STE WILLIAMS

Baltimore ‘toilet bomber’ acquitted

The mysterious “toilet bomb case” which has held the city of Baltimore gripped since February has reached its close, as a jury found Duane Gerald Davis Senior not guilty of leaving a fake exploding toilet outside a courthouse.

Davis was charged by local law last February after depositing a modified lavatory “decorated with newspaper clippings, an electronic transmitter and a cellphone” outside the city’s County Courthouse, reports the Baltimore Sun.

Responding plods naturally decided that the terrifying electronics-enhanced dunny must be packed with a deadly cargo of explosives, rigged for remote detonation by phone or radio signal. The area was evacuated and robots sent in, followed up by trained explosives sniffer dogs. Hundreds of bystanders watched from a distance, doubtless fearing the start of a deadly string of detonating-toilet porcelain blast outrages across the city.

So great was the furore, in fact, that the case of the Baltimore bog-bomb became international news.

Only once the tin cops and their canine chums had reported back did it become clear that in fact the Toilet of Terror contained no explosives. Cops then charged Davis with a bomb hoax, still a serious matter.

However, the Sun reports that the case was finally thrown out last week, with Davis’ lawyer stating that the judge had advised prosecutors that they had failed to meet their burden of proof.

Davis reportedly described the lavatorial escapade as “an exercise of his rights to protest and free speech”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/20/lavatory_bomber/

DigiNotar goes titsup: Disgraced certificate firm is sunk

Disgraced digital certificate firm DigiNotar has filed for bankruptcy in The Netherlands.

Hackers broke into DigiNotar’s systems in June before creating forged digital certificates in the names of Google and other high-profile targets. The forged Google.com SSL credentials were used to spy on 300,000 Iranian internet users, according to a subsequent analysis of authentication lookup logs on DigiNotar’s systems. Comodohacker, the boastful Iranian black hat who had claimed credit for an earlier attack on digital certificate firm Comodo, also claimed credit for the DigiNotar hack.

The hack itself was bad enough, but what really did for DigiNotar were two additional aggravating factors: the shockingly insecure set-up of its systems and its failure to promptly come clean on its problems. DigiNotar began revoking certificates on 19 July, after it realised it had been hacked, but only got around to revoking the forged *.google.com certificate on 29 July. It only went public a month later, leaving browser makers and internet users ignorant of a huge security hole.

DigiNotar became a security pariah as a result of its handling of the affair, which led browser and operating system developers to bin its certificates in August. A DigiNotar-controlled intermediate was involved in issuing certificates as part of the Dutch government’s public key infrastructure “PKIoverheid” scheme.

The Dutch government initially said that PKIoverheid site certs issued by DigiNotar were still trustworthy, but then changed its mind after getting wind of a damning security audit of DigiNotar’s systems, and ditched the firm. A preliminary report from Fox-IT found that although DigiNotar boasted of state-of-the-art facilities, its security was childishly inadequate. Mistakes included a failure to run any anti-virus software on its servers and a lack of segmentation of its network that allowed hackers free rein to plant remote control trojans on its systems.

The certificate agency, which relies on trust to run its business, was never likely to recover from that, so its bankruptcy filing doesn’t come as the complete surprise it might otherwise have been.

In a statement issued on Tuesday Vasco (which acquired DigiNotar in January) acknowledged the bankruptcy of its CA subsidiary but maintained this would have no effect on its core authentication business.

“We want to emphasize that the bankruptcy filing by DigiNotar, which was primarily a certificate authority, does not involve VASCO’s core two-factor authentication business,” said Jan Valcke, VASCO’s President and COO. “While we do not plan to re-enter the certificate authority business in the near future, we expect that we will be able to integrate the PKI/identity verification technology acquired from DigiNotar into our core authentication platform.

“As a result, we expect to be able to offer a stronger authentication product line in the coming year to our traditional customers,” he added.

Vasco is in the process of winding up DigiNotar’s business while it continues to assist the authorities in investigating the hack that took its subsidiary down. Vasco hopes the continuing value of the DigiNotar technology will help defray part of the write-off costs associated with the closure of the business. But it did admit that its losses may be substantial.

“While the losses associated with DigiNotar are expected to be significant, we do not expect, given the manner in which the acquisition of DigiNotar was structured, that the value of all of the intangible assets acquired will be fully impaired,” said Cliff Bown, VASCO’s executive vice president and CFO.

Security watchers at The Internet Storm Centre said other certificate authorities should learn lessons from DigiNotar’s demise.

“The CA business is all about selling trust,” ISC staffer Swa Frantzen writes. “After all a CA is supposed to be a trusted third party. Let’s hope all the remaining ones get the right message: it’s not about not getting caught being hacked. On the contrary: it’s about doing the right thing once you have been hacked. Let’s hope it leads to more transparency and public scrutiny of the CAs we trust explicitly or implicitly through the choice of some of our vendors.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/20/diginotar_bankrupt/

NHS loses CD of 1.6 MILLION patients’ records

An NHS trust has told patients that it is acting to improve its data handling practices after a rebuke from the Information Commissioner’s Office (ICO) for losing a CD containing details on 1.6 million people.

Chief executive of NHS Kent and Medway Ann Sutton said that information is now more secure following the implementation of encryption systems to replace the use of floppy discs and CDs.

Last week the trust was handed an undertaking by the information watchdog after sending the personal information to a landfill during an office move in March. The ICO said the data contained the names, addresses, dates of birth, NHS numbers and GP details of those affected.

In a statement on the trust’s website, Sutton said that the data had not been recovered and that the trust had accepted the ICO’s report on the incident.

She said: “While the breach was unfortunate, I would like to reassure patients that the data stored in the filing cabinet was not current – the most recent information was from 2002.

Sutton added: “We have already strengthened our information governance policies, procedures and training on the basis of our internal investigation of the incident. The information commissioner’s recommendations to improve them further will be implemented fully.” ®

This article was originally published at Guardian Professional.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/20/kent_nhs_data_loss/

Skype for iPhone makes stealing address books a snap

If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device’s address book simply by sending you a chat message.

In a video posted over the weekend, the security researcher makes the attack look like child’s play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you’ll have a fully-searchable copy of the victim’s address book.

“I’m going to send a user on an iPhone a message, and when he sees the message, the exploit will run,” the narrator says. “When the exploit code is run, the victim’s iPhone will automatically make a new connection to my server to grab a larger payload instructing the victim’s iPhone to upload its entire address book file to the server.”

The attack exploits two oversights that just go to show that even elaborately erected walled gardens such as Apple’s can contain threats that menace its blissful inhabitants. The first is a failure by Skype to sanitize potentially dangerous JavaScript commands from the text that gets sent in chat messages. Skype for Macs recently succumbed to a similar XSS, or cross-site scripting, vulnerability that allowed attackers to commandeer a victim’s computer simply by viewing a malicious message.

The other lapse making Purviance’s attack possible was the decision by iOS developers to make the file storing address-book contents accessible to every app installed, including Skype. That means all that’s required to steal a full list of contacts is to find and exploit a vulnerability in a single program installed on a victim’s device.

In a Web 2.0 kind of world, contacts for many people aren’t exactly closely guarded secrets. For many others – say, attorneys and people who work with survivors of domestic abuse – the names, addresses and phone numbers of contacts are sensitive information.

It’s already been 48 hours since this vulnerability was first documented, and the vulnerable app is still available in the iTunes Store. It will be interesting to see how long it takes Apple and Skype to close the gaping hole. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/

How to go from the IT dept to being a rogue trader

How to be a rogue trader

As a City headhunter I’m repeatedly asked to explain how lone traders find themselves flushing billions of dollars down the toilet. Rogue traders can pop up just about anywhere, and so I’ll share this curriculum for you to follow, which is not specific to any bank: this is just the way it works.

Being a rogue trader is a superior gig for an aspiring criminal; instead of all that hassle of rioting and having to carry home your nicked 42in TV (they’re heavier than they look, or so I’m told), a trader on £450,000 will have it delivered and installed by that nice man from Richer Sounds, which is a mere two-minute walk from the office.

You’ll also get to be played by Ewan McGregor in the inevitable film that dramatises your economic escapades, and millions of people will get the impression you bonked your way through the likes of Paris Hilton, which is better than a grainy CCTV image of you wandering around a trashed Dixons turning up on BBC London News.

An interesting question is how much of a coincidence it is that rogue traders don’t often come from top universities, however you define that. Is that an indication of motivations, or because if you’re just a bit smarter you’re much less likely to be caught?

In every rogue case I know of, the trader was smart enough to bend the IT systems to his will and went undetected by security until someone eventually noticed that enough cash to bankroll a small European nation had disappeared. When I first came into banking it was common for traders to have graduation from Sandhurst, the British military academy, as their top qualification. Routinely now, they are better programmers than many in the IT departments and several have written successful books on C++ and computational finance.

Why you need to go Rogue

No trading strategy is a sure win: you need balls to cope with the fact that between taking your position and the pay off, the price will go against you for a while. Bailing out early will cost real money and/or your job; the dictum that the first loss is the cheapest is for those without your insight.

The Back Office Monkeys (no, not a terrible pub band, the generic term for anyone not in trading) don’t understand your strategy; if they did, they’d be in front office. Just as bad, they stop you making as much money as you should by imposing limits when you know for a fact that twice as much money in would mean twice as much out because the market isn’t pricing the stock rationally. We all know that markets can remain irrational longer than you can remain solvent so much of your pain is caused by …

Risk technology

You might think some experience in Risk IT is useful to the plan, but it’s the worst paid and lowest status in any given bank. The risk office’s job is to help stop bad things happening, not to make money, so their IT people are in effect minions of managers who themselves are badly paid with little genuine respect. Yes, you will have access to systems, but you won’t ever get to be a trader.

You want a mid-office role, the kind that involves handling tactical reports and liaising between traders and the risk department. It’s the mid-office people who actually move the money and stocks. People outside the banking industry are often surprised that relatively junior people deal with telephone-number scale money, not unlike the armed forces where a £58,000-a-year officer has a key to launch nuclear weapons – albeit only one of a two-key set.

Banks follow the same pattern: traders decide where to move the money, but someone else does the moving.

Be a problem solver

Some of the smartest IT guys on the planet work in investment banks, but looking at the systems they use for risk and compliance you’d think their software had been developed in a joint venture between Capita and Accenture.

Their tools are being worked on constantly as new structured products are developed, pricing/risk models evolve, new issues are spotted, and as the regulators invent new rules that they pretend will make the markets safer.

That means practical skills in SQL and Excel VBA can make you look far more of a star than expertise in exotic technologies like FPGAs and GPUs or hardcore C++ because it gives you …

Visible productivity

Success in a bank is wholly based upon what your betters see you achieve and absolutely nothing else at all, not even slightly. Not one tiny bit.

I emphasise this because El Reg readers are mostly well-intentioned IT people who seem to genuinely believe that building a reliable system and making code elegant and bug-free is somehow useful.

You see, the path to rogue trading is not through worthy effort but through writing reports that need producing now and dealing with systems issues that stop traders trading. It is little bits of Excel that do useful calculations, or speeding up things that are too slow.

It’s not a coincidence that although Quants mostly use C++ for derivatives calculations, the three most important textbooks by Wilmott, Haug and Jackson Staunton all use VB and so should you.

Getting something working quickly and on a screen seen by an important person is far more valuable than an industrial-strength solution a few weeks from now in C++ or CUDA that lives on a server somewhere.

Excel may not be hardcore but it can make you look good. Do not completely fix anything. An IT pro fixes things the best he can, with success defined as never having to fix it again. Take the model of government IT projects as the perfection of what you should be doing instead: you need to fix enough that you are seen to succeed, but not enough that it won’t need fixing again.

Data downloads from something like Bloomberg are a good example. It’s possible to code a generic parser to cope with the way Bloomberg randomly changes its fields, but that’s a kill-once solution and takes longer. What you want is to hardcode the format in VBA so that when it changes you can come and fix it quickly, looking good and since it’s a VBA module, the IT department will flatly refuse to get involved since there is no UML diagramming tool to produce the bulky faux documentation they so love.

Getting data in and out of trading systems is thus a key goal: I can get Oracle, SQL Server and Sybase tables directly into Excel. You’re not impressed are you? You know DTS, bcp et al, but to many people this is necromancy. That you ‘get things done quickly’ is a good phrase to have said about you; indeed, you should discipline yourself to always mention that you’re getting things working again in passing conversation. Anything that shows you’re capable of using admin-level tools will lead you to gaining deep access.

There are information reporting systems you can master with a bit of effort; rarely are they properly documented so that low-grade skill actually looks good.

Traders are hostile to IT departments because they see them as black holes sucking money out of bonus pools and delivering little of any use any time soon. This is why front office want their own IT people.

Diagonal moves

As the person who deals with screwups and quick wins, you’ll know that if your rogue trading leaves traces, you will not only be able to hide them, you’ll also get an early warning that the game is up and it is time to run. Bear in mind that my work involves reassuringly expensive lawyers that you might need, so if the fan is hit you know where I am.

Quick wins are anything you can do in a day or two, or over a weekend; the hours of sin are not short, but following the visible productivity doctrine, make sure that you drop emails to decision makers that subtly let them know you were in Sunday afternoon. You can gradually add to your access permissions with some weekend work – either the permission holder has to come in and watch you all weekend or quietly adds you to the list. Maybe he takes you off after, maybe he doesn’t.

The developers of the systems leave debug manholes for quick and dirty fixes – you need to acquire these. There are two types of IT executive reading this: those that know and try to manage this, and those who genuinely believe there are none because the nice man from KPMG who did a system audit said so.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/20/rogue_trader_howto/

Apple makes a hash of password security (again)

Apple has dropped a couple of monumental password security clangers with the release of OS X Lion, according to security blogger Patrick Dunstan.

Dunstan, who posted an important piece on cracking Mac OS X passwords a couple of years ago, decided to revisit the subject with the release of OS X Lion (version 10.7).

He discovered Apple’s developers had made user security worse in two important ways: firstly, it’s possible to change the password of the current user without needing to know the original password, as Dunstan explains.

“It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user,” he writes. “So, in order to change the password of the currently logged in user, simply use: $ dscl localhost -passwd /Search/Users/bob.”

And that isn’t the only backward step. Previously only a user with root (admin) privileges to a machine was able to get at the password hashes for other users, which are held in so-called “shadow files”. With OS X Lion this restriction is easily circumvented.

“It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked,” Dunstan explains. “Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.”

“All users on the system, regardless of privilege, have the ability to access the ShadowHashData attribute from any other user’s profile,” he adds.

None of the major brute force crackers support OS X Lion hashes because the OS was only released in late July. Dunstan has created a Python script to do the job, which is intended for password auditing. The password security foibles discovered by Dunstan raise further questions about the overall security of Mac OS X Lion, already highlighted by earlier LDAP password security weaknesses.

Dunstan’s latest research is explained in greater depth in a post on his Defence in Depth blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/19/apple_password_security_exposed/

Hackers break SSL encryption used by millions of sites

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they’re protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.

Like a cryptographic Trojan horse

The attack is the latest to expose serious fractures in the system that virtually all online entities use to protect data from being intercepted over insecure networks and to prove their website is authentic rather than an easily counterfeited impostor. Over the past few years, Moxie Marlinspike and other researchers have documented ways of obtaining digital certificates that trick the system into validating sites that can’t be trusted.

Earlier this month, attackers obtained digital credentials for Google.com and at least a dozen other sites after breaching the security of disgraced certificate authority DigiNotar. The forgeries were then used to spy on people in Iran accessing protected GMail servers.

By contrast, Duong and Rizzo say they’ve figured out a way to defeat SSL by breaking the underlying encryption it uses to prevent sensitive data from being read by people eavesdropping on an address protected by the HTTPS prefix.

“BEAST is different than most published attacks against HTTPS,” Duong wrote in an email. “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

Duong and Rizzo are the same researchers who last year released a point-and-click tool that exposes encrypted data and executes arbitrary code on websites that use a widely used development framework. The underlying “cryptographic padding oracle” exploited in that attack isn’t an issue in their current research.

Instead, BEAST carries out what’s known as a plaintext-recovery attack that exploits a vulnerability in TLS that has long been regarded as mainly a theoretical weakness. During the encryption process, the protocol scrambles block after block of data using the previous encrypted block. It has long been theorized that attackers can manipulate the process to make educated guesses about the contents of the plaintext blocks.

If the attacker’s guess is correct, the block cipher will receive the same input for a new block as for an old block, producing an identical ciphertext.
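The chained-IV property described above, as an added example that is not part of the original article or of the researchers’ BEAST code: with TLS 1.0-style chaining, an observer who has seen the IV the next record will use can test one guess for one plaintext block by having a single chosen block sent, while the per-record random IV of TLS 1.1 and later defeats the same test. The block-cipher stand-in, the key and the cookie values are constructed assumptions.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as with AES-CBC in TLS


def block_encrypt(key, block):
    # Stand-in for the block cipher's forward direction (assumption: a keyed
    # PRF truncated to one block instead of real AES). It is not invertible,
    # but only encryption is needed to show the chained-IV property.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key, iv, plaintext):
    # Textbook CBC: each plaintext block is XORed with the previous ciphertext
    # block (the IV for the first one) before it goes through the cipher.
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class ChainedIvSender:
    # TLS 1.0 behaviour: the IV of the next record is the last ciphertext block
    # of the previous record, so anyone watching the wire knows it in advance.
    def __init__(self, key):
        self.key = key
        self.next_iv = os.urandom(BLOCK)

    def send(self, plaintext):
        ct = cbc_encrypt(self.key, self.next_iv, plaintext)
        self.next_iv = ct[-BLOCK:]
        return ct


class RandomIvSender:
    # TLS 1.1+ behaviour: every record carries a fresh random IV, chosen only
    # when the record is built, so it cannot be predicted beforehand.
    def __init__(self, key):
        self.key = key

    def send(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, plaintext)


def probe_chained(sender, c_prev, c_j, iv_next, guess):
    # Eavesdropper's equality test on a chained-IV connection. c_prev and c_j
    # are the ciphertext blocks before and at the secret block; iv_next is the
    # IV the next record will use (the last block seen on the wire). The
    # crafted block cancels iv_next and re-applies c_prev, so the cipher input
    # is guess XOR c_prev: the input that produced c_j iff the guess is right.
    # Returns (hit, new iv_next) since the probe itself moves the chain on.
    crafted = xor(xor(guess, c_prev), iv_next)
    record = sender.send(crafted)  # the victim is made to send chosen data
    return record[:BLOCK] == c_j, record[-BLOCK:]


def probe_random_iv(sender, c_prev, c_j, predicted_iv, guess):
    # Same test when each record has its own random IV: the attacker's best
    # prediction (the last block on the wire) is wrong, so the cipher input is
    # guess XOR c_prev XOR predicted_iv XOR real_iv and no equality survives.
    crafted = xor(xor(guess, c_prev), predicted_iv)
    record = sender.send(crafted)
    return record[BLOCK:2 * BLOCK] == c_j  # skip the explicit IV prefix


def demo():
    # Constructed sample: a two-block request whose second block is the cookie.
    key = os.urandom(BLOCK)
    secret = b"session=deadbeef"
    request = b"GET /account HTT" + secret
    candidates = [b"session=00000000", b"session=deadbeef", b"session=cafebabe"]

    chained = ChainedIvSender(key)
    chained.send(b"Cookie: preamble")  # earlier traffic on the same connection
    ct = chained.send(request)
    c_prev, c_j, iv_next = ct[:BLOCK], ct[BLOCK:2 * BLOCK], ct[-BLOCK:]
    hits_chained = []
    for guess in candidates:
        hit, iv_next = probe_chained(chained, c_prev, c_j, iv_next, guess)
        if hit:
            hits_chained.append(guess)

    fresh = RandomIvSender(key)
    ct = fresh.send(request)
    c_prev, c_j = ct[BLOCK:2 * BLOCK], ct[2 * BLOCK:3 * BLOCK]
    hits_random = [g for g in candidates
                   if probe_random_iv(fresh, c_prev, c_j, ct[-BLOCK:], g)]
    return hits_chained, hits_random
```

`demo()` returns the candidates confirmed on each connection: only the chained-IV sender confirms the real cookie block, the random-IV sender confirms none.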

At the moment, BEAST requires about two seconds to decrypt each byte of an encrypted cookie. That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour for their PayPal attack to work. Nonetheless, the technique poses a threat to millions of websites that use earlier versions of TLS, particularly in light of Duong and Rizzo’s claim that this time can be drastically shortened.

In an email sent shortly after this article was published, Rizzo said refinements made over the past few days have reduced the time required to under 10 minutes.

“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection,” Trevor Perrin, an independent security researcher, wrote in an email. “If the attack works as quickly and widely as they claim it’s a legitimate threat.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

Oracle rushes out emergency Apache DoS patch

Oracle broke with tradition with the publication of an unscheduled security update last weekend.

The fix – which addresses a DoS vulnerability in its Apache web server software – represents only the fifth time that Oracle has published a security fix outside the quarterly patch update batch it began at the start of 2005, net security firm Sophos notes. More specifically the patch provides an updated Apache web server, httpd, to Oracle’s Fusion Middleware and Application Server products. The former product includes Apache httpd 2.2; the latter includes Apache httpd 2.0.

The vulnerability, CVE-2011-3192, creates a means to trick web clients into requesting multiple parts of the same file at the same time, causing systems to get hopelessly tied up in knots and crash. The Apache Foundation addressed the same underlying byte-range flaw first with a 2.2.20 update at the end of August. Last week it ironed out glitches in this bug fix with a further update, 2.2.21.

It isn’t clear which code base Oracle has used, although given testing schedules and the like, the earlier (imperfect) patch seems more likely. Whatever code base it has used, Oracle is emphatic that sysadmins need to apply the patch sooner rather than later. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible,” it said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/19/oracle_out_of_sequence_apache_patch/

Japan’s biggest defence contractor hit by hackers

Japan’s biggest defence contractor, Mitsubishi Heavy Industries, has become the victim of a malware-based hack attack.

The firm said that the attack resulted in the infection of 10 of its sites across Japan, including its submarine manufacturing plant in Kobe and a facility in Nagoya which makes engine parts for missiles. In total 45 network servers and 38 PCs became infected with eight strains of malware, including Trojan horse programs, the Daily Yomiuri reports.

News of the security breaches emerged over the weekend. Mitsubishi said the circumstances of the intrusions – first detected in mid-August – are under investigation, with a report due by the end of the month. In the meantime the firm is playing down suggestions that the malware may have been used to successfully extract industrial secrets via compromised systems.

A Mitsubishi spokesperson told Reuters: “We’ve found out that some system information such as IP addresses has been leaked and that’s creepy enough.

“We can’t rule out small possibilities of further information leakage but so far crucial data about our products or technologies has been kept safe,” he added.

Attacks against defence contractors have appeared frequently in the news of late. Earlier this year Lockheed Martin and L-3 Communications said they had each come under attack via an assault that relied on data stolen during the earlier RSA megahack.

Presumed industrial espionage attacks against defence contractors and energy firms are often blamed on China, an accusation that the country strongly denies. Evidence that China is involved tends to come in the form of the origin of the attack (easily faked using a compromised system in China) or regional quirks and the languages used in hostile code (harder to spoof but still inconclusive). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/19/mitsubishi_malware_attack/

Go Daddy mass hack points surfers towards malware

Hundreds of Go Daddy sites were compromised to point towards a site hosting malware last weekend.

The mass hack of around 445 sites involved the injection of hostile code into the .htaccess files of the sites. Go Daddy quickly removed the hostile code before working with its customers to take back full control of the sites, which were reportedly compromised by a password hack.

Go Daddy’s chief information security officer, Todd Redfoot, told Domain Name Wire: “The accounts were accessed using the account holder’s username and password.”

It’s unclear how the passwords needed to pull off the attack were obtained, but some sort of targeted phishing attack is one likely explanation. Go Daddy’s investigation into the attack continues but Redfoot suggested the blame for the mass hack was outside Go Daddy’s control.

“This was not an infrastructure breakdown and should not impact additional customers,” he said.

Web security monitoring firm Sucuri warned of the mass hack on Thursday. Its blog post about the attack suggests the malicious code was targeted towards surfers visiting the affected domains via Google or other search engines rather than those who had arrived directly. Such trickery is often part and parcel of search engine manipulation attacks designed to redirect surfers hunting for content related to items in the news towards scareware portals.

This kind of trickery often takes advantage of insecure WordPress installations and the like, so the apparent use of password-snaffling trickery in this case suggests the bad guys are becoming more aggressive in their hunt for sites they can abuse for their own malicious ends. ®
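A defender’s check for the kind of injected rule described above (an added example, not Go Daddy’s or Sucuri’s code): it walks a .htaccess file and flags any RewriteRule that sends visitors to another host only when a preceding RewriteCond matches a search-engine referrer, while leaving ordinary hotlink protection alone. The search-engine name list, the sample file and the `.invalid` host are constructed assumptions.

```python
import re

# Referrers the injected rules key on, per the report: search engines.
# The name list is an assumption; extend it to taste.
SEARCH_ENGINE_PAT = re.compile(r"google|bing|yahoo|msn|ask\.com|aol", re.I)
EXTERNAL_URL_PAT = re.compile(r"^https?://", re.I)


def find_referer_conditional_redirects(htaccess_text):
    """Flag every RewriteRule that sends visitors to another host and only
    fires when a preceding RewriteCond matches a search-engine referrer.

    Returns a list of dicts with the line number, the matching condition
    pattern and the redirect target. Hotlink protection that also tests
    HTTP_REFERER is not flagged because its target ('-') is not an external
    URL and its patterns are negated.
    """
    findings, pending_conds = [], []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            # RewriteCond <TestString> <CondPattern> [flags]
            pending_conds.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            # RewriteRule <Pattern> <Substitution> [flags]; the accumulated
            # RewriteConds belong to this rule only, then the list resets.
            target = parts[2]
            referer_conds = [pat for var, pat in pending_conds
                             if var.upper() == "%{HTTP_REFERER}"
                             and not pat.startswith("!")
                             and SEARCH_ENGINE_PAT.search(pat)]
            if referer_conds and EXTERNAL_URL_PAT.match(target):
                findings.append({"line": lineno,
                                 "condition": referer_conds[0],
                                 "target": target})
            pending_conds = []
    return findings


# Constructed sample .htaccess, not taken from any real site: a legitimate
# hotlink-protection block followed by an injected search-engine redirect.
SAMPLE_HTACCESS = """\
RewriteEngine On
# hotlink protection: refuse image requests that arrive with a foreign referrer
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\\.)?example\\.com/ [NC]
RewriteRule \\.(jpe?g|png|gif)$ - [F,NC,L]
# injected: only arrivals from search engines are bounced to a third-party host
RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo).* [NC]
RewriteRule ^(.*)$ http://malware-host.invalid/in.php?s=$1 [R=302,L]
"""

if __name__ == "__main__":
    for finding in find_referer_conditional_redirects(SAMPLE_HTACCESS):
        print("line %(line)d: referrer %(condition)s -> %(target)s" % finding)
```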

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/19/go_daddy_mass_compromise/