STE WILLIAMS

Hacker breaks into ThrustVPS, launches phishing attack from firm’s own servers


Virtual private server firm ThrustVPS has taken the unusual step of admitting it had suffered a phishing attack.

Rather than taking the time-honoured solution of just pretending nothing had happened and correcting the issue on the sly, the VPS provider sent an email to customers ‘fessing up to the attack.


“The phishing attack came from our server,” the admin team wrote in an email to customers. “Upon further investigation the attacker had managed to gain access to the whmcs installation and upload his own files, namely a php shell and a mailer script. These have now been removed and the server has been secured.

We are also looking to introduction [sic] extra security to make sure we have no further repeat of issues you have experienced over the weekend.”

As a precaution, customers were asked to log in and update their passwords. They were reassured that ThrustVPS does not store any credit card information on its systems, so there was no chance of any financial disasters.

“Our apologies for any inconvenience this has caused and please let us know if there is anything we can assist with during this time,” the email continued.

The first mention of the problem came on Twitter, before a post was uploaded to Reddit warning of a “honeypot”.

On Twitter, one user questioned whether Thrust’s customer database had been compromised.

Others had a predictable grumble:

Others, however, praised them:

The firm, which has an outpost in Maidenhead, tweeted yesterday that all was now well within its walls. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/21/thrustvps_penetrated_by_phishing_attack/

Data-stealing malware targets Mac users in “undelivered courier item” attack

Our colleagues at SophosLabs pointed us at an interesting item of malware the other day, namely a data-stealing Trojan aimed at Mac users.

In fact, it was somewhat more than that: it was one of those “undelivered courier item” emails linking to a dodgy web server that guessed whether you were running Windows or OS X, and targeted you accordingly.

You’re probably familiar with “undelivered item” scams.

The idea is surprisingly simple: you receive an email that claims to be a courier company that is having trouble delivering your article.

In the email is a link to, or an attachment containing, what purports to be a tracking note for the item.

You are invited to review the relevant document and respond so that delivery can be completed.

We’ve seen a wide variety of courier brands “borrowed” for this purpose, including DHL, the UK’s Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website, featuring its very own amusingly ill-Photoshopped planes, ships and automobiles.

But a competently-executed courier scam can be fairly convincing, especially if the criminals behind it know enough about you to create what becomes a targeted attack.

Even a modest amount of detail (if that is not an oxymoron) can do the trick.

For example, the crooks will sound a lot more believable if they know your address and phone number; are aware of what you do in your job; and have a general idea about some of the projects you are working on right now.

Of course, if you open the attachment or click on the link in one of these scams, you are immediately put into harm’s way: the attachment might try to trigger an exploit in your unpatched copy of Word, for instance, or the link might attack an unpatched Java plugin in your browser.

Here’s what the emails looked like in this attack, with some details changed or redacted for safety:

We wish to inform you that we have a pending parcel for the past 10 days bearing your name Mr. Jonathan Sidebottom,with parcel number (MV-45-QA566). The parcel was sent for delivery on the below mentioned address but nobody was there to receive it. Your parcel content has a set of engineering documents, which was discovered during our security checks of parcels brought into our head office. So, we are sending you a scanned copy of that parcel. Give your positive response, if it belongs to you.

If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone.

But if Mr Sidebottom really is in the engineering business, and regularly deals with inbound documents from courier companies around the world, an email of this sort could easily pass muster.

The link, of course, doesn’t really lead to fedex.com.ch, but instead takes you to a domain name that is controlled by the attackers.

If you are on a mobile device, the server delivers an error message.

If you are using a desktop browser that isn’t Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware.

But if you are using Safari, you receive Mac malware, delivered as an Application bundle packaged inside a ZIP file.

By default, on OS X 10.9.1 (the latest update to Mavericks, Apple’s most recent operating system version), Safari directly downloads the file, showing you an empty Safari window with the icon of the downloaded file in the Dock at the bottom of the screen:

Clicking on the download button shows you what looks like a PDF file:

There is no PDF file, as a visit to the Terminal window quickly reveals.

Safari has automatically unzipped the download, producing an Application bundle (actually just a subdirectory tree with a special structure) that has deliberately been given a PDF icon:

As you can imagine, the temptation is to click on what looks like a PDF file to see what it contains.
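The disguise works because OS X shows whatever icon and name the bundle asks for, but the bundle structure itself (a directory with Contents/Info.plist and Contents/MacOS) is easy to check before anything is clicked. The following is an added example, not code from the article or from Sophos: it builds a throwaway Downloads folder containing an honest application, a genuine PDF and two application bundles dressed up as documents (constructed test data, including the placeholder executable named after the article's foung process), then lists the bundles that present themselves as documents. The document-suffix list and the folder layout are assumptions for the demonstration.

```python
import os
import plistlib
import tempfile

# Suffixes that say "document"; a bundle whose visible name ends this way is a decoy.
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg")

def is_app_bundle(path: str) -> bool:
    """An OS X application bundle is a directory holding Contents/Info.plist and a
    Contents/MacOS executable directory; Info.plist's CFBundlePackageType is 'APPL'."""
    contents = os.path.join(path, "Contents")
    plist_path = os.path.join(contents, "Info.plist")
    if not (os.path.isdir(path) and os.path.isfile(plist_path)
            and os.path.isdir(os.path.join(contents, "MacOS"))):
        return False
    try:
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
    except Exception:
        return True            # app-shaped tree with a broken plist: still treat as an app
    return info.get("CFBundlePackageType", "APPL") == "APPL"

def disguised_apps(directory: str) -> list:
    """Names of bundles in `directory` that present themselves as documents, either
    by carrying no .app suffix at all or by hiding a document suffix under it
    (Finder hides '.app', so 'Report.pdf.app' is displayed as 'Report.pdf')."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not is_app_bundle(os.path.join(directory, name)):
            continue
        lower = name.lower()
        visible = lower[:-4] if lower.endswith(".app") else lower
        if not lower.endswith(".app") or visible.endswith(DOCUMENT_SUFFIXES):
            hits.append(name)
    return hits

def build_sample_downloads() -> str:
    """Construct a throwaway Downloads folder (constructed test data, not the real
    sample): an honest app, a genuine PDF, and two bundles dressed up as documents."""
    root = tempfile.mkdtemp(prefix="downloads_")

    def make_bundle(name: str) -> None:
        macos = os.path.join(root, name, "Contents", "MacOS")
        os.makedirs(macos)
        with open(os.path.join(root, name, "Contents", "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundlePackageType": "APPL", "CFBundleExecutable": "foung"}, fh)
        open(os.path.join(macos, "foung"), "wb").close()   # empty placeholder, no real binary

    make_bundle("Calculator.app")        # ordinary application
    make_bundle("scanned_parcel.pdf")    # bundle named like the phish's "scanned copy"
    make_bundle("Report.pdf.app")        # .app suffix that Finder would hide
    with open(os.path.join(root, "invoice.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n")          # a real (minimal) PDF, not a bundle
    return root

if __name__ == "__main__":
    folder = build_sample_downloads()
    print("bundles posing as documents:", disguised_apps(folder))
```

The check deliberately ignores icons and the quarantine dialog and looks only at the on-disk shape of the item, which is the one thing the attacker cannot dress up: if it has a Contents/MacOS directory, it is a program, whatever its name says.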

OS X does try to advise you that you aren’t opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to “run a software program”, rather than merely to “open” the file:

If you do click the [Open] button, nothing seems to happen: you end up back at the desktop with your email software open and an empty Safari window in front of it.

But a trip back to the Terminal shows that what looked like a PDF file is now running in the background as a process named foung:

As it happens, foung, like its counterpart delivered to Windows computers, is a bot, short for “robot malware”, detected by Sophos Anti-Virus as OSX/LaoShu-A.

LaoShu-A as good as hands control of your Mac over to the attackers, but its primary functions appear to be more closely associated with data stealing than with co-opting you into a traditional money-making botnet.

(You will often hear the term RAT, or Remote Access Trojan, rather than the more common term bot, used to describe this sort of malware.)

In other words, the attackers seem more concerned with digging around on your computer for what they can steal than with abusing your computer and your internet connection to aid and abet other cybercriminal activities.

Amongst other things, LaoShu-A contains code to:

  • Search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX.
  • ZIP those files.
  • Upload (exfiltrate) them to a server operated by the attackers.

However, this RAT also knows how to:

  • Download new files.
  • Run arbitrary shell commands.

That’s why, in our recent podcast, Understanding botnets, SophosLabs expert James Wyke warned as follows:

Without analysing the full network capture of the entire interchange between a bot and the person controlling it, you can’t say for sure exactly what that bot might have done… [it] might go and download some completely different piece of malware which carries out a completely different set of functionality.

James went on to recommend:

Be more suspicious of things you get in e-mail. E-mail is still one of the most common ways people get infected, and it is predominantly through social engineering attacks… So when you receive an e-mail from someone you’ve never heard of before, or you’ve never communicated with before, and there’s some interesting attachment to the e-mail or [a link to click], …don’t do that! That’s one of the most common ways people get infected.


Let’s hope this malware reminds OS X users of a few simple truths that some Mac fans still seem willing to ignore:

  • Mac malware is unusual, but not impossible.
  • Data thieves are interested in what Mac users have on their computers.
  • Mac malware doesn’t have to ask for a password before running.
  • Mac malware can run directly from a download without an installation step.
  • Bots and RATs are particularly pernicious because they can update and adapt their behaviour after you are infected.

As always, prevention is better than cure.

And that “undelivered courier item” almost certainly doesn’t exist.


Image of forklift courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HKJ6xF6T2Ik/

Google pulls Chrome extensions after new owners subvert web tools


Google has pulled at least two Chrome extensions from its online store after spammers and malware merchants bought established software from developers and updated it to suit their own nefarious purposes.

The whistle was blown by developer Amit Agarwal, who spent a lazy hour or so coding a Chrome extension for the popular RSS reader Feedly; his handiwork soon garnered over 30,000 users. In a blog post, Agarwal recounted how he received “a four-figure” offer for the rights to the code, and considering that a good return for such little work, he accepted the offer and signed over the rights.


“A month later, the new owners of the Feedly extension pushed an update to the Chrome store,” he wrote. “No, the update didn’t bring any new features to the table nor contained any bug fixes. Instead, they incorporated advertising into the extension,” he explained.

“These aren’t regular banner ads that you see on web pages, these are invisible ads that work the background and replace links on every website that you visit into affiliate links. In simple English, if the extension is activated in Chrome, it will inject adware into all web pages.”

Agarwal said that while there is an opt-out function on the extension, it’s not set as the default and he advised users to switch to other options.

Another extension, Tweet This Page, is also on hiatus after following a similar route, and the development team behind yet another popular extension, Honey, has said that it was offered substantial sums to subvert their code.

In a Reddit conversation, the Honey team said it had received one offer worth “six figures a month” to feed data on its 700,000 users to a data-mining firm. Another offered a cash deal to replace Google ads on the extension with similar looking faux ads from the Chocolate Factory which could contain whatever the hirer wanted.

“I’ve spoken to a few on the phone and they sound just like normal people proposing a business deal,” said the Honey team leader. “I’m sure they’ve justified what they do in their own mind so they don’t sound shifty or unsure at all. Mental gymnastics is an amazing thing.”

Google has declined to comment on the matter directly, but the firm tightened up the terms and conditions of its extensions policy in December to try and crack down on code that includes nasty little surprises. It also warned about code subversion in October, and has been steadily locking down its distribution channel for extensions.

People close to the matter said that this problem isn’t going to go away soon, however, and expressed fears that we might be on the cusp of a new malware vector similar to that seen with the boom in spyware apps 20 years ago.

The solution is to check applications automatically or by hand to see if there are any unpleasant additions to seemingly innocuous apps, but that’s a massive task, say sources. End users are going to be the first responders if something does happen, but it seems Google is planning a major investment in systems to clean up any infection points as soon as they occur.

The company could, of course, take the Apple route and lock down its software distribution to a single store where all apps are tightly checked before release. But this goes very much against Google’s open-code ethos, and is rather expensive and restrictive to boot.

In the meantime it’s a case of buyer beware and keeping vigilant. Developers might also want to think carefully about any offers for their code if they are to avoid besmirching their long-term reputations for short-term profit. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/20/google_pulls_chrome_extensions_after_new_owners_subvert_web_tools/

F-Secure’s Hypponen leads RSA refuseniks to NSA-free infosec chatfest


It was probably inevitable: a group of RSA Conference refuseniks have established a rival conference within walking distance of the original.

The one-day TrustyCon, to be held on 27 February at the AMC Metreon Theatre in San Francisco, has drawn Mikko Hypponen as its keynote, giving “The talk I was going to give at RSA”. So far, the only other confirmed speakers are ISEC Partners’ Alex Stamos; Marcia Hofmann (EFA) and Christopher Soghoian (American Civil Liberties Union) who dropped out of the RSA Conference; Google’s Chris Palmer; and Black Hat’s Jeff Moss.


At the time of writing, that left three slots still open at TrustyCon. Microsoft and Cloudflare have both signed on as sponsors.

Momentum to abandon the RSA Conference has been building since a Reuters report emerged suggesting that the NSA had paid the company $10 million to put a backdoor in its encryption code in its Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG).

The report was denied by RSA in a blog post in December, but that wasn’t enough to mollify everyone in the security community, and in early January, Hypponen, Palmer, Hofmann and Soghoian were among seven others to cancel their appearances.

TrustyCon says the RSA revelation is a “call to action” that technology doesn’t only need to be secure, it also needs to be trustworthy.

The EMC-owned RSA still has something of an edge over the newcomers, with only a few gaps in its five-day conference agenda. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/21/hypponen_leads_rsa_con_refuseniks_to_new_confab/

Redmond researchers profile Skype scammers


A group of Microsoft researchers has used supervised machine learning to try and improve detection of fraudulent user accounts.

With Skype as their test platform, the group say they were able to achieve 68 per cent successful detection of fake accounts within four months of activity, while keeping false positives down to 5 per cent, and “reduced the number of undetected fraudulent users active for over 10 months by a factor of 2.3.”


The aim, the researchers say, was to identify fraudsters “that have eluded the first line of detection systems and have been active for months”, drawing on static profile information such as age, active profile information such as the time series of a user’s calls, social behaviour (adding or deleting friend contacts), and social features (such as PageRank).

The researchers note that one of their statistical techniques, the application of hidden Markov models (HMMs) to this context, is new (although, interestingly, one of the authors of the paper, Moises Goldszmidt, has previously used HMMs to help predict disk failure in data centres).

The research was based on a pool of 100,000 each of legitimate and fraudulent users (as nominated by Skype), which yielded a test pool of 34,000 accounts, based on accounts which existed for 4 months without being blocked.

To protect information about users whose account information was provided by Skype for the study, the paper states that:

  • All Skype IDs were anonymized using a one-way cryptographic salted hash function
  • The only usage data applied to the study was the number of days each month that a user accessed particular features, such as chat, Skype calls, video calls, and Skype In / Skype Out.
  • Data was kept on a dedicated machine with restricted access, and the researchers planned to delete the data when their research was complete.
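The first two measures in that list are a small data-minimisation pipeline: drop every field except the per-month usage counts, and replace the raw ID with a salted one-way token. The code below is an added example, not the paper's code, and it makes one assumption the article does not spell out: a single secret salt is used for the whole dataset (as an HMAC key), because a fresh salt per row would give unlinkable rows and destroy the per-user time series the study depends on. The records are constructed sample data, and the field names are made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample, not data from the paper: per-user, per-month counts of the
# kind the article lists (days on which chat / calls / video / SkypeIn-Out were used),
# plus a field the study would never have been allowed to keep.
SAMPLE_RECORDS = [
    {"skype_id": "Alice.Example", "month": "2013-01", "chat_days": 20, "call_days": 5,
     "video_days": 1, "skypeinout_days": 0, "call_log": ["+1-555-0100"]},
    {"skype_id": "alice.example", "month": "2013-02", "chat_days": 18, "call_days": 7,
     "video_days": 0, "skypeinout_days": 2, "call_log": []},
    {"skype_id": "bob.example", "month": "2013-01", "chat_days": 2, "call_days": 0,
     "video_days": 0, "skypeinout_days": 0, "call_log": ["+1-555-0100"]},
]

# Only the usage fields the study says it kept; anything else (who was called,
# message contents) is dropped before the data leaves the source system.
ALLOWED_FIELDS = {"skype_id", "month", "chat_days", "call_days", "video_days", "skypeinout_days"}

def make_pseudonymizer(secret_salt: bytes):
    """One secret salt for the whole dataset (assumption about the paper's scheme):
    the same user then maps to the same token every month, which the time-series
    features need, while nobody without the salt can recover or test an ID."""
    def pseudonymize(raw_id: str) -> str:
        normalised = raw_id.strip().lower().encode("utf-8")   # same user, same token
        return hmac.new(secret_salt, normalised, hashlib.sha256).hexdigest()
    return pseudonymize

def anonymize_records(records, secret_salt: bytes):
    """Minimise each record to the allowed fields and swap the ID for its token."""
    pseudonymize = make_pseudonymizer(secret_salt)
    out = []
    for record in records:
        kept = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
        kept["skype_id"] = pseudonymize(record["skype_id"])
        out.append(kept)
    return out

def per_record_random_salt(raw_id: str) -> str:
    """What a naive 'salted hash' with a fresh salt per row gives you: unlinkable
    rows, so no per-user time series. Shown only to motivate the keyed design."""
    salt = os.urandom(16)
    return hashlib.sha256(salt + raw_id.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    demo_salt = os.urandom(32)   # in practice: generated once, stored off the analysis machine
    for row in anonymize_records(SAMPLE_RECORDS, demo_salt):
        print(row)
```

The token is deterministic for a given salt, so it links a user's months together, and it is worthless without the salt: an attacker holding the anonymised table and a list of candidate Skype IDs cannot confirm whether any of them is present. That is exactly why the salt has to live somewhere other than the restricted analysis machine that holds the data.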

Although this work concentrated on Skype, “we chose not to rely on Skype’s informal intent in those definitions, nor on Skype’s software … in order to develop robust, self-contained methods.”

In other words, if the work proves valuable when deployed to Skype, the researchers hope the techniques could be applied to other platforms as well.

Lead author Anna Leontjeva, who was an intern at Microsoft Research when she conducted the research, is an Estonian student from the University of Tartu. The paper was prepared for last November’s AISec’13 in Berlin, and is available here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/21/boffins_hammer_skype_spammers/

Monday review – the hot 23 stories of the week

Make sure you’re up to date with everything we wrote in the last seven days – it’s weekly roundup time.

Watch the top news in 60 seconds, and then check out the individual links to read in more detail.

Monday 13 January 2014

Tuesday 14 January 2014

Wednesday 15 January 2014

Thursday 16 January 2014

Friday 17 January 2014

Saturday 18 January 2014

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_M006c4FKyY/

Obama calls for change to NSA’s bulk phone record collection

Last month, a panel of presidential advisors recommended that the National Security Agency’s (NSA’s) massive data trawling carry on, but that the data be kept in private hands for “queries and data mining” only by court order.

On Friday, US President Barack Obama gave a speech at the Department of Justice in which he called for just that: an end to the NSA’s maintenance of a database containing US persons’ phone records.

From his speech:

I believe critics are right to point out that without proper safeguards, this type of [telephone metadata bulk collection] program could be used to yield more information about our private lives and open the door to more intrusive bulk collection programs in the future. They’re also right to point out that although the telephone bulk collection program was subject to oversight by the Foreign Intelligence Surveillance Court (FISC) and has been reauthorized repeatedly by Congress, it has never been subject to vigorous public debate.

I believe we need a new approach. I am therefore ordering a transition that will end the Section 215 bulk metadata program as it currently exists and establish a mechanism that preserves the capabilities we need without the government holding this bulk metadata.

In other words, the bulk collection of phone metadata will continue, but the hands on the reins of that data will change, as the president’s panel recommended.

As pointed out by American Civil Liberties Union (ACLU) Staff Attorney Alex Abdo in an annotated version of the speech, the president only addressed changes to the bulk collection of telephone data while ignoring bulk collection of financial records, email metadata, or location information, among other data types.

And whose hands will take over?

Obama didn’t specify.

Saying the transition “will not be simple”, he left the details up to Attorney General Eric H. Holder Jr. and Director of National Intelligence James R. Clapper.

The intelligence review group had recommended that the current approach be replaced by one in which the telephone service providers or a third party retain the bulk records, with government accessing information as needed.

The president gave Holder and Clapper until 28 March to come up with somebody to whom the intelligence database buck may be passed and a new way to pass it.

So that’s one deadline.

But as the Washington Post noted, there’s another date, June 2015, that many in the administration are more worried about still.

That’s when Section 215 of the Patriot Act – the law that authorizes the bulk collection of Americans’ phone records – is set to expire.

Administration officials requesting anonymity told the newspaper that there’s little chance that the authority granted by that law will be renewed, given the ferocious backlash triggered by whistleblower Edward Snowden’s revelations.

The Washington Post quotes one official who wasn’t authorized to discuss the matter:

Congress’s deadline hangs over all of this.

But the authority granted by Section 215 certainly won’t die without a load of squealing.

Defenders of the data collection program issued a statement that played up Obama’s remarks about the importance of the program in supposedly thwarting terrorist plots.

From the joint statement from the chairmen of the House and Senate intelligence committees, Sen. Dianne Feinstein (D-Calif.) and Rep. Mike Rogers (R-Mich.):

The president underscored the importance of using telephone metadata to rapidly identify possible terrorist plots, a gap that existed on September 11, 2001, and which has been closed through the NSA’s collection of telephone metadata under Section 215 of the USA PATRIOT Act. As the president said, this is a capability that is ‘critical’ and must be ‘preserved’.

In Friday’s speech, Obama also said that the government will have to obtain a court order for each phone number it wants to query in its records database.

Also, the number of steps a given phone call is away from a terrorist organisation in order for it to be snoop-able is shrinking.

Before, intelligence analysts could review calls that were three steps away. Now, they’ll only be able to query calls that are two steps removed.

The ACLU’s Abdo notes that this is an “important narrowing” of the government’s phone-records program:

The so-called ‘three hop’ queries [intelligence analysts have] been using since 2006 likely swept up many thousands — or even millions — of innocent Americans. Two hops might not be the right answer, either, but it is certainly an improvement.

But it’s one seemingly unremarkable passage that Abdo singles out as the “single most significant passage of the speech.”

The passage from Obama’s speech:

During the review process, some suggested that we may also be able to preserve the capabilities we need through a combination of existing authorities, better information sharing and recent technological advances, but more work needs to be done to determine exactly how this system might work.

And Abdo’s interpretation of why this part matters more than anything:

If President Obama wants to end bulk collection – both by the government and through forced data retention by the companies – then individualized surveillance using existing authorities is the answer. The problem with bulk collection is that it puts the search before the suspicion.

Other parts of the president’s speech pertained to spying on foreign leaders.

Obama said that even though every country spies on every other, and they all know it, and even though some countries privately thank the US for the benefits they get from its snooping, the US will no longer eavesdrop on dozens of foreign leaders and governments that are friends or allies.

That move will, the administration is likely praying, appease a cadre of very indignant and much spied-upon foreign leaders such as German Chancellor Angela Merkel.

The president’s policy directive included a number of other facets, including getting input from a newly established panel of advocates from outside government to provide an independent voice in significant cases before the FISC.

Here’s the transcript of the full directive.

All in all, civil liberties groups were unimpressed by Obama’s directive.

Anthony D. Romero, the executive director of the ACLU, said in a statement that increased transparency for the FISC, improved checks and balances at the FISA (Foreign Intelligence Surveillance Act) court through the creation of a panel of advocates, and increased privacy protections for non-US citizens abroad are all “necessary and welcome reforms.”

But the continuance of the bulk data collection and retention is “troubling”, he said, and called on it to come to an end:

The president’s decision not to end bulk collection and retention of all Americans’ data remains highly troubling. The president outlined a process to study the issue further and appears open to alternatives. But the president should end – not mend – the government’s collection and retention of all law-abiding Americans’ data. When the government collects and stores every American’s phone call data, it is engaging in a textbook example of an ‘unreasonable search’ that violates the Constitution. The president’s own review panel recommended that bulk data collection be ended, and the president should accept that recommendation in its entirety.

Image of Obama courtesy of Filip Fuxa / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3pDwvzLLN8A/

Starbucks admits “your security is incredibly important”, updates password-spilling app

Starbucks got into and out of privacy trouble over the past week.

The brouhaha started when a US researcher named Daniel Wood went public on the Full Disclosure security mailing list, reporting a rather serious data leakage problem in the Starbucks iOS mobile app.

We’ve written (and spoken) about the shortcomings of mobile apps before.

Even organisations that take security seriously when you interact with them in your browser, such as financial institutions, have been found wanting when it comes to their mobile apps.

Starbucks, it seems, fell into the same trap.

Wood didn’t say so in his Full Disclosure posting, but one news report suggested he went public to push Starbucks to act after getting the run-around for a couple of months from Starbucks’ customer service.

The main part of Wood’s complaint was that Starbucks was sloppy with the data it wrote into its log files, dumping usernames and passwords in plaintext.

Of course, app logs can be very handy, notably if something goes wrong with your software.

Mobile apps are on-line most of the time, so you can easily and efficiently collect logfiles after a crash.

Logfiles are really useful when you are debugging software that is used by millions of people in a myriad of different configurations on thousands of different networks.

Indeed, it looks as though the main purpose of the Starbucks logfile was to help the company’s developers, because the logs are created by a third-party software component called, amusingly, Crashlytics.

As Wood found out, even if you protected the Starbucks app with a PIN (thus inhibiting someone who snatched your phone from firing up the app and paying for their own coffee at a click), the logfiles were unencrypted and accessible to attackers who got hold of your device.

Of course, the most effective crash-busting logs are those that include useful information leading up to the crash, rather than merely what could be extracted from the app’s memory image after it has imploded.

In other words, even if an app doesn’t crash, it may be quietly squirreling away a hoard of information, including, in the case of Starbucks, your username and password.

But usernames and passwords constitute PII (personally identifiable information) and ought not to be stored unencrypted, not least in this case because anyone who acquires them can freely spend your money at Starbucks.

→ Starbucks offers an “auto-reload” feature that will grab money from your payment card to replenish your Starbucks account if it runs low, so that you will never be caught short at the checkout with a steaming Grande in your hand. If you have that feature turned on, your financial risk from a security blunder in the mobile app is, obviously, much greater.

Starbucks, it seems, has published an update to the app, and no longer logs the offending information.

Sadly, the company didn’t manage to avoid the now-traditional cliches, leading with the words, “Your security is incredibly important to us,” and claiming that the software update was produced “out of an abundance of caution.”

We’ll disagree with both of those statements, because they don’t explain why anyone thought it was appropriate to store the user’s raw password in cleartext in the first place, for any purpose.

Here’s our advice:

  • If your app must store actual passwords, for example so that users don’t have to type them in every time they grab a cup of coffee, use a secure storage mechanism such as the Apple Keychain (as the updated Starbucks app now apparently does).
  • Never allow decrypted passwords to be written to disk, even to temporary files, or sent across the network except over a secure connection such as SSL/TLS.
  • Never store the passwords for an online service on the server, even encrypted. You simply don’t need to. Use a salt-hash-stretch technique instead, and store one-way hashes that will validate passwords, but can’t be reversed to recover the actual password.
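Two of those three points are routinely got wrong in the same way the Starbucks app got them wrong: a password is passed through a logging call, and a server keeps something reversible. The following is an added example in Python, not Starbucks' or Sophos' code, showing a logging filter that strips password-like fields before a handler writes them and a server-side salt-hash-stretch verifier built on PBKDF2-HMAC-SHA256 from the standard library. The field names in the regex, the logger name and the iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import logging
import os
import re

# ---- 1. Never let a raw password reach a log file --------------------------
# Hypothetical field names; add whatever keys your own app logs under.
SECRET_FIELD_RE = re.compile(
    r'(?i)(["\']?(?:password|passwd|pwd)["\']?\s*[:=]\s*)(["\'][^"\']*["\']|\S+)'
)

def redact(text: str) -> str:
    """Replace the value of every password-like field with a fixed marker."""
    return SECRET_FIELD_RE.sub(r"\1[REDACTED]", text)

class RedactSecretsFilter(logging.Filter):
    """Attach to a handler; rewrites each record before the handler writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()   # already formatted above; keep the raw args out of the record
        return True

def filtered_message(msg: str, *args) -> str:
    """Push one record through the filter and return what a handler would write."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    RedactSecretsFilter().filter(record)
    return record.getMessage()

# ---- 2. Server side: salt, hash, stretch; store only the verifier ----------
# Assumption: PBKDF2-HMAC-SHA256 with a random salt per password; tune the
# iteration count so one check costs tens of milliseconds on your hardware.
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)                      # fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    print(filtered_message("login user=%s password=%s", "alice", "hunter2"))
    verifier = hash_password("hunter2")
    print(verifier)
    print(verify_password("hunter2", verifier), verify_password("latte", verifier))
```

The filter sits on the handler, not the logger, so it also catches records that third-party components (a crash reporter, say) route through the same file. On the server side the stored string contains the salt and the iteration count, which is what lets you raise the cost later and re-hash accounts as users log in, and `hmac.compare_digest` keeps the comparison from leaking how many bytes matched.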

Further information

Learn more about SSL in our Techknow podcast, Understanding SSL:


Learn more about server-side safe password storage in our Serious Security article How to store your users’ passwords safely:

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_GgOQayqw_Y/

Why aren’t we learning long-term lessons from security disasters?

Security and privacy problems seem to have grown bigger and badder over the last year, with ever larger breaches and data leaks, continual revelations on the depth and breadth of government snooping, worries about the efficacy of encryption techniques (even when properly applied), and gluts of software vulnerabilities building to a crescendo with the impending end of patches for one of the world’s most popular platforms.

For the most part our reaction to these developments is to plug leaks, implement workarounds, and make quick fixes.

But wiser heads need to be thinking further ahead, developing new protocols, processes and technologies that don’t stick a hasty patch over the latest problem, but push us towards a world where whole categories of problems are no longer a risk.

POS malware, XP end-of-life and data leaks

The recent massive data theft from retail chain Target appears to have been performed using point-of-sale (POS) malware infecting checkout systems in stores. The malware itself has been variously claimed to have Russian and Romanian origin, and may also have been involved in several other breaches.

POS malware has been a problem for a while, especially in the US thanks to the slow adoption of modern banking card security.

While not unbreakable, EMV technology and Chip and PIN offer much better security against malware, usually requiring hardware-based attacks to get the data needed to clone cards.

So of course many people are pointing out that this upgrade is long overdue – both bankers and card makers have taken the opportunity to push for more speedy adoption, while others have gone even further, saying we should maybe think of dumping cards entirely in favour of fully digital solutions.

Banks have also been caught up in the XP end-of-life debacle, with apparently 95% of the world’s ATMs running XP and many of them unlikely to be upgraded in time for the final batch of patches.

Similar issues have been predicted in UK government and health service networks, with thousands of systems expected to miss the deadline for safe upgrading.

Again, why are we only doing this now? The “full” support period for XP came to an end in 2009, and it was pretty clear that we only had five years to plan our upgrade schedules. Many people are only now taking action, leaving too little time to organize a smooth and inexpensive transition.

Reactions to the biggest security story of the last year, the Snowden/NSA leaks, have been similarly overdue. Now that we know what’s been going on, we’re once again scrambling to fix the problem.

Big data security and zero-day exploits

The US may get some stricter rules controlling how much data spies can hoover up, while governments are redefining how we expect software flaws and vulnerabilities to be treated.

Zero-day vulnerabilities should be patched to keep us all safe, rather than kept secret so that snoops can exploit them to sneak into any machine they feel like exploring.

Here too, we’re late to the table. It’s been well known for a while now that government agencies had deep pockets when it came to buying vulnerability info, but no one really tried to ensure they were buying them up for the right reasons.

As for the data gathering, of course such information will be of interest to spies, but there was never any real impetus to ensure it was properly controlled until the scandal broke.

Prevention is better than cure

So what’s our problem? Is it just our natural predilection for procrastination, putting off until tomorrow things that we really should have done quite some time ago?

That’s not a good way of implementing security or privacy controls. They need to be there as early as possible, well thought through and built in from the ground up in any system or process we use.

We can’t keep waiting for a disaster before we decide to put in disaster prevention procedures.

We need to start thinking further ahead, about what our potential weak points might be many years down the line, instead of scrambling to react to dangers as they emerge.


Images of graph and pointing man courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6A3lfIAW9b0/

Feds seize Silk Road’s $28 million Bitcoin wallet

In a press release on Thursday, the US Attorney’s office for Manhattan announced the forfeiture of 29,655 Bitcoins seized from Silk Road, a dark web marketplace that facilitated the trade of drugs and other illegal activity.

Prosecutors seized the virtual currency that allows buyers to remain anonymous, worth around $28 million (£17 million) at current prices, during a raid on a Silk Road server in October last year. Preet Bharara, the United States Attorney for the Southern District of New York, also confirmed that the Silk Road website itself will be forfeited along with the Bitcoins.

Bharara highlighted the fact that the Bitcoins were not seized simply because they were Bitcoins but because of their status as an asset in a criminal case, saying that:

With today’s forfeiture of $28 million worth of Bitcoins from the Silk Road website, a global cyber business designed to broker criminal transactions, we continue our efforts to take the profit out of crime and signal to those who would turn to the dark web for illicit activity that they have chosen the wrong path. These Bitcoins were forfeited not because they are Bitcoins, but because they were, as the court found, the proceeds of crimes.

The largest ever seizure of the virtual currency also saw authorities grab 144,336 Bitcoins from the personal computer of Ross Ulbricht, the alleged mastermind of Silk Road. Ulbricht, who it is claimed also went by the name of Dread Pirate Roberts, was arrested at the San Francisco Public Library in October following a federal investigation that began in 2011.

He has been charged with computer hacking conspiracy, narcotics trafficking conspiracy, and money laundering.

The future of Ulbricht’s stash, currently valued at around $130 million and in the hands of the FBI, is being contested:

Ulbricht has filed a claim in the civil forfeiture action, asserting that he is the owner of the Bitcoins found on his computer hardware, and contesting the forfeiture of those Bitcoins.

The government can only auction off Silk Road’s assets because they were “being used to facilitate money laundering”, so Ulbricht may be able to keep his Bitcoins if his civil case is successful in proving that those on his personal computer were not associated with the website.

Other individuals who may have had Bitcoins in the Silk Road wallet, for whatever reason, will have lost their virtual funds though. This includes Bitcoin fans who, according to Ars Technica, sent micro-payments to the wallet now held by the federal government in order to allow them to add publicly-viewable messages such as these gems:

Public Note: I THOUGHT OF SNIFFING FARTS WHILST SENDING THESE BITCOINS TO YOU

and

Public Note: hey computer geek, who control this address. ‘Ross Ulbricht’ is not the bad guy, you are a bad guy. Please open your eyes, dont be brainwashed, and think your self!!!

Just how the federal government will dispose of the Bitcoins currently in its possession is not known at this time, with Manhattan US Attorney Office spokesperson Jim Margolin telling Forbes that, “We have not yet determined exactly how the Bitcoins will be converted and liquidated,” before later suggesting that an auction will be held.

With Bitcoins currently valued at around $900 each, investors and other holders of the virtual currency may want to consider their positions, as it’s possible that any large-scale sale by the US authorities may push down prices for some time to come.

Image of sack of Bitcoins courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jTGjOYTMZkQ/