STE WILLIAMS

SSL BEASTie boys develop follow-up ‘CRIME’ web attack

The security researchers who developed the infamous BEAST attack that broke SSL/TLS encryption are cooking up a new assault on the same crucial protocols.

Online shops, banks and millions of other websites rely on SSL/TLS to encrypt sensitive information sent by punters from their web browsers. The new attack is capable of intercepting these HTTPS connections and hijacking them.

Juliano Rizzo and Thai Duong are due to present their work, dubbed CRIME, at the Ekoparty Security Conference in Argentina this month. The CRIME attack revolves around security shortcomings in TLS, but details are being withheld ahead of the presentation. The researchers warn that all versions of TLS/SSL are at risk – including TLS 1.2 which was resistant to their earlier BEAST (Browser Exploit Against SSL/TLS) technique.

The CRIME vulnerability involves exploiting cryptographic weaknesses present in the protocol. The information leaked provides enough clues to decrypt a user’s supposedly protected cookies, allowing attackers to pose as their victims and hijack secure connections to websites.

“By running JavaScript code in the browser of the victim and sniffing HTTPS traffic, we can decrypt session cookies,” Rizzo told Threatpost. “We don’t need to use any browser plugin and we use JavaScript to make the attack faster, but in theory we could do it with static HTML.”

Last year’s BEAST attack, which targeted block ciphers in CBC mode, was mitigated by reconfiguring web servers to prefer the RC4 stream cipher-suite rather than AES-CBC. CRIME enables miscreants to run man-in-the-middle-style attacks and is not dependent on the cipher-suite in use.

So far, Chrome and Firefox are confirmed to be vulnerable to CRIME, but developers at Google and Mozilla have been given a heads-up on the problem and are likely to have patches available within a few weeks. Duong, who works as an information security engineer at Google, also worked with Rizzo to develop an ASP.NET “padding oracle” exploit, forcing Microsoft to rush out an emergency security patch for the popular web framework. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/07/https_sesh_hijack_attack/

First Irish-speaking virus holds bloke’s computer to ransom

Crooks have created what’s reckoned to be the first computer virus featuring the Irish language.

The malware – dubbed Gaeilge – is a strain of ransomware that locks up an infected computer and attempts to extort €100 from the user for an unlock code. The demand for cash reportedly appeared in poorly written Gaelic, and the software nastie was spotted on a computer in County Donegal, Ireland.

The victim wisely took his compromised machine for repairs rather than handing over money to the crooks. The virus claimed the lock-down was a result of Irish government detecting that the user had accessed online pornography.

Technician Brian McGarvey of Techie2u computer repairs told The Irish Times that it was the first time he’d come across a virus written in the Irish language during his 12 years of experience in the job.

“It’s quite a sophisticated and convincing scam,” he said. “To someone who didn’t have good Irish it looks very legitimate. I suspect they have used some kind of translation transfer and only about 60 per cent of the virus makes sense in Irish. It has a logo which features an Irish flag and it looks quite official.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/07/irish_language_virus/

UPEK fingerprint scanners insecure, says Elcomsoft

Spines in laptop vendor-land are shivering right now with the news that the software bundled with fingerprint scanners from UPEK takes users’ Windows passwords and dumps them in near-plain-text in the registry.

The security howler was turned up in the UPEK Protector Suite, which until recently shipped with laptops using the company’s scanners. While the software was replaced following the merger of UPEK and Authentec, Elcomsoft’s post notes that most users will not have installed the new software.

“UPEK’s implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts,” wrote Elcomsoft’s Olga Koksharova.

“Windows itself never stores account passwords unless you enable “automatic login”, which is discouraged by Microsoft,” she wrote, however: “After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted.”

Elcomsoft identifies Dell, Acer, ASUS, Gateway, Lenovo, MSI, Samsung, Sony, NEC, Toshiba and others as current or former UPEK customers. Lenovo says in a support forum post that it is investigating the issue; The Register’s searches of the other vendors’ sites don’t turn up any other responses as yet.

There are two requirements for the vulnerability to be exploited: the user has to be using the fingerprint scanner as their default Windows login, and an attacker would need physical access to the machine. Elcomsoft recommends that users disable “Windows login” in the UPEK Protector Suite. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/06/dumb_security_in_biometrics/

Assange movie debuts this weekend

Julian Assange continues to insist that Australia’s government has done him no favours, but his nation of birth has supported his cause in one, indirect, way.

Screen Australia, the Australian federal government’s national movie-funding-and-promotion agency, is one of the key production finance investors for the Australian-made biopic, Underground, that traces the WikiLeaks founder’s formative years as a teenage hacker.

The film will make its international debut at the Toronto International Film Festival on Saturday night.

A second screening on Monday will be accompanied by an extended Q&A with Ron Deibert, cyber security and crime adviser to governments and enterprises. Deibert is the director of the Citizen Lab at the Munk School of Global Affairs.

Underground, adapted from the book written by Suelette Dreyfus on Assange’s early days, is one of just five Australian films selected for screening by the festival. Screen Australia is therefore chuffed, with CEO Ruth Harley saying “It is exciting to see Underground recognized by a major international festival like Toronto. This compelling, high-quality thriller will provide audiences with an engaging and iconic Australian story.”

Australian Network Ten, which commissioned the drama, has started a teaser campaign for the local screening of Underground, which is expected to be broadcast shortly after TIFF. The trailer for the film is below.

Assange remains ensconced in the Ecuadorian embassy in London, where he is attempting to avoid arrest and extradition to Sweden. We’ve no idea if anyone plans to smuggle him a DVD of the flick. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/06/assange_biopic_to_debut_at_tiff/

Hackers claim to have Mitt Romney’s tax records

Various media outlets, including El Reg, have been sent a message claiming to be from a hacking group that has stolen the tax records of Mitt Romney and threatens to release them on September 28.

The writer claims to have taken Romney’s 1040 filings from the offices of PricewaterhouseCoopers in Franklin Tennessee and copied them onto flash drives. A copy has been sent to both the Republican and Democratic parties and the author includes a code phrase for use in further emails. Similar messages have also mentioned that the files are available for sale to anyone willing to hand over a million dollars in bitcoins.

PWC has said that as far as it is aware nothing is missing and that the Secret Service has been asked to investigate. The local Republican headquarters in Tennessee has confirmed that it received a package, but handed it straight to the police.

Republican presidential candidate Romney has come under fire in recent months for releasing very little information about how much tax he paid before 2010, although he assures the electorate he has paid at least 13 per cent a year, well below the national average. Democrats have called for him to make more information public, but he is refusing to do so.

But before you get all excited it’s worth taking a step back and thinking this through, as we did at El Reg offices when the message came in. The case has strong similarities to one eight years ago that also came up at the height of a presidential campaign: the Killian papers.

In 2004 President Bush the Younger was facing a re-election campaign against his opponent John Kerry. Kerry had got the nomination in part because he was a Vietnam veteran, whereas Bush had sat out the war as a reservist in Texas.

In September 2004 CBS went public with what it claimed were conduct reports from Bush’s National Guard days, written by his old commanding officer Lieutenant Colonel Jerry B. Killian. The documents stated that Bush had missed a scheduled medical and that pressure was placed on Killian to give the president-to-be a favorable job review.

After the story had broken it almost immediately started to fall apart. Some of the documents were clear forgeries and the person who supplied them to CBS admitted that they had been made up. There were several resignations and the whole thing effectively killed the issue from a political standpoint.

So with this in mind at El Reg we’ve been stepping carefully, checking all available sources and waiting until we saw some evidence before making wild claims. Now that the Secret Service is involved it’s a story of sorts, but even if the final documents do get wide release El Reg would recommend readers keep their skeptics’ hats on tightly until some proof can be found.

Of course, the simple thing to sort out the whole mess would be for Romney to release more than a couple of years of tax information and let people decide for themselves – a practice Romney’s father followed but that the son has yet to emulate. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/07/hackers_romney_tax_records/

Apple Java update fails to address mega-flaw – researcher

Apple released a Java update on Wednesday but it does not tackle a high-profile flaw that has become the target of attacks over recent weeks.

Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 offer patched versions of Java for OS X Lion and Mountain Lion systems that tackle CVE-2012-0547. But this is a different beastie from the CVE-2012-4681 megabug currently stalking Java users, KrebsOnSecurity reports.

Security vulnerabilities in Java are an all-too-real danger for Mac fans, as illustrated by the spread of the infamous Flashback Trojan, which created a 600,000-strong botnet earlier this year. Flashback also exploited a Java hole fixed by Oracle in February, but which had been left unpatched on Mac systems until April, after Flashback had taken hold.

Oracle patched the CVE-2012-4681 megabug with an update to its vulnerable Java Runtime Environment (JRE) 1.7 last week. However Security Explorations, the firm that originally found the flaw, warned that the patch issued by Oracle was itself buggy, without going into details. The original flaw dates from April, but people only really stood up and took notice after exploits began circulating, around two weeks ago.

It’s all very messy.

The most straightforward advice in the midst of this confusion is for users to uninstall Java or, at minimum, disable Java-related browser plugins, which was standard advice from many security firms even before the arrival of Oracle’s emergency fix last week. Most mainstream sites, with the exception of a few e-banking sites, don’t need Java in order to work. Users could use an alternative browser for such sites after disabling Java in their main browser, a move that would greatly reduce their exposure to danger.

Bootnote

Common Vulnerabilities and Exposures (CVE) numbers offer unique, common identifiers for publicly known security vulns. The system goes a long way towards resolving the confusing free-for-all in computer virus naming, where vendors frequently refer to strains of malware by their own internal names (eg, Conficker is also known as Downadup and Kido, and the Love Bug worm also goes by Love Letter and ILOVEYOU).

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/06/apple_java_update/

AVG kicks out new touchy-feely UI to grab smartphone-fondlers

AVG launched a revamped range of its security products on Thursday that it said offered faster scanning and support for the latest touchscreen Windows 8 devices through an updated user interface.

The 2013 vintage of AVG includes new versions of AVG’s consumer products, such as AVG AntiVirus Free, as well as paid-for security products with more features targeted at power user and small businesses, such as AVG AntiVirus.

AVG Internet Security 2013 comes with an integrated security firewall, link scanning (safe surfing), anti-spam, anti-spyware and tech to protect against Wi-Fi hacking. And for the even bigger spenders, there’s AVG Premium Security, which boasts tune-up features and “advanced privacy controls”.

All products in the range offer an active Do Not Track feature, launched back in March, that AVG claims gives users visibility and control over who can see their personal information while they surf the web. The technology enables users to actively block some advertising networks.

Need for speed

AVG Turbo Scan offers a 35 per cent reduction in scan time, while improved heuristics, file reputation and crowd-sourcing have led to an 11 per cent reduction in database size, Yuval Ben-Itzhak, AVG’s CTO, told El Reg.

AVG also offers various mobile security products, including AVG AntiVirus FREE for Android and AVG AntiVirus Pro for Android, as well as AVG Family Safety for iOS and Windows Phone, a free product that offers URL blocking but no anti-malware protection.

“The threat landscape has shifted towards mobile because attacks can be easier to monetise. We’re seeing the same type of attack, often involving social engineering, transferred to mobile,” said Ben-Itzhak.

AVG detected over 370,000 threats specifically targeting mobile devices between April and June 2012. Most of these targeted Android devices. AVG, like other security firms such as Kaspersky Lab, would like to do more to protect iOS devices but is hamstrung by restrictions imposed by Apple. That means that on-access anti-malware scanners for iPhones, for example, are a non-starter.

Security firms are frustrated by this restriction even though it’s hard to argue that it creates a security gap. iOS malware is virtually non-existent and the handful of examples that have appeared have only affected jailbroken devices.

AVG, which competes with the likes of Avast and Avira in the freebie consumer security market, has yet to launch security products for Apple desktops. The firm boasts 128 million “active users”, substantially up on the 98 million it boasted a year ago. A reported 15 million of these punters use paid-for products. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/06/avg_2013_launch/

Wales: We’ll encrypt Wikipedia if reborn gov net-snoop plan goes live

Jimmy Wales, talking in a purely personal capacity, has lambasted Britain’s Home Office for its plans to massively increase online surveillance of all UK citizens. The Maximum Leader says that such a draconian measure would prevent him from plonking Wikipedia servers on Blighty’s soil.

Talking in Westminster last night to a committee of MPs and peers, however, Jimbo omitted to mention that his online encyclopedia outfit has never operated from the UK – and has no intention of ever doing so – because of the nation’s strict laws on defamatory material.

Wales has already launched stinging attacks on the UK’s tight libel legislation. Last night he sneered at what he described as a “technologically incompetent” draft communications data bill, dubbed colloquially a “snoopers’ charter”, that is currently being perused by politicos.

Wales told them:

We don’t have servers in the UK, we would be highly disinclined to collect more data than we actually do, which is very, very little for a variety of reasons including our views on freedom of expression, human rights and what people are reading. But if we find that UK ISPs are mandated to keep track of every single web page that you read on Wikipedia, I’m almost certain – err, I shouldn’t speak for our technical staff – we would immediately move to a default of encrypting all our connections in the UK.

During the same session, Wales also played the think-of-the-children card: he mentioned British startups in – yes – Silicon Roundabout, who could find their innovative app, website or digital toaster stifled by such legislation, if it works its way through Parliament in its current form.

He also described Wikipedia as a “gift” for its users as opposed to other unnamed websites that function by “surveilling you”.

Meanwhile, two key figures in the telco debate relating to mass surveillance of the internet were also speaking to the committee.

Malcolm Hutty of the London Internet Exchange (LINX) and Nicholas Lansman of the Internet Service Providers Association (ISPA) were both on hand to offer up rather less shouty perspectives on the contentious bill.

Both questioned the Home Office’s £1.8bn costing estimate, the majority of which apparently relates to data retention. Over 50 per cent of that cash is set aside for storage, according to previous evidence offered to the committee by the man in charge of the plan, Richard Alcock, whose official title is Director of the Communications Capability Directorate.

Lansman and Hutty also characterised the Home Office’s proposed system as a “profiling engine” to be used by spooks and police but which would probably be maintained by private companies.

And, when quizzed, they both professed themselves to have no idea what the Home Office meant by saying that spooks and cops are currently unable to access 25 per cent of the online data they need to do their work.

Lansman said the figure must have been based on “best guesses”, and Hutty added “25 per cent of what?”

Jimbo simply claimed that the number had been plucked out of “thin air”.

What is now starkly obvious from the Westminster sessions The Register has attended is that the Home Office has so far failed to supply any real technical details on its desired Communications Capability to anyone in the UK internet industry. The bureaucrats of the ministry seem to have learned to be opaque after being carpet-bombed by privacy advocates when they first attempted to introduce the Capability under its old name, the Interception Modernisation Programme. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/06/jimmy_wales_complains_about_uk_snoopers_charter/

Online bank punters tricked into approving theft of their OWN CASH

Security researchers have discovered a malware-based attack against the chipTAN system used by bank customers in Germany to authorise transactions online.

The chipTAN system involves the use of a card reader into which a chip-n-PIN bank card is inserted, which generates a transaction authentication number (TAN) used to green-light a transfer via the bank’s website*.

The Tatanga attack bypasses chipTAN systems by fooling users of malware-infected machines into authorising fraudulent transfers from their accounts, security biz Trusteer warns.

The Tatanga banking Trojan initially injects code into a trusted online banking web page to fool the user into believing that the bank has requested the punter perform a chipTAN “test”. The user is then asked to generate a TAN for the “test” transaction and enter the authorisation code into an HTML page mimicking the look and feel of the bank’s website.

In reality the code is being used to authorise a fraudulent transfer from the user’s online banking account to that of the miscreants.

The malware also covers its tracks; it is designed to replace the user’s transaction history and balance details to hide the fraudulent transfer from the victim.

“ChipTAN systems are considered fairly secure, because the generated TAN takes into account both transaction details and the bank-issued chip-and-PIN card,” said Trusteer’s CTO Amit Klein. “However, this attack demonstrates that by using man-in-the-browser social engineering techniques, financial malware can circumvent chipTAN security. Implementing endpoint protection against advanced malware like Tatanga, ZeuS and others is the only way to make sure that the integrity of second-factor security measures like chipTAN is not compromised.”

More details on the Tatanga attack can be found in a blog post by Trusteer here. ®

* The process is similar to that of the card readers issued by UK banks, except that chipTAN uses an optical reader which the customer must use to scan a “flicker code” shown on-screen on the bank’s website whenever a transaction is requested.
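The flow described above, modelled as an added example rather than code from Trusteer or from any bank: a toy bank issues a flicker code for each pending transfer, a toy reader derives the TAN from the card secret plus the scanned transaction data, and a man-in-the-browser relays the real flicker code while telling the user it is a “test”. The flicker layout, the HMAC-based TAN derivation, the six-digit truncation and the account identifiers are all constructed assumptions for illustration, not the real chipTAN format. The point it makes is that binding the TAN to the transaction defeats replay but not social engineering, because the reader signs whatever the (attacker-controlled) page encodes; the one channel the malware cannot touch is the reader’s own display.

```python
import hashlib
import hmac

# Constructed example: a per-card secret that in reality lives inside the chip.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def encode_flicker(iban: str, amount_cents: int, counter: int) -> bytes:
    """The bank's page encodes the pending transaction for the optical reader.
    Hypothetical 'iban|amount|counter' layout, not the real chipTAN encoding."""
    return f"{iban}|{amount_cents}|{counter}".encode()


def reader_generate_tan(card_key: bytes, flicker: bytes) -> tuple:
    """Model of the card reader: derives the TAN from the card secret and the
    scanned transaction data, and shows the decoded data on its own display."""
    iban, amount_cents, _counter = flicker.decode().split("|")
    tan = hmac.new(card_key, flicker, hashlib.sha256).hexdigest()[:6]
    shown = f"{iban} {int(amount_cents) / 100:.2f} EUR"
    return shown, tan


class Bank:
    """Server side: issues flicker codes for pending transfers and checks TANs."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.counter = 0
        self.pending = {}

    def request_transfer(self, iban: str, amount_cents: int) -> tuple:
        self.counter += 1
        flicker = encode_flicker(iban, amount_cents, self.counter)
        self.pending[self.counter] = (iban, amount_cents, flicker)
        return self.counter, flicker

    def confirm(self, counter: int, tan: str) -> tuple:
        iban, amount_cents, flicker = self.pending.pop(counter)
        expected = hmac.new(self.card_key, flicker, hashlib.sha256).hexdigest()[:6]
        status = "executed" if hmac.compare_digest(tan, expected) else "rejected"
        return status, iban, amount_cents


def honest_session(bank: Bank) -> tuple:
    """The user really wants to pay a shop; page, reader and bank all agree."""
    counter, flicker = bank.request_transfer("DE00SHOP", 4999)
    _shown, tan = reader_generate_tan(CARD_KEY, flicker)
    return bank.confirm(counter, tan)


def tatanga_session(bank: Bank, user_reads_reader: bool) -> tuple:
    """Man-in-the-browser: the injected page tells the user this is a 'test',
    but the flicker code it relays belongs to a real transfer to a mule account."""
    counter, flicker = bank.request_transfer("DE99MULE", 250000)
    shown, tan = reader_generate_tan(CARD_KEY, flicker)
    # A user expecting a 'test' should be alarmed that the reader displays a
    # concrete recipient and amount; that display is the only untampered channel.
    if user_reads_reader:
        return "aborted", shown, None
    # A careless user types the TAN into the fake page and the malware forwards it.
    return bank.confirm(counter, tan)


def replay_session(bank: Bank) -> tuple:
    """What the transaction binding does protect against: a TAN generated for
    one transfer does not authorise a different one."""
    counter_a, flicker_a = bank.request_transfer("DE00SHOP", 4999)
    _shown, tan_a = reader_generate_tan(CARD_KEY, flicker_a)
    bank.pending.pop(counter_a)  # the user never submitted this one
    counter_b, _flicker_b = bank.request_transfer("DE99MULE", 250000)
    return bank.confirm(counter_b, tan_a)


if __name__ == "__main__":
    bank = Bank(CARD_KEY)
    print("honest   :", honest_session(bank))
    print("tatanga  :", tatanga_session(bank, user_reads_reader=False))
    print("careful  :", tatanga_session(bank, user_reads_reader=True))
    print("replay   :", replay_session(bank))
```

Running it shows the honest transfer and the social-engineered mule transfer both executing with valid TANs, the replayed TAN being rejected, and the careful user aborting because the reader displayed a recipient when the page promised a mere test. The design choice worth noting is that the bank never learns what the browser showed the user; it only sees a correctly bound TAN, which is why Trusteer points at the endpoint rather than the protocol.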

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/06/german_chiptan_bank_attack/

Huawei denies spying, calls for global security standards

Even as execs of the Chinese telecom giant Huawei prepare to testify before Congress over concerns that the company’s networking equipment may pose a security threat to US infrastructure, the company issued a public statement claiming that it has never participated in cyber espionage or any other illegal act, and that it would never do so.

That claim comes in a new report written by John Suffolk – a former UK government CIO who now serves as Huawei’s global cyber security officer – with the rather tongue-tying title of “Cyber Security Perspectives: 21st century technology and security – a difficult marriage.”

Huawei, like its Chinese competitor ZTE, has been under investigation by the House of Representatives Permanent Select Committee on Intelligence for nearly a year, after multiple US government and military officials raised concerns about both companies’ ties to the Chinese government.

In the report, which Suffolk describes as “an open and frank perspective” on Huawei’s views regarding cyber security and its impacts, the company asserts that the negative attention it has received is unfair and that espionage would be against its business interests:

For our survival, we have never damaged any nation or had the intent to steal any national intelligence, enterprise secrets or breach personal privacy and we will never support or tolerate such activities, nor will we support any entity from any country who may wish us to undertake an activity that would be deemed illegal in any country.

That’s a line Huawei will no doubt repeat when it appears before the House Intelligence Committee in hearings that are expected to commence as early as this week. But critics in the US and elsewhere maintain that “Chinese actors” are among the most active perpetrators of cyber espionage, and that Huawei’s equipment could be rigged to make such attacks easier.

That’s just politics, Suffolk says.

In his paper he describes Huawei as “a global organisation doing business in over 140 countries.” Furthermore, he questions whether, in the era of the global supply chain, it is valid or even helpful to label a company’s products as “foreign developed”:

Alcatel-Lucent has one third of its global manufacturing done by Shanghai Bell; Ericsson’s joint-venture Nanjing Ericsson Panda Communications Co. has become the largest supply centre of Ericsson in the world; at the end of 2011, Nokia Siemens Networks had 10 manufacturing facilities worldwide: 5 in China (Beijing, Shanghai, Tianjin, Hangzhou and Suzhou), and 2 in India – is what they do “foreign developed”?

Suffolk goes on to criticize the lack of laws, norms, standards, and protocols with regard to cyber security, and says the current environment allows nearly anyone to use malware and other internet-based attacks with impunity.

“If we accept this route, then we must stop complaining and accept the consequences of the cyber race to the bottom of the pit and the return of the Wild West,” he writes.

In an apparent jab against the US and its allies, which have all but admitted using state-sponsored malware in recent attacks on Iran and other targets, Suffolk warns that the lack of international law governing cyber security may soon have severe consequences.

“If governments are indeed involved in the acquisition of zero-day exploits or are developing or ‘weaponising’ attack software, such as Flame and Stuxnet,” Suffolk writes, “the phrase ‘what we sow we reap’ springs to mind.”

Suffolk says the correct approach would be for governments and companies to collaborate on international standards of data protection on a global basis. In the current regulatory environment, he says, Huawei and other companies must comply with different standards for each jurisdiction, which can be prohibitively difficult.

As to the issue of cyber espionage, Suffolk points out that no amount of international regulation or actions by vendors are likely to prevent governments from conducting intelligence activities over the internet, now that it has become central to so much of daily life.

“It is important to keep in mind that throughout history, spying and espionage have continually played a role in diplomacy, for better or for worse,” Suffolk writes.

How much weight such arguments will carry in Congress is questionable, however, and for Huawei the stakes are high. In a statement issued last November, House Intelligence Committee chair Mike Rogers cautioned American businesses not to buy more Huawei kit “until we can fully determine their motives.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/huawei_denies_spying/