STE WILLIAMS

The Apache “Optionsbleed” security hole explained [VIDEO]

Yesterday, we wrote about a new Heartbleed-like vulnerability in the Apache web server.

The new security hole can be triggered by a special sort of web request called OPTIONS, and it can leak, or “bleed”, data that isn’t supposed to be revealed…

…thus the name Optionsbleed.

(If one leakage is an optionsbleed, we don’t know what two of them are called: optionsbleeds, perhaps?)

Although the bug isn’t as dramatic or quite as dangerous as Heartbleed, it’s still a security vulnerability.

And any vulnerability by which you could give away data that you are supposed to keep private is a risk to your reputation, if not to your users.

We were asked if we could describe and discuss this bug in a short Facebook Live video, for those who find verbal explanations of technical topics easier to follow than dense written coverage.

So we did:


(You don’t need a Facebook account to watch the video, and if you do have an account you don’t need to be logged in. If you can’t hear the sound, try clicking on the speaker icon in the bottom right corner of the video player to unmute.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Vhk1Q1vyUps/

Manchester plod still running 1,500 Windows XP machines

Cops in Manchester, England, have 1,518 PCs running on Microsoft’s dusty operating system Windows XP, according to a Freedom of Information response.

This equates to 20.3 per cent of the total PC fleet that GMP has in use, despite Microsoft ending support for the much loved operating system back in April 2014.

A spokesman for GMP insisted it was reducing its reliance on XP “continually”.

“The remaining XP machines are still in place due to complex technical requirements from a small number of externally provided highly specialised applications,” a spokeswoman told the BBC.

“Work is well advanced to mitigate each of these special requirements within this calendar year, typically through the replacement or removal of the software applications in question.”

The FoI request about PC estates and the operating systems used was sent to numerous police forces across the UK but most refused to respond, citing security concerns.

The Register previously asked the Home Office to disclose its number of ageing Windows devices, and received the same response. But in June the Met actually ‘fessed up that it was still running 18,000 Windows XP boxes.

Infosec expert Alan Woodward told us “security through obscurity” does not work as an effective measure against attacks.

“By running so many XP machines, the police is effectively leaving more door handles exposed for hackers to rattle. Hackers are not targeted, so not disclosing this information won’t prevent attacks.

“From what I know this proportion of machines still running Windows XP is endemic across public sector.”

Raj Samani, McAfee fellow and chief scientist, agreed. “The public sector is an increasingly popular target for cybercriminals. Its ample sensitive data provides large-scale opportunities to cause havoc, as was made evident this year with the WannaCry attack which targeted the NHS.”


He added that around 6 per cent of all operating systems in the world are running XP, meaning it is not just a problem in the law enforcement agencies. “But it might be a bit misleading to say it’s running XP, ergo it is vulnerable. The question is what compensating controls are in place,” he said.

For example, it transpired that Windows XP machines weren’t necessarily the main vector in spreading the WannaCry virus, with many machines simply crashing rather than spreading the infection. Some researchers believe the bigger problem was unpatched machines on other versions of the operating system: Vista and Windows 7.

That said, running Windows XP still presents a potential security risk, say researchers.

Ross Anderson, professor of security engineering at the University of Cambridge, noted that the money spent keeping outdated operating systems secure is a false economy.

He said the fact Manchester is still running Windows XP doesn’t in itself indicate the level of the threat exposure.

“It’ll be down to what sysadmin they have in place, the firewalls and how they are configured… certainly no one should consider running unpatched machines.”

Christopher Boyd, lead malware man at Malwarebytes, said Manchester Police seem to be suffering from a common problem – reliance on custom applications which don’t work with other versions of Windows.

“Aside from the well known risks posed by XP, we must ask how healthy these apps are. Do the developers still even support them with security patches, or are they essentially ‘abandonware’ with no comparable equivalent available?”

Given budget constraints it seems they are being forced to slowly find replacements while dealing with increasing amounts of duct tape to keep everything ticking over, he said. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/20/manchester_police_still_running_1500_xp_machines/

IT fraudster facing four years’ bird time for $10k blackmail

An IT contractor who sabotaged a client’s website and demanded $10,000 to restore it was this week convicted of wire fraud and sentenced to four years behind bars.

Tavis Tso, 40, from Arizona, was also ordered by US District Judge David Campbell to pay $9,145 in restitution to the unnamed victim of his crime. Tso had previously pleaded guilty to one count of wire fraud.

In his plea deal, Tso admitted to providing IT services in June 2011 via a GoDaddy account. In May 2015, he was contacted by the company for account login information.

Instead of handing over the details, which he falsely told them he did not have, Tso accessed the account and changed the contact information in order to defraud the business.

That resulted in the company’s website being redirected to a blank page and the domain’s email becoming unavailable to the company’s staff for incoming messages.

After the company refused his blackmail, he subsequently redirected their website to www.teengaydick.com.

Visitors to the company’s website were redirected to the pornographic website for several days before the website was returned to normal. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/20/it_contractor_convicted_of_wire_fraud_for_defacing_website/

Equifax’s disastrous Struts patching blunder: THOUSANDS of other orgs did it too

Thousands of companies may be susceptible to the same type of hack that recently struck Equifax.

The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months. The affected version of Struts2 was publicly disclosed as vulnerable (CVE-2017-5638) on March 10, and was subsequently exploited at Equifax between May and late July, when the attack was finally detected.

Additionally, more than 46,000 organisations downloaded versions of Struts and/or its sub-projects with known vulnerabilities despite perfectly safe versions being available. Altogether, upwards of 50,000 organisations might be vulnerable to attack.

Why are developers still using vulnerable software packages when newer versions are available?

A variety of factors might be responsible, such as dependencies, old links in documentation, no time allotted to test newer versions, and simple fear of change. Compatibility is a big factor. “Over the years Struts versions have unsupported/broke features, plugins,” noted infosec consultant Kevin Beaumont.

Jason Coulls, a mobile app developer, added: “Technical debt. If you don’t keep up, compatibility will force you backwards.”

Why wouldn’t you patch?

Mike Pittenger, VP of security strategy at SecDevOps tools firm Black Duck Software, told El Reg that it could be that developers – whose work performance is generally judged by the functionality of their software rather than security factors – neglect to check whether the version of Struts they are using is secure or not.

Struts is a framework for web app development and the amount of work needed to patch a particular environment can vary widely. Sometimes there are valid reasons to defer patching. “Fixes could require API [program interface] changes or more testing to make sure you don’t break things,” Pittenger said.

Updating difficulty varies widely with the vulnerability. A recent open-source security and risk analysis by Black Duck found Apache Struts present in 3.9 per cent of the apps it examined, with 20 high-risk vulnerabilities per component.

Sonatype’s figures are based on analysis of data from the Maven Central repository, the largest distribution point for Java open-source components.
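The checking the article says developers neglect is mechanical once the affected versions are known. The following added example (not Sonatype’s, Black Duck’s or any project’s own tooling) audits a Maven pom.xml for a struts2-core dependency sitting inside the CVE-2017-5638 affected ranges. The pom.xml is constructed for the example; the affected ranges (2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1) come from Apache’s S2-045 advisory, not from the article, and the script only answers the question for this one CVE.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges for CVE-2017-5638 as published in Apache advisory S2-045
# (external fact, not from the article): [first affected, first fixed).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]
FIRST_AFFECTED = (2, 3, 5)

# Constructed sample pom.xml; the property indirection is typical of real builds
# and is exactly what a grep for a literal version number misses.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>"""


def _local(tag):
    """Strip the XML namespace that Maven POMs carry on every element."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); None when the string is not numeric."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify_struts_version(text):
    """Classify a struts2-core version against the S2-045 affected ranges."""
    v = parse_version(text)
    if v is None:
        return "unparsed"
    if v < FIRST_AFFECTED:
        return "end-of-life"   # predates the affected range; not assessed here
    for start, fix in AFFECTED_RANGES:
        if start <= v < fix:
            return "affected"
    return "fixed"


def audit_pom(pom_text):
    """Return (artifactId, resolved version, status) for each struts2-core dependency."""
    root = ET.fromstring(pom_text)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props = {_local(c.tag): (c.text or "").strip() for c in el}
    findings = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in el}
        if f.get("groupId") != "org.apache.struts" or f.get("artifactId") != "struts2-core":
            continue
        version = f.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", version)   # resolve ${struts.version}
        if ref:
            version = props.get(ref.group(1), version)
        findings.append((f["artifactId"], version, classify_struts_version(version)))
    return findings


if __name__ == "__main__":
    for artifact, version, status in audit_pom(SAMPLE_POM):
        print(f"{artifact} {version}: {status}")
```

Versions inherited from a parent POM or a BOM are not resolved here; for those, run the check against the output of `mvn dependency:list` instead of the raw file.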

Sonatype’s 2017 State of the Software Supply Chain report found that 4.6 per cent (1 in 22) of the components used in production software have known vulnerabilities.

“Like people who accidentally bring expired milk home from the grocery store, companies that download and deploy known vulnerable open source components are simply not paying attention,” said Wayne Jackson, Sonatype chief exec.

“The Equifax breach highlights the fact that perimeter security alone is not sufficient to protect personal data when hackers can easily exploit applications by targeting known vulnerable software components.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/20/equifax_vulnerability_could_be_widespread/

More data lost or stolen in first half of 2017 than the whole of last year

More data records have been lost or stolen during the first half of 2017 (1.9 billion) than all of 2016 (1.37 billion).

Digital security company Gemalto’s Breach Level Index (PDF), published Wednesday, found that an average of 10.4 million records are lost or stolen every day.

During the first half of 2017 there were 918 reported data breaches worldwide, compared with 815 in the last six months of 2016, an increase of 13 per cent. A total of 22 breaches in Q1 2017 included the compromise, theft or loss of more than a million records.

Gemalto estimates less than 1 per cent of the stolen, lost or compromised data used encryption to render the information useless.

Malicious outsiders (cybercriminals) made up the largest single source of data breaches (74 per cent) but accounted for only 13 per cent of all stolen, compromised or lost records. While malicious insider attacks only made up 8 per cent of all breaches, the number of records compromised was 20 million, up from 500,000 in the previous six months.

North America still makes up the majority of all breaches and the number of compromised records, both above 86 per cent. The number of breaches in North America increased by 23 per cent with the number of records compromised increasing threefold (up 201 per cent).

Traditionally, North America has always had the largest number of publicly disclosed breaches and associated record numbers, although this may change somewhat next year when global data privacy regulations like the European General Data Protection Regulation (GDPR) and Australia’s Privacy Amendment (Notifiable Data Breaches) Act come into play.

Europe only had 49 reported data breaches (5 per cent of all breaches), a 35 per cent decline from the six months before.

The UK had the second highest number of reported incidents after the US, with 40 (down from 43). A total of 28,331,861 data records were compromised in the UK in H1 2017 (up 130 per cent from H2 2016).

Half of data incidents in the UK involved a malicious outsider (50 per cent), with 38 per cent attributed to accidental loss. Two-thirds of the breaches in the UK are classified as identity theft (65 per cent).

Government was the single biggest source of security incidents with 12 in H1 2017, ahead of technology firms (seven) and healthcare (six).

The Breach Level Index, which has been running since 2013, benchmarks publicly disclosed data breaches.

As new regulations such as the UK’s Data Protection Bill and GDPR come into effect, the numbers of disclosed breaches could skyrocket. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/20/gemalto_breach_index/

Lloyds Bank payments glitch frustrates merchants

Lloyds Bank has admitted that unspecified technical problems affected the operation of its Cardnet payment system on Tuesday while denying suggestions relayed to a Reg reader that it had suffered a cyber attack.

The Register learnt of a potential issue after a reader got in touch to say that many chip-and-PIN terminals were not working for Spire/Hypercom point-of-sale machines because of what support staff had told him was a “cyber attack”.

In response to follow-up questions asking for more specifics, the tipster offered: “The terminals won’t contact acquirer blaming network error. Cardnet’s Spire support only said ‘cyber attack’. No specifics.”

One affected party took to Twitter to complain about an issue with Lloyds Bank Cardnet but there was no evidence of widespread problems and two independent UK payment systems security experts hadn’t picked up on any problems.

In response to queries from El Reg, Lloyds Bank confirmed a glitch in its systems but downplayed the significance.

We are aware that a small number of merchant terminals experienced issues yesterday as a result of a technical problem which has since been resolved. We have been providing guidance to merchants on how to resolve the issues with impacted terminals and are very sorry for any inconvenience caused.

Lloyds Bank, which is in the process of outsourcing data centre management to IBM, declined to answer follow-up questions on the number of merchants affected or the nature of the problem. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/20/lloyds_bank_cardnet/

Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder

Updated: Media monster Viacom has been caught with its security trousers down. Researchers found a wide-open, public-facing misconfigured AWS S3 bucket containing pretty much everything a hacker would need to take down the company’s IT systems.

The data store, found by Chris Vickery, director of Cyber Risk Research at security shop UpGuard, contained 72 compressed .tgz files in a folder labelled mcs-puppet. The name appears to refer to Viacom’s Multiplatform Compute Services division, which handles IT systems for the firm.

“The contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure,” Vickery revealed today. “The presence of this data in an S3 bucket bearing MCS’s name appears to further corroborate the Viacom group’s mission of moving its infrastructure onto Amazon Web Services’ cloud.”

The Amazon-hosted bucket could be accessed by any netizen stumbling upon it, and contained the passwords and manifests for Viacom’s servers, as well as the access key and private key for the corporation’s AWS account. Some of the data was encrypted using GPG, but that wouldn’t be an issue because the bucket also contained the necessary decryption keys.

Basically, had a hacker found this before Vickery, they would have had all the tools they needed to phish customers for their account details, spin up server instances that would accurately mimic Viacom’s legitimate systems for use as a botnet or for other nefarious purposes, or provide invaluable information to allow hackers to take a trawl through Viacom’s own networks.

Viacom is the sixth largest media conglomerate on the planet, controlling Paramount Pictures, MTV, Comedy Central and Nickelodeon. That’s a very juicy target indeed, and a successful hack could have seriously damaged the company and its customers. Viacom has yet to reply to requests for comment.

“The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating; when it comes to data exposures, quality can be as vital as quantity,” UpGuard stated.

“Analysis of the Viacom leak reveals nothing less than this: the keys to a media kingdom were left publicly accessible on the internet, completely compromising the integrity of Viacom’s digital infrastructure.”

This is the latest in a long line of open S3 buckets found by UpGuard, thanks to Vickery’s current crusade against the practice. A simple script searches for open S3 buckets and then he and his team take a poke around for interesting stuff. If security shops are doing this, then hackers are certainly following suit as well. ®

Updated to add

Viacom has sent us the following statement:

Once Viacom became aware that information on a server – including technical information, but no employee or customer information – was publicly accessible, we rectified the issue. We have analyzed the data in question and determined there was no material impact.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/19/viacom_exposure_in_aws3_bucket_blunder/

Inept bloke who tried to sell military sat secrets to Russia gets 5 years

A contractor who tried to sell trade secrets on military communication satellites to the Russians has been sent down for five years. Incredibly, it could have been longer after prosecutors alleged that he was also planning to kill his wife.

On Monday, California District Judge George Wu threw Gregory Allen Justice, 50, behind bars in an American prison. Justice had pled guilty to counts of economic espionage and violating the Arms Export Control Act in exchange for a lighter sentence.

Justice was arrested last July in an FBI sting operation after he approached the Russian consulate in California proposing to sell secrets from his day job as an engineer working on GPS, the Milstar military communications network, and covert reconnaissance satellites. While he didn’t have access to classified material, he worked with documents covered by arms export agreements, at the unnamed military contractor that employed him.


After his approach to the Russians was noted, Justice was put under observation and an FBI operative posing as an agent of the Russian equivalent of the CIA – the Sluzhba Vneshney Razvedki – got in contact. Justice passed the agent USB drives containing trade secrets in exchange for cash payments of $500 or $1,000, according to court documents [PDF].

The information he provided was on the wideband global satellite communications system used by the US military for communications. It included details of the encryption systems it used, firmware code, and the anti-jamming defenses that the satellites use.

Justice claimed that he needed the money to pay his sick wife’s medical bills, but instead spent the money on wooing a woman he thought was an Eastern European who he’d met online. In fact, the woman was living in California and was simply catfishing him, accepting at least $21,420 in cash from Justice at the same time that he was telling his wife they would have to delay her treatments because he was short of money.

However, the prosecution also claimed [PDF] that at one of the meetings, Justice asked the agent for help in procuring a muscle relaxant called Anectine, which can be fatal if wrongly administered. Justice said it was to help his wife breathe more easily and that she had been treated with it before.

One problem: Mrs Justice had never been prescribed Anectine. The FBI stated that in a post-arrest interview, Justice said he was aware of cases he’d seen online about the drug being used to kill people. In light of this, the prosecutors asked the judge to sentence him to at least seven years in prison for allegedly planning to murder her.

Judge Wu wasn’t buying it, however. He reportedly said that people occasionally fantasize about killing their spouses, but that doesn’t mean they would actually go through with it. Presumably the judge’s wife wasn’t thrilled with that statement.

Justice, who was shackled in the court room, expressed “regret and remorse” for his crimes, and said that while in jail he had had a religious epiphany. He stated that when he got out of prison he would devote himself to looking after his sick father. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/19/engineer_selling_secrets_to_russians_got_5yrs/

Apple’s new tracking protection is “sabotage”, claims ad industry

The ad industry is gnashing its teeth over Apple’s latest move to limit how we get tracked around the web.

They’re concerned about the new version of Apple’s mobile operating system – iOS 11 – which will hit phones and tablets today.

To be clear, the arrival of iOS 11 doesn’t mean that the Safari web browser will stop sites from tracking you around. No, there will be no advertising Armageddon for the way that sites track visitors’ browsing from site to site. Marketers will still be able to do things like try to sell you flip flops after you 1) check out an online shoe store and then 2) visit a site that has nothing to do with Maui.

Tracking via cookies won’t come to a screeching halt, but it will, in fact, be corralled, as Apple described in June when it announced a feature called Intelligent Tracking Prevention (ITP).

ITP uses a number of methods to try to cut back on ad-tracking, one being to limit the use of cookies for ad retargeting to 24 hours, and deleting a site’s cookies entirely if you don’t visit for 30 days. If you visit, say, your favorite flip flop emporium on one day, then show interest in that same site within 24 hours, the technology will allow that domain to track you as you visit other sites by planting cookies to follow you around. If you don’t go back to the flip flop shop after 30 days, it will lose the ability to track you.

Well, that might sound reasonable to Apple, and it might sound reasonable to people who don’t really want to see irrelevant ads for the rest of their lives after accidentally stumbling onto fill-in-the-blank-dot-com by accident (all too easy to do when you’ve got ads popping up on mobile devices, where the X button is too tiny to hit with any accuracy).

But it doesn’t sound reasonable to the advertising industry. In fact, it sounds like internet sabotage.

Six major advertising consortia have signed an open letter to Apple in which they claim that Apple is replacing the current model of user-controlled cookie preferences with its own set of “opaque and arbitrary standards” for cookie handling.

It’s going to hurt users by giving them generic ads, they say. Thanks, Apple, the consortia say: you’re popping a hole in the internet’s economic model.

From the open letter, published in AdWeek last week:

Apple’s unilateral and heavy-handed approach is bad for consumer choice and bad for the ad-supported online content and services consumers love. Blocking cookies in this manner will drive a wedge between brands and their customers, and it will make advertising more generic and less timely and useful. Put simply, machine-driven cookie choices do not represent user choice; they represent browser-manufacturer choice.

Yes, machine-driven: as Apple announced in June, Safari has been outfitted with machine learning, built into its WebKit browser engine.

When it comes to cookies, there are a few types.

First-party cookies are planted by the sites we visit and can only be read by the site that set them. Third-party cookies typically come from resources such as Facebook Like buttons or tracking scripts that are included in the pages we visit but are pulled in from different domains. Third-party cookies can be used to track us as we move across sites that share the same third-party resources.

A first-party cookie set when you visit facebook.com can become a third-party cookie when you visit another site that includes resources from facebook.com.

Apple haven’t done a great job of explaining how their machine learning is being used but so far as we can tell it’s there to figure out which first-party cookies are allowed to become third-party tracking cookies on other sites, and which aren’t.
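To make the first-party/third-party distinction and the 24-hour and 30-day windows concrete, here is an added simulation written for this page; it is not Apple’s code and it does not reproduce WebKit’s classifier. It assumes a site is identified by the last two labels of a hostname (a real browser consults the Public Suffix List), and treats the period between 24 hours and 30 days, which the article does not describe, as “cookies kept but not usable cross-site”. Hostnames and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Windows as the article describes ITP: cross-site cookie use is allowed for 24 hours
# after the user last visited a site; a site's cookies are purged after 30 days without a visit.
RETARGET_WINDOW = timedelta(hours=24)
PURGE_AFTER = timedelta(days=30)


def registrable_domain(host):
    """Simplified 'site' of a hostname: its last two labels (assumption; a real
    browser uses the Public Suffix List, so example.co.uk would need three)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def cookie_party(page_host, resource_host):
    """A cookie is first-party when the resource belongs to the site being viewed."""
    if registrable_domain(page_host) == registrable_domain(resource_host):
        return "first-party"
    return "third-party"


class TrackingPrevention:
    """Per-site record of the last first-party visit, as the policy's only input."""

    def __init__(self):
        self.last_visit = {}   # site -> datetime of the last direct visit

    def visit(self, host, when):
        """The user navigates to a site directly: that counts as interaction."""
        self.last_visit[registrable_domain(host)] = when

    def decide(self, page_host, resource_host, when):
        """May a resource embedded in page_host use its cookies at time `when`?"""
        if cookie_party(page_host, resource_host) == "first-party":
            return "allow"          # first-party cookies function as designed
        site = registrable_domain(resource_host)
        last = self.last_visit.get(site)
        if last is None:
            return "deny"           # never visited directly: no cross-site cookie use
        age = when - last
        if age > PURGE_AFTER:
            del self.last_visit[site]
            return "purge"          # 30 days without a visit: cookies deleted outright
        if age <= RETARGET_WINDOW:
            return "allow"          # within 24 hours of a visit: retargeting still works
        return "deny"               # 24h..30d: kept for the site itself, not usable cross-site


def walkthrough():
    """The article's flip-flop shop scenario with constructed hosts and times."""
    itp = TrackingPrevention()
    t0 = datetime(2017, 9, 20, 9, 0)
    itp.visit("shop.flipflops.example", t0)
    return [
        itp.decide("shop.flipflops.example", "cdn.flipflops.example", t0),
        itp.decide("news.example", "ads.flipflops.example", t0 + timedelta(hours=2)),
        itp.decide("news.example", "ads.flipflops.example", t0 + timedelta(days=3)),
        itp.decide("news.example", "ads.flipflops.example", t0 + timedelta(days=31)),
        itp.decide("news.example", "ads.flipflops.example", t0 + timedelta(days=32)),
        itp.decide("news.example", "tracker.example", t0),
    ]


if __name__ == "__main__":
    for decision in walkthrough():
        print(decision)
```

The last case is the one that matters for the ad industry’s complaint: a domain the user has never visited as a first party gets no cross-site cookie access at all, however many pages embed it.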

Despite the advertising consortia’s letter, Apple’s sticking with the plan. It said in a statement that it believes that people have a right to privacy, and ITP is a good way to protect that privacy:

Apple believes that people have a right to privacy – Safari was the first browser to block third-party cookies by default and Intelligent Tracking Prevention is a more advanced method for protecting user privacy.

Ad tracking technology has become so pervasive that it is possible for ad tracking companies to recreate the majority of a person’s web browsing history. This information is collected without permission and is used for ad re-targeting, which is how ads follow people around the internet. The new Intelligent Tracking Prevention feature detects and eliminates cookies and other data used for this cross-site tracking, which means it helps keep a person’s browsing private. The feature does not block ads or interfere with legitimate tracking on the sites that people actually click on and visit. Cookies for sites that you interact with function as designed, and ads placed by web publishers will appear normally.

This isn’t the first time that the ad industry has sent up distress signals over checks on advertising. Two years ago, the issue was adblockers, and the economic “sabotage” was framed in a claim from Adobe and PageFair that adblockers would cost businesses $22,000,000,000. That’s not a typo: they really did say that adblockers would cost businesses $22 billion, with a B.

Our readers heartily disagreed.

…and our own Paul Ducklin said at the time:

[A]ds in the face of people who don’t want them will almost always only ever get clicked by mistake (easy on a mobile). We’ve all done it – and we all probably just backed out from the ad right away. But dud clicks of that sort represent a completely wasted cost to any legitimate company buying ad clicks. So you might just as well argue that ad blockers will *save* businesses $Xm during [the coming year], by helping to protect well-meaning companies from paying for other people’s mistakes.

Is restricting tracking, as Apple is doing with the iOS upgrade, the same as blocking ads altogether (or as much as possible, given Google’s and Facebook’s skill at evading adblockers) with an adblocker?

Yes, Apple is taking more control of cookies. It’s not stopping ads. Rather, it’s reining in the enormously rich profiles that marketers construct via tracking and which enable them to target-market us.

Will that cause the internet economy to collapse? It’s hard to imagine that it would. Will it limit the annoying ads that follow us around everywhere we go?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NSFVuotg424/

News in brief: Linux advice for Equifax; fired over phish; Security.txt standard proposed

Would SELinux have stopped Equifax breach?

Writing on the Double Pulsar site, infosec practitioner Kevin Beaumont suggests Security Enhanced Linux (SELinux) would have saved Equifax from the disastrous breach it disclosed earlier this month.

If you’re going to have Apache Struts facing the internet, SELinux is the way to go, he wrote, referring to the Apache Struts vulnerability the thieves exploited:

This is the #1 thing almost every organisation seems to miss. Security Enhanced Linux is very simple to deploy — usually just one command — and it beefs up security on processes. Correctly deployed, it stops Tomcat accessing the system — so stops unknown exploits.

The article goes on to describe how the absence of SELinux makes things easy for the bad guys, and how IT/infosec practitioners can get the best bang from it.

BBC: Finance director phished, then fired

The BBC has a cautionary tale for pretty much everyone who uses email. It’s the story of a finance director who was sacked after falling for a phishing scam disguised as a message from the boss. The name of the company and the players are anonymous in the story, but the BBC describes the sequence of events this way:

The email from the boss looked kosher. He said a new supplier needed paying urgently – £50,000 to secure an important contract. He wanted it done as soon as possible because he was on holiday and didn’t want to worry anymore about work. This rang true to the finance director because his boss had already posted a photo of his Greek island getaway on Instagram. His email address looked genuine too. But, of course, it wasn’t the boss.

It was a fraudster who’d done his research and was skilled at psychological manipulation. The small manufacturing firm – that wishes to remain anonymous – ended up losing £150,000 to the fraudster in the mistaken belief that he was a legitimate supplier. When the boss found out the bad news, he fired the finance director.

The article says to beware of three words in any email subject field: “urgent”, “payment” and “request”.

Proposed Security.txt standard resembles Robots.txt

Security researcher and web developer Ed Foudil has an idea he hopes the Internet Engineering Task Force (IETF) will go for: turning security.txt into a standard. security.txt is a file webmasters can host on their domain root and use to describe the site’s security policies. It’s a lot like robots.txt, a standard websites use to communicate and define policies for web and search engine crawlers.

The difference is that security.txt would be specific to security policies.

In his paper, Foudil says the following:

When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. Security.txt defines a standard to help organizations define the process for security researchers to securely disclose security vulnerabilities.

According to Bleepingcomputer, it would work this way:

  • A security researcher finds a security vulnerability on a website
  • He/she accesses the site’s security.txt file for information on how to contact the company and securely report the issue.

Security.txt is currently labelled as an “Internet Draft”, the first IETF regulatory step in a three-stage process that also includes RFC (Request for Comments) and official Internet Standards.
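A security.txt file is simple enough that a site operator can lint it before publishing. The added example below (written for this page, not Foudil’s reference code) parses the `Field: value` format and checks the points that matter to a researcher trying to reach you: at least one Contact given as a URI, an Expires timestamp that has not passed, and links served over HTTPS. Field names follow RFC 9116, the standard the draft eventually became, so Expires and Acknowledgments are later additions not in the 2017 draft, and RFC 9116 places the file under /.well-known/ rather than at the domain root the article mentions. Both sample files are constructed.

```python
from datetime import datetime, timezone

# Field names as defined in RFC 9116 (assumption: the 2017 draft had fewer).
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring"}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")

# Constructed sample files; example.com is a placeholder, not any real site's policy.
GOOD_FILE = """# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Encryption: https://example.com/pgp-key.txt
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/disclosure-policy
"""

BAD_FILE = """Contact: security@example.com
Encryption: http://example.com/pgp-key.txt
Acknowledgement: https://example.com/thanks
"""


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}; comments and blanks skipped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate(fields, now_iso):
    """Return a list of problems found; an empty list means the checks pass.
    now_iso is the reference time as an ISO 8601 string, e.g. 2017-09-20T00:00:00Z."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    problems = []
    if "Contact" not in fields:
        problems.append("missing required Contact field")
    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a URI (mailto:, https://, tel:): {value}")
    for name in ("Encryption", "Policy", "Canonical", "Acknowledgments", "Hiring"):
        for value in fields.get(name, []):
            if value.startswith("http://"):
                problems.append(f"{name} link served over plain http: {value}")
    if "Expires" not in fields:
        problems.append("missing Expires field (required by RFC 9116)")
    for value in fields.get("Expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"file expired at {value}; researchers should not rely on it")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name!r}")
    return problems


def lint(text, now_iso="2017-09-20T00:00:00Z"):
    """Parse and validate in one step; returns the list of problems."""
    return validate(parse_security_txt(text), now_iso)


if __name__ == "__main__":
    for label, text in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(label, lint(text) or ["ok"])
```

The unknown-field check is what catches the bad sample’s `Acknowledgement:` line, a spelling the RFC does not use; a researcher’s tooling would silently ignore it.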



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dxH8OAEqrvk/