STE WILLIAMS

60% of Businesses Mistakenly Sent out Sensitive Documents

Some 43% of organizations say they lack widely understood policies for securing internal documents.

First it was Edward Snowden’s infamous leak of sensitive NSA files and now WikiLeaks leaking alleged stolen documents from the CIA: document security once again is front and center for organizations.

A new study of more than 200 business owners, CEOs, executives, and knowledge workers by the Business Performance Innovation (BPI) Network found that while most are concerned about cyberattack-borne breaches of critical documents, the top concern by far is an employee accidentally sending out confidential information.

According to the study, 61% worry about an employee sending out confidential information to a wrong party, while 41% are concerned about breaches of critical documents. And most telling, six in 10 say either they or someone they’ve worked with have mistakenly sent out documents that they shouldn’t have.


Some 43% also report that their company does not have widely understood policies for document security. This has grown in importance as confidential information has been embedded in documents with significant frequency. Close to 75% of respondents say they or their staff produce documents containing sensitive information on a least a weekly basis, and more than 33% do so daily.

“Clearly, document security is a very big unmet challenge,” says Dave Murray, director of thought leadership for the BPI Network. “Companies must do a better job educating their employees and integrating tools such as connected documents or ‘Smart PDFs’ that let users encrypt and recall a document.”

Frank Dickson, a research director at IDC, notes that even if the breach is not from a malicious source, it is not necessarily less damaging.

“An accidental breach is still a breach and can be as big as anything else,” Dickson says. “Especially when you’re talking about the ability of employees to make mistakes.”

Other hot button worries: sensitive documents shared by outside partners without permission (34%); documents purposely leaked to outsiders by employees (33%); former employees leaving with documents on their own personal devices (26%); and improperly altered documents put into circulation (22%).

In terms of repercussions from stolen or breached documents, responses ranged from reputational damage (53%) to lawsuits (41%) and lost time and productivity spent fixing the problem (40%). Another 39% cited competitive risks, and 34% are concerned that such an incident could cost them their jobs. Only 21% say they are concerned about revenue loss.

The BPI Network report was commissioned by Foxit Software, a maker of secure PDF software. 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: http://www.darkreading.com/endpoint/60--of-businesses-mistakenly-sent-out-sensitive-documents-/d/d-id/1328396?_mc=RSS_DR_EDT

Today’s WWW is built on pillars of sand: Buggy, exploitable JavaScript libs are everywhere

The web has a security problem: code libraries. Almost 88 per cent of the top 75,000 websites and 47 per cent of .com websites rely on at least one vulnerable JavaScript library.

As described in a recently published paper, “Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web,” researchers from Northeastern University in Boston, Massachusetts, have found that many websites rely widely on insecure versions of JavaScript libraries and that there’s no immediate way to eliminate this problem.

The web is full of JavaScript, the most popular development technology outside of the mobile world, at least by Stack Overflow’s measure. “Notorious for security vulnerabilities,” as the paper’s six authors put it, JavaScript has come to depend on a wide variety of libraries that extend its capabilities, such as jQuery, Angular, and Bootstrap.

These libraries simplify common development patterns like manipulating HTML page elements, providing application structure, and simplifying user interface construction.

Unfortunately, JavaScript libraries may not be kept up-to-date and there’s no agreed-upon system for ensuring that web apps don’t load vulnerable library code.

The researchers looked at 75,000 of the top Alexa-ranked websites and at 75,000 randomly chosen .com websites. They found at least 36.7 per cent of jQuery, 40.1 per cent of Angular, 86.6 per cent of Handlebars, and 87.3 per cent of YUI (the discontinued Yahoo! User Interface Library) implementations employ a vulnerable version.

“Alarmingly, many sites continue to rely on libraries like YUI and SWFObject that are no longer maintained,” the paper says. “In fact, the median website in our dataset is using a library version 1,177 days older than the newest release, which explains why so many vulnerable libraries tend to linger on the web.”

To make matters worse, many websites include multiple versions of libraries, thereby increasing the potential for vulnerabilities. And third-party modules that implement advertising, tracking, or social media functions may come with embedded JavaScript that loads more libraries, any of which could be out of date.

“If not isolated in a frame, these libraries gain full privileges in the including site’s context,” the paper says. “Thus, even if a web developer keeps library dependencies updated, outdated versions may still be included by badly maintained third-party content.”

The researchers say there’s no easy fix, noting that existing remediation strategies look doubtful because “less than 3 per cent of websites could fix all their vulnerable libraries by applying only patch-level updates.” For the rest, the update required would introduce incompatibilities that could break the application.

Many JavaScript libraries get served by content delivery networks (CDNs), some of which provide a way to serve the most up-to-date version of a library through a feature called version aliasing. This lets a developer specify a minimum version of a library so that the CDN serves that version, or a more recent one if it is available, to the requesting application.

But the researchers found only 1.1 per cent of websites that depend on jQuery implement this capability.

The paper recommends greater use of systematic approaches to dependency management and of tools like Auditjs (for Node.js applications). But it suggests progress will be slow without a generally accepted mechanism to track and disseminate JavaScript library vulnerability information.
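To make the paper's measurements concrete, here is an added example (not code from the paper, from Auditjs, or from any CDN) that audits CDN-style script URLs the way the study does: it extracts each library's name and version, checks it against advisory data, classifies the fix as a patch, minor or major upgrade, and flags version-aliased URLs whose running code cannot be read off the URL. The URLs and the "affected below / fixed in" advisory table are constructed for the example and are not real vulnerability ranges.

```javascript
'use strict';
// Added example (not code from the paper, Auditjs, or any CDN): a minimal audit of
// the library versions a page loads from CDN-style script URLs. It extracts
// name + version, compares against SAMPLE advisory data, and reports whether
// the fix is a patch-level, minor or major upgrade, mirroring the paper's
// "patch-level updates" measurement. All data below is constructed.

// Constructed advisory data, NOT real vulnerability ranges: versions below
// `affectedBelow` are treated as vulnerable, with `fixedIn` the first safe one.
const SAMPLE_ADVISORIES = [
  { lib: 'jquery', affectedBelow: '1.9.0', fixedIn: '1.9.0' },
  { lib: 'angular', affectedBelow: '1.2.1', fixedIn: '1.2.1' },
  { lib: 'handlebars', affectedBelow: '4.0.0', fixedIn: '4.0.0' },
];

// Constructed script URLs in the shapes common CDNs use.
const SAMPLE_SCRIPTS = [
  'https://code.jquery.com/jquery-1.8.3.min.js',
  'https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.2.0/angular.js',
  'https://cdnjs.cloudflare.com/ajax/libs/handlebars.js/4.0.5/handlebars.min.js',
  'https://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js', // version alias
  'https://example.com/assets/app.js',                             // first-party, unknown
];

// "1.8.3" -> {parts: [1,8,3], precision: 3}; "1" -> {parts: [1,0,0], precision: 1}.
// precision < 3 means the URL names a version alias, not an exact release.
function parseVersion(str) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(str);
  if (!m) return null;
  const parts = [Number(m[1]), m[2] === undefined ? 0 : Number(m[2]), m[3] === undefined ? 0 : Number(m[3])];
  const precision = 1 + (m[2] === undefined ? 0 : 1) + (m[3] === undefined ? 0 : 1);
  return { parts, precision };
}

// Numeric, component-wise comparison (so "1.10.0" > "1.9.0"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a).parts, pb = parseVersion(b).parts;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Which kind of upgrade takes `current` to `target`?
function classifyUpgrade(current, target) {
  const c = parseVersion(current).parts, t = parseVersion(target).parts;
  if (c[0] !== t[0]) return 'major';
  if (c[1] !== t[1]) return 'minor';
  return 'patch';
}

const URL_PATTERNS = [
  /\/([a-z][a-z0-9]*)-(\d+(?:\.\d+){0,2})(?:\.min)?\.js$/i, // .../jquery-1.8.3.min.js
  /\/ajax\/libs\/([^/]+)\/(\d+(?:\.\d+){0,2})\//i,          // .../ajax/libs/angular.js/1.2.0/...
];

// Pull {name, version} out of a script URL, or null if the shape is not recognised.
function identifyLibrary(url) {
  const path = new URL(url).pathname;
  for (const re of URL_PATTERNS) {
    const m = re.exec(path);
    if (m) return { name: m[1].toLowerCase().replace(/\.js$/, ''), version: m[2] };
  }
  return null;
}

function auditScripts(urls, advisories) {
  return urls.map((url) => {
    const lib = identifyLibrary(url);
    if (!lib) return { url, status: 'unknown' };
    const base = { url, name: lib.name, version: lib.version };
    if (parseVersion(lib.version).precision < 3) {
      // A version alias: the CDN picks the newest matching release, so the
      // URL alone does not say which code actually runs. Report, don't guess.
      return { ...base, status: 'aliased' };
    }
    const hit = advisories.find((a) => a.lib === lib.name && compareVersions(lib.version, a.affectedBelow) < 0);
    if (!hit) return { ...base, status: 'ok' };
    return { ...base, status: 'vulnerable', fixedIn: hit.fixedIn, upgrade: classifyUpgrade(lib.version, hit.fixedIn) };
  });
}

// The paper's question: could every vulnerable library be fixed by a patch-level update alone?
function patchOnlyFixable(findings) {
  return findings.filter((f) => f.status === 'vulnerable').every((f) => f.upgrade === 'patch');
}

const findings = auditScripts(SAMPLE_SCRIPTS, SAMPLE_ADVISORIES);
console.log(findings);
console.log('fixable with patch-level updates only:', patchOnlyFixable(findings));
```

On the sample data the jQuery fix is a minor upgrade (1.8.3 to 1.9.0) while the Angular fix is patch-level, so the page as a whole is not fixable by patch-level updates alone, the situation the paper reports for most sites.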

“Unfortunately, security does not appear to be a priority in the JavaScript library ecosystem,” the researchers conclude. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/14/outdated_javascript_libraries_weaken_web_security/

Hailing frequencies open! WikiLeaks pings Microsoft after promise to share CIA tools

Last week, WikiLeaks chief Julian Assange said he would hand over the CIA hacking tools that fell into his lap to various technology companies before making the exploits public. We’re told he has at least reached out to one tech corp.

The so-called Vault 7 archive, dumped online by WikiLeaks on March 7, listed techniques used by the CIA to spy on computers, phones, networking gear, smart TVs, and IoT devices. The documents didn’t contain any significant malicious code – although there was this one dodgy JQSNICKER .reg file. It was essentially all descriptions of how the top-secret hacking toolkits could work.

After the Vault 7 release, the UK Ecuadorian Embassy’s record-breaking house guest promised the attack tools would be released. But before that could happen, the vulnerabilities that the tools exploit would have to be patched, and the silver fox said his organization would be working with corporate security teams.

According to sources close to the matter, WikiLeaks has opened a line of communication with Microsoft since the Vault 7 release. No actual files or other data have been sent in as yet, but talks are continuing.

“WikiLeaks has made initial contact with us via [email protected],” a Microsoft spokesperson told The Register on Monday.

Apple and Google haven’t replied to requests for comment on the matter yet, but it does appear that WikiLeaks will be playing by the rules of responsible disclosure on this one. Which is very good news for the rest of us.

As we’ve seen with previous releases of attack tools and exploits, dumping working malicious code on an unsuspecting world is a field day for computer criminals and a massive headache for vendors. A recent RAND Corporation report suggested the average time to weaponize a new exploit was 22 days, but if the rewards are large enough you can bet the crims would pull out all the stops and go much faster.

Last year, Cisco engineers were forced to scramble when the leak of hacking tools from the Equation Group, thought to be an NSA hacking team, went up online. The toolkit exploited two serious vulnerabilities in Cisco’s kit, and Juniper and Fortinet also had to get patching.

In 2015 the Italian surveillanceware maker Hacking Team had its servers ransacked, and again the race was on. Vulnerabilities in Microsoft’s software were exposed, and at the Black Hat conference the following month, several Redmond staff expressed their frustration at the way the release had been handled.

Of course, even if WikiLeaks does release its code to manufacturers with enough time to get all operating systems and applications patched up, there are still going to be problems. Not everyone patches regularly enough, and there will be plenty of low-hanging fruit for malware users to harvest. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/13/wikileaks_cia_vault_7_microsoft/

Apache Struts 2 bug bites Canada, Cisco, VMware and others

Canada Revenue Agency (CRA) says its online services were taken offline over the weekend so it could patch the Apache Struts 2 vulnerability.

The vulnerability in the framework is trivial to exploit: just send an upload with an invalid Content-Type value, it throws an exception, and opens the target to remote code execution.

Shortly after the Struts 2 vulnerability was discovered last week, vulnerability researchers at Cisco’s Talos said they’d observed it under “active attack”.
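Because the trigger described above is a malformed Content-Type value, one defensive check is to flag requests whose Content-Type header is not even syntactically a media type. The following is an added example, not code from Apache Struts, Talos or any vendor: it validates header values against the HTTP media-type grammar and runs that check over constructed log lines in a made-up format.

```javascript
'use strict';
// Added example, not code from Apache Struts, Talos or any vendor advisory: flag
// requests whose Content-Type header is not syntactically a media type, the kind
// of malformed value the article describes as the trigger. Syntax follows the
// HTTP media-type grammar: type "/" subtype *( ";" parameter ), where a
// parameter is token "=" ( token / quoted-string ). The log format and the
// log lines below are constructed for the example.

const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";          // HTTP tchar, one or more
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"';                  // quoted-string with escapes
const PARAM = `\\s*;\\s*${TOKEN}=(?:${TOKEN}|${QUOTED})`;
const MEDIA_TYPE = new RegExp(`^${TOKEN}/${TOKEN}(?:${PARAM})*\\s*$`);

// True only for values shaped like "type/subtype" with well-formed parameters.
function isWellFormedContentType(value) {
  return MEDIA_TYPE.test(value.trim());
}

// Constructed log format: <time> <client> <method> <path> "<content-type or ->"
const LOG_LINE = /^(\S+) (\S+) (\S+) (\S+) "(.*)"$/;

const SAMPLE_LOG = [
  '2017-03-13T10:01:02Z 203.0.113.5 POST /upload.action "multipart/form-data; boundary=----FormBoundary7MA4YWxk"',
  '2017-03-13T10:01:05Z 198.51.100.9 POST /upload.action "text/plain; charset=utf-8"',
  '2017-03-13T10:01:09Z 192.0.2.77 POST /upload.action "application/x-www-form-urlencoded;charset"',
  '2017-03-13T10:01:11Z 192.0.2.77 POST /upload.action "multipart/form-data {not a parameter}"',
  '2017-03-13T10:01:15Z 203.0.113.5 GET /index.action "-"',
];

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { time: m[1], client: m[2], method: m[3], path: m[4], contentType: m[5] };
}

// One finding per request that carried a malformed Content-Type header.
function findMalformedContentTypes(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec || rec.contentType === '-') continue;         // no header sent
    if (!isWellFormedContentType(rec.contentType)) {
      hits.push({ time: rec.time, client: rec.client, path: rec.path, contentType: rec.contentType });
    }
  }
  return hits;
}

// Repeated malformed headers from one source are what to look at first.
function countByClient(hits) {
  const counts = {};
  for (const h of hits) counts[h.client] = (counts[h.client] || 0) + 1;
  return counts;
}

const hits = findMalformedContentTypes(SAMPLE_LOG);
console.log(hits);
console.log(countByClient(hits));
```

A syntax check of this kind does not identify the attack itself; it narrows the log to requests that no legitimate client should be producing, which is where a patch-status review of the affected hosts should start.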

The Canada Revenue Agency held a press conference in Ottawa Monday afternoon, and confirmed Struts 2 was the reason it took down its services over the weekend.

According to public broadcaster CBC, Treasury Board of Canada Secretariat deputy CIO Jennifer Dawson said the hackers only got as far as accessing already-public information on the CRA Website.

The Canadian government also says Statistics Canada’s Website was taken down last Thursday for the same patch.

Shared Services Canada COO John Glowacki said that while forensic work is continuing, analysis of system logs means SSC believes nobody “got inside” CRA’s systems.

“We will not speak for other countries, but we will say we have information that some other countries are having greater problems with this specific vulnerability,” he added.

Expect vendors to start issuing their own advisories about Struts 2. Cisco has posted its first product advisory, and so far there’s more “confirmed not vulnerable” than vulnerable products.

So far, only Cisco’s Identity Services Engine, Prime Service Catalog Virtual Appliance, and Unified SIP Proxy Software need fixing. There is, however, an extensive list of products still under investigation.

VMware’s also run up a warning flag, issuing an advisory reporting exposures in Horizon Desktop as-a-Service, vCenter Server, vRealize Operations Manager and vRealize Hyperic Server. Patches are pending. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/14/canada_struts_2_outage/

Naming computers endangers privacy, say ‘Net standards boffins

If you must give your devices names, please don’t leak them on the Internet.

That’s the advice of one Internet Architecture Board (IAB) member, a former chair of the organisation and a German computer science academic. In an IETF RFC entitled Current Hostname Practice Considered Harmful, the trio (Christian Huitema, a former IAB chair; current IAB member Dave Thaler; and Rolf Winter of the Augsburg University of Applied Sciences) argue that too many ‘net protocols leak sufficient information to make hostnames a privacy risk.

The “informational” RFC (meaning it’s not on the standards track) fits in the context of the IAB’s and IETF’s long work to make privacy the default stance of the Internet.

“Hang on!” cry the old-timers, “a hostname and a suffix are the basis of a Fully Qualified Domain Name! How can we properly locate myhost.example.com in the DNS without names?”

It’s not DNS naming that the paper proposes replacing, but rather all the other ways people use names that can leak. As they explain, “it is common practice to use the hostname without further qualification in a variety of applications from file sharing to network management. Hostnames are typically published as part of domain names and can be obtained through a variety of name lookup and discovery protocols.”

Think instead of a device that might interest a spook – “Donald’s_Samsung_S3” or “Kellyanne’s_Microwave_Oven”. If those names leak to the Internet, it makes surveillance significantly easier.

Moreover, the phone carries that name with its owner, and as long as the WiFi is on, it advertises itself, meaning an attacker “can correlate the hostname with various other information extracted from traffic analysis and other information sources, and they can potentially identify the device, device properties, and its user”.

If you call your phone or your favourite cattle servers Mordor and Mirkwood, you probably think there are other Tolkien fans in the world and you’re anonymous.

But the RFC says the authors’ experiments at an IETF meeting showed that with enough hostnames in a database and access to other datasets – an LDAP server on the same network, for example – “the identification of the device owner can become trivial given only partial identifiers in a hostname”.

The paper identifies the “guilty parties” – protocols that leak hostnames – as DHCP, various aspects of DNS (DNS address-name resolution, multicast DNS, DNS-based service discovery), link-local multicast name resolution, and NetBIOS over TCP.

Some of these represent leaks “inside” the firewall rather than on the public Internet – but on the one hand, it’s not impossible to breach or monitor networks; and on the other hand, someone logging into the enterprise network over public WiFi is sniffable to the “identity” level even if they encrypt their traffic.

As well as avoiding naming hosts where it’s not necessary, the authors suggest applying the principles of MAC address randomisation to hostnames. However, as we reported last week, that technique needs an effective implementation and they’re hard to find.

Since it’s probably impossible to root out every protocol that assumes a host publishes its name somewhere, the three ‘net boffins suggest operating system makers – all the way to phones – allow hosts to have a “global” and a “per network” hostname.

That way, if it’s a named host on the Internet, that hostname doesn’t necessarily map to the “my” randomised hostname. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/14/naming_computers_endangers_privacy/

News in brief: Africa gets its own TLD; smart jacket launch pushed back; humans not required

Your daily round-up of some of the other stories in the news

ICANN goes ahead with .africa TLD

We’re familiar with cities (.london), countries (.uk), regional identities (.cat) and of course types of organisations (.com, .gov) having their own top-level domains, but no continent has had its own TLD – until now.

ICANN, the body that oversees the internet’s namespace, is to go ahead with its .africa TLD after a court tussle between ICANN and DotConnectAfrica.

Registrations will be handled by ZA Central Registry, a South African company, and will open in July, the BBC reported.

Smart jacket gets a price – and a delayed launch

Just in case you don’t have quite enough smart devices to lug around with you during the day, you’ll be glad to hear that Levi’s smart jacket is one step further away from being vapourware and one step closer to being a reality.

The jacket, the strange lovechild of Google’s Project Jacquard smart fabric and venerable fashion brand Levi’s, was first announced at Google I/O last year. Project Jacquard lead Paul Dillinger and Levi’s global product innovation head Ivan Poupyrev told an audience at the SXSW festival in Austin, Texas at the weekend that the jacket will cost $350 – but that you’ll now have to wait until the autumn for it.

We’ll believe it when we see it – Project Jacquard is from the same Google brainwave incubator that produced the Ara modular phone idea, which was cancelled in September. What could possibly go wrong?

Human not required behind the wheel after all

Less than three months after Uber packed up its testing programme for self-driving cars in California and moved to Arizona, California has now relaxed the rules on self-driving cars.

Proposed new regulations from the Department of Motor Vehicles include dropping the requirement for a human being to be in the car while it’s being tested on public roads, and also rows back on the requirement for a steering wheel and pedals that would allow a human to take over the car, Bloomberg reported.

Draft regulations published in 2015 requiring pedals, a steering wheel and a carbon-based life-form had “gravely disappointed” Google, which has been at the forefront of developing driverless cars.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LNiuJ-9M5NU/

This is where UK’s Navy will park its 75,000-ton aircraft carriers

The UK Ministry of Defence has spent around £200m rebuilding a jetty at HM Naval Base Portsmouth ready for the arrival of HMS Queen Elizabeth later this year. El Reg got invited to watch an American supply ship test it out.

As the picture further down this story shows, the planned exercise involving US Naval Service ship Robert E Peary was postponed because of fog – leaving a rather cold and soggy press pack standing around gazing at… well, damp concrete.

And what a load of concrete it was. The two new jetties for the UK’s two new aircraft carriers, HMS Queen Elizabeth and HMS Prince of Wales, have cost Blighty’s taxpayers the thick end of £100m. The one we were shown was built on top of various older structures dating back to the 1920s, as Captain Iain Greenlees RN, HMNB Portsmouth’s infrastructure lead, told The Register.

VolkerStevin engineer Gerrit Smit added that around 220 piles had to be sunk into the harbour floor to support the giant concrete raft, which moves up and down an inch or so as the tide ebbs and flows. One of the new jetties will be used as a “pit stop” for the active carrier, while the other will be optimised for longer stays; the rough idea is that once each ship passes her sea trials, one will be deployed while the other sits in reserve. Extensive dredging work is still being done at Portsmouth to ensure the carriers can manoeuvre safely, with a German WWII bomb being fished up from the deep just three weeks ago.

Due to the planned arrival of the American ship, the jetty was being operated live as part of a full-scale dress rehearsal. This included two armed policemen toting Heckler und Koch MP7 sub-machine guns in the terminal building being used for the press event your correspondent attended, putting on their very best “I’m doing an important job” faces as the snap-happy press pack walked down the empty naval equivalent of the passport queue. There our press passes were checked by a studious BAE Systems dockyard worker before we were let out into a holding pen on the jetty itself. This was the inspiring sight that greeted our eyes:

A Union Flag stands limp in fog at HM Naval Base Portsmouth

It’s a Union Flag. And a mooring bollard. That was it

“It’s all about the people,” Commodore Jeremy Rigby, Naval Base Commander Portsmouth, told The Register. “A dress rehearsal is much more effective than doing it on paper.” Although USNS Robert E. Peary was still offshore, waiting for the fog to burn off and the tide to fall and rise again, Cdre Rigby emphasised how his people were nonetheless still gaining valuable experience needed to safely bring the 40,000-ton supply ship alongside – “how far out to anchor, harbour control, reconfiguring tides and ensuring she has a fresh workforce [on the jetty, the anticipated docking delay being in the region of six hours].”

Beyond the obvious, the jetty is one of the largest dedicated single mooring points in the UK. It includes auto-tensioning bollards for the carriers to be moored to – a first for the Royal Navy, we were told, removing the need for teams of sailors to slacken and tighten mooring lines as the tide rises and falls. The QE-class carriers will overhang the jetty by around five metres once snug against its fenders.

Along with the jetties come the brows (great big ramps) for moving people and equipment on and off the carriers. These will happily carry around 500 men per day while the ships are alongside, we were told, against 100 per day for the old Invincible-class aircraft carriers’ brows. The QE-class are almost double the size of the Invincibles. In terms of storing ship, BAE Systems’ Chris Alcock, support projects manager for the QE Class programme, assured the press pack that the brows would be capable of handling one 20-foot ISO container every six minutes. Simulated stress tests had also been carried out, with Hampshire Fire Brigade to be invited along for familiarisation training.

Like the dockyard equipment, a relatively large amount of automation is built into the brows, which will be self-levelling and self-adjusting, removing the need for teams of sailors to physically manhandle them after they are placed in position. All in all, it will need just 20 people on the dockside to bring a 75,000-ton QE-class aircraft carrier alongside.

The jetty also carries the final stage of the giant electrical supply cable which will power the carrier while she’s alongside and her own generating machinery is shut down. The supply is taken from the main National Grid feed into Portsmouth, at 11kV, and, via a local converter which takes it up from the standard 50Hz to the carriers’ 60Hz, plugs into a giant receptacle on the side of the ship. An automatic gantry carries the cable, paying it out and retracting it as the ship moves with the tide. The automatic retraction feature is disabled by software, we were told, if the ship sails with the cable still attached – a bit like a petrol pump cutting off if an absent-minded driver leaves the nozzle in the fuel tank while driving off.

“95 per cent of what we need in the UK comes by sea,” observed Cdre Rigby. While the £6bn total cost of the two carriers and the £1bn or so spent on infrastructure around the UK for the two ships seems like a helluva lot of cash, it is ultimately sea power which ensures that mobile phones, laptops, servers, even your mouse mat, reaches the UK on time and thus at a reasonable price.

Maritime shipping from the Far Eastern countries which make virtually everything our island nation depends on to function must pass through a number of choke-points (such as the Strait of Hormuz) that could otherwise be easily dominated by a nation wanting to make a point about Britain’s vulnerability, and once she is operational HMS Queen Elizabeth will be deploying to the South China Sea. This is partly to fly the flag in a part of the world the UK has traditionally had little presence in, partly a thank you to the US Navy for training the UK’s future aircraft carrier and F-35 crews (QE will be taking the place of a US carrier’s normal deployment), and partly to safeguard Britain’s own interests, keeping the seas open for lawful commerce to flourish.

As the UK leaves the European Union, keeping the lifeblood of commerce flowing freely will become more important than ever before. This otherwise uninspiring raft of concrete on the South Coast plays a vital part in that mission. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/13/new_aircraft_carrier_jetty_portsmouth/

Thousands of NHS staff details nicked amid IT contractor server hack

The personal information of thousands of medical staff in Wales, UK, were stolen after an IT contractor’s server was hacked.

Details including names, dates of birth, national insurance numbers and radiation doses of radiography staff were stolen by hackers accessing the UK-based systems of global dosimetry company Landauer. It is understood that the breach will also affect NHS facilities in England and Scotland.

The total number of affected staff is 4,766. This figure includes 3,423 NHS Wales staff and former staff, and 1,343 non-NHS customers — including private hospitals and dentists, veterinary practices and airport screening staff.

The breach, which occurred in October 2016, affected the Radiation Protection Service (RPS) which is run by the Velindre NHS Trust in Wales. Velindre today announced the breach publicly, stating that it was itself only notified of the breach on 17 January this year, months after it had taken place, and that “the reasons behind this delay in notifying us of the breach are the subject of ongoing discussions with the host company.”

Landauer had not responded to The Register’s enquiries as of publication.

Velindre reported the breach to the Welsh government and other regulatory bodies. A spokesperson for the Welsh government told The Register: “We are aware of this incident and will be expecting full details of the investigation and outcome.”

“This is an incident in a large global company holding data on individuals in many countries across the world,” stated the spokesperson. “This problem affects individuals in England and Scotland also. NHS staff have been made aware of the situation and appropriate measures have been put in place to support them.”

An ICO spokesperson said: “We are aware of this incident and are making enquiries. The organisations impacted should be informing staff if they have been affected. There are measures people can take to guard against identity theft, for instance being vigilant around items on their credit card statements or checking their credit ratings. There are more tips and information on our website.”

A spokesperson for the Betsi Cadwaladr University Health Board admitted that 654 of its own staff had been affected by the breach. “No patient information has been affected by this breach. Landauer provides ionising radiation monitoring for NHS Health Boards across the UK and holds personal information on NHS staff including names, radiation dose and in some cases, dates of birth and National Insurance numbers.”

“We have contacted all the staff affected to reassure them that Landauer has acted swiftly to secure its servers and that, since the attack, it has undertaken significant measures in connection with its UK IT network to ensure that no further information can be compromised. Landauer has also arranged for the staff affected to have free access to the credit monitoring agency Experian for the next 24 months.”

“We are also working closely with our Information Governance department and the Information Commissioner’s Office to ensure that the actions we have taken are in line with our requirements under the Data Protection Act 1998,” the spokesperson continued. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/13/thousands_of_nhs_staff_details_lost_in_breach_of_it_contractors_server/

Telepresence robot ‘hackable’ – security researchers

The IoT has thrown up a fresh set of vulnerabilities, this time in a telepresence robot from Double Robotics.

Double Robotics Telepresence Robot offers a mobile conferencing device that allows the remote user to roam around an office for “face-to-face” conversations.

Security researchers at Rapid7 disclosed multiple vulnerabilities with the kit, largely divided into three categories:

  • Unauthenticated access to data: An unauthenticated user can gain access to Double 2 device information including serial numbers, current and historical driver and robot session information, and GPS coordinates.
  • Static user session management: The access token created when an account is assigned to a robot never changes. If it is compromised, it can be used to take control of a robot without a user account or password.
  • Unrestricted Bluetooth pairing: The pairing process between the mobile app and the robot drive does not require the user to know the PIN. Once paired, an attacker with a high-gain antenna might be able to take control of the drive unit from up to one mile away.

The vendor played down the impact of the research, led by Rapid7’s Deral Heiland, while thanking security researchers for their efforts.

Double Robotics’ co-founder and chief exec, David Cann, said: “Rapid7’s thorough penetration tests ensure all of our products run as securely as possible, so we can continue delivering the best experience in telepresence. Before the patches were implemented, no calls were compromised and no sensitive customer data was exposed. In addition, Double uses end-to-end encryption with WebRTC for low latency, secure video calls.”

More details of the telepresence robot research can be found in a blog post by Rapid7 here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/13/telepresence_robot_hackable/

Facebook, Instagram: No, you can’t auto-slurp our profiles (cough, cough, border officials)

Facebook and its snap-sharing app Instagram have updated their terms and conditions to bar developers from scanning profiles for surveillance purposes.

On Friday a report from the US Department of Homeland Security (DHS) showed that border patrol officers had tried automatically scanning visa applicants’ social media profiles to catch terrorists. The DHS boffins admitted their software didn’t work properly, and that the department was looking for companies to help improve the system.

With all that government contractor cash floating around, development outfits are no doubt gearing up to cash in. But they’ll have to do it without Facebook and Instagram’s data feeds.

“Developers cannot ‘use data obtained from us to provide tools that are used for surveillance.’ Our goal is to make our policy explicit,” Facebook said.

“Over the past several months we have taken enforcement action against developers who created and marketed tools meant for surveillance, in violation of our existing policies; we want to be sure everyone understands the underlying policy and how to comply.”

Facebook is coming a little late to this. Last year Twitter announced it was cutting off data feeds for such software after Chicago-based company Geofeedia began using the streams of tweets for an app that allowed police to track peaceful protesters. Civil and internet rights groups have also been calling on companies to protect their users.

“We depend on social networks to connect and communicate about the most important issues in our lives and the core political and social issues in our country,” said Nicole Ozer, civil liberties director for the American Civil Liberties Union in California.

“Now more than ever, we expect companies to slam shut any surveillance side doors and make sure nobody can use their platforms to target people of color and activists.”

Of course, that doesn’t mean much given the US government’s powers to demand data from Facebook via National Security Letters, or through the PRISM program and similar secret slurping activities. It also won’t stop Facebook and Instagram from mining everyone’s data and selling it to advertisers.

But the public stance by Facebook is a welcome one in increasingly worrying times for those concerned about internet privacy, or the lack of it. It won’t do much, but every little bit helps. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/13/facebook_social_media_surveillance/