STE WILLIAMS

Apple finally purges Mac OS of disgraced DigiNotar certs

Apple has finally purged the imprimatur of disgraced web authentication authority DigiNotar from its Mac operating system.

In an update released Friday, Apple removed multiple DigiNotar root certificates from the Lion and Snow Leopard versions of Mac OS X. The move came nine days after the discovery that the Netherlands-based authority issued a counterfeit SSL certificate for Google.com that was used to spy on people in Iran. An investigation later revealed that DigiNotar had failed to warn browser makers that it issued at least 531 bogus credentials following a security breach that gave attackers free rein over its certificate issuance system for weeks.

Within hours of the discovery, Google and Mozilla issued updates that caused their browsers and email programs to reject most SSL certificates issued by DigiNotar. Users of Windows Vista and later versions of the Microsoft operating system were also protected, although it wasn’t until earlier this week that Windows XP users received the same defense.

Apple’s delayed response comes in sharp contrast. Not only has it taken longer to issue the update, but it didn’t utter a peep of warning to its users in the intervening time. At time of writing, there were no updates available that purged the untrustworthy DigiNotar root certificates from iOS, meaning iPhone and iPad users are still vulnerable to fraudulent DigiNotar certificates.

Users of Google’s Android OS for smartphones also remain wide open.

The threats Apple and Google have failed to protect their users against are by no means theoretical. At least one of the certificates has already been encountered by at least 300,000 people, mostly in Iran, as they accessed Gmail or other protected Google services. Trend Micro has more details about the certificate here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/apple_purges_diginotar_certificates/

Google tells Iranians: Change your Gmail password

And check for forwarding to the Revolutionary Guards

Google has issued a blanket instruction advising Iranian users to check if their Gmail accounts might have been hacked before changing their passwords.

The move follows the compromise of Dutch SSL certificate authority DigiNotar. Hackers created fake SSL certificate credentials for Google.com and many other domains. These fake Google credentials were used to run man-in-the-middle attacks against Gmail users in Iran, according to an examination of authentication look-ups logs at DigiNotar and other evidence.

Parties who obtained compromised access to Gmail accounts as a result of the hack might have added instructions to forward all received messages to another account. For that reason, Google is asking its Iranian users not only to change their passwords but to review their account settings for any signs of unauthorised changes, including alterations to account recovery options. Other Google apps, such as Google Docs, also need reviewing, as net security firm Sophos notes. Its advice on how to guard against Gmail account hacking more generally can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/gmail_diginotar_security_alert/

Al Gore wants to borrow your Facebook and Twitter accounts

Would you trust someone else with your Facebook account, giving them enough access to post status updates on your behalf? What if that person was Al Gore and it was all for a good cause?

Yes, the latest frontier in online activism has been breached by Gore and the kids over at the Climate Reality Project, who want you to donate your Facebook and/or Twitter account so they can force your friends to be as active as you are in fighting the Green fight.

The donation would give the folks over there the opportunity to update and tweet from your accounts the day before, after and of the “24 hours of reality” event on 14 September, when the project will broadcast climate change stories at 7pm in every timezone from 24 cities around the world.

The event hopes to “bring the world together with a clear message: The climate crisis is real and the time to solve it is now”, project spokesperson Eric Young told The Reg.

But why do they want control of your Facebook and Twitter to do it?

The internet is a great way to get a following together and try to change some issue that’s getting under your skin. You don’t have to stand on the side of the street in the rain to get people to sign your petition; you can put it online and get people to sign it from their own homes, as initiatives like FixMyStreet.com or the government’s e-petitions let you do.

But this kind of activism usually lets the social machine promote it or not as it sees fit – something doesn’t trend on Twitter unless people are finding it interesting.

Young insists that the project is “hoping people tell their friends and use their social networks to spread the word” and that donating their accounts is just “one option” of how to post about the event. But a couple of talking heads and security guys, such as Graham Cluley at Sophos, are wondering if this is really such a good idea.

The first issue is security: you’re essentially handing over your Facebook or Twitter account, and the first rule of security is that you definitely don’t give anyone control of your accounts.

Young says the project takes privacy concerns very seriously.

“Our staff will not have access to user accounts other than to publish updates about our event. On Facebook, we set up our ‘donate your status’ program using Facebook’s API and in accordance with their policies,” he said.

So you’re protected as much as you usually are with Facebook, which is not all that comforting a thought given the number of fake and/or nasty apps out there. You’re also being asked to trust the staff of the project, which might be considered something of a leap of faith since some activists will use any and all means to get their point across – hacktivism, anyone?

Still, these are supposed to be the good guys, so if you are willing to trust them, there’s still point number two: is this a load of spam to be inflicting on your followers?

There’s also an issue of authenticity. If this is to become a widespread trend, how will you ever know whether your mates on Facebook or the celebs you follow on Twitter really care about these things, or whether they’ve given someone else licence to speak for them?

Young says the program is “completely voluntary” and “any supporters that sign up are able to unsubscribe at any time”.

“We have been pleased and excited by the number of people that have chosen to sign up,” he said.

Authenticity online, and especially on social media, is a contested issue, but most people come down on the side of honesty is the best policy. Regardless of how one feels about Gore’s message, the Facebook takeover project risks overshadowing the issues with a very fake social media experience. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/al_gore_asks_people_to_donate_their_social_media_accounts/

W3C announces web-tracking privacy protection group

The World Wide Web Consortium (W3C) has announced the creation of a Tracking Protection Working Group to address online privacy concerns, but the task of getting all the players to agree on what standards should be adopted could yet be a sticking point.

It said the group had ambitious plans to publish standards as early as mid-2012.

The first meeting of the collective takes place on 21-22 September.

“Our task here is to deliver a set of standards that enables individuals to express their preferences and choices about online tracking, and enables transparency concerning online tracking activities for users and the public alike,” said the W3C in a blog post yesterday.

“Mechanisms that enable the enforcement of these preferences will be another important element of the work. At the same time, many business models on the web as we know it rely heavily on advertising revenue.”

The group noted that data watchdogs in Europe and the US were asking online publishers and advertisers to agree on a so-called Do-Not-Track standard.

Microsoft and Mozilla have already been working on what some might consider to be “technical solutions” to the problem many netizens have with being tracked by ad outfits online.

The W3C said that Microsoft and Mozilla’s proposals would provide the basis for the group’s work.

However, as is so often the case with establishing standards industry-wide, not everyone agrees on the Do-Not-Track mechanism that’s already available, for example, in Mozilla’s Firefox 6 browser.

Google and Opera Software don’t support DNT.

“A critical element of the group’s success will be broad-based participation: we look forward to having browser vendors, search engines, advertising networks, regulators, civil society actors, and many other interested parties involved in the work that we’ll do,” said the W3C.

The Tracking Protection collective has taken on a pair of “industry-sponsored co-chairs” to lead the group.

It said that Aleecia M McDonald, who recently joined Mozilla as senior privacy researcher, had signed up to the task.

However, the other chair remains anonymous for now. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/do_not_track_w3c_working_group/

Typo-squatting domains can harvest corporate emails

Typo-squatting domains might easily be used to intercept misdirected corporate emails, according to new research.

Domain typo-squatting has long been used to expose butter-fingered users, who accidentally misspell a legitimate domain, to malware. So-called doppelganger domains take advantage of an omission instead of a misspelling, for example a missing dot between the host/subdomain and the domain.

Security researchers at Godai Group profiled companies in the Fortune 500 for susceptibility to attacks based on this ruse, and found that 151 (30 per cent) were vulnerable.

Doppelganger domains open up the possibility of two types of attack. Attackers could passively set up email honey pots on such domains and wait for mistyped emails to arrive. In this scenario, attackers would configure their email server to vacuum up all email addressed to that domain, regardless of the user it was sent towards. Such catch-all email addresses would pick up email from both internal and external users.

The second type of attack would rely on actively trying to trick a targeted individual or group of individuals into sending email to doppelganger domains. Attackers would typically run the scam by posing as workers in the same company or their business associates. Purchasing doppelganger domains for both a targeted conglomerate and its business partners or bank creates a possible means to run man-in-the-middle (or Man‐in‐the‐MailBox) attacks, the researchers warn.

As an experiment, Godai Group registered doppelganger domains for Fortune 500 firms before passively collecting emails sent to mistyped domains. During a six‐month period, they collected more than 120,000 individual emails (or 20 gigabytes of data). All sorts of sensitive information appeared in this batch including trade secrets, business invoices, personal information of employees, network diagrams, usernames and passwords, etc. All the original data that was collected during the research period has been deleted.

“Essentially, a simple mistype of the destination domain could send anything that is sent over email to an unintended destination,” the GodaiGroup researchers explain.

Although this was outside the scope of the study, the team also noticed network service requests being sent to doppelganger domains. This means that by setting up a fake SSH server, for example, it would be possible to harvest remote access usernames and passwords.

After reviewing the WHOIS information for all Fortune 500 companies, Godai Group noticed that many of the hi-tech firms had doppelganger domains registered to locations in China. Many of these domains are already associated with malware and phishing, it warns.

Godai Group suggests a series of steps firms can take to address the security risk posed by doppelganger domains. Corporates can purchase such domains or, if they have already been registered, file a domain registration dispute. Alternatively internal users can be prevented from sending mistyped emails to doppelganger domains by either configuring internal DNS not to resolve doppelganger domains or configuring email servers not to send messages to such domains.
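How the “missing dot” variants described above can be enumerated and blocked, as an added example that is not Godai Group’s code: it generates the doppelgangers of an organisation’s hostnames, screens outbound recipient addresses against them (the mail-server mitigation), and renders the list as BIND response-policy-zone records so the internal resolver refuses them (the DNS mitigation). The hostnames and addresses are constructed sample values.

```python
"""Doppelganger-domain helpers: enumerate the 'missing dot' variants of an
organisation's hostnames, screen outbound recipients against them, and
emit DNS blocking records. Added example (not Godai Group's code); the
hostnames and addresses are constructed sample values."""

from __future__ import annotations
from typing import Iterable


def doppelgangers(hostname: str) -> set[str]:
    """All domains obtained by dropping exactly one internal dot.

    'us.example.com' -> {'usexample.com'}. The final dot (before the TLD)
    is never dropped, because 'us.examplecom' is not a registrable name.
    """
    labels = hostname.lower().strip(".").split(".")
    variants: set[str] = set()
    for i in range(len(labels) - 2):          # dot between labels i and i+1
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def doppelganger_blocklist(hostnames: Iterable[str]) -> set[str]:
    """Union of doppelgangers for every hostname the organisation uses."""
    block: set[str] = set()
    for host in hostnames:
        block |= doppelgangers(host)
    return block


def recipient_domain(address: str) -> str:
    """Domain part of an e-mail address, normalised."""
    return address.rsplit("@", 1)[-1].lower().strip(".")


def is_misdirected(address: str, blocklist: set[str]) -> bool:
    """True if the recipient domain is a doppelganger or a host beneath one."""
    dom = recipient_domain(address)
    return any(dom == d or dom.endswith("." + d) for d in blocklist)


def flag_outbound(recipients: Iterable[str], blocklist: set[str]) -> list[str]:
    """Recipients a mail gateway should reject (or quarantine for review)."""
    return [r for r in recipients if is_misdirected(r, blocklist)]


def rpz_zone(blocklist: set[str], ttl: int = 3600) -> str:
    """BIND response-policy-zone records answering NXDOMAIN ('CNAME .')
    for each doppelganger and everything below it, so the internal
    resolver refuses to resolve them at all."""
    lines = []
    for d in sorted(blocklist):
        lines.append(f"{d}\t{ttl}\tIN\tCNAME\t.")
        lines.append(f"*.{d}\t{ttl}\tIN\tCNAME\t.")
    return "\n".join(lines)


# Constructed sample: an organisation's mail hostnames and one outbound batch.
OUR_HOSTS = ["example.com", "us.example.com", "mail.eu.example.com"]
BLOCKLIST = doppelganger_blocklist(OUR_HOSTS)
OUTBOUND = ["alice@us.example.com", "bob@usexample.com",
            "carol@smtp.maileu.example.com", "dave@partner.example.net"]

if __name__ == "__main__":
    print("blocked doppelgangers:", sorted(BLOCKLIST))
    print("misdirected recipients:", flag_outbound(OUTBOUND, BLOCKLIST))
    print(rpz_zone(BLOCKLIST))
```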

More details of the group’s research on doppelganger domains – as well as details of its suggested mitigation tactics – can be found here (7-page/566KB PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/typo_squatting_email_harvesting_risk/

Office and Windows fixes star in quiet Patch Tuesday

No criticals for once among the backdoor plugs

September’s Patch Tuesday will include five bulletins, none of which are rated as critical.

The patch batch marks the first update in recent times that omits any critical bugs, but that’s not to say it ought to be ignored.

Vulnerability scanning and security services firm Qualys says attention should be directed towards flaws in Microsoft Office which pose a code execution risk. Excel 2003 through Excel 2010 and Office 2003 through Office 2010 will need patching. Another high priority update covers an as-yet-unspecified remote code execution flaw in Windows XP, Windows Vista, Windows 7, Windows 2003 and Windows 2008.

Microsoft’s pre-alert announcement can be found here. Additional commentary from Qualys is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/ms_sept_patch_tuesday_pre_alert/

Apple plan to rate shops etc by number of iPhones visiting

Apple has patented software that will automatically log the visits of iPhone users to restaurants, stores and businesses and then use the number of visits by Jesus-mobe owners as an indication of how good/popular/worthy-of-a-high-search-ranking that business is.

We’ve known Apple logged our location before, but this is the first time we’ve seen software that connects you to the businesses you patronise, rather than just the GPS co-ordinates. Finally it seems to be a use for the vast amounts of detailed info Apple collects about where we go.

The patent – now spotted by AppleInsider – was filed by Apple engineers Jaron Waldman and Chad Richard on 3 May 2010 and published on 9 August this year. Where location services like Foursquare or Facebook Places require users to fire up an app and hit a check-in button to log their location, all the new Apple system needs to log your visit to Starbucks is for you to be there for a certain amount of time. You won’t need your maps apps open or even to kick the phone out of sleep mode for your visit to be logged. Sinister.

But this is no Foursquare or share-your-favourite-frappuccino-joint-with-friends venture. This is a way for Apple to improve its mobile search facility by harvesting data from its users. Apple will use the popularity of venues with iPhone users as a way to rank them in search results. The information will be anonymous and you can opt out of the system altogether.

Apple’s patent lays out the limitations of the current ways we have of organising location search:

“Search results ordered by proximity do not account for quality of the search result relative to the query. Search results ordered by average-user-ranking are based upon opinions of relatively few people whom take the time to review the location. Search results that are ordered based on advertising dollars also do not take into account quality or desirability and sometimes broaden the criteria for relevance beyond a desirable measure.”

Apple explain that they will ensure anonymity by assigning users a unique ID number. The server which tracks and logs your location will only know the ID number and not your identity. Though we imagine it wouldn’t be impossible to connect the two.

“Data can be anonymously recorded and tracked for individual devices by assigning the device a unique identifier that is separate from any user information. One way to do this is to alert the handheld communication device of its unique ID, and the handheld communication device can report data along with its unique ID. In this way, the server will only be tracking the movements of an anonymous user based on an ID.”

Note that Apple have made sure they are the only ones authorised to use the users’ unique IDs – this isn’t some open feature that app developers will be able to use. This will be a treasure trove of user behaviour information that will accumulate behind Apple’s closed doors.

It seems like an intelligent way to improve search, but a couple of questions occur – what if Apple decides to sell this information off? Chunked up and packaged this could be valuable. What if the police want to know something: will Apple be able to find and track the location of particular users? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/apple_patent_will_use_iphones_to_check_into_venues/

Firesheep addon updated to exploit Google info leak

Researchers have released a Firefox extension that demonstrates the risks of using Google search services on Wi-Fi hotspots and other unsecured networks: With just a few clicks, attackers can view large chunks of your intimate browsing history, including websites you’ve already visited.

The proof-of-concept addon is an extension of Firesheep, a Firefox extension released in October that streamlined the process of hijacking private accounts on Facebook, Twitter, and other websites. Neither plug-in exploits newly discovered vulnerabilities. Rather, their significance lies in raising new awareness about an architectural weakness that has plagued the web since its beginning.

The newly released addon automatically intercepts SID, or session ID, cookies that Google uses to personalize search results based on an individual’s previous searches. The file is transmitted each time a Google.com website is accessed while a user is logged into her account and can be used to retrieve on average 40 percent of her click history. The cookie is sent in plaintext – in some cases even when a user has deployed services such as HTTPS-Everywhere to force encrypted connections – making it easy to intercept on unsecured networks.

“We extended Firesheep to implement our information leakage attack,” researchers Vincent Toubiana and Vincent Verdot of the Alcatel-Lucent Bell Labs wrote in a recently released paper (PDF). “As a result, when a Google SID cookie is captured, the account name appears in the Firesheep sidebar. Double clicking on it starts the attack; double clicking again displays the retrieved list of visited links.”

A Google spokesman sent a statement that read in part:

We consider the concerns raised by these researchers to be fairly academic in nature and not a significant risk to users. Google Web History and our Web Search suggestion service are served over HTTPS, and we have encrypted the back-end server requests associated with the suggestion service as well. We look forward to providing more support for SSL technologies across our product offerings in the future, including changes that will specifically protect hijacked cookies from being used to access search data.

The researchers said users can protect themselves by logging out of their Google accounts while connecting over networks they don’t trust. Another countermeasure is to disable Google’s “visited” and “social” search filters. ®
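Why a session cookie like the SID described above leaks on a plaintext request, as an added example that is neither the researchers’ code nor Google’s: a simplified model of the browser’s cookie-attachment rules (RFC 6265 domain matching plus the Secure attribute), run over a constructed cookie jar in which one cookie lacks Secure and one carries it. Cookie names, values and hosts are constructed.

```python
"""Simplified model of when a browser attaches a cookie to a request
(RFC 6265 domain matching plus the Secure attribute), showing why a
session cookie set without 'Secure' travels on plaintext requests.
Added example; cookie values and hosts are constructed, not Google's."""

from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str             # domain the cookie applies to
    host_only: bool         # True when Set-Cookie carried no Domain attribute
    secure: bool = False    # sent only over https when True
    httponly: bool = False  # not exposed to page scripts when True


def parse_set_cookie(header: str, set_by_host: str) -> Cookie:
    """Parse a Set-Cookie header value received from `set_by_host`."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), set_by_host.lower(), True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain" and val.strip():
            cookie.domain = val.strip().lower().lstrip(".")
            cookie.host_only = False
    return cookie


def domain_matches(host: str, cookie: Cookie) -> bool:
    """Host-only cookies need an exact host; others match subdomains too."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def cookies_sent(jar: list[Cookie], url: str) -> list[str]:
    """Names of cookies a browser would attach to a request for `url`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    over_https = parts.scheme == "https"
    return [c.name for c in jar
            if domain_matches(host, c) and (over_https or not c.secure)]


def plaintext_exposure(jar: list[Cookie], url: str) -> list[str]:
    """Cookies that would cross an untrusted network unencrypted for `url`."""
    return cookies_sent(jar, url) if urlsplit(url).scheme == "http" else []


# Constructed jar: a personalisation cookie without Secure (the condition
# the leak described in the article depends on) beside a properly flagged one.
JAR = [
    parse_set_cookie("SID=c0ffee; Domain=.google.com; Path=/", "www.google.com"),
    parse_set_cookie("SSID=decaf; Domain=.google.com; Secure; HttpOnly",
                     "www.google.com"),
    parse_set_cookie("PREF=ab12", "www.google.com"),   # host-only cookie
]

if __name__ == "__main__":
    for url in ("http://www.google.com/search?q=x", "https://mail.google.com/"):
        print(url, "->", cookies_sent(JAR, url),
              "leaked:", plaintext_exposure(JAR, url))
```

Adding `Secure` to the first cookie, or serving every request over HTTPS, empties the `plaintext_exposure` list; that is the change the Google statement above alludes to.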

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/google_info_leak_exploit/

Burned by DigiNotar, Mozilla tells cert cops to audit security

Mozilla has directed all web authentication authorities trusted by its software to conduct security audits to ensure they aren’t being abused to issue counterfeit secure sockets layer certificates.

Thursday’s note from Kathleen Wilson, who oversees the certificate authorities included in the Firefox browser and Thunderbird email client, gives all participants eight days to confirm their systems are secure from the same type of compromise that recently hit Netherlands-based DigiNotar. Hackers penetrated the authority’s certificate issuance systems and minted at least 531 counterfeit credentials, including one for Google.com that was used to spy on Iranians accessing their Gmail accounts.

“Mozilla recently removed the DigiNotar root certificate in response to their failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates,” Wilson wrote. “If you ever have reason to suspect a security breach or mis-issuance has occurred at your CA or elsewhere, please contact [Mozilla] immediately.”

DigiNotar’s omissions came as a personal affront to Mozilla, since one of the domains they imperiled was https://addons.mozilla.org/, home of tens of thousands of addons that add powerful capabilities to the default versions of Firefox and Thunderbird.

Wilson went on to direct all companies participating under the Mozilla root program to complete five actions, including auditing their certificate issuance systems for signs of intrusion, compiling a complete list of root certificates authorized to issue credentials, and to “confirm that multi-factor authentication is required for all accounts capable of directly causing certificate issuance.”

“Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe,” Wilson wrote.

She gave them until September 16 to confirm completion of those steps or say when they would be completed. A Google spokesman said company representatives had no plans to send similar requests to the authorities trusted in the Chrome browser. A Microsoft spokeswoman didn’t say if CAs included in Windows will also be required to audit their security. Instead, she did issue a statement saying the company “is always evaluating its Certificate Authority Program and we will be distributing any new guidelines as needed.”

A Mozilla spokeswoman said 54 certificate authorities participate in its program using a total of 147 root certificates. See this spreadsheet for a detailed breakdown. ®

This post was updated to include comment from Microsoft.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/08/mozilla_certificate_authority_audit/

Cybercrooks prey on 9/11 anniversary

Cybercrooks are gearing up for the 10th anniversary of the 9/11 attacks with a range of malware traps and hacking attempts both on social networks and the wider internet, net security firm BitDefender warns.

The first wave of these attacks comes in the form of the newly established websites offering supposed content such as “Bin Laden alive”, “in depth details about the terrorist attack”, “police investigation results” and “towers going down” to attract the curious.

The sites are filled with links to scareware and phishing sites. Others have created fraudulent charity donation sites that serve only to line their greedy pockets at the expense of genuine gift-giving sites.

In addition, fraudsters are running fake auctions and sales of items supposedly linked to the devastating attacks, such as shards of metal from the twin towers or even “commemorative coins” supposedly minted from silver collected at the attack site.

More scams, perhaps involving malware, can be expected to follow over the coming days.

“Because of the advancement of hacking and spamming technology over the past decade, plus the significance of the anniversary and increased media coverage, Sept 11 this year may prove hectic on the malware front,” said Catalin Cosoi, head of the Online Threats Lab at Bitdefender.

BitDefender says many of the scams likely to be on show are similar to those seen during anniversaries of the London bombings of July 2005.

Cybercrooks marked remembrances of the 7/7 attacks with fake donation requests, spamming of viruses disguised as supposed videos of the assaults and advanced fee fraud email scams. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/08/9_11_anniversary_scams/