STE WILLIAMS

Microsoft offers workarounds for IE bug

Microsoft has detailed a method users of Internet Explorer can use to secure their computers from the recently discovered exploit allowing malicious code to run on a PC.

Microsoft has admitted to the bug, which it says hurts Internet Explorer versions 6 through 9, but leaves IE 10 alone. The flaw is described as follows:

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Redmond’s remedy is detailed in Security Advisory 2757760, which says there’s no outright fix for the issue at present, but that users can work around the threat by deploying the Enhanced Mitigation Experience Toolkit (EMET), described as “… a utility that helps prevent vulnerabilities in software from successfully being exploited by applying in-box mitigations such as DEP to applications configured in EMET.”

An EMET-ic of this nature will not be pleasant, as Redmond says the tool is offered in English alone and enjoys only limited support.

The cure may also induce other worries, as the workaround instructions suggest that applying EMET to IE will result in the browser issuing lots of security prompts to users.

“You will be prompted frequently when you enable this workaround,” Microsoft warns. “For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in ‘Add sites that you trust to the Internet Explorer Trusted sites zone’.”

Redmond also recommends the following actions:

  • Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones. This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
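The second recommendation can be audited and applied per user from PowerShell. This is an added example, not text from the advisory or the article; it assumes the standard per-user IE zone registry layout (zone 1 is Local intranet, zone 3 is Internet, and value `1400` is the Active Scripting action with 0 = enable, 1 = prompt, 3 = disable), none of which appears in the article itself.

```powershell
# Added example: audit and optionally set the Active Scripting action
# (URL action 1400) for the Local intranet (1) and Internet (3) zones.
# Registry path and value numbers are the standard IE zone settings,
# stated here as assumptions because the article does not list them.
$ZonesKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$ActionValue = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Get-ActiveScriptingSetting {
    # Report the current action per zone and whether it matches the workaround.
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $path = Join-Path $ZonesKey "$zone"
        $prop = Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue

        $value = $null
        if ($prop) { $value = $prop.'1400' }

        # Translate the DWORD back to a readable action name.
        $action = 'Not set'
        if ($null -ne $value) {
            $match  = $ActionValue.GetEnumerator() | Where-Object { $_.Value -eq $value }
            $action = if ($match) { $match.Key } else { 'Unknown' }
        }

        [pscustomobject]@{
            Zone     = $ZoneNames[$zone]
            Value    = $value
            Action   = $action
            Hardened = (@(1, 3) -contains $value)   # prompt or disable
        }
    }
}

function Set-ActiveScriptingSetting {
    # Apply "prompt" or "disable" to both zones for the current user.
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Prompt', 'Disable')]
        [string]$Action
    )
    foreach ($zone in $ZoneNames.Keys) {
        $path = Join-Path $ZonesKey "$zone"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name '1400' -Value $ActionValue[$Action] -Type DWord
    }
}

# Audit first; apply only after trusted sites have been added to the Trusted sites zone.
Get-ActiveScriptingSetting | Format-Table -AutoSize
# Set-ActiveScriptingSetting -Action Prompt
```

Where Group Policy manages the zones, the policy values take precedence over these per-user settings, so check the effective setting in Internet Options after applying.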

Microsoft says a formal fix is in the works and “… may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/18/microsoft_workaround_for_ie_bug/

Users told: get rid of Internet Explorer (again)

Internet Explorer users have been told to ditch the application and switch to another browser, pronto.

The warning comes from Rapid7, which describes a hole that’s exploitable by visiting a malicious Website (and, of course, in the world of Twitter and shortened URLs, it’s so much easier to get users to visit such sites).

Visiting a malicious site gives the attacker the same privileges as the current user, according to Rapid7’s post, here. Although the published exploit targets XP, Rapid7 says the attack works on IE 7 through 9 running on XP, Vista and Windows 7.

The discoverer of the exploit, Eric Romang, says the zero-day drops a file, Exploit.html, on the target. This, in turn, creates files with img and swf suffixes, which IE treats as Flash.

Romang claims the exploit was created by the same group – Nitro – that recently released a Java zero-day into the wild.

Rapid7’s HD Moore, also chief architect of Metasploit, told Ars that he’s surprised to see the exploit work across Windows Vista and 7: “This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS”, he said. The attack bypasses ASLR – address space layout randomization – that’s meant to help defend the newer operating systems against attack.

Microsoft is looking at the exploit now, and has stated that it will “take the necessary steps” once it has a fix ready. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/17/yet_another_explorer_zero_day/

Got a BMW? Thicko thieves can EASILY NICK IT with $30 box

BMWs and other high-end cars are being stolen by unskilled criminals using a $30 tool developed by hackers to pwn the onboard security systems. The new tool is capable of reprogramming a blank key, and allows non-techie car thieves to steal a vehicle within two or three minutes or less.

On-board diagnostics (OBD) bypass tools are being shipped from China and Eastern Europe in kit form with instructions and blank keys, says a news report linking the release of the tool to a spike in car thefts in Australia, Europe and elsewhere during 2012. Would-be car thieves need to grab the transmission between a valid key fob and a car before reprogramming a blank key, which can then be used to either open the car or start it, via the OBD system.

“Crooks only need to monitor a person using the key or interrogate the key fob to get enough information to decipher the key,” explained Professor David Stupples, of the centre for cyber security sciences, at London’s City University.

Weak cryptography combined with a security-through-obscurity approach in the OBD specification allows the tactic to succeed.

Other shortcomings of the OBD specification were detailed by Rob Van den Brink in a presentation (PDF) delivered at a SANS Technology Institute security conference earlier this year. Potential problems involving attacks on the OBD system of cars were first discovered by academics from the University of Washington and University of California-San Diego two years ago (PowerPoint slides here).

Police in the UK have also begun warning about the approach, which was highlighted by a recent BBC Watchdog investigation.

In response, BMW told the BBC that the carjacker/hacker technique was developed after its cars were designed and was limited to “older” BMW models – those built before September 2011. “Certain criminal threats, like the one you have highlighted, simply do not exist when cars are designed and developed. This does not mean the car companies have done anything wrong, neither are they legally obliged to take any action,” it said.

The German car giant added that the issue was not limited to BMW, and promised to help mitigate the attack, in a statement published last Wednesday.

BMW prides itself on its vehicle security systems and all BMWs meet all UK and global security standards. Our engineers and technicians review all aspects of our vehicles constantly, including security systems.

After extensive research we are clear that none of our latest models – new 1 Series Hatch, 3 Series, 5 Series, 6 Series and 7 Series – nor any other BMW built after September 2011 can be stolen using this method. However, as a responsible manufacturer we are looking at ways of mitigating against this new kind of attack.

We are now in the process of offering, to any concerned customers of targeted models, extra technical measures which will mean that their car cannot be taken using the equipment highlighted in these stories, although of course there is no such thing as an unstealable car.

The OBD pwn method of car theft has been documented over recent months by the Daily Mail and car enthusiast blog Pistonheads, both focusing on the CCTV footage depicting the theft of Steve Wood’s BMW 1M coupe from outside his home in Sutton Coldfield, in the West Midlands, as well as a steady stream of reports from much further afield, including a spate of thefts in Queensland, Australia.

A post on Pistonheads suggests that devices similar to those used in BMWs are also available for Opel, Renault, Mercedes, Volkswagen and Toyota cars. The relative exposure of the various car models from these manufacturers to theft via the technique remains unclear.

A spokesman for the Society of Motor Manufacturers and Traders, the UK trade association, said it was aware of the issue but wasn’t able to say how many other manufacturers were involved. “BMW [is] updating its systems and it could well be that other manufacturers will do something similar,” he said, adding that although SMMT was working with UK police forces on the issue it didn’t have any information to hand on the scale of the problem.

Extreme Tech notes that basic OBD readers from the likes of CarMD, Innova, or Actron are readily available and are normally used for legitimate purposes. One significant issue in creating the problem in the first place is that OBD data needs to be open so that third-party garages, and not just a closed shop of authorised BMW merchants, for example, can diagnose a faulty spark plug.

Our man at SMMT confirmed that OBD systems need to be accessible and programmable to allow access to third parties because of EU rules designed to allow open competition in the car trade. ®

Bootnote

Thanks to Australian Reg reader Ivan J for his pointers to many articles on this prevalent and disturbing crime.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/17/bmw_car_theft_hack/

Flame espionage weapon linked to MORE mystery malware

Forensic analysis of two command-and-control servers behind the Flame espionage worm has revealed that the infamous malware has been around for longer than suspected – and has links to other mystery sophisticated software nasties.

Flame was built by a group of at least four developers as early as December 2006, according to freshly published joint research by Symantec, Kaspersky Lab and the United Nations’ International Telecommunication Union.

The malware, which infected Microsoft Windows computers across the Middle East, came to light in May when Iranian authorities found it siphoning off data to its foreign handlers.

Over the last six years, the team behind Flame used the command servers to communicate with the malware on the compromised machines and order them to launch attacks, using multiple encryption techniques and periodically wiping data from the PCs to hide its activities.

Despite these efforts, the well-funded Flame handlers left behind a number of clues. “The C&C servers were disguised to look like a common content management system, to hide the true nature of the project from hosting providers or random investigations,” a statement by Kaspersky Labs explains. “The servers were able to receive data from infected machines using four different protocols; only one of them servicing computers attacked with Flame.”

“The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created. Their nature is currently unknown.”

The command-and-control infrastructure associated with Flame has since been dismantled.

“They [the command servers] are all dead,” Costin Raiu, senior security researcher at Kaspersky Lab told El Reg. “About 35 C&C servers were active during the past 2 to 3 years, I believe 5 or 6 were active in May 2012.”

Flame’s control systems went offline immediately after Kaspersky Lab first unearthed the malware. All the command servers were running the 64-bit flavour of the Debian GNU/Linux operating system, virtualised using OpenVZ containers and disguised to look like a common web publishing system. Only the team behind the malware would have been able to read the heavily encrypted data uploaded there.

“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its command-and-control servers,” said Alexander Gostev, chief security expert at Kaspersky Lab. “Flame’s creators are good at covering their tracks. But one mistake by the attackers helped us to discover more data that one server intended to keep. Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale.”

There’s no evidence to suggest that Flame’s command servers were used to control other known cyber-weapons – such as Stuxnet or Gauss – but they were used to operate a mystery malware strain, codenamed “SPE” by its authors. Kaspersky set up a sinkhole to capture internet traffic generated by SPE, establishing that the malware was in the wild and attempting to communicate with the wider world. By contrast, the two other unidentified Flame-related malicious programs (SP and IP) were not generating traffic and generally inactive at the time of the May 2012 takedown.

A complete run-down of the main findings from the Kaspersky-Symantec analysis can be found here.

Eternal Flame

The Flame espionage campaign was unearthed in May 2012 by Kaspersky Lab during an investigation initiated by the International Communication Union. Flame stealthily takes screenshots and snoops on network traffic and keystrokes, and even records audio conversations, before uploading this sensitive data to servers. The malware spread across the Middle East, but most of the victims were located in Iran.

Flame weighs in at a monster 20MB – 40 times larger than Stuxnet, a lightweight itself by malware standards. This led to accusations that the spying toolkit was nothing more than boring bloatware until it emerged that the malware used a clever MD5 collision attack to create counterfeit Microsoft security certificates, allowing bogus operating system upgrades to be pushed under the guise of legitimate Windows Update downloads.

Unnamed US officials told the Washington Post that Flame was created as part of the same covert programme that spawned cyber-weapon Stuxnet, codenamed Olympic Games. Flame was described as a reconnaissance tool that was used to map networks associated with Iran’s controversial nuclear enrichment programme. This information was used by Stuxnet to target its nuke centrifuge cyber-sabotage mission.

The joint Symantec and Kaspersky research shows Flame has been around for years, consistent with this theory while hardly proving it. The security research boffins would only say data suggests Flame was created by an advanced, nation-sponsored group with plenty of cash. A component in an early build of Stuxnet appears in Flame as a plugin. Despite this link Stuxnet and Flame are not regarded as close relatives. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/17/flame_analysis/

Experts: What ICO should know BEFORE your private info ends up in a skip

The view of the Information Commissioner’s Office (ICO) that businesses do not require individuals’ “explicit consent” in order to contract others to process their sensitive personal data is in contrast with the wording of data protection law, according to two experts.

A spokesperson for the UK’s data protection watchdog told Out-Law.com that it is the ICO’s view that there is “nothing within the Data Protection Act” that requires companies to obtain the ‘explicit consent’ of individuals in order to outsource the processing of sensitive personal data to other firms.

However, data protection law specialists Marc Dautlich and Christian Knorst of Pinsent Masons, the law firm behind Out-Law.com, have questioned the legal basis of the ICO’s view.

The comments follow an issue raised in a report by The Independent newspaper last weekend. The report detailed the concerns of medical practitioners that individuals had not consented to the processing of their benefits claims forms by Royal Mail staff on behalf of the Department for Work and Pensions (DWP). DWP is the Government department responsible for assessing individuals’ welfare and benefits claims.

According to the report, Royal Mail staff open and sort mail for DWP relevant to individuals’ benefits claims in order to direct the mail to the “appropriate processing centre”. The mail can contain information revealing sensitive health information about those individuals. The outsourcing arrangement is governed by a contract and a number of measures have been put in place to ensure data security requirements are met, DWP said.

The ICO told Out-Law.com that organisations do not need to obtain individuals’ explicit consent to outsource the processing of those individuals’ sensitive personal data. Such data refers, among other things, to details of individuals’ medical health or condition.

The watchdog has issued guidance on outsourcing of personal data processing. The guidance contains a number of ‘good practice’ recommendations for businesses but does not advise them to inform individuals if they contract others to process those individuals’ personal data on their behalf. The guidance does not contain a single reference to ‘sensitive personal data’.

Under the UK’s Data Protection Act (DPA) all personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes only.

However, under the DPA organisations generally need the “explicit consent” of data subjects in order to be able to process those individuals’ sensitive personal data. This general rule is subject to a number of strict exceptions that set out circumstances in which consent is not required.

Rules around non-sensitive personal data processing are less restrictive. They provide organisations with a greater scope to process personal data without the need to obtain individuals’ consent to do so.

One example where consent to personal data processing is not required is where the activity is “necessary for the purposes of the legitimate interests” organisations are pursuing, as long as the processing is not “unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”

The ICO said that when organisations obtain individuals’ explicit consent to process sensitive personal data they can then outsource some or all processing activities to others without the need for individuals to consent to those arrangements.

The ICO said that businesses’ outsourcing arrangements must comply with sections 11 and 12 of the DPA.

Under the DPA data controllers are required to take “appropriate technical and organisational measures” to ensure against the “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

When outsourcing personal data processing to others, data controllers are required to select processors that can provide “sufficient guarantees” that they can properly meet the “technical and organisational measures” requirement and that they will “take reasonable steps” to “ensure compliance”.

The data controllers must establish a written contract with data processors specifying that the processor may only undertake processing activities that the controller tasks them with, whilst the contract must also hold the processors to comply with the “technical and organisational measures” requirements under the DPA. Data controllers are also responsible for any failure of processors in meeting those personal data security standards.

Further rules apply to outsourcing of personal data processing where that processing takes place outside the European Economic Area.

However, Dautlich and Knorst said that those sections contain rules governing the processing of personal data by contractors only, and do not account for the special rules around sensitive personal data.

“Whilst it is positive that the ICO has sought to take a pragmatic approach to the outsourcing of sensitive data, it is unclear upon what legal basis they have done so,” Dautlich said. “Before outsourcers rely on what seems to be a very pragmatic understanding and liberal interpretation they would be well advised to identify exactly what grounds they could rely on in order to outsource sensitive data without explicit consent.”

Christian Knorst, a data protection law expert based in Pinsent Masons’ Munich office, added: “It is fair to say that also under German law a transfer of health data without the explicit consent of the affected person may only be made under very strict preconditions. One cannot say that an outsourcing with respect to health data is in general possible without consent.”

The DPA in the UK and German data protection laws are based on the implementation of the EU’s Data Protection Directive. The Directive is set to be replaced by a new general Data Protection Regulation, but Dautlich said that the reforms, which are still being negotiated, are likely to require that businesses generally obtain individuals’ consent to outsource the processing of their sensitive personal data.

“It is difficult to see on current progress that the new Regulation could countenance such an approach even assuming that the ICO’s liberal interpretation is possible under the existing Directive and its implementation in the DPA,” Dautlich said.

DWP said that CCTV is used to monitor staff sorting mail, and that at least two staff must be present in order for mail to be opened, according to the Independent’s report. DWP said that it has a contract with Royal Mail that requires sorting office staff “abide by the same data protection and security checks as any DWP employee.”

However, Dr Tony Calland, chair of the British Medical Association ethics committee, criticised the processing arrangements and said the security measures in place were irrelevant, according to the Independent.

“We are very concerned that a Government department could even contemplate allowing such sensitive and confidential medical data to be handled by a third party without the person’s consent,” he said.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/17/ico_outsourcing_privacy/

Freebie virus scan biz punts belt-and-braces security for suits

Malwarebytes, the anti-virus firm best known for its freebie scanner software, branched out into the enterprise with the launch of corporate products on Monday.

Malwarebytes Enterprise Edition (MEE) is designed to catch malware that other anti-virus programs sometimes miss, including some strains of blended attacks (for example, malware with characteristics not only of viruses but also of Trojans or worms) and “polymorphic” threats – which are capable of morphing their own code to evade detection. The technology runs in batch mode and is designed to avoid conflicts with any regular anti-malware software already loaded on the same corporate desktop.

Malwarebytes achieves this by testing against all major anti-virus vendors as well as database whitelisting. The tech is designed to work in tandem with other security kit rather than as a replacement to existing anti-virus software.

“Modern malware is able to bypass many of the antivirus technologies currently deployed in today’s enterprise, posing a serious risk to corporate data,” said Malwarebytes chief exec Marcin Kleczynski. “MEE’s heuristic and behavior-based analysis engine adds a powerful second layer of defence to today’s corporate systems that more effectively safeguards sensitive corporate assets from the organised crime rings behind much of today’s malware.”

Not all anti-virus products catch all viruses, and this goes for Malwarebytes as much as anyone else. “Indeed, if it was 100 per cent accurate you would not need to run it alongside other anti-malware products,” explained Simon Edwards, technical director at Dennis Technology Labs.

A two-scanner approach can yield benefits, according to Edwards, who has clocked up years of experience in testing the effectiveness of various anti-virus products.

“One reason G Data’s desktop products perform so well in our tests is that they use two engines, one provided by Avast! and one from BitDefender. If one technology misses a threat, the second provides another chance to prevent an infection. There is inevitably a hit on performance when you run more than one real-time protection system, but that’s a trade-off customers can choose to make or not,” he said.

Malwarebytes is offering an anti-virus scanner, rather than an on-access, real-time system. “As such, as long as you don’t run a scan using more than one scanner at a time, performance should not be too much of an issue,” says Edwards.

Potential customers could use one of the more established products to protect their system and then use Malwarebytes to support it, to pick up the threats that escape detection by the main system. However this is little different to running different anti-virus products on different portions of a corporate network. For example, an organisation might run an anti-virus from one vendor on its firewalls, a different AV from a different vendor on its servers and yet another product line from another vendor on its desktops.

Malwarebytes has signed up SCC as a reseller. Other disties worldwide who will be flogging its kit include Grey Matter, DSolution (Canada), SHI, Insight, I Tech Trading and Computerworld Business Solutions.

Malwarebytes boasts that 150 million consumers worldwide have used its technology to either block or remove over five billion pieces of malware.

MEE supports XP, Vista, Windows 7 and Windows 8 operating system clients as well as Windows 2003, 2008 and 2008 R2 Servers. List prices start at $1,315 for a 100-seat licence, with special pricing available for government, education and non-profit organisations. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/17/malwarebytes_enterprise_launch/

Foreign hacks in China hit with malicious emails

Foreign journalists in Beijing have been bombarded with information-stealing malware in the past fortnight, as tensions rise before the much anticipated Communist Party leadership transition later this autumn.

The malware was delivered in a standard email attachment, with the attackers relying on tried and tested social engineering tactics to trick the recipient into opening the malicious files, according to Reuters.

Independent security expert Greg Walton told the news wire that the emails themselves purported to come from either a Beijing-based correspondent or a Washington-based think tank, with both referencing the upcoming Communist Party leadership handover.

They contained the same type of malware, designed to send encrypted info from the victim’s computer to an external server located in the UK, Reuters’ report said.

Chinese authorities’ response to news of the incident was vague.

“China manages the internet according to law and has engaged in cooperation with the international community to promote internet security. Internet security is a complicated issue,” Foreign Ministry spokesman Hong Lei told the news wire.

“China is also a victim of internet attacks. The source of these internet attacks is very difficult to determine. Reaching conclusions without sufficient evidence or fair and thorough investigations, it’s just not serious.”

Although the exact timing has yet to be revealed, it is widely expected that the Communist Party top brass will step aside this autumn and make way for a new intake of leaders. Such a transition happens every ten years.

Given the heightened political sensitivity in China at this time it’s not unusual to see spikes in malware targeted at specific groups like journalists and Party critics, coupled with a more vigorous approach to online censorship. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/16/journalists_china_hack_beijing/

Boffins receive quantum key from moving plane

A group of German researchers has taken a step closer to achieving quantum key distribution with satellites, receiving quantum keys transmitted by a moving airplane.

The experiment is described in this paper (PDF) presented to the QCrypt conference in Singapore last week.

Led by Sebastian Nauerth at the Ludwig Maximilian University of Munich, the researchers achieved a stable connection over 20 km for ten minutes, and in that time achieved a key rate of 145 bits/s. While that’s far too slow for a data channel, this only refers to the rate at which the keys are transmitted.

However, if the system were to be made secure against eavesdropping, the authors note, the key exchange rate would fall to 5 bits/second.

The experiment was conducted just after sunset at Munich’s Oberpfaffenhofen airport to avoid errors that could be introduced by sunlight. The researchers also had to create a mechanism of moving mirrors to compensate for the movement of the aircraft.

The qubits were encoded on the polarization of the beam transmitted from the aircraft (Alice) to the ground (Bob).

The kit the researchers used included a free-space laser terminal developed by the German Aerospace Centre (DLR), modified to implement the QKD transmitter communicating with a ground-based receiver on a DLR building. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/17/qkd_from_moving_airplane/

AntiSec leaks ‘Feds’ credit cards’ after Barrett Brown cuffed

Hacking crew AntiSec claims it has published the credit-card details of 13 US government officials in retaliation for the arrest of self-described Anonymous spokesman Barrett Brown.

Brown was cuffed at his Dallas home on Wednesday hours after he published a rant against a named FBI agent. The arrest was recorded for posterity and uploaded to YouTube thanks to Brown’s friends, who were talking to him via a live video chat website when cops burst into the 31-year-old’s room.

Brown is being held in custody and is accused of making threats to a federal agent, according to Brown’s lawyer. The allegations relate to a 13-minute YouTube video in which Brown admits he is in the process of weaning himself off opiates and speaks of his paranoia after being targeted by the Mexican crime syndicate Los Zetas. In the vid, he also talks about his intention to mess up the life of an FBI agent and his family.

In response to Brown’s arrest, hacktivists revealed online 13 credit cards records along with names, addresses and a mix of .gov and navy.mil email addresses. The AntiSec crew’s claim that all the records are of FBI agents is dubious due to the fact that the email addresses aren’t @fbi.gov addresses – and that’s before other factors are taken into account.

A notice attached to the leaked information states: “This data could be potentially and underteminatedly [sic] false as FBI could potentially claim, they also would be a potentially different set than those we released from Stratfor and they could just potentially bring an underterminate [sic] amount of lulz. but what the hell, you are free to try them if u want. spend a lot!!!! send flowers to Barrett!!!” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/14/antisec_reprisal_brown_rant_arrest/

Twitter bows to subpoena, releases Occupy protester’s tweets

Twitter has succumbed to threats of contempt of court charges and significant fines, and has handed over a trove of tweets from Occupy Wall Street protestor Malcolm Harris to a Manhattan Criminal Court.

The tweets had been subpoenaed by the Manhattan district attorney’s office, which demanded that Twitter provide it with access to Harris’ account and three months of tweets, which were no longer available online.

According to the BBC, prosecutors believe the messages will bolster their case against Harris, who has pleaded not guilty. In his defense, he claims that police had lured 700 protestors – Harris among them – onto the Brooklyn Bridge, only to arrest them for obstructing traffic.

Twitter had fought the subpoena, citing privacy laws, but buckled under on Friday, the deadline set by the court, after the company’s lawyers made one last plea to the judge to stay the order to hand over the tweets, which he refused.

Criminal Court Judge Matthew Sciarrino will keep the tweets under seal pending an appeal filed by Harris’ attorney, which is scheduled to be heard within seven days. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/14/twitter_hands_over_occupy_protesters_appeal/