STE WILLIAMS

SANS Announces Results Of Its 2013 Securing The Internet Of Things Survey

BETHESDA, Md., Jan. 8, 2014 /PRNewswire-USNewswire/ — SANS announces results of its 2013 Securing the Internet of Things survey, sponsored by Codenomicon and Norse, in which 391 IT professionals answered questions about the current and future security realities of the Internet of Things (IoT).

“The Internet of Things is not just a buzzword, nor is it merely a vision of the sci-fi future. It’s already happening, in every sector of the global economy.

Self-parking cars, autonomous drones, smart meters talking to smart appliances in the home, HVAC systems in commercial buildings, wireless-enabled medical devices and wearable fitness gadgets are all examples. Ubiquitous embedded software, often vulnerable and even unpatchable, enabled by 24/7 wireless connectivity, creates an unprecedented level of interconnectivity and complexity,” says SANS Analyst Gal Shpantzer. “This unique survey takes a look at the security community’s perception of the vulnerabilities in the IoT and the threats that would exploit them.”

In the survey, almost 60% of respondents fully understand and find the Internet of Things relevant to their companies and jobs; 43% of respondents are already actively working to secure some of these types of “Things” in their environments.

“The SANS Securing the Internet of Things survey results show that the security community is already aware of the challenges the IoT will bring and that those challenges will require both the evolution of existing security controls and the development of new security processes,” says survey author John Pescatore.

Survey respondents were most concerned about device connections to the Internet (50%), followed by vulnerabilities associated with the command and control channel to the device’s firmware (24%), with another 9% concerned about the firmware itself.

While it’s clear that most organizations are preparing to embrace the IoT, 50% of respondents were not ready to secure an ecosystem of “Things,” and while they acknowledge that their IT staff is responsible for securing their Things, they expect vendors to play a critical role in security of such devices as well.

Pescatore explains, “Security managers will hold the manufacturers of ‘Things’ to higher levels of responsibility for security than they required for PCs and servers.”

Results and insights surrounding security challenges for the IoT will be released during a webcast on Wednesday, January 15, at 1 PM EST. To register for the complimentary webcast please visit: http://www.sans.org/info/148160

Those who register for these webcasts will be given access to an advanced copy of the associated report developed by John Pescatore.

The SANS Analyst Program, www.sans.org/reading_room/analysts_program, is part of the SANS Institute.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest source for world-class information security training and security certification in the world, offering over 50 training courses each year. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 27 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community.

(www.SANS.org)

Article source: http://www.darkreading.com/sans-announces-results-of-its-2013-secur/240165261

Barracuda Networks Launches Backup-As-A-Service

CAMPBELL, Calif., Jan. 8, 2014 /PRNewswire/ — Barracuda Networks, Inc. (NYSE: CUDA), a leading provider of cloud-connected security and storage solutions, today announced its new Backup-as-a-Service (BaaS) offering, which allows Barracuda Backup 190 and 390 to be purchased as an annual service that includes an appliance, Energize Updates, Instant Replacement and Unlimited Cloud storage.

This new service gives customers an alternate method of purchasing Barracuda Backup with a smaller up-front cost, while still providing the product’s award-winning functionality.


“Purchasing Backup-as-a-Service is a simple and more cost-effective way for customers to meet their backup needs,” said Rod Mathews, GM Storage, Barracuda.

“The BaaS program provides customers additional flexibility to purchase Barracuda Backup in the way that better suits their needs, from either their operational or capital budgets.”

This new service will also be available through Barracuda’s resellers including those resellers who provide managed backup services to their customers. Those partners will be able to provide an annual billing plan to customers to better align BaaS with their managed services.

Barracuda Backup-as-a-Service Subscription Highlights:

— Local appliance for fast backup windows and recovery times

— Site license for Barracuda software required to back up and recover data

— Unlimited Cloud storage – flat-rate pricing for Barracuda Backup cloud storage (up to the limit of the Barracuda appliance)

— 24 x 7 x 365 award-winning phone and email support

— Next business day shipment of replacement in the event of a hardware failure

— New appliance (same model) replacements for units that are four years old and continually under a service contract

— Access to Cloud LiveBoot for offsite recovery of VMware virtualized servers

The BaaS addition to Barracuda Backup 190 and 390 provides additional flexibility for customers looking for an integrated backup solution at an affordable price. Barracuda was recently recognized for its market share in the report Gartner Competitive Landscape: Backup and Recovery Appliances for Open Systems, Worldwide, 2013. For more information please read the press release:

https://www.barracuda.com/news/press_release/125

Pricing:

Barracuda Backup 190 and 390 service packages are available immediately in the U.S. Barracuda Backup U.S. list price starts at $1199 USD for an annual 190 service and U.S. list price starts at $2999 USD for an annual 390 service. Both packages include the appliance, Energize Updates, Instant Replacement and Unlimited Cloud storage.

Resources:

About Barracuda Backup

Barracuda Backup is a versatile, integrated solution that includes all the software, backup agents, and storage needed for physical, virtual and hybrid environments–at one affordable price. For more information, please visit www.barracuda.com/backup.

About Barracuda Networks, Inc. (NYSE: CUDA) Barracuda provides cloud-connected security and storage solutions that simplify IT. These powerful, easy-to-use and affordable solutions are trusted by more than 150,000 organizations worldwide and are delivered in appliance, virtual appliance, cloud and hybrid deployments. Barracuda’s customer-centric business model focuses on delivering high-value, subscription-based IT solutions that provide end-to-end network and data security. For additional information, please visit www.barracuda.com.

Article source: http://www.darkreading.com/management/barracuda-networks-launches-backup-as-a-/240165276

Q&A: McAfee’s CTO On The New Intel Security Brand

Intel CEO Brian Krzanich broke the news this week at the Consumer Electronics Show in Las Vegas that the McAfee brand name will be phased out and replaced with “Intel Security” for all of McAfee’s security products. The McAfee red shield will remain but with the Intel Security name instead, and McAfee will remain a wholly owned subsidiary of Intel, working “side-by-side” with Intel Security’s team.

Dark Reading spoke with Mike Fey, McAfee enterprise vice president, CTO, and general manager of corporate products, about the end of the McAfee brand name.

Dark Reading: Why did Intel decide to eliminate the McAfee name?
Fey: At a high level, it’s been a three-year journey for us. Over the last three years, we have marched with our product direction, and managed our directions with Intel’s directions so both sides met on common ground and strategy. Now it makes sense to join forces as Intel Security. It’s not just changing the McAfee brand, but augmenting what is the security force of Intel.

Dark Reading: Why did you keep the red shield from the McAfee brand?
Fey: As we did brand testing, the shield was a worldwide presence, as it were; it’s what people knew us as. If you go overseas, “McAfee” was difficult to pronounce in some regions, [so the name] wasn’t quite as strong as we wanted it to be. The Intel brand is one of the top 10 brands in the world. We thought it was a great opportunity to [have] the industry and customers “reunderstand” who we are. We’re not an AV company anymore. The bulk of our revenue doesn’t come from there. We are in every hot space in security. It felt like a good opportunity to rebrand and respond to the marketplace.

Mike Fey, executive vice president, CTO and general manager of corporate products at McAfee

Dark Reading: Did the decision to change the brand name to Intel Security have anything to do with the infamous behavior and legal troubles of McAfee founder John McAfee?
Fey: It really didn’t. When he first started having his challenges south of the border [in Belize], we did spend a lot of energy checking with focus groups to make sure it wasn’t impacting the brand. We were surprised how little impact it had, especially on the enterprise side. But most know he has not been in enterprise IT for 20-plus years. Even consumers saw [him] as separate. As things became more outlandish, it had very little to do with the company. We weren’t really pressured by that … It didn’t drive our decision process.

Dark Reading: How will the change roll out?
Fey: As we hit each major rev, we’ll modify the branding look. The product names don’t really change. EPO, Antivirus, SIEM, Next-G Firewall names we use … Intel Security [now] goes in [the product names as well].

Security is a key pillar [for Intel].

Dark Reading: How will the two security teams interface?
Fey: We’ve divided and conquered where we want to deliver our solution sets. Where we want to join, we will work in a collaborative fashion. For example, with SIEM, we/McAfee drive this independently, with little input from the Intel side. But in identity, this is an area where we found synergy on the Intel side, so we can work together and strengthen a solution to bring to market. Intel has built great security innovations for years, but has not done the best job at bringing them to market because they thought of them as features for their chip families. We are working to make sure we build full solutions.


Article source: http://www.darkreading.com/vulnerability/qa-mcafees-cto-on-the-new-intel-security/240165263

Tripwire Announces Technology Partnership With CORE Security

PORTLAND, OREGON — January 9, 2013 — Tripwire, Inc., a leading global provider of risk-based security and compliance management solutions, and CORE Security, a leading provider of predictive security intelligence solutions, today announced a technology partnership and integration that provides comprehensive threat and vulnerability risk management to mutual customers. The integration unites vulnerability information with network topology from firewalls and routers, and then validates the vulnerability information and potential attack paths in live or simulated penetration tests. The collaboration is part of Tripwire’s Technology Alliance Partner (TAP) program, designed to allow a wide variety of vendors to collaborate with Tripwire to deliver innovative security solutions.

“We are looking forward to building on our relationship with CORE Security,” said Rod Murchison, vice president of product management and technology alliances for Tripwire. “Our integration with CORE Insight Enterprise makes it possible for enterprises to go beyond finding and fixing vulnerabilities to operating their vulnerability management programs at peak efficiency.”

Large enterprises need to gather, analyze and prioritize an overwhelming amount of vulnerability and network topography data and combine it with cyberattack domain expertise in order to gain a comprehensive understanding of the security risks facing their most critical assets. To decrease the cost and complexity of risk-based security management, enterprises need the ability to effectively prioritize threats in the context of business, regulatory compliance and operational metrics.

The integration combines vulnerability information from Tripwire IP360™ with detailed exploit and network topology data from CORE Insight to model threat scenarios and enable vulnerability validation and proactive remediation. With this integration, mutual customers gain the ability to:

  • Discover complex attack paths that expose vulnerability risks to other areas of the business.
  • Validate vulnerability findings with directed simulation and/or live tests of exploitable conditions.
  • Model the impact of remediation actions on the security posture of the business.

“The most common mistake organizations make is to take a reactive posture to imminent security threats to critical assets. Enterprises must go on the offensive by thinking like an attacker, and then they can preempt attacks rather than wait to deal with their consequences,” said Eric Cowperthwaite, vice president of advanced security and strategy at CORE Security. “We are very pleased to partner with Tripwire and help organizations of all sizes better protect themselves against outside attacks through the use of our combined technologies and processes, providing an even stronger solution to this problem.”

For more information about the integration between CORE Security and Tripwire IP360, please visit: http://www.tripwire.com/register/tripwire-ip360-and-core-insight-enabling-predictive-security-intelligence/.

About CORE Security

CORE Security is the leading provider of predictive security intelligence solutions for enterprises and government organizations. We help more than 1,400 customers worldwide preempt critical security threats throughout their IT environments, and communicate the risk the threats pose to the business. Our patented, proven, award-winning enterprise solutions are backed by more than 15 years of applied expertise from CoreLabs, the company’s innovative security research center. For more information, visit www.coresecurity.com.

About Tripwire

Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at www.tripwire.com, get security news, trends and insights at http://www.tripwire.com/state-of-security/ or follow us on Twitter @TripwireInc.

Article source: http://www.darkreading.com/management/tripwire-announces-technology-partnershi/240165266

Malware suspected in Japanese nuclear plant control room

The control centre of a nuclear power plant really doesn’t sound like the sort of place you’d want to see a malware infection.

So, when we hear that an infection is suspected to have hit a machine at a Japanese plant, it raises immediate fears of cyber-terrorism, or at the very least advanced state-sponsored espionage.

But in this case at least there seems to be not too much to worry about. This was no Stuxnet, and no first-strike superweapon cruelly targeting a nation already overburdened with nuclear tragedies.

From the sound of it, it seems like little more than incompetence and lack of proper caution in what is without doubt a sensitive setting, but is perhaps not quite as dangerous a place as it might at first sound.

Piecing together what little information can be gleaned from local news sources and specialist nuclear industry watchers, it would appear that the machine in question was one of eight in the control room at the Monju plant near Tsuruga, Fukui Prefecture.

Unusual behaviour was spotted by an admin on January 2nd, with over 30 unexpected connections made, thought to originate from South Korea.

Investigations are still ongoing, but it seems the system in question was not pivotal to the safety of the plant. The shared-use machine did however contain data including a large amount of employee email and training information which may have been leaked by the compromise.

Monju is a prototype sodium-cooled fast breeder reactor, commissioned in the mid-1990s, but only managed a few months of running before a sodium leak led to a major fire, following which the reactor was shut down for fifteen years.

A restart in 2010 was also short-lived, and the whole project has teetered between tentative restart plans and total abandonment ever since.

So, a non-serious infection on a non-crucial machine at a non-operational plant. But there may still be some lessons to be learnt here.

The suspected infection is said to have occurred “after an employee updated free software”, with the product in question elsewhere described as “video playback software”.

Of course, when we hear “video” and “update” in a malware context, we immediately think of the “fake codec” attack technique which was so popular 4-5 years back, but surely this can’t be a revival?

Either way, it seems like the plant’s IT is not too well protected, and is running freeware video software which any user can tinker with at will.

It’s probably fairly tedious work manning a long-defunct and slowly dying plant, and maybe the odd cat video can help kill some time, but that’s no excuse for sloppy security practices.

In any business setting, software should only be running if it is approved and maintained by IT staff, who should keep a close eye on any updates to make sure they don’t include any connecting-repeatedly-to-somewhere-they-shouldn’t components. This applies to all machines, however non-mission-critical they may be.

And even if your nuclear plant isn’t running at full speed, you can’t just put your feet up and ignore safety matters, Homer Simpson style.

There’s going to be all kinds of dangerous material around that needs to be properly monitored and maintained, so your IT setup still needs to be held up to higher standards than most businesses.

The Monju plant sounds like it has a pretty shabby record of safety, with reports of thousands of items of equipment being missed off checking schedules, and even attempts to cover up incidents.

A minor malware infection may not sound as serious as leaking radioactive material, but it should be seen as an indicator of potentially bigger problems to come.

It’s a sign that admins are not keeping a tight enough rein on their IT systems, and that users are not treating them with the respect and caution they deserve.

So, no cause for panic, but perhaps some cause for concern.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3GaOrfuEZ8A/

Hacker Guccifer’s latest star-studded data bounty included script for ‘Downton Abbey’ finale

Oh, the humanity: it was revealed on Monday that Guccifer, a notorious hacker with an inordinate fondness for celebrity targets, swiped the script for the fourth-season finale of rave TV show “Downton Abbey” six months before it aired in England.

Oh, what a spoiler-avoiding relief: he/she/they didn’t publish it.

The Smoking Gun, which has reportedly been talking with the hacker, on Monday received and published a star-studded roster of new Guccifer victims.

(Following The Smoking Gun’s lead, we’ll refer to Guccifer as “he” for the rest of the article.)

With apparently neither rhyme nor reason to explain the targeting, the list spans entertainers, industrialists, academics, diplomats, financiers, government and military officials, and journalists, the Smoking Gun reports.

Some of the names:

  • Comedian Steve Martin
  • Editor Tina Brown
  • Ex-Nixon aide John Dean
  • Author Kitty Kelley
  • Actress Mariel Hemingway
  • Three members of the UK’s House of Lords
  • A former Air Force secretary
  • The CEO/chairman of insurance conglomerate MetLife
  • A Pulitzer Prize winner

Past victims have also included Corina Cretu, a Romanian journalist and former director of Romania’s domestic intelligence service, and former US Secretary of State Colin Powell.

In fact, Powell, who had his email breached when Guccifer doxed ex-president George Bush and then had his Facebook page defaced, found himself having to deny Guccifer-spawned allegations of an affair with Cretu.

The Smoking Gun reports that the archive Guccifer handed over shows that the hacker has accessed email correspondence, contact lists, phone records, personal photos, online storage sites, and a wide range of confidential financial documents, including credit card, banking, and investment statements.

From the Smoking Gun’s article:

Included in the archive are documents amounting to the hacker’s work product, such as text files recording an individual victim’s name, e-mail address, original account password, and the replacement password used by “Guccifer.” For instance, when the hacker broke into Powell’s email account, the password was changed to “ASSHOLEANON.” After breaching the Comcast email account of John Negroponte, a former U.S. ambassador to the United Nations, “Guccifer” reset the password to “hondbabykill1,” an apparent reference to Negroponte’s prior role as U.S. ambassador to Honduras, where American officials supported a military dictatorship suspected of killing and torturing dissidents.

The more Guccifer hacks, the wider Guccifer’s potential circle of targets: he has picked up cell phone numbers of Robert Redford and Warren Beatty, and the private email addresses for Nicole Kidman, Leonardo DiCaprio, and other celebrities, the Smoking Gun says.

The list goes on. And on. And on. For the full Hollywood/Washington/London who’s who victim roster, check out the news outlet’s article.

As far as how he managed to hack an array of email providers including Comcast, Cox, Gmail, Yahoo, AOL, Earthlink, Verizon, and the British-based Btinternet, Guccifer didn’t cough up any details.

But given that the Guccifer archive shows that he reviewed Wikipedia pages of prospective victims, the hacker likely made some good guesses to security questions, the Smoking Gun suggests.

Guccifer reportedly told the Smoking Gun that he turned over his archive “just in case I am busted.”

Will publishing the data help investigators to track him down?

Guccifer isn’t sweating it, as he told the Smoking Gun:

NO I am not concerned, i think i switch the proxies go to play some backgammon on yahoo watch tv, play with my family and daughter.

He also told the news outlet of buying a “new powerful computer” to help him keep hacking and get “back in business”.

The archive of the hacker’s targets shows a dizzying array of entertainers, writers, and government and military officials, meaning that even more sensitive data (I know, hard to imagine anything more sensitive than a Downton spoiler) has been accessed.

That means, of course, that such sensitive data could still be published.

Guccifer’s sign-off for one email certainly isn’t reassuring.

To wit:

HAAAACKKKK!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fJO0brd-mUo/

Sophos Techknow

Welcome to another episode of Techknow, the podcast in which Sophos experts debate, explore and explain the often baffling world of computer security.

Botnets, short for robot networks, are more than just malware: they’re the money making machinery of modern cybercriminals.

In this episode of our Techknow podcast series, Paul Ducklin and James Wyke help you to understand the What, How and Why of this troublesome topic.

The result is an entertaining and educational podcast that’s suitable for everyone from sysadmins to home surfers.

Botnets typically make money by stealing your data for resale in the cybercriminal underground, and by “borrowing” your computer and your internet connection to aid and abet other cybercriminal activities.

Without getting bogged down in jargon or in technicality, Paul and James give you motivation and advice for fighting against these modern-day digital zombies.

Remember: bots take over your computer to attack other people, so if you aren’t part of the solution, you’re part of the problem!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CoyT2Hk6qaA/

Stalker-friendly app, NameTag, uses facial recognition to look you up online

The real world is about to become a much more stalker-friendly place.

The makers of a new app, “NameTag,” say that their facial-recognition software is actually supposed to make the world a much more connected place, but given that the app can spot a face and wirelessly match it up to social media profiles, all without giving people the option to opt out, let’s go with stalker-friendly.

According to the app’s developer, FacialNetwork.com:

NameTag links your face to a single, unified online presence that includes your contact information, social media profiles, interests, hobbies and passions and anything else you want to share with the world.

But wait, you say – I can choose not to share my intimate details with every Glass-wearing and smartphone-wielding creep I meet, so what’s the big deal?

Yes, the app’s users can do that, but the rest of us are apparently sitting ducks.

The reason there’s no opt-out or opt-in is going to sound familiar to those who’ve read about other stalker-enabling apps such as Girls Around Me.

Namely, NameTag is drawing on publicly available information.

According to spokeswoman Jordan McGee, NameTag is going to function like a real-time online search that’s triggered by facial recognition, cross-referencing information across the web and compiling it into one profile that’s presented to smartphone app users or Glass wearers – sometimes known as Glassholes.

Compiling publicly available information will present users with an instant read of whether the person they’re ogling is single, for example, along with whatever embarrassing things they’ve written (or photos they’ve posted) on Facebook, Twitter, Imgur, Pinterest or other social media sites, she said.

As long as it’s been made public, it’s fair game.

FacialNetwork.com’s Kevin Alan Tussy told me that phone numbers and addresses won’t be displayed. At first, I thought he meant that when the app eyeballs a pretty woman on the street, her phone number and address wouldn’t be shown, even if publicly available.

But that led me to wonder whether the same privacy protection would be given to other intimate personal data, such as income, political affiliation, sexual orientation or the like.

He said:

We will never display those things unless a person specifically wants us to. Most of those won’t even have designated fields in our database. For example, if you want to show your income, you would have to type in the open notes field.

Unfortunately, it sounds as if the only way to control sensitive information is to join NameTag and create your own profile. The theoretical woman in the street, if she’s made her phone number or address public anywhere online, won’t be afforded that privacy control, in spite of never having opted in to this service.

Is this really the best way to handle privacy? To force the public to know about every startup that comes onto the scene, to join every one of them, to create their own profiles, and to then suppress that information, all manually, all on a site by site basis, service by service, startup by startup?

Yoinks. One would imagine not.

FacialNetwork.com is also working to allow the scanning of profile photos from dating sites such as PlentyOfFish.com, OkCupid.com and Match.com.

But wait. Online dating profiles are private. You need a password to access the profiles that contain the photos. How will NameTag get around that?

It won’t, but its users will.

Tussy said that users will be able to copy a photo from a dating site profile and then paste it into the app’s site to conduct an image search – similar to what people might do with an image search on Google.

The app is currently in beta for Google Glass users, and will soon be released as an app for iOS and Android.

Tussy said in a news release that “Making Real-Time Facial Recognition work on Glass hasn’t been easy,” but the developers managed it – all in spite of Google having announced that it’s not yet supporting facial recognition for Glass.

Undoubtedly, the developer said, this reticence is “due to pressure from privacy groups”, but FacialNetwork.com thinks that Google will eventually reconsider after it sees the “vast societal benefits” afforded by NameTag.

There are extremely good reasons for Google not to support facial recognition. What would make Google ignore the input from privacy groups and change its mind on this issue, I asked?

Tussy’s reply:

We bring Google+, Facebook, Twitter and all the other sites into real life social interactions, and we see that as the biggest reason for them to support us. NameTag has been created with a great respect for privacy and it is a tool that will greatly benefit our society and the lives of individuals. Our largest concern for our apps, especially our mobile apps, is balancing privacy with our new technology. We believe that we have found that balance and that Google and other mobile device providers will see that and allow us to officially utilize their platforms.

As far as I can tell, NameTag is balancing privacy and technology by giving its users the ability to control what information is displayed about them. The rest of us are left to our own resources and our own vigilance with regard to our images and our personal data.

So, use this as another excuse to check your privacy settings on all your social networks, and, as always, keep intimate photos and personal data as closely buttoned up as possible so that you’re not letting apps that feed on publicly available data gorge themselves on yours.

Image of hidden face courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3pvZOBsWjmw/

Anatomy of a 22-year-old X Window bug: Get root with newly uncovered flaw


The X Window System, which today underpins Linux desktops the world over, has been around for more than two decades – and so have its bugs.

Sysadmins have a few days to patch libXfont to remove a newly discovered, 22-year-old privilege-escalation bug in the code before any tiresome users whip out an exploit. The flaw allows someone logged into a vulnerable machine to crash the X server, or possibly execute injected code as a superuser.


Hard on the heels of a Chaos Communication Congress presentation that found “hundreds” of bugs (discussed at the X.org mailing list here), the newly found bug is a textbook stack buffer overflow that dates back to 1991 – and is present in all versions of X11.

The bug is straightforward and mainly affects shared, multi-user machines, but it is an ideal one to dissect to show how this sort of security blunder happens.

As the X.org advisory states: “A BDF font file containing a longer than expected string could overflow the buffer on the stack. Testing in X servers built with Stack Protector resulted in an immediate crash when reading a user-provided specially crafted font.”

The guilty party is this block of code in bdfReadCharacters() in libXfont/tree/src/bitmap/bdfread.c:

char charName[100];  /* fixed-size stack buffer */

/* %s carries no width limit, so the name copied into charName is bounded
   only by the next white-space character in the font file */
if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
    bdfError("bad character name in BDF file\n");
    goto BAILOUT; /* bottom of function, free and return error */
}

If you can’t already see the bug then we’ll explain. On-screen fonts can be stored in Glyph Bitmap Distribution Format (BDF) [PDF] files, which start with the following line to declare the format version the font is adhering to:

STARTCHAR 2.1

That’s all well and good if the loaded font has a short version number, expressed as a string, which in this case is “2.1”. That information is copied into the string variable charName by the sscanf() call in bdfread.c. The problem is, sscanf() is not told to limit the number of bytes read for the version number and will keep copying data from the file until it hits a white-space character.

The charName variable is declared as having a length of 100 bytes, so feeding it a crafted BDF font with a “STARTCHAR” version number longer than that will punch through the boundary of the variable’s allotted space in memory and into other data on the stack. This means an attacker could overwrite the memory that controls the processor’s instruction pointer on leaving the bdfReadCharacters() function, effectively hijacking the program.

And since the X server is usually run with superuser privileges, the normal user can start running code to take control of the machine if the attack is successful. Much more in-depth explanations on how stack buffer overflows can be exploited, despite some of the protections in place on modern systems, can be found here and here.

The fix for the bug is simple: tell sscanf() to read at most 99 bytes, leaving one for the terminating NUL byte:

if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
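The patched sscanf() format shown above, as an added example in C (not libXfont's own code), beside a stricter variant that rejects an overlong name instead of silently truncating it. CHARNAME_LEN, the function names and the constructed STARTCHAR lines are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* charName keeps the 100-byte size of bdfReadCharacters(). Both parsers
 * return 0 on success and -1 when the line carries no usable name (the
 * original's bdfError/BAILOUT path). */
#define CHARNAME_LEN 100

int parse_startchar_bounded(const char *line, char charName[CHARNAME_LEN])
{
    /* The patched form: %99s stops after 99 bytes, leaving room for the
     * NUL, so an overlong name is truncated instead of overrunning charName. */
    return sscanf(line, "STARTCHAR %99s", charName) == 1 ? 0 : -1;
}

/* Stricter variant: %99s accepts a crafted name in mangled form. Scanning
 * into a probe buffer one byte larger makes an overlong name detectable,
 * and it is rejected with -2 rather than truncated. */
int parse_startchar_strict(const char *line, char charName[CHARNAME_LEN])
{
    char probe[CHARNAME_LEN + 1];               /* 100 chars + NUL */
    if (sscanf(line, "STARTCHAR %100s", probe) != 1)
        return -1;
    if (strlen(probe) > CHARNAME_LEN - 1)
        return -2;
    memcpy(charName, probe, strlen(probe) + 1);
    return 0;
}

/* Demo helper: build a STARTCHAR line whose name is n bytes of 'A'
 * (constructed input standing in for a crafted font) and parse it with
 * either parser. Returns -99 if n does not fit the scratch line. */
int result_for_name_length(size_t n, int strict)
{
    char line[1024], charName[CHARNAME_LEN];
    if (n > sizeof line - 11) return -99;
    memcpy(line, "STARTCHAR ", 10);
    memset(line + 10, 'A', n);
    line[10 + n] = '\0';
    return strict ? parse_startchar_strict(line, charName)
                  : parse_startchar_bounded(line, charName);
}

int main(void)
{
    printf("3-byte name, patched form:    %d\n", result_for_name_length(3, 0));
    printf("200-byte name, patched form:  %d\n", result_for_name_length(200, 0));
    printf("200-byte name, strict form:   %d\n", result_for_name_length(200, 1));
    return 0;
}
```

Note that the patched form returns success for the 200-byte name: the overflow is gone, but the name has been silently cut to 99 bytes, which is why a parser that needs the exact name should use the strict check.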

As the X.org announcement states:

As libXfont is used to read user-specified font files in all X servers distributed by X.Org, including the Xorg server which is often run with root privileges or as setuid-root in order to access hardware, this bug may lead to an unprivileged user acquiring root privileges in some systems.

In the December Chaos Communication Congress presentation, Ilja van Sprundel said he’d been able to find 120 bugs in a couple of months, “and I’m not close to done”. Van Sprundel had already triggered a major X.org security update in May 2013, with tens of fixes needed because client libraries trusted servers to send valid data, and did not sanity-test what was sent.

The latest bug, discovered using the cppcheck static analyzer, is designated CVE-2013-6462; security updates should be available from all good package managers and repositories. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/09/x11_has_privilege_escalation_bug/

Well done for flicking always-on crypto switch, Yahoo! Now here’s what you SHOULD have done


Yahoo has followed the lead of Google and Microsoft and enabled HTTPS encryption by default for all Yahoo! Mail users.

HTTPS by default safeguards privacy over an unsecured internet connection such as a public Wi-Fi network in a cafe or an airport. Done properly the technology also safeguards against state-backed snooping directed at webmail services accessed from home or work.


Default webmail encryption is a welcome step towards greater privacy but is undermined by Yahoo!’s failure to follow industry-best practices in rolling out always-on crypto, according to security experts.

Tod Beardsley, engineering manager for Metasploit at Rapid7, said flaws in the implementation leave Yahoo! webmail far more vulnerable to snooping by intelligence agencies such as the NSA and others.

“Yahoo’s announcement that it has enabled HTTPS encryption for all Yahoo Mail users is not only too little too late, but also quite troubling,” Beardsley explained. “It appears that Yahoo! is not supporting PFS (Perfect Forward Secrecy). This means that an adversary can record the encrypted session, and if they later get Yahoo’s private key, they can still decrypt the session.”

“In other words, an attacker can’t decrypt the session today because they don’t have the private key. But in the future, ‘retrospective decryption’ is possible by getting a hold of that private key through an exploit on the webmail provider’s servers, a weakness on the cipher itself, webmail operator cooperation, or through the power of a court-issued warrant.”

Applying Perfect Forward Secrecy – a technology applied by Google, Facebook, and Twitter in their comparable HTTPS implementations – gets around this problem. With PFS, another encrypted session happens before the HTTPS session starts, using temporary keys that aren’t used for anything else. Beardsley adds: “Even if an attacker got a hold of that temporary key, it’s only good for that session and that session only. They’d have to recover a new, unique key for every session they decrypt.”

Google, Facebook, and Twitter have all employed ECDHE (Elliptic Curve Diffie-Hellman Ephemeral key exchange), where they can generate a one-time key that makes it very difficult for an attacker to come in later with private keys to decrypt. There’s no good reason for Yahoo! not to have followed this approach to building out stronger crypto with its service, according to Beardsley.

“The fact that Yahoo! is ignoring the current wisdom on Perfect Forward Secrecy, which solves the retrospective decryption problem, is worrisome. I can’t think of a legitimate reason to prefer this weaker encryption strategy,” Beardsley concludes.

The shortcomings of Yahoo’s always-on webmail crypto don’t stop at the omission of Perfect Forward Secrecy. For example, some of Yahoo’s HTTPS email servers use RC4 as the preferred cipher with most clients. “RC4 is considered weak, which is why we advise that people either don’t use it, or if they feel they must, use it as a last resort,” said Ivan Ristic, director of application security research at cloud security firm Qualys, which runs the SSL Labs and SSL Pulse projects, ITWorld reports.

Microsoft and Cisco both recently phased out the use of RC4, which is considered unsafe.
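As an added example (not Yahoo!’s, Rapid7’s or Qualys’ code), a small C audit of OpenSSL-style cipher suite names that applies the two criteria raised above: forward secrecy through an ephemeral (ECDHE/DHE) key exchange, and no RC4. The flag names and the sample suite list are constructed for the illustration, not taken from a scan of any host.

```c
#include <stdio.h>
#include <string.h>
/* Suites whose key exchange is ephemeral (ECDHE-/DHE- prefix in OpenSSL's
 * naming) give forward secrecy: the session key is never derivable from the
 * server's long-term private key. Plain RSA key transport (no such prefix)
 * is what permits the retrospective decryption described above. */
enum { FLAG_PFS = 1, FLAG_RC4 = 2, FLAG_ANON = 4 };

int classify_suite(const char *name)
{
    int flags = 0;
    if (strncmp(name, "ECDHE-", 6) == 0 || strncmp(name, "DHE-", 4) == 0)
        flags |= FLAG_PFS;
    /* Anonymous DH is ephemeral too, but unauthenticated: never acceptable */
    if (strncmp(name, "ADH-", 4) == 0 || strncmp(name, "AECDH-", 6) == 0)
        flags |= FLAG_PFS | FLAG_ANON;
    if (strstr(name, "RC4") != NULL)
        flags |= FLAG_RC4;
    return flags;
}

/* Acceptable by the article's criteria: forward secret, authenticated, no RC4 */
int suite_acceptable(const char *name)
{
    int f = classify_suite(name);
    return (f & FLAG_PFS) && !(f & FLAG_ANON) && !(f & FLAG_RC4);
}

/* Walk a server's preference-ordered list, print a verdict per suite and
 * return how many fail. */
int audit_suites(const char *const *suites, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        int ok = suite_acceptable(suites[i]);
        printf("%-28s %s\n", suites[i], ok ? "ok" : "weak");
        if (!ok) bad++;
    }
    return bad;
}

/* Constructed sample modelled on the criticism above: RC4 preferred first,
 * no ephemeral key exchange offered at all. */
static const char *const SAMPLE_SUITES[] = {
    "RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA" };
#define SAMPLE_COUNT (sizeof SAMPLE_SUITES / sizeof SAMPLE_SUITES[0])

int main(void)
{
    int bad = audit_suites(SAMPLE_SUITES, SAMPLE_COUNT);
    printf("%d suites lack forward secrecy or use RC4\n", bad);
    return 0;
}
```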

Other crucial servers, such as login.yahoo.com, lack mitigations for the CRIME SSL attack, leading Qualys’ SSL Labs to downgrade its overall rating to a “B”.

Jeff Bonforte, SVP of communication products at Yahoo!, said in announcing that HTTPS was now the default in Yahoo! Mail that the web giant was committed to continuous security improvements. El Reg‘s security desk can only hope the web giant takes the well-intentioned criticism of security experts on board quickly in further improving the security of its service.

Bonforte said:

Anytime you use Yahoo! Mail – whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP – it is 100 per cent encrypted by default and protected with 2,048 bit certificates. This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.

Security is a key focus for us and we’ll continue to enhance our security technology and policies so we can provide a safe and secure experience for our users.

Gmail has offered HTTPS by default since 2010 while Microsoft’s Outlook.com webmail service launched with the feature in July 2012, at the time the service was introduced as a replacement to Hotmail. Facebook began rolling out HTTPS by default in November 2012. Yahoo! introduced full-session HTTPS for webmail users in late 2012 but users had to opt in to use a more secure version of the service, which only became the default option this week. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/09/yahoo_always_on_crypto_unstrong/