STE WILLIAMS

Facebook “cloaking” flaw allows unexpected snooping

University College London research student Shah Mahmood and Chair of Information Communication Technology Yvo Desmedt have told a conference of what they call a “zero day privacy loophole” in Facebook.

Details of the loophole, which the pair name the “Deactivated Friend Attack”, were presented at the IEEE International Workshop on Security and Social Networking (SESOC 2012) in Lugano, Switzerland on March 19th.

The pair say the attack works like this:

“Our deactivated friend attack occurs when an attacker adds their victim on Facebook and then deactivates her own account. As deactivation is temporary in Facebook, the attacker can reactivate her account as she pleases and repeat the process of activating and deactivating for unlimited number of times. While a friend is deactivated on Facebook, she becomes invisible. She could not be unfriended (removed from friend’s list) or added to any specific list.”

Complicating matters is the fact that, the pair say, Facebook users aren’t told when friends de-activate or re-activate accounts.

That means trouble if the account is re-activated, as the newly-re-activated friend regains access to anything their connections have posted. Once they’ve rummaged around, they can de-activate the account again and their friends will almost certainly not know what has happened or that they’ve shared information.

The pair label this behaviour “cloaking” and cannot resist explaining it with a Star Trek metaphor, writing “Badass Blink or Jem’Hadar has to uncloak (be visible), even if only for a moment, to open fire.”

The extended abstract of the talk asserts cloaking is a problem because many Facebook users aren’t very discriminating about whom they befriend on the service. Some could therefore Friend members whose only intention is to “cloak” their accounts and then “… activate her account at the moment least likely to be detected and crawl her victims profile for information, keeping an updated record.”

That’s bad because, the pair say, “Various groups of information aggregators including marketers, background checking agencies, governments, hackers, spammers, stalkers and criminals would find this attractive as a permanent back door to the private information of a Facebook user.”

The user would never know of that information-gathering effort, unless they happened to be paying attention to the temporarily uncloaked account.

To prove the approach works, the pair say they conducted a lengthy experiment in which a dummy account acquired many friends and conducted frequent cloaking and uncloaking without attracting much attention.

The fix, the pair say, is for Facebook to notify users of de-activations and re-activations, so that odd behaviour can be spotted. Flagging of accounts that cloak is another option, as is removing re-activation features altogether. ®.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/20/facebook_deactivated_friend_zero_day/

That MYSTERY Duqu Trojan language: Plain old C

An appeal for help from the programming community has allowed antivirus analysts to classify the unknown language used to develop key components of the Duqu Trojan.

Duqu creates a backdoor on compromised SCADA-based industrial control systems. The malware is closely related to the nuke plant centrifuge-busting Stuxnet worm and was probably developed by the same group. Security researchers at Kaspersky Lab found that Duqu uses the mystery code to communicate with its command-and-control (C&C) servers from infected machines. Unlike the rest of Duqu, the so-called Duqu Framework is not written in C++ and it’s not compiled with Microsoft’s Visual C++ 2008.

The code was not written using Delphi or .Net, other virus-writing favourites, either. Hardcore VXers use assembler to write malicious code but it wasn’t that either.

After going some way in unraveling the mystery language used by the Duqu Framework, Kaspersky Lab researchers appealed for help from the programming community.

During a webcast on Monday, Kaspersky Lab chief malware expert Vitaly Kamluk said that a variety of programming languages had been suggested in response to this appeal for help, including Lisp and Ada.

However, the suggestion that the Duqu Framework might have been developed using old-school Object Oriented C (OO C) hit the bullseye. Code compiled using C and Microsoft Visual Studio 2008 was a close match for the code in the Duqu Framework, allowing Kaspersky researchers to conclude that the framework had been written using a custom object-oriented extension to C, or plain C with a changed dialect, as Kamluk described it.

“It’s old school C. These are techniques used by professional software developers but not malware writers,” Kamluk explained.

Kamluk said that whoever created the framework had reapplied an approach most often encountered in professional Mac OS application development to create Windows malware.

Using the approach offered several advantages compared to using conventional malware writing techniques, Kamluk explained. He said that the approach created code that was “more efficient, smaller, faster, more flexible and re-useable”.

Knowing the techniques used to develop the malware allows Kaspersky’s researchers to make better guesses about who might be behind the code. The security researchers said that the Duqu framework was probably created by old school professional developers who were well used to making software using Object Oriented C.

“The developers of the framework prefer to extend an ‘old-school’ language with contemporary techniques,” the Kaspersky boffins conclude. “The framework could have been reused from an existing software project. [The approach is] common for professional software developers, but unique for malware writers.”

“The code was written by a team of experienced ‘old-school’ developers who wanted to create a customised framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customised to integrate into the Duqu Trojan,” said Igor Soumenkov, Kaspersky Lab malware expert. “However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today’s general malware.”

Creating Duqu was a major project, so it’s possible that an entirely different team was responsible for creating the Duqu Framework, while others worked on creating drivers and system infection exploits. In this scenario it’s even possible that those who created the Duqu framework were ignorant of the real purpose of their work.

Compiling source code is a one-way transformation. Virus analysts are skilled at going from machine code to assembler but are unable to go any further. From experience the researchers can tell which language and compiler was likely used to write an item of malware, but the techniques used in the Duqu Framework were not out of the regular VXer cookbook, hence the appeal for help from the wider programming community.

Researchers at Kaspersky were the first to find the “smoking code” linking Stuxnet and Duqu. A detailed analysis of the Duqu code by Kaspersky researchers can be found here.

More on how the language behind the Duqu Framework was deduced can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/19/duqu_trojan_mystery/

Kim Dotcom seizures ‘null and void’

In an astonishing blunder, New Zealand’s Crown Law Office and its police commissioner have admitted to a ‘procedural error’ when they seized cash, cars and other property from Megaupload chief Kim Dotcom.

According to the New Zealand Herald, Justice Judith Potter of the High Court has declared the first restraining order under which the seizures were made to be “null and void” and having “no legal effect”.

The slip-up happened when the police applied for the seizure of Megaupload assets during January, and was discovered within the week, with police making a revised application on January 30. However, the approach taken by NZ Police and the Crown Law Office had denied Dotcom a chance to mount a defense, the judge said.

The blog Talkleft has noted that the mistake was made despite NZ Police boasting that a team of five from the OFCANZ (New Zealand’s organized crime agency) had worked on the case, up to and including the seizures, hand-in-hand with the FBI.

Radio New Zealand reports that during the next week, Justice Potter will hold another hearing to decide whether or not the assets should be returned. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/18/nz_police_blunder_over_dotcom/

‘Fileless’ malware installs into RAM

Researchers at Kaspersky Labs have found malware which, unusually, does not install any files on its victims’ PCs.

The researchers aren’t quite sure how unusual it is, describing it as both “unique” and “very rare”, but no matter how scarce this type of malware is it does sound rather nasty as it “… uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.” That mode of operation means Windows and MacOS are both affected by the exploit, which is hard for many antivirus programs to spot given it runs within a trusted process.

Once under your machine’s guard, the malware tries to attack Windows User Account Control so it can install the Lurk Trojan and connect to an associated botnet. That installation attempt is the malware’s key task, as living in RAM means fileless malware won’t survive a system reboot.

That the malware is able to do so is down to a known Java vulnerability, CVE-2011-3544 to be precise. Snoracle has long-since patched that hole. Another mitigating factor that will hopefully make this a short-lived attack is the fact Kaspersky picked it up in ads served only on Russian web sites. The security company has informed the ad-serving company and the offending code has been withdrawn.

But researcher Sergey Golovanov also warns that “we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: they can be distributed via similar banner or teaser networks in other countries. It is likely that other malware, not just Trojan-Spy.Win32.Lurk will be used in the process.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/18/fileless_malware_found/

Brit LulzSec suspect charged over NHS, plod web attacks

An alleged member of hacker group LulzSec appeared in a London court on Friday charged with conspiracy over cyber-attacks against websites maintained by the CIA and the UK’s Serious Organised Crime Agency.

Ryan Ackroyd, 25, of Oak Road, Mexborough, Doncaster, is also charged with breaking into systems maintained by the NHS and Sun newspaper publisher News International, the BBC reports.

At a hearing at Westminster Magistrates’ Court, district judge Howard Riddle granted Ackroyd, who spoke only to confirm his name and address and did not enter a plea, bail pending a case management hearing before Southwark Crown Court on 11 May.

Unemployed Ackroyd is accused of conspiring with Jake Davis, 18, Ryan Cleary, 19, and a 17-year-old lad to launch a string of denial-of-service attacks against websites between 1 February and 30 September 2011.

Bail conditions imposed on Ackroyd ban him from accessing the internet, The Guardian reports.

Ackroyd, who is accused of using the hacker label Kayla, also faces allegations in the US that he participated in hacks against the Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/19/lulzsec_suspect_court_date/

Met plod will use 1980s software to police Olympics

The Metropolitan Police Service will use software from the 1980s to coordinate the command and communications of its policing operations during the London Olympic Games.

The software, known as MetOps, is installed in the force’s special operations room (SOR), the central control room providing communications support during more than 500 major incidents and events each year, according to a report (PDF) by the Met into the riots of August 2011.

MetOps, a messaging and recording system, was not designed for dynamic incident management, and means commanders have no simple way to view the latest situation during an evolving incident, the report says.

The age of the MetOps system means that it is not linked directly to the software used in the force’s central communications centre, known as the computer aided dispatch (CAD) system. “This can result in the central communications centre being unaware of what is being dealt with within SOR, and conversely SOR being unaware of what is being dealt with through the CAD system,” says the report.

The system’s limitations contributed to a number of issues during the August 2011 riots, the report found, including the inability to monitor key incidents; slow communication with commanders on the ground; the lack of capability to hand over command to the oncoming team; and the inability to log key decisions and rationales for future review.

“These significant limitations coupled with the sheer scale of task around the flow of information, communication and coordination of resources posed an immense challenge for those within SOR, particularly on Monday 8th August,” the document says.

The process of replacing MetOps is under way and the force has also proposed some temporary solutions, including a new GIS system which is being trialled to assist with the coordination of resources. The Met is also considering adopting software currently used with live crime investigations for SOR.

The Met’s report also highlights the use of CCTV during disturbances. While the document says CCTV proved critical to the investigation of offences committed during the riots, it also says that there were significant challenges because of the sheer volume of footage, an estimated 200,000 hours, that had to be examined.

The police’s response to social media is also examined in the report, which notes that a digital communications steering group has been set up by the Met in response to its struggle to monitor social media in real time during the riots. The group wants to use social media to help the police understand what is going on in the community.

This article was originally published at Guardian Government Computing.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/19/met_police_will_use_1980s_software_during_2012_olympics/

China’s police ignore real name rules … so far

Users of China’s hugely popular social media platforms must now register with their real names if they want to be granted posting rights after a strict new government ruling came into force on Friday night, although reports suggest that the rules have yet to be enforced across the board.

The new system has been rolled out nationally on sites such as Sina Weibo, Sohu and Tencent ostensibly to eradicate zombie follower accounts and prevent “harmful” rumours from spreading across the web, although critics fear it will usher in an era of even stricter censorship online.

An ID card or a mobile phone number are the two primary ways users are being allowed to register for such sites, the latter acceptable because in China users need to submit their ID card details in order to activate a new mobile SIM.

However, when The Reg checked on Friday afternoon on the Sina Weibo home page, only around 19 million users had registered with their real name details, well short of the site’s estimated 300m users.

With the deadline for registrations coming at midnight on the same day, it’s unlikely that even half of the users on the site are abiding by the new rules, something which chief executive Charles Chao has already warned could silence a massive number of Sina Weibo users.

Reports have emerged that users are able to post on the sites despite not having registered with their ID details, although it could be that enforcement of the rules has yet to kick in.

Mark Natkin, managing director of Beijing-based IT consultancy Marbridge Consulting, told The Reg that at the moment there aren’t any real incentives for users to move forward with the real-name registration process.

“For those accounts that belong to real people, we expect broad real-name registration compliance only once the platform operators begin enforcing the requirement and closing loopholes for circumnavigating it,” he added.

“So far users who registered Sina Weibo accounts prior to the transition period are still able to post and forward without registering their real-name details and an account I registered using only a pre-paid mobile number in mid-February can also still post and forward.”

Critics have argued that the new rules are another nail in the coffin for free speech in China, just when social media sites were emerging as a genuine platform for web users in the People’s Republic to air their views.

The authorities have already introduced strict new rules governing what journalists can report in what was widely seen as an effort to discourage them from sourcing stories from social media. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/19/china_weibo_real_name/

New steganography technique relies on letter shapes

A trio of Indian researchers have proposed a method of steganography which hides messages by using a non-random distribution of letters with or without straight lines.

Steganography is a group of techniques for hiding messages in plain sight. Microdots, tiny text written inside a full stop and only legible when magnified, are one steganography technique. Steganography is hard to detect and decrypt, so much so that this paper from the US National Science and Technology Council (PDF) wrings its hands about its potential use by terrorists.

The new method for steganography has been outlined by Shraddha Dulera and Devesh Jinwala, both from the Department of Computer Engineering at the S V National Institute of Technology in Surat, India, and Aroop Dasgupta of Gandhinagar’s Bhaskaracharya Institute for Space Applications and Geo-Informatics. The trio’s paper, Experimenting with the Novel Approaches in Text Steganography, suggests that the low signal-to-noise ratio required by many current steganography techniques makes for slow decipherment.

The trio’s alternative is a system based on the characteristics of letters in the Hindu-Arabic alphabet, which they group into those possessing straight lines and those possessing curved lines. Each group is assigned a value of either zero or one as the basis for a binary code.

One method for using this scheme is to “ … generate a random string that contains the single letters (from alphabet) as the cover text. Subsequently, whenever we want to hide a ‘0’ bit in the input text file, we use the letters from the group A amongst the letters generated; whereas whenever we wish to hide a ‘1’ bit, we use the letters from the group B amongst the letters generated.”

A second scheme sees curved or straight letters capitalised at the start of sentences, so that the sentence “All birds can fly. Ostrich is a bird. Ostrich can also fly” yields a binary value of 100.
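The first two schemes described above, as an added example that is not code from the paper or the article: scheme 1 hides each bit as a single letter drawn from the straight-line or curved group, scheme 2 hides one bit per sentence in the shape of its capitalised first letter. The grouping of the 26 capitals into straight-only and curved letters is my assumption, chosen so that the article’s “All birds can fly…” example decodes to 100; the sentence pool is constructed.

```python
import random
import re

# Assumed grouping (the article does not reproduce the paper's table):
# capitals drawn only with straight strokes carry a '1', capitals containing
# any curve carry a '0'. This matches the worked example in the article,
# where "All..." -> 1 and "Ostrich..." -> 0.
STRAIGHT = set("AEFHIKLMNTVWXYZ")   # bit '1'
CURVED = set("BCDGJOPQRSU")         # bit '0'


def letter_bit(ch: str) -> str:
    """Map one Latin letter to the bit its shape encodes."""
    ch = ch.upper()
    if ch in STRAIGHT:
        return "1"
    if ch in CURVED:
        return "0"
    raise ValueError(f"not a Latin letter: {ch!r}")


# Scheme 1: a random-looking string of single letters is the cover text.
def encode_letters(bits: str, seed=None) -> str:
    """Hide each bit as a letter chosen from the matching shape group."""
    rng = random.Random(seed)
    pools = {"0": sorted(CURVED), "1": sorted(STRAIGHT)}
    return "".join(rng.choice(pools[b]) for b in bits)


def decode_letters(cover: str) -> str:
    """Recover the bits by classifying every letter of the cover text."""
    return "".join(letter_bit(c) for c in cover if c.isalpha())


# Scheme 2: only the capitalised first letter of each sentence carries a bit.
_SENTENCE = re.compile(r"[^.!?]+[.!?]?")


def decode_sentences(text: str) -> str:
    """Read one bit per sentence from the shape of its first letter."""
    bits = []
    for sentence in _SENTENCE.findall(text):
        first = next((c for c in sentence if c.isalpha()), None)
        if first is not None:
            bits.append(letter_bit(first))
    return "".join(bits)


def encode_sentences(bits: str, sentences: list) -> str:
    """Build a cover text by taking, for each bit, the first unused sentence
    whose initial letter has the required shape; fails if the pool runs dry."""
    remaining = list(sentences)
    chosen = []
    for b in bits:
        for i, s in enumerate(remaining):
            if letter_bit(s.lstrip()[0]) == b:
                chosen.append(remaining.pop(i))
                break
        else:
            raise ValueError(f"no unused sentence left for bit {b}")
    return " ".join(chosen)


# The article's example plus a constructed pool of innocuous cover sentences.
ARTICLE_EXAMPLE = "All birds can fly. Ostrich is a bird. Ostrich can also fly"
SENTENCE_POOL = [
    "Every lock has a key.", "Birds sing at dawn.", "Tea is served at four.",
    "Cats sleep all day.", "Maps can be wrong.", "Owls hunt at night.",
]

if __name__ == "__main__":
    print(decode_sentences(ARTICLE_EXAMPLE))              # 100
    cover = encode_letters("1011", seed=7)
    print(cover, decode_letters(cover))                   # ... 1011
    stego = encode_sentences("0110", SENTENCE_POOL)
    print(stego, decode_sentences(stego))                 # ... 0110
```

As the paper itself warns, the cover text is indistinguishable from noise only until the reader knows which shape group means which bit; once the scheme is known, decoding is a single pass over the letters.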

The trio’s third scheme proposes to further divide the alphabet into letters with:

  • Curves;
  • A straight horizontal middle line;
  • One vertical straight line;
  • A diagonal line.

By doing so, it becomes possible to create a code in which capital letters can have a binary value of 0, 1, 10 or 11.

The trio assert that “Our analysis reveals that our approaches impart increased randomness and because of randomness, these approaches are noticeable but it cannot be decoded until a user is not aware about these approaches. In addition, the proposed approaches are also immune to retyping and reformatting of text.”

But they also warn that “… one of the weaknesses of the proposed approaches is that once their applicability is known, they can easily be attacked. Hence, it is essential to keep the application of a particular approach to a particular data set secret, while using them.”

Do you promise not to tell? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/19/new_steganography_plan/
