his garage to find more stolen kit.

Hermann was snared when he left his PC logged into his eBay account after leaving Nokia Siemens’ Kembrey Park office in Swindon, the court was told. A colleague using the machine found auction listings of equipment belonging to the firm.

The routers were estimated to have cost Nokia Siemens £28,000 when new, but had a scrap value less than a quarter of that tally. The units were stored in the firm’s office after being returned by biz customers, which Hermann believed were due to be dumped, said David Maudner, defending.

He said Hermann, a married father of two teenage step-children, felt financial pressures after his wife was forced to take part-time work, and pointed to his client’s clean criminal record.

After Hermann pleaded guilty to theft on 22 May, Judge Euan Ambrose told him “the items that you stole had a variety of different fates”.

“Some were repaired, refurbished and sold on eBay. In fact, your work had effect and they were sold at a greater value than they would have been worth. Some you still had in your garage,” he added.

Judge Ambrose said the total value of routers, which were taken in late 2010, was a little over £7,000.

He handed Hermann a one-year community order and told him to complete 300 hours of community service. Hermann, of Peregrine Road, Bishop’s Green, was also ordered to cough up £725 in court costs. The branch of Nokia Siemens that he worked for has since closed and the firm was not seeking compensation.

It was revealed during the case that, after leaving Nokia Siemens, Hermann landed a job in September 2011 as a field networks engineer at 2e2. But a spokesman confirmed to El Reg that he has been “suspended” due to the court case. 2e2 made no further comment, Nokia Siemens did not respond to calls and Hermann was unavailable to comment. ®

Article source: http://go.theregister.com/feed/www.channelregister.co.uk/2012/05/28/hermann_court_case/