STE WILLIAMS

Aussies’ password habits still slack, says study

“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” is how xkcd puts it*.

That’s probably why people don’t change their passwords unless someone forces them to, which is the unsurprising finding emanating from a PayPal-sponsored study by the ANU-hosted Centre for Internet Safety.

The study also finds a widespread, probably delusional, belief that “my password is hard to guess”, with 90 percent of the study’s 1,000 respondents comfortable that their variation on a pet’s name and a child’s birthday is safe.

Perhaps surprisingly, most users reported that they don’t put any personally identifying information in their passwords; but since they believe their password is safe, they then use the same password across multiple sites (63 percent of respondents, and 77 percent between the ages of 18 to 24 years old).

Mirroring behaviours overseas, we’re also slack about protecting the password, with the survey finding that 41 percent of respondents have shared their password with a friend, family member or colleague without changing the password afterwards.

The “xkcd effect” is present in our password behaviours: hard-to-remember passwords are written down by 46 percent of respondents, while younger users prefer to store their passwords on mobile phones.

In more reassuring news, the study found that most users – more than 95 percent – don’t want Websites to remember their passwords. Well, it would be reassuring, except that more than a third of users get around the forgotten password by leaving their computers logged into online sites, rising to 76 percent among the youngsters.

The paper is published by PayPal, here.

*The comic in question is here. I can’t vouch for ‘Randall’s’ math, but it would be a life-changing experience for most of us if he’s right.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/password_habits_slack_says_paypal/

Hackers of Japanese military contractor fluent in Chinese

Software used to breach the security of a Japanese maker of sensitive weapons systems contained simplified Chinese characters, making it difficult for those who don’t speak the language to carry out the hack, Japan’s biggest daily newspaper reported.

A computer screen used by attackers to remotely control infected computers inside Japan’s Mitsubishi Heavy Industries included simplified Chinese characters for words such as “automatic,” “catch,” and “image,” The Yomiuri Shimbun reported Wednesday, citing unnamed sources. Investigators with Japan’s Metropolitan Police Department now consider the hack an international espionage case.

In all, the attack infected 83 computers and servers at 11 locations, including MHI’s Tokyo headquarters, factories and research and development centers, a separate article in the same paper said. IHI Corp., another maker of heavy electronics, suffered similar attacks, the paper reported without elaborating.

So far there’s no confirmation the attackers accessed confidential blueprints of sensitive weapons systems, but no one inside the company has ruled out that possibility. MHI manufactures a variety of US-designed weapons for Japan’s Self-Defense Forces, including F-15 fighter jets. The breach happened in August but didn’t come to light until earlier this week.

According to The New York Times, United States officials have issued a stern warning about Japan’s ability to handle delicate information in the wake of the attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/22/japan_military_hack_follow_up/

RBS megahack maestro sells flats to pay fine

A high-profile cybercrook who masterminded the $9m RBS Worldpay ATM heist in 2008 has sold two of his St Petersburg flats to pay off his fines.

Viktor Pleshchuk received a six-year suspended sentence in September 2010. He avoided prison by agreeing to return his ill-gotten gains, a process he has continued with the sale of two swanky flats in Russia’s second city.

Auction proceeds were 10 million rubles ($330,000), about 20 per cent more than anticipated – and were transferred straight to RBS coffers. Pleshchuk also sold two cars, according to wire reports.

Pleshchuk was the prime mover behind a scam that involved hacking into WorldPay’s systems and the forgery of payroll debit cards which had artificially boosted daily withdrawal limits. Mules associated with Pleshchuk’s gang used the cards in Europe, the US and Asia, in overnight “cashing out” operations.

Russia’s Criminal Code was altered recently so that economic criminals could avoid jail by compensating victims. The Russian Constitution explicitly forbids the extradition of Russian nationals – so a trial for Pleshchuk in the West was never on the cards. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/21/rbs_worldpay_hack_mastermind_sells_flats/

Google preps Chrome fix to slay SSL-attacking BEAST

Google has prepared an update for its Chrome browser that protects users against an attack that decrypts data sent between browsers and many websites protected by the secure sockets layer protocol.

The fix, which has already been added to the latest developer version of Chrome, is designed to thwart attacks from BEAST, proof-of-concept code that its creators say exploits a serious weakness in the SSL protocol that millions of websites use to encrypt sensitive data. Researchers Juliano Rizzo and Thai Duong said they’ve been working with browser makers on a fix since May, and public discussions on the Chromium.org website show Chrome developers proposing changes as early as late June.

It’s hard to know how effective BEAST will be at quickly and secretly cracking the encryption protecting online bank passwords, social security numbers and other sensitive data, but Google appears to be taking no chances. Rizzo and Duong have released only limited details of their attack ahead of a presentation scheduled for Friday at the Ekoparty security conference in Buenos Aires.

Until recently, many cryptographers speculated it refined attacks described in 2004 and later in 2006 (PDF) by researcher Gregory Bard. In a series of recent tweets, Duong discounted these theories, saying he and Rizzo read Bard’s paper weeks after the genesis of BEAST. Instead, he said it was based on work by cryptographer Wei Dai.

Short for Browser Exploit Against SSL/TLS, BEAST performs what’s known as a blockwise chosen-plaintext attack against block ciphers such as AES when they are used in cipher block chaining (CBC) mode by SSL 3.0 and TLS 1.0, the first version of SSL’s successor, transport layer security. In CBC mode each plaintext block is XORed with the previous ciphertext block before it is encrypted, and in those protocol versions the last ciphertext block of one record serves as the initialisation vector for the next, so anyone watching the wire knows in advance the value that will be mixed into the next block of plaintext.

It has long been known that an attacker who can choose plaintext and predict that chaining value can test guesses about an earlier plaintext block: XOR the guess with the ciphertext block that preceded the target and with the predictable IV, have the result encrypted, and if the guess was right the block cipher receives exactly the input it saw for the target block and produces an identical ciphertext.

The change introduced into Chrome counteracts these attacks by splitting a message into fragments before encryption, which takes away the attacker’s control over the plaintext about to be encrypted: the ciphertext of the first, short fragment becomes the chaining value for the rest of the message, and the attacker cannot know it at the time the plaintext is chosen. By injecting that unpredictable value into the chain, the new behaviour in Chrome throws BEAST off the scent, because its guesses no longer line up with the block it is trying to recover.

The approach is similar to one introduced in 2002 by developers of the OpenSSL package that many websites use to implement SSL. That change added empty plaintext fragments to the cipher block chain before sending the actual payload. The technique was effective in preventing the cracking of SSL-protected data sent from the server to browsers, but not the other way around. It was never widely adopted because many Microsoft products weren’t compatible with it.

Like the unadopted change in OpenSSL, the Chrome fix is designed to protect SSL encryption against plaintext-recovery attacks while remaining compatible with TLS version 1. A quick review of Mozilla’s developer website showed no signs that a similar fix is being planned for the Firefox browser.

Most of the cryptographers who know the details of Rizzo and Duong’s work have agreed not to disclose them ahead of Friday’s talk. One of them is Adam Langley, a security researcher for Google. On Monday, shortly after publications including The Register previewed BEAST, he posted the following comment to the Hacker News website:

I happen to know the details of this attack since I work on Chrome’s SSL/TLS stack. The linked article is sensationalist nonsense, but one should give the authors the benefit of the doubt because the press can be like that.

Fundamentally there’s nothing that people should worry about here. Certainly it’s not the case that anything is ‘broken’.

He didn’t elaborate, and so far Google has had nothing public to say about how BEAST might affect its users. With the discovery that the company’s developers have spent the past three months working on a fix, we have some explanation for their insouciance. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/

Adobe rushes out emergency fix for critical bug in Flash

Adobe Systems has issued an emergency update for its ubiquitous Flash Player that fixes a critical security vulnerability that attackers are actively exploiting to hack end user machines.

Code exploiting the universal XSS, or cross-site scripting, bug “is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message,” Adobe said Wednesday in a blog post. It said the bug has been identified as CVE-2011-2444 and was reported by someone from Google, but it didn’t elaborate on the people or organizations being targeted in the attacks.

The unscheduled update came a day after Google released a new version of its Chrome browser that included “an update to Flash Player that addresses a zero-day vulnerability.”

Over the past couple years, Google has detected a variety of attacks on users of Gmail and other services. A spear phishing campaign disclosed in June targeted senior US government officials, military officials, and Chinese political activists. In March, the search giant warned that politically motivated attackers were exploiting a then unpatched vulnerability in all supported versions of Windows to spy on Google users.

The Flash vulnerability affects versions 10.3.183.7 and earlier for Windows, Mac, Linux, and Solaris and Flash 10.3.186.6 for Google’s Android operating system for mobile phones. Those using recent versions of Flash on Windows or Mac OS X can install the upgrade automatically after being prompted by an auto-update mechanism, or they can upgrade manually by installing a file downloaded here. In some cases, those using Flash with multiple browsers must update more than once. Those wanting to know what version they’re currently running should visit this page.

Android users can upgrade by browsing to the Android Marketplace on their handsets.

Wednesday’s patch fixes at least five other vulnerabilities that made it possible for attackers to remotely execute code or steal potentially sensitive information on machines running Flash.

Separately, Adobe on Wednesday unveiled several new privacy and security protections that will be added to Flash 11, the next major software upgrade, which is scheduled for release in early October. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/21/emergency_adobe_flash_update/

Windows 8 secure boot would ‘exclude’ Linux

Computer scientists warn that proposed changes in firmware specifications may make it impossible to run “unauthorised” operating systems such as Linux and FreeBSD on PCs.

Proposed changes to the Unified Extensible Firmware Interface (UEFI) firmware specifications would mean PCs would only boot from a digitally signed image derived from a keychain rooted in keys built into the PC. Microsoft is pushing to make this mandatory in a move that could not be overridden by users and would effectively exclude alternative operating systems, according to Professor Ross Anderson of Cambridge University and other observers.

UEFI is a successor to the BIOS ROM firmware designed to shorten boot times and improve security. The framework, a key part of Windows 8, is designed to work on a variety of CPU architectures.

If the draft for UEFI is adopted without modification, then any system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux. A signed version of Linux would work, but this poses problems, as tech blogger Matthew Garrett explains.

Garrett writes:

Firstly, we’d need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It’s a grey area, and exploiting it would be a pretty good show of bad faith.

Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it’s still necessary to get our keys included by every OEM.

There’s no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market.

Garrett concluded that there is no need to panic just yet.

The upshot of the changes is that considerable roadblocks might be placed in the way of running alternative operating systems on PCs. Anderson describes this as a return to the rejected Trusted Computing architecture, which at the time was about force-feeding DRM copy-protection restrictions, and argues that the new incarnation may be far worse than its predecessor.

The professor said:

These issues last arose in 2003, when we fought back with the Trusted Computing FAQ and economic analysis. That initiative petered out after widespread opposition. This time round the effects could be even worse, as ‘unauthorised’ operating systems like Linux and FreeBSD just won’t run at all. On an old-fashioned Trusted Computing platform you could at least run Linux – it just couldn’t get at the keys for Windows Media Player.

The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate.

Anderson concludes that the technology might violate EU competition law in a rallying call on Cambridge University’s Light Blue Touchpaper blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/21/secure_boot_firmware_linux_exclusion_fears/

UK firm denies supplying spyware to Mubarak’s secret police

A UK tech firm has denied supplying spyware technology to the former Egyptian government of Hosni Mubarak.

Documents uncovered when the country’s security service headquarters were ransacked during the Arab Spring uprising suggest that Egypt had purchased a package called FinFisher to spy on dissidents.

FinFisher, developed by UK firm Gamma International, is supplied exclusively to law enforcement and intelligence agencies as a surveillance tool. Trojans of this type – known as Remote Access Tools or RATs – are typically used to plant bugs on suspects’ PCs to monitor emails and instant-messaging conversations, or intercept Skype calls, as the pitch for FinFisher explains:

The remote monitoring and infection solutions are used to access target systems, giving full access to stored information with the ability to take control of the target systems’ functions to the point of capturing encrypted data and communications. In combination with enhanced remote infection methods, the government agency will have the capability to remotely infect target systems.

The recovered documents (pictured here) suggest the tool was licensed for a five-month trial at the back end of last year at a cost of €287,000.

During the BBC’s File on 4 programme, broadcast on Tuesday, Gamma International UK denied supplying the software to the Egyptian authorities. It added that it complied with UK export restrictions.

The sales documents in question appear genuine, though it’s hard to be absolutely sure especially since Gamma International has yet to respond to our request to discuss the matter. The supply of snooping technology to friendly but repressive regimes is a grey area.

William Hague, the Foreign Secretary, told the BBC he would like to see a ban on the export of goods used for repression, adding that he would “critically” examine export controls.

The File on 4 programme, entitled “Cyber Spies”, can be downloaded or streamed here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/21/egypt_cyber_spy_controversy/

GM OnStar cars will upload all data unless owners opt out

Cars fitted with OnStar’s technology will be tracked even if the owners don’t sign up to the service, in a change to the company’s policy that will kick in come December.

OnStar is a service offered by General Motors USA, which inserts a mobile phone, along with telemetry tracking kit, into cars sold by the company. Owners are then offered the option to sign up to the navigation and automatic crash reporting, but in a policy change the company will start collecting data from drivers even if they haven’t signed up for the service.

In the notice being sent out to subscribers, and picked up by Wired, OnStar explains that from December this year it will start collecting information about everything from oil levels to mileage, and details of any accident in which the vehicle is involved – including direction of impact, seatbelt use and the location/speed of the vehicle at the time of the accident.

That is the critical part, to the insurance companies at least. Several US insurance claims have already been invalidated by cars which grassed on their owners, who proved to be travelling faster than they had admitted, and OnStar will hand over the data to the police when required to, and anyone else they deem necessary for “the safety of you or others”.

Until now, that data was only available where owners had been signed up to the service, which includes satellite navigation, but come December anyone whose car is fitted with the technology, and hasn’t explicitly opted out (by phoning OnStar), will be subject to monitoring by the company.

Earlier this month the European Commission formally adopted eCall, which requires all new cars sold within the EU to be fitted with automatic tracking, and an embedded cellular phone, by 2015. eCall will call up the emergency services in the event of a crash, but it will also put a mobile phone into every car in Europe, which opens up a host of options.

Cars are already getting over-the-air software modifications. Red Bend, specialists in remote software updating, send out software patches to various models over the GSM network; the company is looking forward to being able to reach out to every car to ensure they’re running the latest and greatest OS and applications.

In its statement (PDF, 10 pages but quite readable), OnStar explains it will also be collecting anonymous data for traffic and usage analysis, which is probably more valuable to General Motors than details about individuals. The same thing will no doubt apply to eCall-equipped cars when they come on sale.

Few people will bother opting out of such a service, which means that those who do will simply attract attention to themselves. All this is for your own safety and convenience, of course, but if you want to travel anonymously after 2015 then best get yourself an (eCall-exempted) motorcycle and read the small print carefully. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/21/onstar_ecall/

Prosecutor calls poker site ‘global Ponzi scheme’

Directors of one of the internet’s biggest gambling sites have been accused of running a massive Ponzi scheme that bilked players out of about $330 million.

In court documents filed Tuesday, federal prosecutors accused those operating Full Tilt Poker of withdrawing more than $443 million from players’ bank accounts and diverting it to board members and owners. Director Christopher Ferguson received more than $87 million, while his colleague Howard Lederer got $42 million, they said. Directors Raymond Bitar and Rafael Furst allegedly received $41 million and $11.7 million respectively.

In all, Full Tilt allegedly owed players around the world $390 million, but had only $60 million in its bank accounts, despite repeated assurance that money they deposited for online betting was stored in segregated accounts and belonged to each individual player.

“Full Tilt was not a legitimate poker company, but a global Ponzi scheme,” Preet Bharara, US Attorney for New York’s Southern District, said in a press release (PDF). “Not only did the firm orchestrate a massive fraud against the US banking system, as previously alleged, Full Tilt also cheated and abused its own players to the tune of hundreds of millions of dollars.”

Tuesday’s allegations were contained in a court filing that amended a civil complaint filed in April against operators of Full Tilt and two other online poker sites. The earlier action charged them with violating the Unlawful Internet Gambling Enforcement Act of 2006, which prohibits illicit gambling operations from accepting payments. The site was shut down in June.

The new allegations surfaced in the course of the investigation. In some cases, the alleged scheme continued even after the original complaint and an accompanying criminal indictment were unsealed. Prosecutors cited email sent in June in which Bitar worried about a “run on the bank” and admitted “at this point we can’t even take a five million [dollar] run.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/20/full_tilt_poker_allegations/

Android bug lets attackers install malware without warning

It’s been more than a month since researchers reported two serious security vulnerabilities in Android, but so far there’s no indication when they will be purged from the Google-spawned operating system that’s the world’s most popular smartphone platform.

The first flaw allows apps to be installed without prompting users for permission. This permission-escalation vulnerability lets attackers surreptitiously install malware in much the way a proof-of-concept exploit that researcher Jon Oberheide published last year did. In that case, an app he planted in the Android Market, disguised as an expansion pack for the Angry Birds game, secretly installed three additional apps that monitored a phone’s contacts, location information and text messages without warning, so the data could be transmitted to a remote server.

“The Android Market ecosystem continues to be a ripe area for bugs,” Oberheide wrote in an email. “There are some complex interactions between the device and Google’s Market servers which has only been made more complex and dangerous by the Android Web Market.”

The second bug resides in the Linux kernel on which Android is built and makes it possible for installed apps with limited privileges to gain full control over the device. The vulnerability is contained in code that device manufacturers have put into some of Android’s most popular handsets, including the Nexus S. The bug undermines the security model Google’s developers created to contain the damage any one application can do to the phone as a whole.

Oberheide and fellow researcher Zach Lanier plan to speak more about the vulnerabilities at a two-day training course at the SOURCE conference in Barcelona in November. In the meantime, they put together a brief video showing their exploits in action.

A Google spokesman declined to comment for this post.

One of the hopes for Android a few years back was that it would be a viable alternative to Apple’s iOS, both in terms of features and security. With the passage of time, the error of that view is becoming harder to ignore. By our count, Google developers have updated Android just 16 times since the OS debuted in September 2008. The number of iOS updates over the same period is 29.

It’s a far cry from the approach Google takes with its Chrome browser, which is updated frequently, and has been known to release fixes for the Flash Player before they’re even released by Adobe.

Even more telling, when a new version of iOS is released, it’s available almost immediately to any iPhone user with the hardware to support the upgrade. Android users, by contrast, often wait years for their phone carriers to supply updates that fix code execution vulnerabilities and other serious flaws.

Owners of the Motorola Droid, for instance, are stuck running Android 2.2.2 even though that version was released in May 2010 and contains a variety of known bugs that allow attackers to steal confidential data and remotely execute code on handsets that run the outdated version.

Oberheide has more here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/20/google_android_vulnerability_patching/