STE WILLIAMS

Cryptoboffin: Secure boot a boon for spooks’ spyware

A leading computer scientist has warned that the latest so-called Trusted Computing proposals may restrict the market for anti-virus and security software.

Cambridge University Professor Ross Anderson warns that the secure boot features in the UEFI firmware specification – understood to be required on certified Windows 8 machines – might even make it easier to smuggle state-sponsored trojans onto victims’ machines.

The secure boot system is designed to stop malware from being introduced into a computer’s boot sequence – but without the secret cryptographic keys, the firmware will also block non-harmful code, such as non-Windows OSes and legit anti-virus software.

“Building signed boot into UEFI will extend Microsoft’s power over the markets for AV software and other security tools that install around boot time; while ‘Metro’ style apps (ie, web, tablet and HTML5-style stuff) could be limited to distribution via the MS app store. Even if users can opt out, most of them won’t.

“That’s a lot of firms suddenly finding Steve Ballmer’s boot on their jugular.”

Anderson – who previously criticised UEFI (the Unified Extensible Firmware Interface) for making it “impossible” to run “unauthorised” operating systems such as Linux and FreeBSD on Windows 8 PCs – argued that the technology could make life easier for intelligence agencies at the expense of ordinary users.

“If the Turkish government compelled Microsoft to include the Tubitak key in Windows so their intelligence services could do man-in-the-middle attacks on Kurdish MPs’ Gmail, then I expect they’ll also tell Microsoft to issue them a UEFI key to authenticate their keylogger malware,” Anderson writes.

“Hey, I removed the Tubitak key from my browser, but how do I identify and block all foreign governments’ UEFI keys?”

The cryptoguru added: “Our Greek colleagues are already a bit cheesed off with Wall Street. How happy will they be if in future they won’t be able to install the security software of their choice on their PCs, but the Turkish secret police will?”

Anderson’s latest criticism of UEFI on the Light Blue Touchpaper blog is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/25/secure_boot_criticism_reloaded/

Tool lets low-end PC crash much more powerful webserver

Hackers have released software that they say allows a single computer to knock servers offline by targeting a well-documented flaw in secure sockets layer implementations.

A German group known as The Hacker’s Choice released the tool on Monday, in part to bring attention to what they said were a series of long-running deficiencies in SSL, which websites use to prevent social security numbers and other sensitive data from being monitored as they travel between servers and end-user computers.

“We are hoping that the fishy security in SSL does not go unnoticed,” an unnamed member of the group said in a blog post. “The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.”

The THC-SSL-DOS tool allows a single computer with a modest internet connection to crash a much more powerful server with vastly more bandwidth, but only when the server supports what’s known as SSL renegotiation, Monday’s postings claimed. Renegotiation is used to establish a new secret key securing communications after an encrypted session has already commenced. Renegotiation was at the heart of a flaw in the SSL protocol discovered in 2009 that allowed attackers to inject text into encrypted traffic passing between two endpoints.

“Interesting here is that a security feature that was supposed to make SSL more secure makes it indeed more vulnerable to this attack,” a member said.

The tool allows a single laptop with a standard DSL connection to take down an average webserver. Bringing down a larger server farm that makes use of an SSL load balancer required about 20 laptops and about 120Kbps of bandwidth. Even when websites don’t support SSL renegotiation, they can still be toppled by THC-SSL-DOS, although the attack must be modified.

The tool is available as a Windows binary and Unix source code. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/24/ssl_dos_tool_released/

Yahoo! privacy! wonk! heads! to! Google+!

Google has poached Yahoo!’s long-serving policy chief to take charge somewhere within the company’s nascent social network.

Anne Toth, natch, confirmed she was moving on from the Sunnyvale Purple Palace to the Mountain View Chocolate Factory in a Google+ post on Friday.

She starts work with Google today.

“Come Monday I’ll get to spin my own propeller,” Toth wrote late last week.

“Excited to be joining Google and the Google+ team next week. Today I’m enjoying my one, solitary day of unemployment. I love everyone who told me to take time off between jobs but I’m too Type-A for my own good.”

Google already has a privacy overlord in the shape of Alma Whitten and she’ll continue in that role.

In March this year Google agreed with the US Federal Trade Commission to undergo regular privacy audits for the next 20 years after bolting its ill-conceived Buzz social network on to Gmail in early 2010 without first seeking the consent of its users.

It’s unsurprising then to see the company rope in a privacy wonk specifically to herd its social network developers around Google+.

Toth’s departure from Yahoo! and arrival at Google was greeted with a slow handclap from some critics of her work.

“After her stellar work not delivering HTTPS to Yahoo Mail users, and blocking support of Do Not Track, Yahoo privacy chief heads to Google,” said security and privacy researcher Christopher Soghoian. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/24/anne_toth_yahoo/

Microsoft’s YouTube channel pwned

Microsoft’s YouTube channel got hacked over the weekend by pranksters who replaced corporate videos with cartoons.

One of the uploaded videos, titled Bingo, showed a character from the LA Noire video game shooting another animated figure in the head. Other videos called on ‘Tubers to “post video responses, create new background images for the channel or provide sponsorship”, net security firm Sophos reports.

By the time of writing on Monday the channel had been restored to ‘normality’ – which mainly appears to be models gesticulating wildly in front of tellies.

It’s unclear how miscreants managed to gain control of Microsoft’s YouTube account, though poor password security by a Microsoft worker is one obvious possibility. One YouTube user suggested that the channel was first established by a Microsoft fan before it was handed over to the software giant. “The flaw is that this account was probably still linked to this kid’s email and Microsoft forgot to change it or whatever,” the punter suggests.

The Microsoft YouTube channel hack comes a week after hackers broke into the Sesame Street YouTube channel to post hardcore porn clips in place of child-friendly content.

In other internet hijacking news, LG’s Australian website was defaced by members of the Intra Web Security Exploit Team on Sunday night. “The attackers replaced the site with some lightly obfuscated JavaScript. The script pretends to be conducting an injection attack as you watch, whilst an expletive-laden track by nerdcore hacker-rapper BeWiz plays in the background,” Sophos reports. The hacked www.lg.au website was taken down prior to its return and redirected towards the apparently unsullied www.lg.com/au domain. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/24/ms_youtube_channel/

Anonymous shuts down hidden child abuse hub

Members of hacktivist collective Anonymous are claiming credit for shutting down a deep underground child abuse site and outing its membership list.

Account details of 1,589 members of Lolita City were posted as part of Anonymous’ Operation Darknet, a wider effort aimed against abuse of the Tor network by paedophiles. Lolita City, said to be hosted by Freedom Hosting, alone housed more than 100GB of child pornography, according to a statement by Anonymous.

As well as providing anonymisation, the Tor network supports a private “dark” top-level domain, .onion. Sites on the “hidden” domain were only visible to Tor users or through Tor gateways, such as tor2web.org. Although some services, such as anything that uses UDP, are blocked, .onion sites are by no means immune to hacking – as the attack by Anonymous illustrates.

Anonymous members discovered links to child abuse images in a section called Hard Candy on a .onion site called The Hidden Wiki. Anonymous removed the links, which were reposted by a site administrator. After noticing that “95 per cent of the child pornography listed on the Hidden Wiki shared a digital fingerprint with the shared hosting server at Freedom Hosting”, the hacktivists issued a series of ultimatums, which were ignored.

Anonymous then began a series of denial-of-service attacks aimed at Freedom Hosting, and most particularly Lolita City. The user database of the site was extracted using a SQL injection attack, Ars Technica reports.

The Tor network is widely used by human rights activists and often used as a means to get around government-applied censorship controls, such as the Great Firewall of China. The service is also used to exchange pirated content, and by paedophiles.

Tor activist Jacob Appelbaum welcomed Anonymous’ action: “Anonymous pwned a bunch of pedos; huzzah,” he said via his ioerror Twitter account.

Security experts were more cautious: Sophos, for example, argues against such vigilante actions. “Their intentions may have been good, but take-downs of illegal websites and sharing networks should be done by the authorities, not internet vigilantes,” writes Graham Cluley of Sophos.

“When ‘amateurs’ attack there is always the risk that they are compromising an existing investigation, preventing the police from gathering the necessary evidence they require for a successful prosecution, or making it difficult to argue that evidence has not been corrupted by hackers.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/24/anonymous_fight_child_abuse_network/

So many risks, so little time

How much risk can your IT department tolerate? There’s always going to be a certain amount of it. The trick is working out where to put it so that it causes the least damage. And to do that, you need to understand how risk fits into the broader world outside the IT department.

There are various types of risk facing a company, whether operational, physical, financial or reputation-based, and a good IT manager will be aware of all of them, because they all touch the IT department, either directly or indirectly.

Operational risk can be divided into internal and external dangers. Internal operational risk revolves around people, process, and technology (what happens if your callcentre’s CRM application goes belly-up?), while external risk will often focus on partners (what happens if your cloud services provider collapses?).

Not all risk is digital. Physical risks can also have an impact on the IT department, and therefore on the broader business. If someone can easily tailgate their way into a building, then they are taking advantage of such a risk. So is someone who leaves a laptop unattended in a drawer, asleep but still logged in.

Risks in different categories, such as physical and logical, can often be interconnected and exploited by the wily to create attacks. Our tailgater might insert a USB key into a desktop PC and steal a collection of unencrypted customer details, or a thief may steal our unattended laptop, which may in turn trigger a governance and compliance risk.

These can be serious, incurring massive fines, or potentially restricting your operations. When Nationwide Bank was fined £980,000 for failing to secure sensitive customer data on a laptop in 2007, it was the result of a neglected compliance risk that created a financial risk. Other financial risks could be as simple as a set of invoices being duplicated, due to an accounting system bug, resulting in too many shipments and overstating of sales.

Brand risk is closely allied with both reputational risk, and intellectual property risk. If you’re Research in Motion watching your server infrastructure collapse, and your CEO has to publish a video apology admitting that he doesn’t know when people will be able to access their phones’ features again, that’s a threat to your brand stemming from reputational damage, which stems in turn from a computing SNAFU of royal proportions.

The smart IT manager will understand the holistic nature of these risks, and will also see that the worst risks occur at the edges of people’s responsibility. Who is responsible for encrypting data on a laptop? Is it the employee, or the person creating the central laptop build?

Running root cause analysis on the potential risks can help you to identify the roles and responsibilities necessary to mitigate them. It will also help you to measure your existing processes against baseline performance metrics. If your software testing processes don’t measure up, then that may create an enhanced risk of software error that could feed through into financial risk for the company.

Brainstorming the potential risks and understanding what roles and responsibilities are necessary to mitigate them sets you up to deal with them. An enterprise risk management framework should ideally incorporate business units other than just the IT department. In an ideal world, a chief security officer for the organisation as a whole would be able to co-ordinate an ERM. They would be able to decide what tolerance existed for certain risks, which would give the business units, such as IT, something to work with.

An IT department properly versed in corporate risk tolerance can then chart the probability associated with certain risks, along with their impact on broader corporate risk. Not all risks are created equal: an older server may have a relatively high chance of failing, but the application running on it may not be critical to the organisation.

Understanding the criticality of each risk, along with the cost of mitigating it, empowers you to make a decision about how to plan for it. Do you avoid the risk altogether (which may be expensive and involve the use of redundant systems), transfer it to someone else (such as a partner, or perhaps a customer), mitigate it by understanding that it may happen but doing your best to prevent it, or simply accept it as a fact of life? Making this decision up front about the risks challenging your IT department will put you in a better place when it comes to IT governance, and accountability to the rest of the organisation.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/24/risk_tolerance/

McKinnon’s mum up for human rights gong

Janis Sharp, the campaigning mum of alleged Pentagon hacker Gary McKinnon, has been shortlisted for a human rights award by Liberty.

The human rights charity recognised her efforts in battling for her son and against the Extradition Act; critics argue the law is one-sided.

“I’m incredibly honoured and hoping this will help Gary’s case further by bringing more attention to his plight and to the whitewash Extradition treaty review,” Sharp said on Friday.

“I don’t know yet who else has been shortlisted or who votes for the award,” she added.

The awards take place on Tuesday, 22 November at Purcell Room, Queen Elizabeth Hall, Southbank Centre, London.

The event will feature a special presentation to Kim Traavik, the Norwegian Ambassador to the United Kingdom, in honour of the victims of the Norway gun massacre in July and the “dignity and humanity of Norway’s response to that atrocity”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/24/ma_mckinnon_liberty_award_nom/

Saddam ‘double’ kidnapped by smut flick gang

Muammar Gaddafi lookalikes are well advised to stay cautious in public if the recent experiences of a doppelganger for Saddam Hussein are any guide.

Mohamed Bishr was walking to a cafe in the Egyptian city of Alexandria when a group of three armed men forced him into the back of a van. He was beaten by the brigands, who sought to force him to perform in a sex film because of his striking resemblance to the late Iraqi dictator. The gang wanted to sell the resulting sex videos as ‘found footage’.

Bishr, a devout Muslim, refused.

This prompted the gang to abandon its plan by dumping Bishr out of the moving van, resulting in injuries that have left him hospitalised.

According to Bishr’s son, his father had been offered 2 million Egyptian pounds (US$333,000 or 208,000 quid) to impersonate Saddam in a porno flick by a group who spoke Arabic with an Iraqi or Syrian dialect.

“His son said that after the meeting his father had received several telephone calls threatening him with kidnap if he didn’t change his mind and shoot the Saddam sex tape,” English-language Arab news site Ahram Online reports.

“It is believed his kidnappers would have tried to pass off the video recording they made as genuine and sell it to international media.”

Bishr senior has been beaten up in the past because of his resemblance to Saddam; the attacks have forced him to move home four times.

Saddam used several doubles to make public appearances, partly because of assassination fears. “None are thought to have performed in adult films,” Ahram Online adds. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/24/saddam_double_kidnap/

El Reg in SHOCK email address BLUNDER

Between 8:58 and 10:20 this morning we sent an email to 3,521 of you that contained the names and email addresses of 46,524 of our readers.

Obviously, this was an error. The two-stage send process that is the norm for all of our mailers was overlooked because someone was in a hurry.

We would like to offer our genuine and humble apologies for the error.

If you would like to vent at that someone, their email address is here: [email protected].

We are in the process of blowing the whistle on ourselves to the ICO over the matter. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/24/email_blunder/

World’s stealthiest rootkit gets a makeover

One of the world’s more advanced pieces of malware has just gotten a makeover that could make it even more resistant to takedown efforts, security researchers said.

An analysis of recent updates to the TDL4 rootkit, which is also known as TDSS and Alureon, shows that components including its kernel-mode driver and user-mode payload have been rewritten from scratch, researchers from antivirus provider ESET blogged earlier this week. The code overhaul may mean that operators of TDL4, which is used to force keyloggers, adware, and other malicious programs onto compromised machines, have started providing services to other crimeware groups.

The makeover includes changes to the way TDL4 attempts to remain undetected by antivirus programs and other defenses. Newer versions create a hidden partition at the end of the infected machine’s hard disk and set it to active. This ensures that malicious code stashed in it is executed before the Windows operating system is run.

It also protects the code from being removed. The partition is equipped with an advanced file system that checks the integrity of TDL4 components. If any of the files are corrupted, they’re removed.
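The “active partition at the end of the disk” trick described above leaves a footprint in the legacy MBR partition table that a forensic triage script can check. The following is an added example (not ESET’s or The Register’s code) that parses the four 16-byte MBR entries from a constructed 512-byte sector image and flags an active partition that is not the first on disk or that ends near the last sector; the disk geometry, the partition types and the 2048-sector “tail window” are assumptions chosen for the example.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
MBR_SIGNATURE = 0xAA55          # little-endian bytes 55 AA at offset 510
PART_TABLE_OFFSET = 446         # four 16-byte entries follow the boot code
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    index: int
    bootable: bool              # status byte 0x80 marks the "active" partition
    part_type: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR image."""
    if len(mbr) < SECTOR:
        raise ValueError("MBR image must be at least 512 bytes")
    if struct.unpack_from("<H", mbr, 510)[0] != MBR_SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * 16)
        if ptype == 0 and sectors == 0:
            continue                      # unused slot
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba_start, sectors))
    return entries


def audit_active_partition(entries: list, disk_sectors: int, tail_window: int = 2048) -> list:
    """Flag active-partition layouts that match the hidden-boot-partition pattern."""
    findings = []
    active = [e for e in entries if e.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    if not entries:
        return findings
    first = min(entries, key=lambda e: e.lba_start)
    for e in active:
        if e is not first:
            findings.append(f"entry {e.index}: active partition is not the first on disk "
                            f"(starts at LBA {e.lba_start})")
        if e.lba_end >= disk_sectors - tail_window:
            findings.append(f"entry {e.index}: active partition ends within {tail_window} "
                            f"sectors of the disk end (LBA {e.lba_end} of {disk_sectors - 1})")
    return findings


def build_mbr(entries: list) -> bytes:
    """Assemble a constructed MBR image from PartitionEntry objects (test fixture helper)."""
    mbr = bytearray(SECTOR)
    for e in entries:
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + e.index * 16,
                         0x80 if e.bootable else 0x00, b"\0\0\0", e.part_type, b"\0\0\0",
                         e.lba_start, e.sectors)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    return bytes(mbr)


# Constructed fixtures: a 1 GiB disk (2^21 sectors) with an NTFS (0x07) system partition.
DISK_SECTORS = 2_097_152
CLEAN_MBR = build_mbr([PartitionEntry(0, True, 0x07, 2048, 2_080_000)])
# Same disk, but a small second partition at the tail has been marked active instead.
SUSPICIOUS_MBR = build_mbr([PartitionEntry(0, False, 0x07, 2048, 2_080_000),
                            PartitionEntry(1, True, 0x07, 2_090_000, 7_000)])
```

On a live system the first 512 bytes of the physical disk would be read in place of the constructed fixtures; the disk sector count comes from the OS, not from the MBR itself.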

Not that TDL4 wasn’t already among the most sophisticated pieces of crimeware available. When it emerged in 2008, it was virtually undetectable by most AV programs, and its use of low-level instructions made it hard for researchers to conduct reconnaissance on it. Its built-in encryption prevents network monitoring tools from inspecting communications sent between infected PCs and command and control servers.

It was among the first rootkits to infect 64-bit versions of Windows by bypassing the OS’s kernel-mode code-signing policy. That protection was introduced into 64-bit versions of Windows and allows drivers to be installed only when they have been digitally signed by a trusted source. In June, researchers at AV provider Kaspersky said TDL4 had infected more than 4.5 million PCs in just three months.

TDL4 also has the ability to communicate over the Kad peer-to-peer network and to infect the master boot record of a compromised PC’s hard drive.

The latest changes suggest that the relentless innovation of those developing TDL4 shows no signs of slowing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/21/stealthy_rootkit_overhauled/