STE WILLIAMS

Adobe: crashing 100 million machines not an option

The vast majority of time Adobe spends patching zero-day vulnerabilities in its ubiquitous Reader and Flash Player applications is devoted to making sure the fixes won’t cause catastrophic crashes on end-user machines, the company’s security chief said.

“The last thing we want to do is ship a release that blue screens hundreds of millions of machines,” Brad Arkin, Adobe’s senior director of product security and privacy, told people attending the Qualys Security Conference in San Francisco on Friday. He was referring to the blue screens many computers display after suffering serious software errors. “This would be truly awful. That is something we absolutely can never afford to happen.”

Adobe’s senior director of product security and privacy, Brad Arkin

He said it takes Adobe developers anywhere from 20 minutes to eight hours to develop a patch once they’ve identified the code that’s being exploited in an attack used to remotely install malware on end users’ machines. The remainder of the time – typically about 6,000 man hours in the case of a fix for a zero-day vulnerability in Reader – is spent testing the new version on each operating system it runs on, to make sure there are no incompatibilities.

In early 2009, it took 10 weeks from the time Adobe learned a vulnerability was under attack to the date it shipped a fix. Since then, the company has worked on ways to shorten that span. It recently took the development team about 72 hours, a record, Arkin said.

With the vast majority of computers running Windows, OS X, Linux, and Solaris also running Adobe software, there’s a lot riding on the security of Flash and Reader. A previously unknown vulnerability in Flash was the beachhead attackers used to penetrate RSA Security in March and make off with sensitive data that reduced the effectiveness of the SecurID tokens 40 million employees use to access sensitive corporate and government networks.

Arkin said Adobe is also working to make it easier to install security patches. In the next several months, the company will introduce a new update mechanism for Flash that will upgrade the application for all browsers at once. Currently, Windows machines with more than one browser must be upgraded twice, once for Internet Explorer and again for the other browsers. Arkin said that behaviour was a hold-over from the days when most users had slow internet connections and wouldn’t tolerate the larger file sizes that an update covering all browsers would require. With faster connections now, that’s no longer a problem.

“The more users in the consumer environment that get updated effortlessly, the less attractive the target is to the bad guys who are investing money in the exploit,” he said. “Staying up-to-date is really absolutely critical for our users.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/03/adobe_security_updates/

HTC Android handsets spew private data to ANY app

A data logger pushed out by HTC to Android handsets has opened up a vulnerability allowing any app with internet permissions to access private customer information.

The vulnerability was spotted by Trevor Eckhart, who informed HTC about it and waited five days for a response. Following that he decided to go public and gave Android Police the details along with demonstration code and a video showing how an application that is supposed to see almost nothing can now see almost everything.

So an application that is supposed to be restricted to accessing the internet – a common ability requested by freebie apps to collect advertisements – can also access the user’s location and details of all their synchronised accounts, not to mention the list of running tasks, the state of Wi-Fi connections, and system logs.

The data is being collected by a system package called HtcLoggers.apk, installed by HTC onto a range of Android handsets for reasons that aren’t clear. That logging package accumulates data all the time, but it also has an accessible interface that other applications can use to request specific information – it even has a “help” command for those who don’t know what it is they want to know.

The information provided includes a load of system information as well as the account and location data, which is probably most sensitive, and the internet privileges requested also mean the application can send the data off to parts unknown, which is nice.

Eckhart has produced a demonstration app, and is asking those with HTC handsets to take a look and help establish how widespread HtcLoggers.apk is.

When looking closely at what HTC had installed he also stumbled across the scarily named androidvncserver.apk (VNC being a remote-control protocol), but hasn’t found any way to activate it as yet so this could be a red herring.
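
Eckhart’s request above is a check anyone with adb can run themselves. The script below is an added example, not Eckhart’s code or HTC’s: it parses the output of `adb shell pm list packages -f` and flags the two APK names the article mentions, noting whether each sits on the /system partition, where a user cannot remove it without root. The sample output and the package names to the right of the `=` are constructed placeholders; the article gives only the APK file names.

```python
import re

# APK file names the article ties to the HTC logging issue. androidvncserver.apk is
# flagged more cautiously: the page reports it was found but could not be activated.
SUSPECT_APKS = {
    "HtcLoggers.apk": "HTC logger with a local interface any INTERNET-permission app can query",
    "androidvncserver.apk": "VNC server present; no activation path found, treat as a question mark",
}

# `pm list packages -f` prints one line per package: package:<apk path>=<package name>
PKG_LINE = re.compile(r"^package:(?P<path>\S+?\.apk)=(?P<name>\S+)$")


def parse_pm_list(output: str):
    """Turn `adb shell pm list packages -f` output into (apk_path, package_name) pairs."""
    pkgs = []
    for line in output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkgs.append((m.group("path"), m.group("name")))
    return pkgs


def find_suspect_packages(output: str):
    """Flag known-suspect APKs and record whether they live on /system (not removable without root)."""
    hits = []
    for path, name in parse_pm_list(output):
        apk = path.rsplit("/", 1)[-1]
        if apk in SUSPECT_APKS:
            hits.append({
                "apk": apk,
                "path": path,
                "package": name,
                "system": path.startswith("/system/"),
                "note": SUSPECT_APKS[apk],
            })
    return hits


# Constructed sample output. The package names right of the '=' are placeholders,
# not the real HTC package names, which the article does not give.
SAMPLE_PM_OUTPUT = """\
package:/system/app/HtcLoggers.apk=com.example.htc.loggers
package:/system/app/androidvncserver.apk=com.example.htc.vncserver
package:/system/app/Settings.apk=com.android.settings
package:/data/app/com.example.freegame-1.apk=com.example.freegame
"""

if __name__ == "__main__":
    for hit in find_suspect_packages(SAMPLE_PM_OUTPUT):
        where = "system image" if hit["system"] else "user-installed"
        print("%s (%s, %s): %s" % (hit["apk"], hit["package"], where, hit["note"]))
```

To use it on a real handset, pipe `adb shell pm list packages -f` into `find_suspect_packages`. A hit on /system means the only remedies are a firmware update from HTC or rooting the device, which is why the article’s advice about free downloads is the practical one in the meantime.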

We don’t know because HTC isn’t saying. The company gave us a statement saying it is aware of the accusations and is looking into them, and that it is “taking customers’ security seriously”. But HTC received notification a week ago, and didn’t respond to that information until it was made public.

The breach is a serious one, particularly given that free apps so often ask for internet privileges to collect embedded adverts. Such an app could now harvest data for spear phishing or similar, and given the publicly available demonstration code it would be naive to think someone isn’t working on that right now.

So if you’ve an HTC Android handset then it’s probably worth laying off the free downloads, at least until HTC has something more useful to tell us. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/03/htc_android_security/

Anonymous Twitter alternative developed for rioters

After discovering that BBM and their Twittery playthings fed straight into the hands of the cops, smartphone-toting revolutionaries have taken up a new type of instant messaging – Vibe.

Like Twitter in that it is open and lets you mass-message, Vibe is unlike Twitter in that all messages or “vibes” are anonymous. You can set how far you want them to be available too, from 15 metres to global. Anonymous here means anonymous to other users: to deliver a message only within a chosen radius, the service itself still has to learn where the sender is.

The messages self-destruct after a set period of time: from 15 minutes to forever. That makes it much more attractive to those who want to bring down the Man via the medium of street protest, but don’t want the Man, or their mothers, or the police looking at twitpics of themselves jumping up and down on burning bin-bags.

According to the New York papers, Vibe is now the instant messaging app of choice for the protesters at Manhattan’s #OccupyWallStreet.

Though it is innocently described on the iTunes store as a good way to chat to other people near you at football games or conferences, developer Hazem Sayed is actively keen for his app to be adopted by the protesters – flying out to the Manhattan protest from California with leaflets about his app explaining its uses.

It seems to be catching on. The NY Daily News interviewed protester Drew Hornbein, a member of the camp’s Internet Committee, who explained its uses to the paper:

“Let’s say you’re protesting and someone up ahead sees that the cops are getting ready to kettle people, they can send out this vibe that only lasts a few minutes that says, ‘Cops are kettling’,” said Hornbein.

“It’s anonymous too, so not only are you able to send out relevant information to a small radius, but it also disappears, there’s no record of it, so no one can come after the person who sent it.”

Another social media platform for Theresa May to worry about. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/03/vibe_anonymous_twitter_for_anarchists_occupy_wallstreet/

Dozens of firms vie for £1bn crim tagging contracts

Ministers are preparing for a massive expansion in electronic tagging of offenders, with private security companies being invited to bid for more than £1bn worth of contracts in October, reports the Guardian.

The use of electronic tagging has grown rapidly since it was first used in 1999 by courts in England and Wales to enforce curfews. Now more than 20,000 offenders are monitored by private security firms on any given day.

The current eight-year contracts, which are held by G4S and Serco electronic monitoring services, are due to end shortly. The Ministry of Justice says more than 30 companies have expressed an interest in competing for the new contracts when bids are invited this October.

Fewer than 3,500 electronic tagging orders were made in 1999, a figure that rose to cover more than 70,000 people last year. It is estimated that more than 450,000 people in England and Wales have spent time electronically tagged over the past decade.

The justice secretary, Kenneth Clarke, is planning a further significant expansion in the use of tagging as part of his drive to improve public confidence in alternatives to prison. His sentencing and punishment bill, which is now before parliament, will give the courts powers to extend the tag curfew limit from 12 hours a day to 16. The bill also proposes doubling the length of a curfew order from six to 12 months.

The extension of tagging comes as G4S prepares to take over the Victorian inner city prison at Winson Green, Birmingham, this weekend, the first in the UK to be transferred from the public to private sector. Serco is about to start the first “payment by results” offender services pilot scheme at Doncaster prison with similar schemes to follow at eight more prisons. Plans for the largest-ever wave of jail privatisation with nine public sector prisons being put out to tender this autumn have already been announced.

Only last week the justice minister, Lord McNally, warned a Liberal Democrat conference fringe meeting of the danger of a “semi-monopoly” developing with the largest security companies, such as G4S and Serco, winning the majority of justice contracts.

The main form of tagging used in England and Wales involves the offender wearing a tag around their ankle or wrist which sends a signal back to a monitoring unit at their home address. A text message-style signal is sent to the company’s monitoring centre if the offender breaks the circuit by leaving home during the curfew hours. Tagging is used both as a community penalty and to monitor prisoners released early on home detention curfews.

The latest expansion in tagging comes despite official statements that electronic tags have no impact in reducing the reoffending rates of criminals, and despite contractual penalty payments of more than £273,000 over the past four years by G4S and Serco for service failures.

“The re-competition [sic] of these contracts offers the market an opportunity of significant scale (based on current spend, the total contract value is likely to be in the region of £1bn),” says the Ministry of Justice in its latest competition strategy document.

Ministers hope the new contracts will cut the current unit cost of £1,063 for a 90-day adult curfew and £1,935 for a 120-day juvenile curfew.

“The expected reductions in the unit cost of delivery are likely to provide significant opportunities for both savings and service improvement. This will also provide opportunities for greater involvement of small and medium enterprises – in this case, companies offering innovative tagging technology,” says the strategy.

Up until now more ambitious uses of electronic tagging, such as satellite tracking and voice verification to monitor an individual’s daily movements, have been limited by the impact of tall buildings on the patchy mobile phone networks the system relies on.

The Ministry of Justice has always maintained that tagging provides the courts with a credible alternative to prison. But ministers admitted to MPs two years ago: “Current evidence suggests that electronic monitoring has a neutral effect on reoffending. However, international research does suggest that it can be effective in helping to ensure compliance with other, more rehabilitative, community penalties.”

Harry Fletcher of Napo, the probation service union, said he was shocked that tagging had become a £1bn industry: “There is no evidence that tagging has any impact on reducing crime. It is also very expensive, with a 90-day tag costing £1,100 to the taxpayer. That is for an outlay of only £400 to £500 assuming only one call-out to the offender for each order. So there is a huge markup,” he said. ®

This article was originally published at Guardian Government Computing.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/03/electronic_tagging/

Provider: Anti-piracy ruling has ‘killed Usenet’

Europe’s biggest Usenet provider News-Service Europe (NSE) says anti-piracy organisation BREIN has “killed Usenet”. The Dutch provider this week lost a landmark case brought by BREIN, in which it was ordered to remove all pirated content or risk a fine of €50,000 per day.

“It is technically as well as economically impossible to check the contents of the 15 to 20 million messages that are exchanged on a daily basis,” NSE said in a statement. “There is no automated way of checking whether Usenet messages contain copyrighted material or whether permission has been obtained for the distribution of such material. Consequently, we see no way of complying with this verdict. Furthermore, the verdict endangers our very existence as a company, and is a threat to Usenet itself.”

NSE CEO Patrick Scheurs says the verdict came as a big surprise. Under the Dutch Civil Code, he argues, internet service providers cannot be held liable for copyright violations by their users, but the judge chose to ignore this legal framework altogether.

However, BREIN managing director Tim Kuik says the verdict affects a “major pillar” of Usenet. BREIN estimates at least 80 per cent of binaries shared through Usenet are illegal. “NSE knows this, but doesn’t want to invest in technology to remove illegal content. Which isn’t surprising, because this is what makes Usenet attractive.”

BREIN says it does not want to take down Usenet, just wants the large-scale copyright infringement to end. Earlier this year BREIN already won a case against FTD, the Netherlands’ largest Usenet community, which allowed its members to index the location of content on newsgroups. Now BREIN wants to form partnerships with payment processors such as PayPal in order to “strangle the finances of file-sharing sites”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/provider_claims_court_verdict_marks_the_end_of_usenet/

Pandemonium as Microsoft AV nukes Chrome browser

Users of Google’s Chrome browser are in an uproar after antivirus software from Microsoft classified it as a virulent piece of malware that should be deleted immediately.

On Friday, a faulty signature update for both Microsoft Security Essentials and Microsoft Forefront incorrectly detected the Chrome executable file for Windows as a component of the notorious ZeuS trojan, one of the better-known pieces of malware used to steal victims’ bank account credentials. Microsoft fixed the problem a few hours later, but by then the false positive had left huge numbers of Chrome users without bookmarks and browser plugins they rely on to access commonly used webpages and services.

“Worst impact has been for people who are long-time chrome users, as all of their bookmarks and sessions are configured in chrome,” one affected Reg reader wrote in an email. “Most annoying is the required reboot which causes productivity loss, esp for people who run VMs and such on their desktop as it can take a while to get everything back up and going.”

The reader, who asked not to be named because his employer forbids him from speaking to the press, said Chrome’s beta version is unaffected, making it a suitable substitute until Microsoft can correct the error. A separate Chrome user said in a Chrome support forum thread that “Chrome users that do not send usage statistics to Google are unaffected.”

It was impossible to immediately verify those claims. A Google spokesman declined to confirm or provide any details, and a Microsoft statement also omitted details. A Microsoft advisory reported that an “incorrect detection for PWS:Win32/Zbot” had been identified, but made no reference to Chrome. Zbot is another name used to identify ZeuS.

According to other people participating in the Chrome support forum, the false positive is causing plenty of teeth-gnashing in IT departments.

“Pleasepleaseplease someone come up with a solution to this!” a user with the alias maganam wrote. “The tech department in my office is stumped and I’m going crazy trying to work on Firefox!”

After this article was first published, a Microsoft spokeswoman released a statement that read in part: “We have already fixed the issue — we released an updated signature (1.113.672.0) at 9:57 a.m. PDT — but approximately 3,000 customers were impacted. Affected customers should manually update Microsoft Security Essentials (MSE) with the latest signatures. To do this, simply launch MSE, go to the update tab and click the Update button, and then reinstall Google Chrome. We apologize for the inconvenience this may have caused our customers.” ®
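
Microsoft’s statement gives one actionable fact: the fixed signature set is 1.113.672.0. The script below is an added example, not Microsoft’s tooling or anything from the article, showing how to triage a fleet of reported signature versions against that number. It treats anything older than the fixed version as still needing the update, which is the conservative reading of the statement, since the faulty signature’s own version is not given; the hostnames and versions in the inventory are constructed. It also shows why the comparison has to be numeric: as a string, "1.113.1000.0" sorts before "1.113.672.0".

```python
# Signature version Microsoft named as carrying the fix (from the statement above).
FIXED_SIGNATURE = "1.113.672.0"


def parse_signature_version(text: str):
    """Split a dotted MSE/Forefront signature version into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected signature version: %r" % text)
    return tuple(int(p) for p in parts)


def has_fixed_signatures(installed: str, fixed: str = FIXED_SIGNATURE) -> bool:
    """True when the installed signature set is the fixed one or newer (numeric compare)."""
    return parse_signature_version(installed) >= parse_signature_version(fixed)


def hosts_still_exposed(inventory: dict) -> list:
    """Given {hostname: signature version}, return the hosts still on pre-fix signatures."""
    return sorted(h for h, v in inventory.items() if not has_fixed_signatures(v))


# Constructed inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "ws-finance-01": "1.113.656.0",
    "ws-finance-02": "1.113.672.0",
    "ws-dev-07": "1.113.1000.0",
    "ws-hr-03": "1.112.2210.0",
}

if __name__ == "__main__":
    print("still exposed:", hosts_still_exposed(SAMPLE_INVENTORY))
    # A plain string comparison gets 1.113.1000.0 wrong because '1' sorts before '6'.
    print("string compare says 1.113.1000.0 < 1.113.672.0:", "1.113.1000.0" < "1.113.672.0")
```

The inventory would normally come from whatever reports MSE or Forefront signature versions in your estate; the point of the example is the comparison, not the collection. Hosts the function returns are the ones to push the manual signature update and Chrome reinstall to first.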

This article was updated to include comment from Microsoft.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/microsoft_nukes_google_chrome/

Nominet suspends fake pharma domains

Nominet, the .uk address registry, has suspended hundreds of internet domain names as part of a global police crackdown on crime gangs peddling fake pharmaceuticals.

Operation Pangea IV saw almost 13,500 websites taken down and dozens of suspects arrested in 81 countries, according to Interpol, which coordinated the swoop.

Over 2.4 million potentially harmful counterfeit pills, worth about £4m, were seized in raids between 20 and 27 September, Interpol said. Confiscated medicines included everything from diet pills to anti-cancer drugs.

Cops worked with customs agencies, ISPs, payment processors and delivery companies to close down the allegedly criminal operations, Interpol said.

In the UK, Nominet acted upon advice given by the Medicines and Healthcare products Regulatory Agency and the Police Central e-Crime Unit to suspend about 500 .uk domains, according to director of operations Eleanor Bradley.

While the domains were not “seized” as some have been in the US in recent months, suspending a domain stops it from resolving, essentially shutting down the associated website.

Bradley said that Nominet worked with its registrar partners to shut down the domains, which were all in “clear breach” of either Nominet’s or the registrar’s terms and conditions.

“If we didn’t think it was in specific breach of our terms of conditions, we would take no action against the domain name,” Bradley said.

As it has on previous occasions, Nominet was able to shut down the addresses because their owners had provided bogus contact information for the Whois records, in violation of the registration agreement.

Nominet is also in the late stages of a policy development process that will formalise the ways in which law enforcement agencies can ask for domain names to be taken down, without a court order if they are believed to be hosting criminal content.

The process could be completed, and a policy implemented, before the end of the year. A Nominet working group recently held a period of public comment before finalising its recommendations.

It is not currently clear whether domain registries in other countries also cooperated with their local law enforcement agencies as part of Pangea IV, or whether police worked with web hosting providers instead.

A spokesperson for VeriSign, the registry for .com and .net, which has previously enabled the US Immigration and Customs Enforcement agency to seize domains under court order, could not confirm or deny the company’s involvement in the crackdown in time for this article’s publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/nominet_suspends_fake_pharma_addresses/

Telcos cough mobe tracking habits

The American Civil Liberties Union has compiled 381 information requests to establish who is slurping information from phone networks and what they’re finding out.

The initial data reveals huge disparities between operators when it comes to how much information is stored and what is made available to the authorities. AT&T, for example, knows everywhere its customers have been since July 2008, and the details of every text message sent in the last five years, not to mention keeping videos of punters in its stores for a couple of months. All for the good of the people obviously.

Other operators clearly have smaller hard drives. Verizon deletes historical locations after a year, but does keep the contents of text messages for a few days. Virgin Mobile hangs onto text message content for three months, though it promises to only reveal them when presented with a search warrant. The other operators keep the details of the messages, but not the messages themselves.

In Europe, our rules on data retention are pretty standard: everything gets stored for six months and is available to the plod on request. That’s currently being challenged in Germany, but American operators work under no such mandated obligation. The details over who gets access to what information can be decided on a state-by-state basis, which is why the ACLU has had to ask so many organisations what they’re asking for and when.

The fact is that every one of us is voluntarily carrying a tracking device, all the time, as perfectly demonstrated by Malte Spitz, who plotted his own movements on an interactive map having extracted them from his network operator. A mobile phone is now the second thing police pull from a corpse, after the wallet, yet it is the more valuable of the two because it can establish movements prior to death. Concerns over misuse of the information are growing, however.

The ACLU has shown what operators know, and is in the process of finding out with whom they share that data, but it’s up to citizens to decide if they care enough to do anything about it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/aclu_phone_logging/

Air traffic control data found on eBayed network gear

A switch holding networking configurations and passwords for a UK air traffic control centre was offered for sale on eBay, raising serious security concerns.

The £20 Cisco Catalyst switch was bought by security consultant Michael Kemp, co-founder at Xiphos Research Labs, who quickly discovered that it had been used at the National Air Traffic Services (NATS) centre in Prestwick by contractor Serco. Data on the switch included supervisor credentials, internal VLAN and other networking configurations and upstream switch addresses, as well as domains, gateways and syslogs.

“For twenty quid, I have got full switching details (and creds) for a switch that was in use (managed by Serco) two years ago to help keep planes in the air at Prestwick,” Kemp explained. “Obviously this is a security fail, especially as the seller had 13 of the units that may well have come from the same estate.”

Kemp published a screenshot of the configuration screen of the kit he bought, with Serco branding clearly visible.

Offloading kit onto eBay with data pertaining to estates that manage critical national infrastructure is obviously undesirable and may have practical consequences, Kemp told El Reg.

“Practical consequences are hard to call,” Kemp explained. “But we have full details of their internal VLAN estate, SNMP community strings (read and write, named after aircraft funnily enough), some idea about password composition, VTP Trunk info and password, and details of upstream switching.

“Basically what that means is that we could wander up to Prestwick and be Serco for a bit, slot in our own switch (with no outside, adult help) and control all traffic that was switched over it.

“It’s bloody unlikely, but the configs in question basically give us a lot of data regarding the internal composition of Prestwick ATC,” Kemp concluded.

The problem wouldn’t have arisen if the configuration data on the Cisco switches, which is stored in flash memory, had been purged prior to the sale. “It should be standard practice to overwrite all such data prior to appliances going out into the wild,” Kemp commented, adding that it was probable that laziness was behind the failure to follow adequate security procedures.
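
Kemp’s point about purging configs before disposal is worth making concrete. The script below is an added example, not Kemp’s or Xiphos’s code: it scans a saved IOS `show running-config` for the items a buyer would harvest first (SNMP community strings, `password 7` credentials, `enable secret` hashes) and decodes any `password 7` values, because Cisco’s type 7 scheme is a fixed XOR against a long-public key rather than encryption. The sample config is constructed and contains nothing from the Prestwick switch; the only value not made up here is the textbook `0822455D0A16`, which decodes to `cisco`.

```python
import re

# Cisco's fixed type 7 translation key. It has been public for many years,
# which is why a "password 7" string in a leaked config is as good as plaintext.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Reverse a Cisco 'password 7' string: two-digit seed, then XORed hex bytes."""
    seed = int(enc[:2], 10)
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def encode_type7(plain: str, seed: int = 0) -> str:
    """Inverse of decode_type7, used here only to build constructed sample data."""
    return "%02d" % seed + "".join(
        "%02X" % (ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, c in enumerate(plain)
    )


# Patterns for the config lines that matter most once a switch leaves your control.
TYPE7_RE = re.compile(r"^(.*?)\s*password 7 ([0-9A-Fa-f]+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?")
SECRET_RE = re.compile(r"^enable secret (\d) (\S+)")


def scan_config(config: str):
    """Return (kind, context, value) findings for credentials in an IOS config dump."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = TYPE7_RE.match(line)
        if m:
            # Context is whatever preceded 'password 7' (e.g. 'enable', 'username ...');
            # empty context means an indented password under a 'line' block.
            findings.append(("type7", m.group(1), decode_type7(m.group(2))))
            continue
        m = SNMP_RE.match(line)
        if m:
            # Community strings sit in the config in the clear; RW gives config write access.
            findings.append(("snmp-community", m.group(1), m.group(2) or "RO"))
            continue
        m = SECRET_RE.match(line)
        if m:
            # Type 5 is salted MD5: not decodable here, but crackable offline.
            findings.append(("hashed-secret", "enable secret type " + m.group(1), m.group(2)))
    return findings


# Constructed sample config. Nothing here is from the Prestwick switch.
SAMPLE_CONFIG = """\
hostname lab-access-sw1
!
enable secret 5 $1$Zx9q$NotARealHashJustSampleData.
enable password 7 03374C5A120C297C4F1A0A
!
username netops privilege 15 password 7 0822455D0A16
!
snmp-server community lab-read RO
snmp-server community lab-write RW
!
line vty 0 4
 password 7 03374C5A120C297C4F1A0A
 login
!
vlan 100
 name ops-lan
"""

if __name__ == "__main__":
    for kind, context, value in scan_config(SAMPLE_CONFIG):
        print("%-15s %-30s %s" % (kind, context or "(line block)", value))
```

Run it against the saved config of any switch about to leave your control; whatever it reports is what the buyer gets for twenty quid. Type 5 `enable secret` hashes are only flagged, not decoded, but they are salted MD5 and crackable offline, so they should be rotated too. On IOS the disposal step is `write erase` (or `erase startup-config`) plus `delete flash:vlan.dat` to remove the VLAN and VTP database, then a reload and a `show startup-config` to confirm nothing is left.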

Kemp informed Serco of the breach several weeks before going public with his discovery. A NATS spokesman downplayed the significance of the breach, telling Channel 4 News that the data contained on the switch “in no way formed part of air traffic control operations”.

In a statement, NATS told Channel 4 News: “We have a contract with a specialist firm to handle the secure destruction and disposal of our equipment. We are investigating with them why equipment that we have a destruction certificate for was subsequently sold online.

“As soon as Mr Kemp alerted us to what he had found on the switch – which had been used only in non-operational and non-safety critical systems – we ensured that the integrity of our business systems was further enhanced. At no time were those business systems at risk.

“This equipment does not form part of our operational air traffic control systems.”

The switch bought by Kemp was part of a batch of 13. A NATS spokesman told Channel 4 News that unspecified actions taken since the breach came to light “negate anything on those switches”. Hopefully that means that air traffic control has changed its passwords and settings, hopefully to something more secure, as well as reviewing its kit disposal policies.

Kemp highlighted the incident as part of a presentation on critical national infrastructure protection at the GrrCon conference in Michigan earlier this month, entitled When I Grow Up I want to be a Cyberterrorist. Kemp bought the Cisco switch because he needed it to help run the network at his office rather than as part of a targeted research project looking at what pieces of interesting information might have been left on secondhand networking kit.

“Before installation I noticed the NATS label on the back, and thus investigated further,” Kemp explained. “It wasn’t bought to be reviewed, it was bought to be used but the universe dropped it in my lap.” ®

Bootnote

The security risks created by auctioning off secondhand PCs without wiping computer disks first are well documented. eBayed networking kit poses similar but less well publicised risks. Previous examples include an auctioned secondhand piece of networking kit that automatically connected to the internal network of Kirklees Council in Yorkshire, an issue that cropped up in 2009.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/nats_switch_fail/

Facebook spurns privacy probe as ‘routine audit’

Facebook’s international headquarters are in Dublin, Ireland, where the company just so happens to face a regulatory probe into the handling of personal data on the social network.

According to the RTE, the Irish data protection commissioner will carry out a privacy audit of the site in November.

That’s potentially a big deal, because Facebook’s presence in Dublin is much more dominant than anywhere else in Europe.

The company farms all the data it stores back to its spiritual homeland in the US, but a privacy audit in Ireland is significant as it’s not only Facebook’s major EMEA bolthole, but is also the nearest responsible data protection authority outside of the firm’s US head office.

It’s important to note, however, that Facebook isn’t breaching European law when it makes stealth changes to its technology that cause upset among its 800 million-strong stalkerbase.

Last week the company fielded lots of complaints from users unhappy with the latest redesign of Facebook, which included Mark Zuckerberg’s creepy concept of “frictionless sharing”, meaning the display of an individual’s entire life history as chronicled on the network.

An Austria-based collective called Europe versus Facebook filed 22 complaints with the Irish data protection commissioner.

Among other things, the group griped about Facebook’s “Like” button that – it was revealed by Oz blogger Nik Cubrilovic – carried cookies that included unique information after people had logged out of the dominant social network.

Facebook said it had “quickly” fixed the issue, but insisted there was no privacy or security breach.

“Like every site on the internet that personalises content and tries to provide a secure experience for users, we place cookies on the computer of the user,” it told The Register earlier this week.

Irish deputy data protection commissioner Gary Davis told the FT that his office would investigate Facebook’s operation outside of the US and Canada.

“This audit will examine the subject matter of the complaint but also will be more extensive and will seek to examine Facebook’s compliance more generally with Irish data protection law,” he added.

According to the RTE, a report on the outcome of that probe won’t be published until the end of 2011.

Facebook’s European policy director Richard Allan has previously called for self-regulation and the development of industry standards rather than for people to get stuck in “a debate on principles about data protection law each time”.

Despite the howls of protest against the immensely popular network, Brussels has limited power over how Facebook operates in Europe while siphoning the data it gathers to the US.

Regulators hope to close the loophole with the reform of the Data Protection Directive, proposals for which are expected in early 2012.

Facebook underplayed the latest regulatory action taken against the firm:

“Facebook’s European headquarters in Ireland manages the company’s compliance with EU data protection law,” it said.

“We are in regular dialogue with the Irish data protection commissioner and we look forward to demonstrating our commitment to the appropriate handling of user data as part of this routine audit.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/facebook_ireland_data_protection/