STE WILLIAMS

HideMyAss has defended its role in handing over evidence that resulted in the arrest of a suspected LulzSec member last week.

UK-based HideMyAss, which offers freebie web proxy and paid-for VPN services, said it handed over potentially incriminating data to the feds only in response to a court order. It had been aware that its service was being used by Anonymous/LulzSec members for some time before this without taking any action, as a blog post headed LulzSec fiasco by the firm explains.

Cody Andrew Kretsinger, 23, of Phoenix, Arizona allegedly used HideMyAss.com’s web proxy service to hack into the systems of Sony Picture Entertainment as part of a hack that exposed the personal details of thousands of gamers. According to the court order, Kretsinger used SQL injection techniques that were run via HideMyAss’s anonymising web proxy service to launch the high-profile attack.

HideMyAss explains:

It first came to our attention when leaked IRC chat logs were released, in these logs participants discussed about various VPN services they use, and it became apparent that some members were using our service. No action was taken, after all there was no evidence to suggest wrongdoing and nothing to identify which accounts with us they were using.

At a later date it came as no surprise to have received a court order asking for information relating to an account associated with some or all of the above cases. As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US).

HideMyAss, which bills itself as a leading online privacy website, adds that it does not condone illegal activity, saying that similar services that do not co-operate with law enforcement are “more likely to have their entire VPN network monitored and tapped by law enforcement, thus affecting all legitimate customers”. The service said it carries out session-logging, recording the time a customers logs onto and disconnects from the service as well as the IP addresses he or she connects to. It said it does not record the actual content of web traffic.

Twitter accounts affiliated with Anonymous were unsurprisingly vociferous in their criticism of HideMyAss’s business practices and assistance of a federal investigation, dubbing the service SellMyAss, and arguing that HideMyAss users are less likely to trust it and more likely to look for alternatives.

“Question @HideMyAssCom: Was it worth to rat out one guy who allegedly hacked #PSN in exchange for all your business? You will find out soon,” AnonymousIRC said.

HideMyAss, which was established in 1995, was set up as a way to bypass censorship on the web before moving on to offer commercial VPN services. It boasts of its recent role in allowing Arab Spring protesters to gain access to websites such as Twitter, which were blocked by the former Egyptian government of Hosni Mubarak. Privacy activists have accused HideMyAss of double standards over its handling of the Kretsinger case.

“The Hide My Ass VPN service is run by a bunch of hypocrites,” said Jacob Appelbaum, a core member of the Tor project, in a Twitter update. “They support revolution and circumvention when it suits their business image.”

In updates to its original blog posts, HideMyAss defended its stance on this point, arguing that it simply complies with UK law. It denied acting as a pawn at the behest of the Feds.

“We are not intimidated by the US government as some are claiming, we are simply complying with our countries legal system to avoid being potentially shut down and prosecuted ourselves.

“Regarding censorship bypassing, some have stated it is hypocritical for us to claim we do not allow illegal activity, and then claim our service is used in some countries to bypass censorship illegally. Again we follow UK law, there isn’t a law that prohibits the use of Egyptians gaining access to blocked websites such as Twitter, even if there is one in Egypt … though there are certainly laws regarding the hacking of government and corporate systems,” it concludes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/26/hidemyass_lulzsec_controversy/

With just a few hours until researchers unveiled an attack they say decrypts sensitive web traffic protected by the ubiquitous secure sockets layer protocol, cryptographers described a simple way website operators can insulate themselves against the exploit.

The recommendations published Friday by two-factor authentication service PhoneFactor, suggest websites use the RC4 cipher to encrypt SSL traffic instead of newer, and ironically cryptographically stronger, algorithms such as AES and DES. Google webservers are already configured to favor RC4, according to this analysis tool from security firm Qualys. A Google spokesman says the company has used those settings “for years.”

In stark contrast, eBay’s PayPal payment service favors AES, making the site at least theoretically vulnerable to BEAST, the attack tool scheduled to be demonstrated Friday evening at the Ekoparty security conference in Buenos Aires. Short for Browser Exploit Against SSL/TLS, its creators say it targets a long-documented vulnerability in some encryption algorithms that cryptographers previously believed wasn’t practical to exploit.

Researches Thai Duong and Juliano Rizzo said they’ve refined the attack enough to decrypt SSL-protected web traffic using a piece of JavaScript that injects plaintext into the encrypted request stream. They have said they plan to prove the attack is practical by using it to recover an encrypted cookie used to access a user account on PayPal.

The chosen plaintext-recovery at the heart of BEAST attacks algorithms that use a mode known as CBC, or cipher block chaining, in which information from a previously encrypted block of data is used to encode the next block. CBC is present in both AES and DES, but not in RC4.

“There have been several suggested mitigations that can be put into play from the perspective of the client, such as reorganizing the way the data is sent in the encrypted stream,” PhoneFactor’s Steve Dispensa wrote. “Servers can protect themselves by requiring a non-CBC cipher suite. One such cipher suite is rc4-sha, which is widely supported by clients and servers.”

The configurations followed by Google aren’t an absolute guarantee BEAST attacks won’t work on the site, since they allow vulnerable ciphers to be used in the event the connecting browser doesn’t work with RC4. That’s an unlikely scenario, but certainly within the realm of government and government contractor employees mandated to use the Federal Information Processing Standard.

As previously reported, Google has already released a developer version of its Chrome Browser that mitigates the damage that BEAST can wreak. It remains unclear just how much of a threat the exploit poses, but the web giant isn’t taking any chances. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/23/google_ssl_not_vulnerable_to_beast/

Mac malware creators are adopting Windows malware camouflage trickery in a bid to trick users into running their malicious creations.

Boobytrapped PDF files have long been a problem for Windows users. The OSX/Revir-B Trojan reapplies this approach towards Mac fans, who may be less familiar with the ruse.

The malware payload is an Macintosh application file that poses as a PDF. If opened, the file presents a Chinese language document concerning the disputed Diaoyu (Senkaku) Islands. Both China and Japan claim sovereignty of the disputed territory.

While users are perusing the text the malware attempts to install a backdoor Trojan horse.

The malware was submitted to VirusTotal, possibly after the original author tested to see whether it was detected by security firms. VirusTotal routinely samples files submitted through its service to security firms, who have began analysing the code.

“This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a “.pdf.exe” extension and an accompanying PDF icon,” according to virus analysts at net security firm F-Secure.

“The sample in our hands does not have an extension or an icon yet. However, there is another possibility … extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires.”

It may be that the malware was designed to be distributed via email but this is unclear.

Mistakes in the code means that the malware fails to execute, according to net security firm Sophos, adding that there is no doubt the file is malicious. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/23/mac_malware_pdf_disguise/

Hackers trying to cheat the Xbox Live game network have stooped to a new low: sending hoax emergency distress calls to police with the goal of drawing an armed response to the homes of Microsoft employees.

According to The Sammamish Patch news service, Eric Neustadter, operations manager for Xbox Live, was the latest Xbox enforcer to receive an emergency response from armed police. The report, and a follow-up article in The Seattle Post-Intelligencer said similar SWAT attacks have hit other Microsoft employees as well.

The latest incident happened in the early hours of August 29, when someone calling himself “eric” sent a text message to an emergency service for ATT cellphone subscribers.

“2 armed Russian males broke in and they shot my son,” it claimed. “They have claymores outside… my door is barricaded…pls hurry!”

Another message soon followed: “They are coming upstairs…pls hurry.”

When an ATT dispatcher responded by asking Eric for a phone number, he said his phone lines had been cut.

As deputies with the King County Sheriff Department took up positions outside Neustadter’s home a little after 4 a.m., a police operator finally managed to reach Neustadter on the phone.

He said everyone in his home was safe and that the emergency reports were a hoax, the websites reported. He went on to explain that his job responsibilities include shutting down Xbox Live players who cheat by exploiting vulnerabilities in the system, something that makes him unpopular with some hackers. He also said similar incidents have happened to “numerous other Microsoft employees in the past.”

Over the past few years such SWAT attacks – so called because their aim is to evoke responses from heavily armed Special Weapons And Tactics police squads – have become all the rage with some disgruntled hackers looking for an easy way to avenge perceived slights. The exploits require little skill on the part of the anonymous attackers, but they sure get the attention of their victims. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/23/xbox_live_enforcers_swatted/

Antivirus scanner firm Avast has acquired mobile phone theft protection and recovery company ITAgents. Financial terms of the deal, announced on Thursday, were not disclosed.

ITAgents specialises in technology for Android-powered smartphones. The Austrian firm’s Theft Aware technology is particularly in demand because “normal PCs just don’t get left behind in bars or fall out of pockets,” according to Avast.

It would probably be more accurate to say that PCs don’t get left behind in bars as often as smartphones, at least unless you’re an MI5/MI6 agent who made a bit of a habit of just this sort of malarkey a few years back (example here and another here).

Once installed, Theft Aware can survive a “hard” or factory reset. So the text message alert and GPS tracking features built into the technology ought to survive any attempt smartphone thieves might make to reset the device. Avast intends to revamp the technology with new features prior to a product release in Q4 2011.

Avast is not the only anti-virus security firm that has branched out into mobile security by way of an acquisition. AVG bought DroidSecurity last November in a move that added security-scanning software for Android smartphones into its portfolio. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/23/avast_buys_android_anti_theft_developer/

Microsoft has hit back at concerns that secure boot technology in UEFI firmware could lock out Linux from Windows 8 PCs, saying that consumers will be free to run whatever they want on their PCs.

Unified Extensible Firmware Interface (UEFI) specifications, designed to reduce start-up times and improve security, allow computers to verify digitally signed OS loaders before booting. The feature in UEFI, the successor to BIOS ROM, is designed as a countermeasure against rootkits and other bootloader nasties.

However computer scientists, including Professor Ross Anderson of Cambridge University, warned earlier this week that the approach would make it impossible to run “unauthorised” OSes such as Linux and FreeBSD on PCs. A signed build of Linux would work, but that would mean persuading OEMs to include the keys.

In addition since the kernel itself is part of the boot process, kernels will also have to be signed, a huge bureaucratic hurdle for developers that runs wholly against the grain of open source software development, as explained in more depth by tech blogger Matthew Garrett here.

If the draft for UEFI is adopted without modification, then systems with secure boot enabled simply will not run a generic copy of Linux. Disabling the feature would allow unsigned code to run. However Garrett argues that since “firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market” this may not be possible, a concern shared by Anderson.

“The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate,” he said. Anderson concludes that the approach is even worse than previous attempts to force feed Windows users with DRM technology.

In a blog post on Thursday, Microsoft attempted to address these concerns arguing that “complete control over the PC continues to be available” to consumers.

Secure boot is a UEFI protocol, rather than a specific Windows 8 feature, and “Microsoft does not mandate or control the settings on PC firmware that control or enable secured boot from any operating system other than Windows,” Microsoft’s Tony Mangefeste explains.

“Secure boot doesn’t ‘lock out’ operating system loaders, but it is a policy that allows firmware to validate authenticity of components. OEMs have the ability to customize their firmware to meet the needs of their customers by customizing the level of certificate and policy management on their platform,” he adds.

Mangefeste cites the example of a prototype Samsung tablet with firmware designed to allow customers to disable secure boot, an option that is open to OEMs.

Just how many OEMs will take this approach remains unclear. Microsoft has effectively batted the question over to its hardware partners and firmware suppliers. What both Microsoft and critics of UEFI seemingly agree on is that unless secure boot can be disabled then Linux can’t be run on Windows 8 PCs.

We asked the UEFI Forum to comment on the issue earlier this week but are yet to hear back from the industry group, which promotes and manages the UEFI standard. Members of the UEFI forum include Apple, IBM and BIOS giant Phoenix Technologies as well as Microsoft. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/23/ms_denies_uefi_lock_in/

Microsoft lawyers have sealed their victory over the operators of what was once the world’s biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet.

The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.

Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.

According to court documents (PDF), the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.

“This suggests that ‘Cosma2k’ is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated.

In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.

The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware.

In June prosecutors declared victory in the case.

Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft’s determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/microsoft_refers_rustock_to_fbi/

Microsoft lawyers have sealed their victory over the operators of what was once the world’s biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet.

The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.

Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.

According to court documents (PDF), the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.

“This suggests that ‘Cosma2k’ is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated.

In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.

The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware.

In June prosecutors declared victory in the case.

Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft’s determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/microsoft_refers_rustock_to_fbi/

Microsoft lawyers have sealed their victory over the operators of what was once the world’s biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet.

The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.

Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.

According to court documents (PDF), the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.

“This suggests that ‘Cosma2k’ is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated.

In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.

The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware.

In June prosecutors declared victory in the case.

Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft’s determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/microsoft_refers_rustock_to_fbi/

Microsoft lawyers have sealed their victory over the operators of what was once the world’s biggest source of spam after winning a court case giving them permanent control over the IP addresses and servers used to host the Rustock botnet.

The seizure was completed earlier this month when a federal judge in Washington state awarded Microsoft summary judgement in its novel campaign against Rustock, which at its height enslaved about 1.6 million PCs and sent 30 billion spam messages per day. The complex legal action ensured that IP addresses and more than two dozen servers for Rustock were seized simultaneously to prevent the operators from regrouping.

Now the attorneys are turning over the evidence obtained in the case to the FBI in hopes that the Rustock operators can be tracked down and prosecuted. Microsoft has already offered a $250,000 bounty for information leading to their conviction. It has also turned up the pressure by placing ads in Moscow newspapers to satisfy legal requirements that defendants be given notice of the pending lawsuit.

According to court documents (PDF), the Rustock ringleader is a Russian citizen who used the online handle Cosma2k to buy IP addresses that hosted many of the Rustock command and control servers. Microsoft investigators claimed the individual distributed malware and was involved in illegal spam pitching pharmaceutical drugs.

“This suggests that ‘Cosma2k’ is directly responsible for the botnet as a whole, such that the botnet code itself bore part of this person’s online nickname,” the Microsoft motion stated.

In a blog post published Thursday, Microsoft said the number of PCs still infected by Rustock malware continued to drop. As of last week, a fewer than 422,000 PCs reported to the seized IP addresses, almost a 74 percent decline from late March. It also represented significant progress since June, when almost 703,000 computers were observed.

The Rustock takedown has been a rare bright spot in the ongoing fight against computer crime. After it was initiated, federal authorities waged a similar campaign against Coreflood, another notorious botnet estimated to have infected 2 million PCs since 2002. In a step never before taken in the US, federal prosecutors obtained a court order allowing them to set up a substitute command and control server that forces infected machines to temporarily stop running the underlying malware.

In June prosecutors declared victory in the case.

Taking down botnets is a good start, but it does little stop criminals from setting up new ones. Microsoft’s determination in tracking down Cosma2k and his cronies could go a step further, by showing would-be botherders there are consequences to their crimes, no matter where in the world they may be located. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/microsoft_refers_rustock_to_fbi/