STE WILLIAMS

Tavis Ormandy to Microsoft: have another Windows Defender vuln

Jun 26

Google Project Zero bug-hunter Tavis Ormandy has alerted the world to yet another way Microsoft’s anti-virus tool Windows Defender could be attacked.

Ormandy went public with the bug on Friday after Microsoft shipped its fix. He reported the issue to Redmond on June 9th.

The bug is in the non-sandboxed x86 emulator Windows Defender uses. The apicall instruction runs with system privilege, and Ormandy wrote a fuzzer to check it out.

What he found, in the post entitled “MsMpEng: mpengine x86 Emulator Heap Corruption in VFS API”, is “heap corruption in the KERNEL32.DLL!VFS_Write API” which he suspects has so far been ignored by fuzzers.

“I suspect the MutableByteStream object [is] getting corrupted with an unchecked memcpy, I’ve seen multiple different stacktraces including wild eip”, he writes.

After his initial post, Ormandy mulled the exploitability of the bug and came up with a minimal test case:

MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0, 0xffffffff, 0);
MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0x7ff, 0x41414141, 0);

“The first call extends the length of the file to nOffset, but because the numberOfBytes parameter is 0 no space is allocated. Then you can read and write arbitrary data to an arbitrary offset to the MutableByteStream object buffer”, he writes. “This is a very powerful exploit primitive, and exploitation does not seem difficult.”
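To make the primitive Ormandy describes concrete, here is an added C model of the bug class, written for this write-up and not taken from the engine or from Ormandy's post: a growable byte stream whose zero-length write pushes the logical length past the allocation, beside a hardened write that keeps length and capacity in step. The struct, function names and the STREAM_MAX ceiling are this example's own assumptions; the unchecked version reports where the real code would have copied out of bounds instead of actually corrupting memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy growable stream, constructed for illustration only (not the engine's
 * real MutableByteStream). The bug class: the logical length can run ahead of
 * the allocated capacity, and later writes trust the length as their bound. */
typedef struct {
    uint8_t *buf;
    size_t   cap;   /* bytes actually allocated */
    size_t   len;   /* logical end of file */
} byte_stream;

enum write_status { WRITE_OK, WRITE_REJECTED, WRITE_OOB_AVOIDED };

#define STREAM_MAX (1u << 20)   /* assumed ceiling on how far a write may extend the file */

bool stream_init(byte_stream *s, size_t cap) {
    s->buf = calloc(cap, 1); s->cap = cap; s->len = 0;
    return s->buf != NULL;
}
void stream_free(byte_stream *s) { free(s->buf); s->buf = NULL; s->cap = s->len = 0; }

/* The invariant both versions should keep: nothing logically exists beyond the allocation. */
bool stream_invariant_ok(const byte_stream *s) { return s->len <= s->cap; }

static bool grow_to(byte_stream *s, size_t need) {
    if (need <= s->cap) return true;
    uint8_t *nb = realloc(s->buf, need);
    if (!nb) return false;
    memset(nb + s->cap, 0, need - s->cap);
    s->buf = nb; s->cap = need;
    return true;
}

/* Vulnerable pattern: a write past the end extends the file, but storage is
 * only grown when there are bytes to store, so n == 0 extends len for free.
 * Later writes inside [0, len) are assumed to be in bounds. */
enum write_status stream_write_unchecked(byte_stream *s, size_t off, const uint8_t *src, size_t n) {
    if (off + n > s->len) {
        if (n > 0 && !grow_to(s, off + n)) return WRITE_REJECTED;
        s->len = off + n;            /* runs ahead of cap when n == 0 */
    }
    if (n == 0) return WRITE_OK;
    /* Real code would memcpy here trusting len. This model refuses instead of
     * corrupting the heap and reports that the overflow would have happened. */
    if (off + n > s->cap) return WRITE_OOB_AVOIDED;
    memcpy(s->buf + off, src, n);
    return WRITE_OK;
}

/* Hardened version: reject size_t wrap, cap the extension, always grow the
 * allocation to cover the new length, and bound the copy by cap. */
enum write_status stream_write_checked(byte_stream *s, size_t off, const uint8_t *src, size_t n) {
    if (off > SIZE_MAX - n || off + n > STREAM_MAX) return WRITE_REJECTED;
    if (off + n > s->cap && !grow_to(s, off + n)) return WRITE_REJECTED;
    if (off + n > s->len) s->len = off + n;
    if (n > 0) memcpy(s->buf + off, src, n);
    return WRITE_OK;
}

int main(void) {
    byte_stream s;
    const uint8_t a[4] = {0x41, 0x41, 0x41, 0x41};
    if (!stream_init(&s, 16)) return 1;
    stream_write_unchecked(&s, 4096, a, 0);            /* len = 4096, cap still 16 */
    int would_overflow = stream_write_unchecked(&s, 1000, a, 4) == WRITE_OOB_AVOIDED;
    stream_free(&s);
    return would_overflow ? 0 : 1;
}
```

The two unchecked calls mirror the shape of Ormandy's test case: a zero-byte write at a large offset, then a real write at an offset that is below the new length but far beyond the allocation. The checked variant makes the first call pay for its allocation up front, so the second one lands inside real memory.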

Microsoft has issued a fixed version of the Malware Protection Engine, version 1.1.13903.0. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/26/new_windows_defender_vulernability_found_patched/

UK parliamentary email compromised after ‘sustained and determined cyber attack’

Jun 26

The Parliament of the United Kingdom has admitted it experienced a “sustained and determined cyber attack” over the weekend and says 90 email accounts have been compromised as a result.

The event struck on Saturday and late that evening Parliament issued a ”Statement regarding cyber incident” admitting that “We have discovered unauthorised attempts to access accounts of parliamentary networks users and are investigating this ongoing incident”.

The Parliamentary IT team “temporarily restricted remote access to the network” and warned that “As a result, some Members of Parliament and staff cannot access their email accounts outside of Westminster.” The Register understands that the email accounts cover members of Parliament, from the prime minister down, plus thousands of salaried staffers. All other IT services continued to work well. Unlike the recently-hung Parliament. Boom-tish. Here all week. But we digress.

By Sunday the Commons Press Office updated the nation on the incident, as follows.

The Parliamentary Digital Service later weighed in and said “Closer investigation by our team confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts in attempt to identify weak passwords. These attempts specifically were trying to gain access to users emails.”

Which are, after all, a juicy target if they’ve left sensitive stuff in their inboxes, or if Parliamentary email credentials let attackers get deeper into Parliamentary resources.

Cutting off remote access appears to have stymied that attack quite quickly and effectively, while leaving the United Kingdom’s elected representatives tragically and undemocratically unable to respond to constituents concerns late on Saturday night and through a big slab of Sunday.

The UK’s cyber defence apparatus swung into action more or less as planned – the National Cyber Security Centre acknowledged the incident on Saturday night and said “it is working around the clock with the UK Parliamentary digital security team to understand what has happened and advise on the necessary mitigating actions.” The Parliamentary Digital Service was also swift to explain matters.

Left unexplained is why Parliamentary staffers are able to set sub-standard passwords and what resources are available to those who manage. The Register has asked those questions and will update this story or pen a new one as information comes to hand. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/26/uk_parliamentary_email_compromised_after_sustained_and_determined_cyber_attack/

WannaCrypt blamed for speed camera re-boot frenzy, despite lack of ransom demands

Jun 26

A contractor in the Australian State of Victoria has managed to infect an unknown number of speed cameras with a virus, over sneakernet.

Details aren’t so much sketchy as they are confused: the virus has been identified as WannaCrypt, but the government’s been told it infected both Linux and Windows-based cameras; there was no ransom demand; the main symptom was repeated camera reboots; and contractors apparently hoped to keep things quiet by patching cameras without telling anyone.

The lid came off on Friday, and Victoria Police decided to cancel 590 fines issued by 55 cameras infected by a contractor visiting the cameras to perform software upgrades with a USB drive that also carried something nasty.

The number of known infections rose to 97 out of the state’s total of 280 speed cameras, after one of the state’s speed camera contractors, Redflex, told the Department of Justice it had identified and patched a further 42 infections earlier in June.

In a weekend press conference, Victoria’s Police minister Lisa Neville said Redflex knew of the problem on June 15 and fixed the cameras on that day, but only owned up after Victoria Police’s first announcement on Thursday.

Redflex manages 150 of the state’s speed cameras; two other contractors the minister didn’t identify manage the other 130, yet a single individual infected devices under separate contracts.

She said the infections were spread by a single technician using a single drive. She and Deputy Commissioner Doug Fryer said the infection’s symptom was that cameras were repeatedly rebooting.

“Even the Linox (sic) system still uses a Windows operating system underneath it”, she told the press conference. “I’m not a guru in technology, but there is still a Windows component to it … on Thursday, I was being assured that Linox (sic) could not be infected by the virus.”

Announcing an investigation into what happened, the government said cameras were infected between June 6 and June 22, and claimed the system was cleared by June 23.

Neville said part of the investigation’s brief will be the speed camera program’s governance and management, since she only learned of the infection from a program called “The Rumour File” on Melbourne radio station 3AW. “That’s not a great way to brief ministers”, she said in her weekend press conference.

In excess of 7,500 fines issued between June 6 and June 22 are to be “quarantined” during the investigation, but may be reissued once the investigation is completed.

Neville told the press conference the infection didn’t spread beyond affected speed cameras, because the devices lacked any Internet connection.

Just who advised Victoria Police that the infection was WannaCry(pt) is unknown; during the ministerial press conference, Deputy Police Commissioner Doug Fryer made the identification but said there was no ransom demand.

He said “there has been no evidence” that the infected cameras were issuing incorrect fines. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/25/contractors_duck_and_cover_after_speed_cams_infected_over_usb/

Heaps of Windows 10 internal builds, private source code leak online

Jun 24

Exclusive A massive trove of Microsoft’s internal Windows operating system builds and chunks of its core source code have leaked online.

The data – some 32TB of official and non-public installation images and software blueprints that compress down to 8TB – were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the confidential data in this dump was exfiltrated from Microsoft’s in-house systems around March this year.

The leaked code is Microsoft’s Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond’s PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code.

Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels. It is supposed to be for Microsoft, hardware manufacturers, and select customers’ eyes only.

Leaked … Screenshot of a Beta Archives posting announcing on Monday, June 19, the addition of Microsoft’s confidential source code archive

In addition to this, top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked among copies of officially released versions. The confidential Windows team-only internal builds were created by Microsoft engineers for bug-hunting and testing purposes, and include private debugging symbols that are usually stripped out for public releases.

This software includes, for example, prerelease Windows 10 “Redstone” builds and unreleased 64-bit ARM flavors of Windows. There are, we think, too many versions now dumped online for Microsoft to revoke via its Secure Boot mechanism, meaning the tech giant can’t use its firmware security mechanisms to prevent people booting the prerelease operating systems.

Also in the leak are multiple versions of Microsoft’s Windows 10 Mobile Adaptation Kit, a confidential software toolset to get the operating system running on various portable and mobile devices.

Netizens with access to Beta Archive’s private repo of material can, even now, still get hold of the divulged data completely for free. It is being described by some as a bigger leak than the Windows 2000 source code blab in 2004.

A spokesperson for Microsoft said: “Our review confirms that these files are actually a portion of the source code from the Shared Source Initiative and is used by OEMs and partners.” ®

Updated to add

Beta Archive’s administrators are in the process of removing non-public Microsoft components and builds from its FTP server and its forums.

For example, all mention of the Shared Source Kit has been erased from its June 19 post. We took some screenshots before any material was scrubbed from sight. You’ll notice from the screenshot above in the article and the forum post that the source kit has disappeared between the Microsoft Windows 10 Debug Symbols and Diamond Monster 3D II Starter Pack.

The source kit is supposed to be available to only “qualified customers, enterprises, governments, and partners for debugging and reference purposes.”

In a statement, Beta Archive said: “The ‘Shared Source Kit’ folder did exist on the FTP until [The Register’s] article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/windows_10_leak/

AES-256 keys sniffed in seconds using €200 of kit a few inches away

Jun 24

Sideband attacks that monitor a computer’s electromagnetic output to snaffle passwords are nothing new. They usually require direct access to the target system and a lot of expensive machinery – but no longer.

Researchers at Fox‑IT have managed to wirelessly extract secret AES-256 encryption keys from a distance of one metre (3.3 feet) – using €200 (~US$224) worth of parts obtained from a standard electronics store – just by measuring electromagnetic radiation. At that distance sniffing the keys over the air took five minutes, but if an attacker got within 30 centimetres (11.8 inches) of a device, the extraction time is cut down to just 50 seconds.

The research team used a simple loop antenna, attached it to an external amplifier and bandpass filters bought online, and then plugged it into a software defined radio USB stick they bought for €20. The entire cost of the setup was less than €200 and the device could be hidden in a jacket or laptop case.

They used this kit to record the radio signals generated by the power consumption of the SmartFusion2 target system running an ARM Cortex-M3-powered chip. By measuring the leakage between the Cortex processor and the AHB bus, the data showed the peaks and troughs of consumption as the encryption process was carried out.

By running encryptions on a test rig of their own, the researchers mapped out how the power consumption related to individual bytes of information. That allowed them to try the 256 possible values of a single byte in turn; the correct choice showed the highest power spike.

“Using this approach only requires us to spend a few seconds guessing the correct value for each byte in turn (256 options per byte, for 32 bytes – so a total of 8,192 guesses),” they wrote [PDF]. “In contrast, a direct brute-force attack on AES‑256 would require 2^256 guesses and would not complete before the end of the universe.”

The electromagnetic signals drop off rapidly the farther away you are from the target, but the researchers still managed the extraction from a distance of one metre, even though it took much longer to do so. Spending more on the equipment, however, would increase the range and speed of the attack.

“In practice this setup is well suited to attacking network encryption appliances,” they wrote. “Many of these targets perform bulk encryption (possibly with attacker-controlled data) and the ciphertext is often easily captured from elsewhere in the network. This again underscores the need for deep expertise and defense-in-depth when designing high assurance systems.”

There are, of course, some caveats. The tests took place under laboratory conditions, rather than in a busy office or server room where other signals might interfere with the data collection. But it’s an interesting example of how an attack previously thought of as unfeasible due to cost and distance has been made easier by smarter and cheaper technology. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/aes_256_cracked_50_seconds_200_kit/

Not Apr 1: Google stops scanning your Gmail to sling targeted ads at you

Jun 24

Google has said it will no longer scan the content of Gmail messages to sell targeted adverts to users of the free service.

The Chocolate Factory made the announcement in a blog post on Friday touting the success of its G Suite, the cloud apps service for business. G Suite is ad-free and doesn’t scan content – for the obvious reason that businesses wouldn’t be very keen on that – and now Google says it will make the free Gmail service scanning-free too.

“G Suite’s Gmail is already not used as input for ads personalization, and Google has decided to follow suit later this year in our free consumer Gmail service,” it said.

“Consumer Gmail content will not be used or scanned for any ads personalization after this change. This decision brings Gmail ads in line with how we personalize ads for other Google products. Ads shown are based on users’ settings. Users can change those settings at any time, including disabling ads personalization.”

The Gmail scanning system was highly controversial ever since it was introduced in 2004, but the advantages of the service were clear. At the time, most webmail accounts offered pitiful amounts of storage – 2MB for Hotmail, for example – while Google was offering a gigabyte and promised to increase that later.

While people weren’t particularly enamored with the idea of having their emails automatically scanned, they certainly liked the storage enough to continue using it. Nevertheless, Microsoft’s advertising whiz kids used the practice as a stick to beat Google with – albeit to very limited effect.


But Google’s not going to stop pushing targeted ads – it’ll just get the information to do this from your searches, YouTube watching habits, Android phone and every time you use any other Google service. And Google will still be doing some Gmail scanning to offer up its Smart Replies suggestions at the end of the messages. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/google_stops_scanning_gmail_messages/

32TB of Windows 10 internal builds, core source code leak online

Jun 24

Exclusive A massive trove of Microsoft’s internal Windows operating system builds and chunks of its core source code have leaked online.

The data – some 32TB of official and non-public installation images and software blueprints that compress down to 8TB – were uploaded to betaarchive.com, the latest load of files provided just earlier this week. It is believed the confidential data in this dump was exfiltrated from Microsoft’s in-house systems around March this year.

The leaked code is Microsoft’s Shared Source Kit: according to people who have seen its contents, it includes the source to the base Windows 10 hardware drivers plus Redmond’s PnP code, its USB and Wi-Fi stacks, its storage drivers, and ARM-specific OneCore kernel code.

Anyone who has this information can scour it for security vulnerabilities, which could be exploited to hack Windows systems worldwide. The code runs at the heart of the operating system, at some of its most trusted levels.

Leaked … Screenshot of a Beta Archives posting announcing on Monday, June 19, the addition of Microsoft’s confidential source code archive

In addition to this, top-secret builds of Windows 10 and Windows Server 2016, none of which have been released to the public, have been leaked among copies of officially released versions. The confidential Windows team-only internal builds were created by Microsoft engineers for bug-hunting and testing purposes, and include private debugging symbols that are usually stripped out for public releases.

This software includes, for example, prerelease Windows 10 “Redstone” builds and unreleased 64-bit ARM flavors of Windows. There are, we think, too many versions now dumped online for Microsoft to revoke via its Secure Boot mechanism, meaning the tech giant can’t use its firmware security mechanisms to prevent people booting the prerelease operating systems.

Also in the leak are multiple versions of Microsoft’s Windows 10 Mobile Adaptation Kit, a confidential software toolset to get the operating system running on various portable and mobile devices.

Netizens with access to Beta Archive’s private repo of material can, even now, still get hold of the divulged data completely for free. It is being described by some as a bigger leak than the Windows 2000 source code blab in 2004.

Spokespeople for Microsoft declined to comment. ®

Updated to add

Beta Archive’s administrators are in the process of removing non-public Microsoft components and builds from its FTP server and its forums.

For example, all mention of the Shared Source Kit has been erased from its June 19 post. We took some screenshots before any material was scrubbed from sight. You’ll notice from the screenshot above in the article and the forum post that the source kit has disappeared between the Microsoft Windows 10 Debug Symbols and Diamond Monster 3D II Starter Pack.

The source kit is supposed to be available to only “qualified customers, enterprises, governments, and partners for debugging and reference purposes.”

In a statement, Beta Archive said: “The ‘Shared Source Kit’ folder did exist on the FTP until [The Register’s] article came to light. We have removed it from our FTP and listings pending further review just in case we missed something in our initial release. We currently have no plans to restore it until a full review of its contents is carried out and it is deemed acceptable under our rules.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/windows_10_leak/

US Secretary of State: I will work with Russia on cybersecurity issues

Jun 24

Analysis US Secretary of State Rex Tillerson has expressed a willingness to work directly with Russia on cybersecurity and other issues.

The proposed partnership is surprising, given the continued controversy over allegations that the Russians interfered with last year’s US presidential election – a serious accusation at the center of an ongoing Congressional inquiry.

Secretary of State Tillerson reportedly wants to work with Russia on attempts to deescalate the Syrian civil war and North Korea’s missile program, in addition to cybersecurity. The first of these ambitions is particularly difficult in the wake of Russia’s belligerent warning that it was prepared to treat US warplanes as potential targets following a recent attack on a Syrian regime aircraft.

Tillerson’s efforts in attempting to mend fences with the former Cold War foe could help ease pressure on US cyber infrastructure, which many top officials and strategists consider vulnerable.

Bill Hagestad, a former US Marine Corps lieutenant colonel turned cyber conflict author and researcher, told El Reg that although “willingness to collaborate, communicate and cooperate at the cyber-strategic level” between the two super-powers would be a positive objective, the US still needs to tread carefully.

“The willingness to work together if stated as the commander’s intent at the Secretary of State level promotes positive tactical actions at all levels of both governmental agencies and the military – essentially a directive and guideline for future cyber cooperation,” Hagestad explained.

“The caveat is that both sides must mutually agree and abide by the rules of engagement, based upon trust in each other and confidence that in the absence of attribution confirmation, those on the front lines, eg, mouse and keyboard, will always strive to act appropriately.

“Conversely, if the strategic level is agreed upon, and one side or the other agrees but acts surreptitiously and in a deceitful way for exclusive self-gain – well then the whole concept of cyber cooperation is for naught,” Hagestad warned, saying that establishing trust in cyberspace, especially with Russia, is fraught with difficulties.

“In the case of Russia, any nation state must carefully be aware of their proclivity for taking advantage of such cooperation, especially in the cyber domain – and even more distinctly when it comes to the Russian use of cyber in conjunction with combined arms such as espionage, kinetic means, and physical invasion of a sovereign state – eg, Estonia and Ukraine.” ®

PS: President Obama ordered US government hackers to plant spyware in Russia’s key networks amid intelligence that the Kremlin was working hard on derailing America’s elections, it was reported today.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/tillerson_to_work_with_putin/

AES-256 crypto cracked in 50 secs using €200 of kit one metre away

Jun 24

Sideband attacks that monitor a computer’s electromagnetic output to snaffle passwords are nothing new. They usually require direct access to the target system and a lot of expensive machinery – but no longer.

Researchers at Fox‑IT have managed to crack AES (Advanced Encryption Standard) 256 encryption keys from a distance of 1 metre (3.3 feet) – using €200 (~US$224) worth of parts obtained from a standard electronics store – just by measuring electromagnetic radiation. At that distance cracking the keys took five minutes, but if an attacker got within 30 centimetres (11.8 inches) of a device, the cracking time is cut down to just 50 seconds.

The research team used a simple loop antenna, attached it to an external amplifier and bandpass filters bought online, and then plugged it into a software defined radio USB stick they bought for €20. The entire cost of the setup was less than €200 and the device could be hidden in a jacket or laptop case.

They used this kit to record the radio signals generated by the power consumption of the SmartFusion2 target system running an ARM Cortex-M3 chip. By measuring the leakage between the Cortex processor and the AHB bus, the data showed the peaks and troughs of consumption as the encryption process was carried out.

By running encryptions on a test rig of their own, the researchers mapped out how the power consumption related to individual bytes of information. That allowed them to try the 256 possible values of a single byte in turn; the correct choice showed the highest power spike.

“Using this approach only requires us to spend a few seconds guessing the correct value for each byte in turn (256 options per byte, for 32 bytes – so a total of 8,192 guesses),” they wrote [PDF]. “In contrast, a direct brute-force attack on AES‑256 would require 2^256 guesses and would not complete before the end of the universe.”
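Why the per-byte search costs 256 guesses a byte rather than 2^256 in total, and what the standard countermeasure does to it, is easier to see on simulated traces than in prose. The C below is an added example for this paragraph and the identical one in the earlier copy of the story; it is not Fox‑IT's code and touches no hardware. It assumes a constructed leakage model (a sample is the Hamming weight of the S-box output plus noise), builds the AES S-box from its definition, recovers one key byte by correlating predicted Hamming weights with the traces for each of the 256 guesses, and then repeats the search against a first-order masked lookup, where no guess stands out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_TRACES 2000

static uint8_t SBOX[256];
static bool sbox_ready = false;

/* GF(2^8) multiply modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

/* Build the AES S-box from its definition: inverse in GF(2^8), then the affine map. */
static void ensure_sbox(void) {
    if (sbox_ready) return;
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 1;                 /* x^254 is x^-1 in GF(2^8); 0 maps to 0 */
        for (int i = 0; i < 254; i++) inv = gf_mul(inv, (uint8_t)x);
        uint8_t s = inv;
        for (int i = 1; i <= 4; i++) s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
        SBOX[x] = s ^ 0x63;
    }
    sbox_ready = true;
}

uint8_t aes_sbox(uint8_t x) { ensure_sbox(); return SBOX[x]; }

static int hamming_weight(uint8_t v) { int n = 0; for (; v; v >>= 1) n += v & 1; return n; }

/* xorshift32, seeded with a constant so the simulation is reproducible. */
static uint32_t rng_state = 0x9e3779b9u;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

typedef struct {
    uint8_t pt[N_TRACES];    /* known plaintext byte for each encryption */
    double  leak[N_TRACES];  /* simulated EM/power sample at the S-box lookup */
} trace_set;

/* Constructed leakage model: sample = HW(intermediate) + noise. An unprotected
 * lookup exposes HW(S[p ^ k]); a first-order masked one exposes HW(S[p ^ k] ^ m)
 * for a fresh random m, whose distribution no longer depends on k. */
static void simulate(trace_set *t, uint8_t key, bool masked) {
    ensure_sbox();
    for (int i = 0; i < N_TRACES; i++) {
        uint8_t p = (uint8_t)rng_next();
        uint8_t v = SBOX[p ^ key];
        if (masked) v ^= (uint8_t)rng_next();
        double noise = 0.0;
        for (int j = 0; j < 4; j++) noise += (rng_next() & 0xffff) / 65535.0 - 0.5;
        t->pt[i] = p;
        t->leak[i] = hamming_weight(v) + noise;
    }
}

/* Squared Pearson correlation; avoids sqrt so no libm is needed. */
static double corr_sq(const double *x, const double *y, int n) {
    double mx = 0, my = 0, sxy = 0, sxx = 0, syy = 0;
    for (int i = 0; i < n; i++) { mx += x[i]; my += y[i]; }
    mx /= n; my /= n;
    for (int i = 0; i < n; i++) {
        sxy += (x[i] - mx) * (y[i] - my);
        sxx += (x[i] - mx) * (x[i] - mx);
        syy += (y[i] - my) * (y[i] - my);
    }
    return (sxx > 0 && syy > 0) ? (sxy * sxy) / (sxx * syy) : 0.0;
}

/* One key byte at a time: the guess whose predicted Hamming weights correlate
 * best with the traces wins. 256 guesses per byte, independent of the others. */
static uint8_t recover_key_byte(const trace_set *t, double *peak_r2) {
    static double h[N_TRACES];
    double best = -1.0;
    uint8_t best_k = 0;
    for (int k = 0; k < 256; k++) {
        for (int i = 0; i < N_TRACES; i++) h[i] = hamming_weight(SBOX[t->pt[i] ^ k]);
        double r2 = corr_sq(h, t->leak, N_TRACES);
        if (r2 > best) { best = r2; best_k = (uint8_t)k; }
    }
    *peak_r2 = best;
    return best_k;
}

/* Does the per-byte search recover the key byte from an unprotected device? */
bool cpa_recovers_unmasked_key(uint8_t key) {
    static trace_set t; double peak;
    simulate(&t, key, false);
    return recover_key_byte(&t, &peak) == key;
}

/* Best r^2 any guess achieves: close to 1 unprotected, close to 0 when masked. */
double cpa_peak_r2(uint8_t key, bool masked) {
    static trace_set t; double peak;
    simulate(&t, key, masked);
    recover_key_byte(&t, &peak);
    return peak;
}

int main(void) {
    printf("unprotected: recovered=%d peak r^2=%.3f\n",
           cpa_recovers_unmasked_key(0x2b), cpa_peak_r2(0x2b, false));
    printf("masked:      peak r^2=%.3f\n", cpa_peak_r2(0x2b, true));
    return 0;
}
```

The same loop is what an implementer can run over real captures from their own device as a first-order leakage check: if the true key's guess stands out, the intermediate is leaking and masking (or a hardware countermeasure) is needed; the masked run shows the correlation collapsing to noise, which is the effect the Fox‑IT paper's call for defense-in-depth is aiming at.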

The electromagnetic signals drop off rapidly the farther away you are from the target, but the researchers still managed the crack from a distance of one metre, even though it took much longer to do so. Spending more on the equipment, however, would increase the range and speed of the attack.

“In practice this setup is well suited to attacking network encryption appliances,” they wrote. “Many of these targets perform bulk encryption (possibly with attacker-controlled data) and the ciphertext is often easily captured from elsewhere in the network. This again underscores the need for deep expertise and defense-in-depth when designing high assurance systems.”

There are, of course, some caveats. The tests took place under laboratory conditions, rather than in a busy office or server room where other signals might interfere with the data collection. But it’s an interesting example of how an attack previously thought of as unfeasible due to cost and distance has been made easier by smarter and cheaper technology. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/23/aes_256_cracked_50_seconds_200_kit/

Anthem to shell out $115m in largest-ever data theft settlement

Jun 24

Health insurer Anthem has today agreed to pay $115m to settle a class-action suit brought on by its 2015 cyber-theft of 78.8 million records.

The settlement fund will be used to cover damage costs incurred by people who had personal information including their names, dates of birth, addresses, and medical ID numbers stolen when, in 2015, Anthem was hit by hackers.

While credit card details and medical records were not accessed, the exposed personal information was serious enough that credit monitoring services have been given to affected customers.

Now, after two years of legal wrangling, a settlement package has been agreed on and put forward for court approval. Judge Lucy Koh will review the proposal and sign off on the deal or send it back to be re-written.

“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” lead attorney Eve Cervantez said.

As is usually the case with settlements, Anthem will not have to admit to any wrongdoing.

If you were one of those hit by the intrusion, don’t expect a big payout. Plenty of others will be getting their cuts first. According to the terms of the settlement, a full third of the package ($37,950,000) has been earmarked to cover attorney fees.

An additional $17m will be paid out to Experian, who is handling the credit and identity monitoring services for victims. Any taxes the government levies on the $115m payout will also be deducted from the fund itself.

After all that, people affected will be able to fill out the necessary forms to claim a share of the settlement, including coverage of out-of-pocket expenses they have incurred from the breach (but only up to $15m – beyond that no more out-of-pocket claims will be accepted).

The timeline for submitting claims will be decided after (and if) the settlement deal is approved. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/06/24/anthem_115m_largestever_data_theft_settlement/