STE WILLIAMS

SSL authority stops issuing certificates following breach

Yet another web authentication authority has stopped issuing secure sockets layer certificates after discovering a security breach that allowed hackers to store attack tools on one of its servers.

Netherlands-based KPN Corporate Market said it was taking the action while it investigated the compromise, which may have taken place as long as four years ago. The breach came to light after tools for waging distributed denial-of-service attacks were found on its network.

There is no evidence that the compromise affects KPN servers used to generate the certificates that Google, eBay, and millions of other services use to cryptographically prove their websites are authentic, rather than easily created imposters. But the possibility “can not be completely excluded,” KPN officials said in a statement issued Friday (Google translation here).

The compromise underscores the fragility of an SSL system that’s only as trustworthy as its most insecure, or most corrupt, member. With more than 600 certificate authorities trusted by the Internet Explorer, Chrome, and Firefox browsers, all that’s required to mint a near-perfect replica of a credential for Google Mail, or any other website, is to pierce the defenses of a single authority’s certificate issuance system. And with some of the authorities residing in countries such as China, it’s not a stretch to imagine them being compelled to issue fraudulent certificates.

That fragility came into sharp focus earlier this year when attackers exploited shoddy security practices at another Dutch CA and generated hundreds of SSL certificates for a variety of sensitive sites, including one for Gmail used to spy on about 300,000 users located in Iran. Mozilla’s add-ons site, Microsoft’s update service, and Skype were also targeted.

At least half a dozen other CAs have also been compromised in the past year, although there’s no evidence the breaches led to the issuance of bogus certificates. Affected authorities include four separate resellers of Comodo, StartSSL, and GlobalSign. On Thursday, major browser makers said they were removing intermediate CA Digicert Malaysia from their wares following revelations it violated security requirements.

It was only two months ago that KPN officials told Reuters they had sold hundreds of new certificates in the days immediately following the DigiNotar debacle.

When the major browsers excommunicated DigiNotar, it was a relatively painless affair because the authority had issued certificates for a relatively small number of domains. That meant the number of browser users inconvenienced by the corresponding error messages returned when they visited a site that relied on DigiNotar was also relatively small.

It’s unclear how KPN compares in size. What is certain is that the SSL system has too many single points of failure that endanger us all. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/04/ssl_still_hopelessly_broken/

Hackers mistake French rugby site for German stock exchange

Hacktivists mistakenly attacked a French rugby fansite instead of their intended target, the German stock exchange.

The misdirected assault meant the allezdax.com website, a fan site for French second-division rugby club Dax, was unavailable for two weeks. Meanwhile the hackers’ intended target, the website of the German stock exchange (DAX), remained up and running as normal.

An administrator of allezdax.com told France Bleu Gascogne radio station that hackers had “insulted us copiously in German”. He added: “I only have one thing to say to them: leave us alone!”

The allezdax.com website normally gets around 700 hits per day, mostly (you’d imagine) from local rugby fans. Traffic volumes and visitors swelled during the attack, overwhelming the site’s limited resources, the Guardian reports.

The site has now been successfully returned online with a suitably defiant message about improved security. “Having been attacked full-on by a young, spotty Teuton, the site is back with more security,” it says.

The whole episode recalls the time last year that geographically mixed-up Algerian hackers defaced the site of Belvoir Castle, home of the Teddy Bear’s picnic, instead of their intended target, Belvoir Fortress – a Christian outpost during the Crusades. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/04/french_rugby_site_hacktivist_maul/

Facebook denies malware risk from message bug

Facebook has fixed a flaw that may have allowed users to attach executables to messages sent to other punters on the social network.

Security blogger Nathan Power notified Facebook after finding the bug, which involved fiddling with messages sent between users who were not necessarily contacts. Facebook normally blocks the exchange of executable files – but Power discovered that by adding an extra space to the end of a filename, it was possible to get around these restrictions, as he explains in a blog post here.

These executable files could very well be laced with malware. Users can get infected if they are tricked into opening the malicious program on a vulnerable machine, something the bug (by itself) doesn’t do. Emails with malicious attachments have proved to be an incredibly successful attack vector for years so seeing this getting replayed in the venue of social networking gives El Reg the fear.

Facebook said last week that a fix was unnecessary before deciding to modify its systems this week after successfully reproducing the “undesirable behaviour” reported by Power in late September.

In a statement, Facebook said: “We were originally unsuccessful in reproducing the behaviour described by the reporter, as this behaviour does not occur for all browser and operating system combinations. Upon further investigation, we have determined which scenarios were behaving undesirably and have pushed a fix to ensure a consistent attachment experience across browsers.”

Despite the tweak, Facebook continues to insist that its users were never at risk. It said the social network has multiple layers of security to protect people from malicious files. “Facebook Messages does not rely solely on searching the plain-text of the file name to detect potentially malicious files but has antivirus protection that scans every message for malware and malicious links,” it said.
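To show the failure mode described above in code (an added example, not Facebook’s or Nathan Power’s code): a naive extension check that looks at the raw file name misses a name with a trailing space, while the hardened version canonicalises the name before deciding and, as a simple stand-in for the content scanning Facebook says it performs, also refuses anything whose bytes begin with the Windows executable “MZ” signature. The blocklist and sample names are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Extensions the filter refuses (a constructed list for this example).
var blockedExt = map[string]bool{".exe": true, ".com": true, ".scr": true, ".bat": true}

// NaiveBlocked is the shape of check the article describes being bypassed: it tests
// the raw name, so "setup.exe " (trailing space) has the extension ".exe " and passes.
func NaiveBlocked(filename string) bool {
	return blockedExt[strings.ToLower(path.Ext(filename))]
}

// CanonicalName normalises a user-supplied name before any policy decision: keep only
// the base name, drop surrounding whitespace and trailing dots (Windows ignores both
// when opening a file), and lowercase the result.
func CanonicalName(filename string) string {
	name := path.Base(strings.ReplaceAll(filename, "\\", "/"))
	name = strings.TrimRight(strings.TrimSpace(name), ". ")
	return strings.ToLower(name)
}

// HardenedBlocked decides on the canonical name and, as a stand-in for the content
// scanning Facebook describes, also refuses anything whose bytes begin with the
// Windows executable "MZ" signature, whatever the file is called.
func HardenedBlocked(filename string, content []byte) bool {
	if blockedExt[path.Ext(CanonicalName(filename))] {
		return true
	}
	return bytes.HasPrefix(content, []byte("MZ"))
}

func main() {
	name := "setup.exe " // constructed sample name with a trailing space
	fmt.Printf("%q naive=%v hardened=%v\n", name, NaiveBlocked(name), HardenedBlocked(name, nil))
}
```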

Facebook uses anti-malware technology from Websense to carry out this screening of binaries. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/04/facebook_message_security/

Cyberspace conference: All talk and no action

LCC comment On the first day of the London Conference on Cyberspace (LCC), an optimistic delegate stood up and prefaced his question to the panel with congratulations on the first steps in what he was sure would become known as “The London Cyber Process”.

It was an optimism the Foreign Office, which was hosting the summit, seemed to share to a certain extent before the event. The talk in the run-up to the conference was all about deciding the future of cyberspace, and Foreign Secretary William Hague’s opening remarks talked of “developing firm ideas and proposals with real political and diplomatic weight”.

Not that there weren’t cautionary words, too: when Hague first began to talk about the conference back in February it was all about “laying the basis for agreement on a set of standards”, which was a suitably vague political message that suggested it’d be great if something happened but no one was counting on it.

But in the end the conference didn’t seem to have even the beginning of any agreements on what should be done.

Everyone thought that the digital divide should be closed, but no one seemed to have any idea how to do it – other than hoping that service providers just get on with it themselves or wishing that countries that are poor, or where wealth was spread unevenly, would eventually get richer or fairer.

Everyone agreed that cyber threats were real and nasty – be they from terrorists, state-sponsored or criminal gangs – but their suggestions on what to do were just outlines of the existing debates: we should have more accountability and identification online or net users should be anonymous no matter what. Or even worse, there was the bit-of-both suggestion: we should have more accountability, but we shouldn’t get rid of anonymity. Well put, sir, but how exactly are we going to do that?

Law enforcement officials who spoke said they were getting some help from technology companies but they needed more, and the internet companies said they weren’t getting enough help from the police. Meanwhile, they all agreed that they all needed more training, more knowledge and more skills dealing with cybercrime.

The US and the UK were emphatic on their agreement that the web should be free and open, with keynotes from leaders including US Vice-President Joe Biden and UK Prime Minister David Cameron, but those who might have meaningfully disagreed with them – for instance Russian Prime Minister Vladimir Putin or Chinese President Hu Jintao – were nowhere to be seen.

And anyway, it didn’t matter what any government heads said, because everyone agreed that governments were not, and should not be, in control of the internet. Which rather made you wonder what the point was of them holding forth on the issue.

Not every viewpoint heard

There’s no question that the subject of the internet is a thorny one for governments, individuals and the private sector. Just like in the real world, which as conference speakers kept emphasising is exactly like the online world, there are so many viewpoints and considerations to take into account.

The real problem of the conference was that they didn’t take all these views into account at all. The usual liberal let’s-make-everyone-free-and-democratic-and-spend-lots viewpoint was represented and the arguments were focused on the best way to do that.

So not only did they not make much progress towards the end that most delegates said they wanted, they also ignored the great big swathe of people that will be coming online in the next decade who might not be allowed to want it – or more controversially, might not want it at all.

After all, is democracy working all that well? A lot of people in the enlightened West would say it wasn’t anymore: citizens are voting with their feet by not voting at all. And what was Hague, a former Conservative Party leader, doing sitting on the liberal side of the fence anyway? Oh that’s right, they’ve all decided to camouflage themselves as each other so as not to confuse the public with their differences.

And good old liberal capitalism, is that working out the way we all planned? Again, not too well recently, since the Euro might collapse any day now and there’s a good chance that much-publicised double dip is on its way, while tons of people are still out of work and no one’s spending much any more.

Not that tyranny or communism or socialism or autocracy or religious leadership are necessarily the answer either, but in a debate that doesn’t even make room for other viewpoints, it seems quite unlikely that any new viewpoint that could possibly provide the answer will be considered.

The best takeaway from the whole event was that cyberspace is like the real world, there’s no doubt about that. And like the real world, maybe it’s time for some new ideas rather than the tired rehashing of the old. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/04/no_great_progress_at_lcc/

China outraged by US cyberspying fingering

China is none too impressed with being fingered by the US as a major source of cyber espionage.

The Office of the National Counterintelligence Executive (ONCIX) reported to Congress yesterday that both China and Russia were home to spies who hacked into US government and business networks to get access to its economic super-secrets.

The report did admit that just because an attack had come from an IP address within a country didn’t mean you could necessarily say that country was responsible, but the naming and shaming nonetheless annoyed Beijing.

A Chinese Foreign Ministry spokesman scorned the report in a daily news briefing today and said China wanted to help with cyber-security as much as the next country.

“Online attacks are notable for spanning national borders and being anonymous. Identifying the attackers without carrying out a comprehensive investigation and making inferences about the attackers is both unprofessional and irresponsible,” Hong Lei said, according to a Reuters report.

“I hope the international community can abandon prejudice and work hard with China to maintain online security,” Hong added.

According to the report, “US corporations and cyber-security specialists” have reported an “onslaught of computer network intrusions originating from IP addresses in China”, and they often allege that Chinese companies or the government are behind these attacks.

However, it acknowledges that the “intelligence community has not been able to attribute many of these private sector data breaches to a state sponsor”, often because the incident isn’t reported until ages after it has happened. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/04/china_upset_by_us_spy_claim/

UK.gov digital boss defends ID assurance scheme

The Cabinet Office’s newly installed digital captain has robustly defended the department’s plans to beef up an identity assurance scheme with the help of banks and internet companies.

Mike Braken, skirting over the fact that a new law will almost certainly need to be pushed through Parliament to make such a proposal a reality, is championing the cause.

In a puff piece on the Government Digital Service blog, the ex-Guardianista defended the “federated identity assurance model” by proclaiming that it was “essential for the ‘digital by default’ initiative”.

The crux of his argument is that anonymous online transactions need to be flushed out to help build trust between taxpayers, the government and corporations.

Indeed, as highlighted yesterday with the launch of Google-backed Midata, the Cabinet Office is very keen to create a new digital biz sector with a scheme that, at its heart, is about offloading identity-handling to the private sector while being gift-wrapped in tantalising ‘open data’ goo.

“Many people have described this subject as ‘identity management’,” said Braken. “That is an organisation-centric phrase: a notion that organisations hold data about people and have the responsibility for maintaining it.

“We have to reset the subject around the user and recognise that in the digital age people assert identity in many different ways and contexts.”

But, don’t be entirely fooled, here’s the money shot:

The days of creating different user names and passwords for every new website are numbered, thank goodness. There is a strong desire to work collaboratively across the public and private sectors to develop solutions that meet users’ differing needs.

Braken then cites various examples of why this ID-dealing game isn’t isolated to British shores. It’s an international effort, and the Cabinet Office wants to play.

Many readers of these pages have questioned why Maude’s department is spending £10m and counting on ID assurance, given that there is already a federated model. Government Gateway was created in the New Labour Directgov era as one-login-to-rule-them-all for taxpayers to access gov-related services.

“[A] lot has moved on in the dozen years since Government Gateway was developed and we have a lot of work to do to develop solutions that work for users in the many contexts that they’ll need them,” said Braken.

Comment

This appears to ultimately mean bridging the gap between taxpayers’ usernames and, for example, banks and internet companies – and yes, we’re talking Google, Facebook and other big players in the ID arena.

But can such a vision truly be a reality? Let’s repeat Braken’s words again: “The days of creating different user names and passwords for every new website are numbered, thank goodness.”

Labour, now in opposition and still battle-scarred from its fight for the hated and now-abolished National ID card scheme, is silent about identity assurance for now. Perhaps that’s because it’s an idea dreamed up in the Cabinet Office that is yet to be tested thoroughly even by other government departments within Whitehall.

It’s going to cost Maude’s dept £10m to school the likes of the Departments for Work and Pensions and Business, Innovation and Skills in ID assurance. But what price to the British public if a cluster of “trusted private sector identity service providers” becomes the source of authenticating individuals who want to access gov services online? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/04/mike_braken_id_assurance/

Web credential authority rebuked for ‘poor’ security

Microsoft, Google, and Mozilla will banish yet another web authentication authority from their software after learning that it issued secure sockets layer certificates that could be used to attack people visiting Malaysian government websites.

Digicert Malaysia, an intermediate certificate authority that was certified by parent authority Entrust, issued 22 certificates with weak private keys and other serious deficiencies, the companies said. The lapses, which also included a failure to include revocation details and EKU, or extended key usage, designations, constituted a breach of obligations all CAs are required to follow to ensure the security of the SSL system.

“There is no indication that any certificates were issued fraudulently, however, these weak keys have allowed some of the certificates to be compromised,” Jerry Bryant, a spokesman in Microsoft’s Trustworthy Computing group, wrote in a blog post. “The subordinate CA has clearly demonstrated poor CA security practices and Microsoft intends to revoke trust in the intermediate certificates.”

The public rebuke comes two months after software makers revoked the signing credentials of DigiNotar following revelations the Netherlands-based authority suffered a colossal security breach that allowed attackers to mint 531 bogus certificates for high-profile services. At least one of the counterfeits was exploited to spy on more than 300,000 Google Mail users in Iran.

In March, a security breach on a certificate reseller of rival CA Comodo resulted in the forgeries of credentials for many of the same domains, which in addition to Gmail, included Skype, Mozilla add-ons, and Microsoft update. Four months ago, another CA, Israel-based StartSSL, also said it was hacked, although the attackers were unable to obtain certificates that would allow them to spoof websites in a similar fashion. At least four other CAs have reported being compromised since June.

Entrust, the US-based CA whose imprimatur authorized Digicert Malaysia, said in its own blog post that it also planned to remove that trust. A separate advisory from Mozilla is here. This Chromium update indicates that Google is taking similar steps, and a spokesman confirmed the company also intends to revoke trust in the Malaysian CA.

The omissions of Digicert Malaysia appear to be a serious violation of CA security standards. Its use of 512-bit keys, for instance, stands in stark contrast to the minimum requirement that keys be at least twice that length. What’s more, the lack of revocation information makes it harder to recall Digicert Malaysia certificates if they’re found to be flawed, and the failure to include EKU information allows them to be abused in ways that otherwise wouldn’t be possible.
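An added defender-side check (example code written for this page, not Microsoft’s, Mozilla’s or Entrust’s tooling) that audits a parsed certificate for the three lapses just described: an RSA modulus under the 1024-bit minimum, no revocation pointers, and no EKU. It builds its own throwaway issuer and two sample leaves so it runs offline; the issuer name and URLs are constructed, and the 512-bit public key is fabricated by modulus length alone because recent Go versions refuse to generate such keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const minRSABits = 1024 // CA baseline the article cites: twice the 512 bits Digicert Malaysia used

// AuditCert applies the three checks the article's lapses map to: RSA key length,
// revocation information present, Extended Key Usage present. An empty result passes.
func AuditCert(c *x509.Certificate) []string {
	var problems []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		problems = append(problems, fmt.Sprintf("weak RSA key: %d bits, minimum %d", pub.N.BitLen(), minRSABits))
	}
	if len(c.CRLDistributionPoints) == 0 && len(c.OCSPServer) == 0 {
		problems = append(problems, "no revocation information (no CRL distribution point, no OCSP responder)")
	}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		problems = append(problems, "no Extended Key Usage extension")
	}
	return problems
}

// fakeRSAPublicKey fabricates a public key whose modulus is exactly `bits` long (2^(bits-1)+1)
// without generating a key pair: recent Go refuses 512-bit keys, and the audit only measures N.
func fakeRSAPublicKey(bits int) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).SetBit(big.NewInt(1), bits-1, 1), E: 65537}
}

// makeIssuer creates a throwaway ECDSA CA (constructed name) used only to sign the sample leaves.
func makeIssuer() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Audit Issuer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// SampleLeaf issues a leaf for pub; deficient=true omits revocation pointers and EKU as in the article.
func SampleLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *rsa.PublicKey, deficient bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if !deficient {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.CRLDistributionPoints = []string{"http://crl.example.test/ca.crl"} // constructed URLs
		tmpl.OCSPServer = []string{"http://ocsp.example.test"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, key, err := makeIssuer()
	if err != nil {
		panic(err)
	}
	weak, _ := SampleLeaf(ca, key, fakeRSAPublicKey(512), true)
	good, _ := SampleLeaf(ca, key, fakeRSAPublicKey(2048), false)
	fmt.Println("deficient leaf:", AuditCert(weak)) // three findings
	fmt.Println("compliant leaf:", AuditCert(good)) // []
}
```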

“An attacker could use one of these weak certificates to impersonate the legitimate owners,” Mozilla’s statement warned. “This could deceive users into trusting websites or signed software appearing to originate from these owners, but actually containing malicious content or software.”

The 22 certificates belonged to a “mix of Malaysian government websites and internal systems.”

Digicert Malaysia’s banishment is effective Tuesday. It’s not clear if that means the certificates are susceptible to abuse until then. Digicert Malaysia has no affiliation to Digicert Inc. based in Utah. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/certificate_authority_banished/

US, Europe throw their very first joint cyber-war party

The EU and the US on Thursday conducted their first ever cyber security exercises designed to coordinate responses to attacks on critical infrastructure.

Security experts from the US and 27 EU member states were involved in the drill, which simulated crises affecting national security. In the first scenario, a targeted attack burrowed into the network of an EU country and stole sensitive data there. In the second, an industrial control system used to manage machinery in a power plant was attacked, in an attempt to disrupt its operations.

The goal of the operation – which was organized by ENISA, or the European Network and Information Security Agency, and the Department of Homeland Security – was to identify weaknesses in critical infrastructure and learn how security professionals in different countries could rapidly develop an effective response. The exercise was similar to the Cyber Storm drills regularly run by the US and last year’s pan-European cyber security exercise.

ENISA has more here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/04/joint_us_europe_cyber_war_drill/

Microsoft releases temporary fix for critical Windows bug

Microsoft has issued a temporary fix for a critical Windows vulnerability that has already been exploited to install highly sophisticated malware that targeted manufacturers of industrial systems.

In an advisory issued late Thursday, Microsoft said the previously unknown flaw in the Win32k TrueType font-parsing engine affected every supported version of Windows, including Windows 7 and Windows Server 2008, which are the most secure to date. The critical vulnerability was recently exploited to spread Duqu, malware that some researchers say was derived from last year’s Stuxnet worm that sabotaged Iran’s uranium enrichment program.

“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” the advisory warned. “The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The accompanying Fix it is designed to protect against exploits until a permanent patch is issued. The company didn’t indicate when that would happen, except to say it wouldn’t be before next Tuesday’s regularly scheduled security update release.

Jerry Bryant, a spokesman in Microsoft’s Response Communications and Trustworthy Computing groups, said here that the company has already shared technical details with security partners.

“This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability,” he explained. “Therefore, we encourage customers to ensure their antivirus software is up-to-date.”

He went on to say risk of exploitation remains low.

“However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/04/duqu_vuln_fix/

China, Russia called out as cyberspy hotbeds

Russia and China are using cyber-espionage to steal the US’s tech and economic secrets, according to a government report.

Image caption: Cold War intelligence report

The Office of the National Counterintelligence Executive (ONCIX) presented the report (PDF) to Congress on Thursday, which claimed that both “adversaries” and “partners” were sticking their nose into government and business computers.

“Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect US technological and economic information will continue at a high level and will represent a growing and persistent threat to US economic security,” the report said, eschewing any attempts at modesty.

The report, which was titled Foreign Spies Stealing US Economic Secrets in Cyberspace and covered 2009 to 2011, singled out China as a place where cyber intrusions often originated, although it didn’t specifically finger the country’s government.

“Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the intelligence community [or the IC as the report offhandedly acronyms it]* cannot confirm who was responsible,” the office said.

Russia was another country to be named and shamed by ONCIX for pervasive cyber threats.

“Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets,” the report pointed out.

However, “US allies and partners” weren’t above a bit of pottering about in US networks looking for the odd tidbit either.

“Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence [another lovely acronym – HUMINT] tactics. Some of these states have advanced cyber capabilities,” ONCIX said.

The office rather obviously pointed out that stealing secrets in cyberspace was a lot easier than attempting to sneak out of offices carting folders, and as a result the US was suffering millions of dollars in losses from thieved classified information.

And it is not predicting that things will get much better either. Cloud computing and the proliferation of devices connected to the internet are both a concern, and “the IC anticipates that China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies”.

The report said China would continue to be driven to espionage by its policy of “catching up fast and surpassing Western powers”.

It said an “emblematic” programme in this drive was Project 863, which according to China is intended to “boost innovation capacity in the high-tech sectors, particularly in strategic high-tech fields, in order to gain a foothold in the world arena”, and according to the report “provides funding and guidance for efforts to clandestinely acquire US technology and sensitive economic information”.

ONCIX also points to possible future risks from different countries “as a function of international economic and political developments” and the risks from non-state actors such as terrorist groups, hacktivists and hackers for hire.

Bootnote

* In case you’re wondering why the US might need an acronym for the intelligence community, it might be because of the dizzying array of groups that make it up. To put this report together, ONCIX gathered inputs and reports from “many US government agencies, including the Air Force Office of Special Investigations (AFOSI), Army Counterintelligence Center (ACIC), Central Intelligence Agency (CIA), Defense Intelligence Agency (DIA), Defense Security Service (DSS), Department of Energy (DoE), Department of Health and Human Services (HHS), Department of State (DoS), Federal Bureau of Investigation (FBI), National Geospatial-Intelligence Agency (NGA), National Reconnaissance Office (NRO), National Security Agency (NSA), and Naval Criminal Investigative Service (NCIS)”. And that’s just the ones it’s happy to name… ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/china_russia_cyber_spies/