STE WILLIAMS

So many devices, so little policy

Live event Every one of your users has a computer at home, maybe a laptop, definitely a phone, and likes to log in from someone else’s computer from time to time. They’re carrying your data around, but often not your security policy.

You know how hard it is to match policy from device to device, location to location. If only it were possible to create a single policy and apply it to multiple devices – but that is what Blue Coat thinks it can do. And with the correct policy in place, it can actively monitor your security levels, so that your most secure day is not the day after you created your excellent new policy, just before the users break it. Sasi Murthy is flying in from Blue Coat in the US just to see the Reg’s famous studio. While she’s there, we’ll make her talk live about this, and answer your questions.

It sounds too good to be true. That’s why we have recruited an expert to tell us about the problems that Reg readers have with one policy, many devices: Andy “Too Good” Buss, from Freeform Dynamics.

Join us on September 20 at 11:00 BST for this free broadcast, by registering here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/11/single_policy_event/

McAfee: Emma Watson riskiest celebrity search

In McAfee’s latest survey of the celebrity searches most likely to lead to malware infection, Emma Watson – perhaps best known as Hermione Granger in the Harry Potter films – has taken the top spot, knocking off model Heidi Klum from last year’s most-likely-to-infect honors.

[Image: Emma Watson. Caption: Be careful what you search for…]

According to the security firm’s data, a search for Emma Watson runs you a 12.6 per cent chance of returning a link to a malware site, topping a list of ten celebrities – all of whom are women. Jessica Biel was the second most dangerous search, ahead of Eva Mendes, Selena Gomez, and Oscar (and Razzie) winner Halle Berry.

“Scammers know that this is a word that can get a lot of attention and will use this as a way to get to you,” said Robert Siciliano, online security evangelist to McAfee. “This year, when searching for ‘Emma Watson and “free” downloads’, and ‘Emma Watson and hot pictures’ and ‘Emma Watson and videos’ you run the risk of running into online threats designed to steal your personal information.”

It’s clear malware writers are still relying on men with prurient interests to click on dodgy search links, since only one male made it onto the Top 20 malware search terms: US comedian Jimmy Kimmel. From the look of the man, few people are going to be searching for “Kimmel AND Nude”, but they may be misled by his infamous “F**king Ben Affleck” song.

Kimmel knocked out Brad Pitt and Piers Morgan (the latter being another search term few would associate with nudity) from the list. It’s the first time only one man has been in McAfee’s top-20 list since it started the helpful effort six years ago.

From a demographic perspective, the McAfee list shows the increasing racial mix of internet interest. Five of the top 10 dodgy celebrity searches are Latina actresses, although few black actresses made it onto the list.

In terms of popular appeal, noted Scientologist Tom Cruise failed to make it into McAfee’s top 50 dangerous celebrity searches for the first time in years, despite a high-profile divorce. Either Mr. Cruise’s celebrity appeal is dimming, or the dictator of the galactic confederacy Xenu is protecting him from bad publicity. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/11/mcafee_watson_dangerous_celebrity/

GoDaddy stopped by massive DDoS attack

A lone hacker has claimed responsibility for an ongoing denial-of-service attack that may have knocked out as many as millions of websites hosted by popular domain registrar GoDaddy.

The attack began at around 10am Pacific time and appears to affect the registrar’s DNS servers. Any site that is hosted with GoDaddy could be affected, although as of 1pm Pacific the company reported that at least some service had been restored.

Claiming responsibility for the outage is a hacker who goes by the Twitter handle AnonymousOwn3r. Although that account’s Twitter bio describes the hacker as “Security leader of #Anonymous” and “Anonymous Official member,” a number of Twitter feeds affiliated with the hacker collective say that Anonymous was not involved, and AnonymousOwn3r himself has called for sole credit.

So far, no reason for the attack has been given, although speculation abounds. GoDaddy has earned its share of detractors for various reasons, ranging from its early support for the Stop Online Piracy Act (SOPA) in the US, to GoDaddy CEO Bob Parsons posting a video of himself shooting an elephant while on a Zimbabwe safari vacation.

According to AnonymousOwn3r, however, he “is not anti-GoDaddy” and the attack was not motivated by any of these reasons, but instead simply to point out flaws in the registrar’s security:

GoDaddy customers were not generally impressed with this explanation, however, and many of them took to Twitter to voice their frustration that one individual was able to unilaterally take down their sites:

GoDaddy claims to have registered as many as 52 million websites, many of which are operated by small businesses. The company has not disclosed how many of the sites are included in the outage, though it is believed that the majority may be affected.

How long the outage will continue remains unknown. According to AnonymousOwn3r, when he launches a DDoS attack he might let it continue for “one hour or one month.” As of this writing, GoDaddy says it is still working to address the problem and that restoring full services is its top priority. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/10/godaddy_ddos_attack/

E-publisher ‘fesses up: ‘Apple UDIDs were ours’

It seems both Apple and the FBI were telling the truth: the Apple UDIDs published last week didn’t come from either organization, with an American e-publisher posting a statement that the data was stolen from its systems.

The five-year-old BlueToad, based in Orlando, Florida, says the UDIDs that were posted to Pastebin matched its databases. In this statement, the company apologizes to its customers (complete with the usual bromide about “understanding the importance of protecting the safety and security of information contained on our systems”).

The company’s CEO Paul DeHart told NBC News the file posted by the crackers had a “98 percent” match with the company’s database (suggesting that the entries that didn’t match were added to the database before it was posted).

“That’s 100 percent confidence level, it’s our data,” he says in the NBC News interview, adding that the attack that obtained the data occurred within the last two weeks.

BlueToad now says it’s co-operating with law enforcement in the investigation, and that it apologises to its “partners, clients, publishers, employees and users of our apps”.

The publisher says it has discontinued the collection and reporting of UDIDs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/10/bluetoad_source_of_stolen_udids/

Virus lab blogger collared by blundering copyright cop bot

A malware researcher’s website was nobbled last week by an automated bot that accused her of breaching copyright law.

Web storage biz MediaFire, which is used by Mila Parkour to host dozens of downloads for her Contagio blog, pulled the plug on her account because it contained three files that were flagged up for copyright violations. The alleged infringements were reported by a software bot that uses algorithms to search for copyrighted works and demand their removal under the US’s controversial Digital Millennium Copyright Act (DMCA).

It’s believed the action was triggered by blog posts about a Microsoft security patch and “an old malicious PDF attachment” that was linked to phishing email attacks two years ago. MediaFire acted in response to takedown requests from a bot run by French copyright enforcement firm LeakID, and it’s unclear who LeakID was acting for in this instance. It’s been suggested that, unless the action was a mistake, LeakID is enforcing the copyright of malware authors. LeakID also failed to identify the infringing work, a requirement under DMCA rules.

Parkour’s MediaFire account was restored soon after its suspension on Thursday, but only after her plight was highlighted by security biz Sophos. However, downloads have been suspended pending the outcome of Parkour’s DMCA counter-claim, which LeakID is obliged to respond to before a 16 September deadline. The blogger took issue with this procedure in this missive, which covered the suspension of her storage box:

I understand that the claims came from LeakID and I do understand that all claims must be checked and it takes time to check them. However, I do not appreciate auto-enforcement of American laws by foreign (and American) robots who do not even follow the filing laws. I think accounts should be suspended after the claims are proven to be true, not before.

Parkour adds that she is considering moving the blog’s encrypted downloads to an alternative host. Contagio, which is a popular resource among IT security bods, bills itself as a collection of the latest malware samples, threats, observations, and analyses.

Baseless software-generated takedown requests are not a new problem. The Electronic Frontier Foundation (EFF), among other organisations, has campaigned on the issue. Other recent victims of robo-takedowns have included US First Lady Michelle Obama and science fiction author Neil Gaiman. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/10/malware_research_blog_robo_takedown/

Fanboi beats ‘e-trespassing’ rap after using GPS to find stolen iPad

An Australian magistrate has ruled that an iPad owner acted lawfully when he used Apple’s Find my iPad app to locate his stolen fondleslab in a private home.

ABC News and the Canberra Times report that when a Canberra man’s iPad mysteriously disappeared he fired up the Find my iPad App. Doing so revealed, thanks to the fondleslab’s built-in GPS, that it was located in a nearby suburb.

The newly iPad-less man went to the location indicated by the app and heard his iPad making noises within a home.

At this point he called the Police, who happily entered the suspect home and found the iPad and other goods they suspected to be stolen. That find led Police to become rather interested in the occupant of the home where the fondleslab was found. So interested, in fact, that they sought an order to take his fingerprints as he was by now a suspect in other burglaries.

The fondleslab-filcher argued that order was not legal, as using Find My iPad constituted “e-trespassing”, while the fondleslab-owner’s prowl about the exterior of his home was the real thing.

Australian Capital Territory Chief Magistrate Lorraine Walker rubbished that argument, using analogies of a sniffer dog detecting drugs through the air or listening to a kidnap victim’s cries for help from within a home to explain her belief that using the app is legal. She also said that radio waves are in the public domain and that the fondleslab-deprived man was allowed to beam them wherever he wished in pursuit of his property.

The alleged thief must therefore submit to fingerprinting procedures.

Of course had the alleged thief turned off the iPad, removed its SIM, put it into flight mode or given it a factory reset none of this would have happened. You’d imagine someone creative enough to run the e-trespassing defence could figure that out. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/10/ipad_beats_etresspassing_rap/

Google Aurora hackers AT LARGE, launch 0-day bazookas

Security researchers have traced a continuing run of zero-day attacks to the hackers who infamously hit Google and other hi-tech firms three years ago.

Symantec has kept close tabs on the hackers behind the so-called Aurora attacks ever since. No other group has used more zero-day vulnerabilities – eight – to further their malicious goals than the attackers behind Aurora (Hydraq) and other related attacks, the researchers said. Previously unknown vulnerabilities leveraged by the group have included Internet Explorer and Adobe Flash security bugs.

Identifying zero-day attacks takes hard graft as well as skills in reverse-engineering, a factor that means the group must be well-resourced.

“The group behind the Hydraq attacks is very much still active, with evidence indicating their involvement in a consistent and ongoing pattern of large-scale targeted attacks,” according to Symantec.

“Targeted sectors include, but are not limited to: the defence industry, human rights and non-governmental organisations (NGOs) and IT service providers,” it added.

Attacks used to be launched via targeted email (phishing), but over the years the group has moved towards increased adoption of “watering hole” attacks – the “watering holes” being websites likely to be visited by the gazelle-like target organisation. Defence supply-chain firms (suppliers of electronics and other sub-components of defence systems) have been the prime target of these attacks. Suppliers are selected because they have lower security standards than tier-one defence contractors, who have been a prime target for cyber-espionage for many years.

The attackers reuse components of an infrastructure Symantec has dubbed the Elderwood Platform. Most of the attacks have focused on either intelligence gathering or swiping valuable trade secrets from compromised computers, say the researchers.

“Although there are other attackers utilising zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), we have seen no other group use so many,” a blog post by Symantec security response concludes.

At the time of the 2010 hack, Google all but said the attackers behind the Aurora attacks were backed by the Chinese government. Symantec is more circumspect.

The number of victims, the duration of the ongoing attacks as well as their apparent goal of wholesale intelligence and intellectual property theft mean the group must be backed by a nation state or (less probably) a large criminal organisation.

A white paper by Symantec on the ongoing attacks by the group can be found here (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/10/elderwood_cyberespionage/

Spammers, phishers escape proper punishment

Australia has no data describing the sentences imposed upon criminals convicted of crimes enabled by phishing and similar scams, and no guidelines for sentencing such crimes, leaving judges with little guidance to fashion effective and appropriate punishments.

That’s the thrust of a paper from the Institute of Criminology, Sentencing scammers: Law and practice.

The paper considers only consumer frauds, but does cover “money transfer requests; banking, credit card and online account scams; golden investment opportunities and health and medical scams,” all of which are common crimes generated by unsolicited email. The research goes on to note that “there are no comprehensive data available in Australia on sentencing practices in relation to those convicted of carrying out a scam” and therefore little chance of assessing their effectiveness.

Judges therefore apply general sentencing principles when punishing scammers, considering if sentences are proportional, likely to act as a deterrent and/or punishment, and taking into account the magnitude of the crime and the criminal’s intentions and culpability in each matter.

The research also notes that it is hard to know if Australia’s different jurisdictions sentence scammers consistently. It also queries whether, in light of recent cases, sentences are sufficiently flexible to offer judges options that allow a response to particular crimes.

The research concludes that:

“What is required now, however, is greater guidance for criminologists and legal practitioners about how sentencers do and should respond to such cases. Research is therefore required on the types of sentences currently imposed in consumer fraud cases, including any jurisdictional variation.”

Further, the research points out, the UK has recently developed a fine model for sentencing fraudsters, and therefore recommends that:

“In light of the paucity of research and clear guidance in Australia in this area, it may be of benefit for Australian researchers, policymakers, practitioners and judicial officers to collaborate in developing guidelines such as those [from the UK] …in order to promote consistency of approach in similar cases.”

But the research also says that while “a harmonised approach is particularly desirable, given the likely inter-jurisdictional nature of the offences”, the need to tailor sentences for such crimes means it is “undesirable to set down any prescriptive mandatory minimum sentences.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/10/no_research_on_scam_sentences/

Microsoft: ‘Update your security certs this month – or else’

The good news is that Microsoft’s next Patch Tuesday, due on September 11, should be a breeze, bringing just two security updates. The bad news is that October’s Patch Tuesday will be a game changer, and Microsoft has cautioned Windows admins to take advantage of the lull to make sure their security houses are in order.

Beginning in October, the minimum RSA key length for certificates used in Public Key Infrastructure (PKI) will increase to 1024 bits for all supported versions of Windows, going back to XP Service Pack 3. That means admins may need to update the certificates on their secure servers to avoid widespread problems.

For starters, once the patch is applied Internet Explorer will block access to SSL websites that use certificates with keys less than 1024 bits long. Similarly, Outlook 2010 will not be able to connect to an Exchange Server that uses a key that’s too short, and it will no longer be able to encrypt or digitally sign mail using such keys. Applications and ActiveX controls that were signed with keys shorter than 1024 bits may not install correctly, either, among other potential problems.

The change has been a long time coming. Microsoft first pledged to up its security requirements in 2011, and it issued a security advisory of the new policy this August. A patch has been available through the Download Center since August, too, for customers who want to get a head start.

But beginning with the October 9 Patch Tuesday, Redmond says it will push the patch out to all customers through Windows Update – ready or not – so admins better be sure their certificates aren’t signed with short keys. As Angela Gunn of Microsoft’s Trusted Computing division writes:

Though many have already moved away from such certificates, customers will want to take advantage of September’s quiet bulletin cycle to review their asset inventories – in particular, examining those systems and applications that have been tucked away to collect dust and cobwebs because they “still work” and have not had any cause for review for some time.

The fix for any related problems that arise will be to reissue new certificates to any servers that are currently running with certificates whose keys are shorter than 1024 bits. As Gunn points out, 1024-bit keys should be considered the new baseline standard, and most experts recommend keys of 2048 bits or longer.

The trick, of course, will be finding those old certificates before they start causing problems. According to Microsoft, one way to spot them is to use CAPI2 logging. But even if you have to check the length of each certificate’s key manually, the best plan is to find the bad ones before users start getting locked out of systems.
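One way to do that hunt, as an added example that is not Microsoft’s own script or anything from the article: enumerate the local certificate stores, flag RSA keys under the 1024-bit baseline, and optionally read the key size a TLS server presents. It assumes an elevated Windows PowerShell session; the store paths, function names and the example host name are illustrative.

```powershell
# Added example (not from the article or Microsoft): audit for RSA keys shorter than the
# 1024-bit minimum the October update enforces. Assumes an elevated Windows PowerShell session.

$MinimumKeyBits = 1024   # the new Windows baseline described in the article

function Get-WeakRsaCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        [int]$MinBits = $MinimumKeyBits
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                # The new minimum applies to RSA keys; skip DSA and ECC certificates.
                if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
                $bits = $cert.PublicKey.Key.KeySize
                if ($bits -lt $MinBits) {
                    [pscustomobject]@{
                        Store      = ($cert.PSParentPath -replace '^.*::', '')
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $bits
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

function Get-RemoteRsaKeyBits {
    # Reads the key size of the leaf certificate a TLS server presents (e.g. an Exchange
    # or intranet host), so servers can be checked before clients start refusing them.
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Chain trust is deliberately not evaluated here: we only want to inspect the key
        # of whatever certificate the server sends, even one that would fail validation.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $HostName; Subject = $leaf.Subject; KeyBits = $leaf.PublicKey.Key.KeySize }
    }
    finally { $client.Close() }
}

# Inventory the local stores, weakest keys first.
Get-WeakRsaCertificate | Sort-Object KeyBits | Format-Table -AutoSize

# Check one server (placeholder host name, replace with your own).
Get-RemoteRsaKeyBits -HostName 'mail.example.com'

# Turn on the CAPI2 operational log the article mentions, so that chain-building failures
# after the update are recorded under Applications and Services Logs.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
```

Certificates found by the first function are the ones to reissue before the October 9 rollout; a server that the second function reports below 1024 bits will be refused by Internet Explorer and Outlook 2010 once the patch is installed.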

You have one month. Happy hunting! ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/07/microsoft_certificate_update_advisory/

Google beefs up security portfolio with VirusTotal buy

Google has bought online malware-scanning firm VirusTotal and is pledging to keep the service open to support security software vendors.

“We’ve worked hard to ensure that the services we offer continually improve. But as a small, resource-constrained company, that can sometimes be challenging,” the security firm said in its “Inside VirusTotal’s Pants” blog. “So we’re delighted that Google, a long-time partner, has acquired VirusTotal. This is great news for you, and bad news for malware generators.”

VirusTotal was set up in 2007 and uses over 40 different antivirus engines to scan files and URLs for malware for free. Users can upload small files for checking, or just input a URL, to see if it’s on a blacklist, and VirusTotal shares its results with other security vendors to allow them to beef up their defenses.

The computer security industry is unusual in that its members share some of their most valuable data – malware signatures – with competitors. This ensures that new malware is stamped out quickly and the rising tide of security raises all boats. Even Microsoft shares its data, so Google’s pledge to keep sharing is a good sign for the industry.

Google didn’t say how much it is spending to purchase VirusTotal, but it has pledged that it will continue to share information from the service with other vendors. It’s not saying how it will be integrating the VirusTotal technology, but safer searching and better malware security for its Apps platform look the most likely bets.

“Security is incredibly important to our users and we’ve invested many millions of dollars to help keep them safe online,” a Google spokeswoman told El Reg. “VirusTotal also has a strong track record in web security, and we’re delighted to be able to provide them with the infrastructure they need to ensure that their service continues to improve.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/07/google_buys_virustotal/