STE WILLIAMS

Microsoft denies Windows 8 app spying via SmartScreen

Microsoft has moved to quell fears that Windows 8 is building up a detailed record of every application installed on client machines through its SmartScreen feature.

An analysis by security researcher Nadim Kobeissi flagged a potential privacy problem in Windows 8’s SmartScreen system, which checks applications the user wants to install against Microsoft’s database of known dodgy code and warns the user if Redmond’s records suggest there may be a problem.

“The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install,” Kobeissi wrote. “This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users.”

To make matters worse, the install logs sent to Microsoft could be snooped by third parties, the researcher claimed, because the SmartScreen servers accepted connections over SSLv2, a protocol with known, exploitable weaknesses. SmartScreen can be turned off, but doing so is not easy, and the OS periodically reminds you to turn it back on.

The thought of Microsoft holding a log of every application on a client system predictably raised hackles in parts of the IT community. Stories like this elicit fears in some quarters that all the data is fed back to a secret room in Redmond, where it is examined by the FBI, RIAA, or the Rand Corporation, in conjunction with the saucer people, under the supervision of the reverse vampires.

“We can confirm that we are not building a historical database of program and user IP data,” a spokesperson told El Reg. “Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users’ privacy on the backend. We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties.”

As for concerns over leakage via SSLv2, Microsoft said that Windows 8 will not use the protocol and that the SmartScreen servers do not support it. Kobeissi notes that a fresh scan of the servers, 14 hours after he published, showed no SSLv2 support, although he stands by his original findings.
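
The SSLv2 question can be settled directly rather than by trusting a scanner’s summary. The block below is an added example, not Kobeissi’s scanner or any code from the article: it sends a raw SSLv2 CLIENT-HELLO and reports whether the server answers with an SSLv2 SERVER-HELLO, which a TLS-only server never will. The cipher identifiers are the ones from the SSLv2 specification; the sample responses are constructed for offline use, and probe_sslv2() is a name chosen here.

```python
"""Probe a server for SSLv2 by sending a raw SSLv2 CLIENT-HELLO.

Added example, not from the article. SSLv2 records carry a two-byte header
(high bit set, 15-bit length) and the CLIENT-HELLO predates TLS framing, so a
v2-capable server replies with SERVER-HELLO (type 0x04) while a TLS-only server
returns an alert or drops the connection. The sample responses at the bottom
are constructed, not captured from any real host.
"""
import os
import socket
import struct

SSL2_CLIENT_HELLO, SSL2_SERVER_HELLO, SSL2_VERSION = 0x01, 0x04, 0x0002

# Three-byte cipher-kind identifiers from the SSLv2 specification.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge=None):
    """CLIENT-HELLO offering every v2 cipher kind, with no session id."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSL2_CIPHERS)
    body = struct.pack(">BHHHH", SSL2_CLIENT_HELLO, SSL2_VERSION,
                       len(ciphers), 0, len(challenge)) + ciphers + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body   # 2-byte v2 record header


def parse_server_hello(data):
    """Parsed SERVER-HELLO as a dict, or None if `data` is not one."""
    if len(data) < 2 or not data[0] & 0x80:
        return None                              # TLS record (0x15/0x16) or junk
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != SSL2_SERVER_HELLO:
        return None
    hit, cert_type, version, cert_len, cipher_len, conn_len = struct.unpack(">BBHHHH", body[1:11])
    if version != SSL2_VERSION or len(body) < 11 + cert_len + cipher_len + conn_len:
        return None                              # not v2, or a truncated record
    specs = body[11 + cert_len:11 + cert_len + cipher_len]
    return {
        "version": "SSLv2",
        "certificate_len": cert_len,
        "ciphers": [SSL2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
                    for i in range(0, cipher_len, 3)],
    }


def _recv_record(sock):
    """Read one complete SSLv2 record, or whatever non-v2 bytes the peer sends."""
    head = sock.recv(2)
    if len(head) < 2 or not head[0] & 0x80:
        return head + sock.recv(4096)
    need = struct.unpack(">H", head)[0] & 0x7FFF
    buf = bytearray()
    while len(buf) < need:
        chunk = sock.recv(need - len(buf))
        if not chunk:
            break
        buf += chunk
    return head + bytes(buf)


def probe_sslv2(host, port=443, timeout=5.0):
    """Live check: the parsed SERVER-HELLO if the peer speaks SSLv2, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            return parse_server_hello(_recv_record(s))
    except OSError:
        return None          # reset or timeout: v2 refused (or host unreachable)


# Constructed responses for offline use: a v2 SERVER-HELLO with no certificate,
# two cipher kinds and a 16-byte connection id, and a TLS 1.0 handshake_failure alert.
_hello_body = (bytes([SSL2_SERVER_HELLO]) + struct.pack(">BBHHHH", 0, 1, SSL2_VERSION, 0, 6, 16)
               + b"\x01\x00\x80\x07\x00\xc0" + b"\x00" * 16)
SAMPLE_V2_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_hello_body)) + _hello_body
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_V2_SERVER_HELLO))
    print(parse_server_hello(SAMPLE_TLS_ALERT))
```

A None from probe_sslv2() means only that this peer did not complete an SSLv2 handshake. A load-balanced service can answer differently from one front-end to the next, and a TLS-terminating proxy in front of the origin changes the answer entirely, which is one reason two scans of the same name a few hours apart can disagree.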

Lest you think that Kobeissi is some tinfoil-hat type, he is a respected security researcher in his field. Kobeissi, a Canadian of Lebanese extraction, invented the Cryptocat encrypted chat application and is a strong anti-censorship campaigner.

But while in this case it appears that Microsoft is in the clear, there is still room for improvement. At present SmartScreen validates a downloaded application by looking it up in the reputation database held at Redmond, so an identifier for each app necessarily leaves the client. Kobeissi points out that this need could be eliminated if the reputation data were stored locally on the client and updated regularly. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/25/windows8_smartscreen_spying/

Hotel keycard firm issues fixes after Black Hat hacker breaks locks

Hotel lockmaker Onity has developed fixes to safeguard millions of hotel keycard locks against an attack demonstrated at the Black Hat conference last month. But the more comprehensive of the two approaches involves a partial hardware replacement that will cost hotels a substantial amount of cash to apply.

Mozilla software developer turned security researcher Cody Brocious used an Arduino micro-controller costing around $50 to build an effective hack against hotel keycard locks, which he demonstrated at last month’s Black Hat security conference in Las Vegas. The attack involves plugging the homemade device into the data port on the underside of Onity’s locks, reading out the lock’s memory to recover a decryption key, and then using that key to forge an “open door” command. Brocious’s cheap rig spoofs the portable programmers, gadgets designed to let hotels change the settings on locks supplied by Onity.

The hack is only possible because of two interlinked problems: the ability to read memory from the vulnerable electro-mechanical locks over their programming port, and flawed cryptography in the keycard system itself.

Onity (which initially dismissed the door springing hack as “unreliable, and complex to implement”) has come up with two mitigations against the attack, the most effective of which will necessitate its hotelier customers shelling out some more cash.

The entry-level (free) fix consists of a physical plug that blocks access to the portable-programmer port of potentially vulnerable HT series locks, coupled with a switch to less common Torx screws to make it more difficult for would-be intruders to open the lock’s case and reach its internals.

The second, more rigorous, fix involves upgrading the firmware of potentially vulnerable HT and ADVANCE series locks together with manually replacing the locks’ circuit boards. This more comprehensive fix comes with a fee covering parts, shipping and labour. Older locks will be more expensive to upgrade, although there will be a special pricing programme, as a statement by Onity explains.

Both fixes will be available from the end of August.

It’s unclear how much Onity’s upgrade of its widely used hotel keycard locks will end up costing either hotel chains or Onity itself. Criticism has been voiced over the fact that hotel chains will have to pay out to get comprehensive remediation against a problem that’s not of their making. “Given that it won’t be a low-cost endeavour, it’s not hard to imagine that many hotels will choose not to properly fix the issues, leaving customers in danger,” Brocious said.

“If such a significant issue were to exist in a car, customers would likely expect a complete recall at the expense of the manufacturer. I can’t help but feel that Onity has the same responsibility to their customers, and to customers staying in hotels protected by Onity locks.”

Brocious also expressed doubts about the likely efficacy of the mitigations proposed by Onity, as explained in some depth in a blog post on the subject here.

Onity’s keycard locks secure access to an estimated four million hotel rooms worldwide. Brocious chose not to give Onity advance warning of the attack before his Black Hat demonstration. His former employer is also alleged to have sold a licence to use his hotel keycard-hacking technique to a locksmith training firm for $20,000 long before his presentation, Forbes reported.

Brocious said that the nature of the vulnerability was so fundamental that it had probably been an open secret for years. “With how stupidly simple this is, it wouldn’t surprise me if a thousand other people have found this same vulnerability and sold it to other governments,” Brocious told Forbes. “An intern at the NSA could find this in five minutes.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/24/hotel_keylock_hack/

Shove off Prince Harry, now Norway’s teen royal in fresh photo uproar

Blighty’s playboy Prince Harry isn’t the only royal hitting tabloid headlines for inappropriate snaps: Norway’s monarchy has defended one of its own blue-blooded teens after his web photo uploading spree supposedly sparked a security scare.

Marius Borg Høiby, 15, took photographs while on holiday and published them using a personal Instagram account, Norwegian mass-market newspaper VG reports. The pictures carried GPS information pinpointing the location of royal relatives in near real time, a potentially significant security lapse.

Høiby, the son of Crown Princess Mette-Marit from an earlier relationship prior to her marriage to Norwegian Crown Prince Haakon, openly shared more than 100 images from a publicly accessible account for more than a year, allowing citizens to get an insight into the secret life of the Norwegian royal family.

The snaps showed Høiby and his family in Oslo among other places they visited – a far cry from the blurry images that emerged this week of a naked Prince Harry revelling in a Las Vegas hotel.

However, perhaps more seriously Høiby also divulged information about his family’s upcoming sensitive travel plans. Høiby is half brother to Princess Ingrid Alexandra and Prince Sverre Magnus, heirs to the Norwegian throne, but is not himself a prince.

Norway’s police intelligence unit, the Politiets sikkerhetstjeneste (PST), is under fire for failing to inform the royal family about the potential drawbacks of sharing too much info on social networks.

However, yesterday the monarchy issued a robust defence of the teenager’s actions, according to local reports. In an open letter to VG editor Torry Pedersen, Crown Princess Mette-Marit questioned the uproar over the photos, pointing out that the family’s residences and trips are a matter of public record. She added that the offending Instagram account had been cancelled, a sly admission that revealing a live feed of the royal family’s exact whereabouts was perhaps not the best idea.

Location tagging is a common feature of current digital cameras and smartphones. The GPS coordinates are embedded in the photo’s Exif metadata and can be read straight out of files uploaded to the web, unless the image hosting service strips that information on upload. The US and British armed forces have restricted the use of mobile phones in war zones because geo-tags could so easily give away the location of soldiers.
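
To show how little it takes to read a geotag, here is an added example (not code from the article, Instagram or Sophos) that walks a JPEG’s Exif APP1 segment, pulls the GPS sub-IFD, converts the degree/minute/second rationals into signed decimal degrees, and shows the hosting-side defence of dropping the APP1 segment before publishing. Only the standard library is used. The sample photo is constructed in the block, in the same layout a camera writes; the coordinates are an illustrative point in central Oslo, not taken from any of the photos in the story.

```python
"""Read, and strip, the GPS geotag a camera writes into a JPEG's Exif data.

Added example, not code from the article. The tag lives in the APP1 segment:
a TIFF header, IFD0, and a GPS sub-IFD reached via tag 0x8825. The sample JPEG
is constructed here; 59.917 N, 10.7275 E (central Oslo) is illustrative only.
"""
import struct

GPS_INFO_TAG = 0x8825                          # IFD0 entry -> GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _dms(deg):
    # |deg| -> [(deg,1), (min,1), (msec,1000)] RATIONAL pairs, as cameras store it
    deg = abs(deg)
    d = int(deg)
    m = int((deg - d) * 60)
    s = round(((deg - d) * 60 - m) * 60 * 1000)
    return [(d, 1), (m, 1), (s, 1000)]


def build_geotagged_jpeg(lat, lon):
    """Constructed sample: a minimal JPEG whose APP1/Exif holds only a GPS IFD."""
    gps_off = 8 + 2 + 12 + 4                   # IFD0 (one entry) ends at 26
    lat_off = gps_off + 2 + 4 * 12 + 4         # rationals follow the GPS IFD
    lon_off = lat_off + 24
    tiff = b"MM" + struct.pack(">HI", 0x2A, 8)                    # big-endian TIFF header
    tiff += struct.pack(">HHHII", 1, GPS_INFO_TAG, TYPE_LONG, 1, gps_off) + struct.pack(">I", 0)
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI4s", TAG_LAT_REF, TYPE_ASCII, 2, b"N" if lat >= 0 else b"S")
    tiff += struct.pack(">HHII", TAG_LAT, TYPE_RATIONAL, 3, lat_off)
    tiff += struct.pack(">HHI4s", TAG_LON_REF, TYPE_ASCII, 2, b"E" if lon >= 0 else b"W")
    tiff += struct.pack(">HHII", TAG_LON, TYPE_RATIONAL, 3, lon_off)
    tiff += struct.pack(">I", 0)                                  # no further IFD
    for deg in (lat, lon):
        tiff += b"".join(struct.pack(">II", n, d) for n, d in _dms(deg))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment ahead of the scan data."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI or SOS: no more metadata
            return
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, end
        pos = end


def find_exif(jpeg):
    """The TIFF blob inside the APP1/Exif segment, or None if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    for marker, start, end in _segments(jpeg):
        body = jpeg[start + 4:end]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return body[6:]
    return None


def strip_exif(jpeg):
    """Hosting-side defence: copy the file without any APP1 segment (Exif or XMP)."""
    out, keep_from = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1:
            out += jpeg[keep_from:start]
            keep_from = end
    return bytes(out + jpeg[keep_from:])


def _entries(tiff, off, e):
    """Iterate one IFD: (tag, type, count, raw 4-byte value-or-offset)."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[p:p + 8])
        yield tag, typ, count, tiff[p + 8:p + 12]


def extract_gps(tiff):
    """(lat, lon) in signed decimal degrees from a TIFF/Exif blob, else None."""
    if not tiff or len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"                   # Exif may use either byte order
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    gps = [struct.unpack(e + "I", v)[0]
           for t, _, _, v in _entries(tiff, ifd0, e) if t == GPS_INFO_TAG]
    if not gps:
        return None
    f = {}
    for tag, typ, count, val in _entries(tiff, gps[0], e):
        if typ == TYPE_ASCII and count <= 4:                # short strings sit in-line
            f[tag] = val.split(b"\0")[0].decode("ascii", "replace")
        elif typ == TYPE_RATIONAL and count == 3:           # 24 bytes -> val is an offset
            off = struct.unpack(e + "I", val)[0]
            n = struct.unpack(e + "IIIIII", tiff[off:off + 24])
            d, m, s = (n[i] / n[i + 1] if n[i + 1] else 0.0 for i in (0, 2, 4))
            f[tag] = d + m / 60 + s / 3600
    if TAG_LAT not in f or TAG_LON not in f:
        return None
    lat = -f[TAG_LAT] if f.get(TAG_LAT_REF) == "S" else f[TAG_LAT]
    lon = -f[TAG_LON] if f.get(TAG_LON_REF) == "W" else f[TAG_LON]
    return round(lat, 6), round(lon, 6)


if __name__ == "__main__":
    photo = build_geotagged_jpeg(59.917, 10.7275)
    print("as uploaded:", extract_gps(find_exif(photo)))
    print("after strip:", extract_gps(find_exif(strip_exif(photo))))
```

Dropping the whole APP1 segment is deliberate: rewriting only the GPS entries leaves the rest of the Exif block and any XMP packet in place, and both can carry location and other identifying fields. The trade-off is that orientation and colour-profile data go with it, which is why sites that strip metadata usually re-encode the image rather than patch it.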

More commentary on the information security aspects of the incident can be found in a blog post by web security firm Sophos here.

The royal geo-tagging rumpus, which fuelled a debate about the Norwegian government’s attitudes about public safety, was overshadowed by today’s court ruling that Anders Breivik, who killed 77 people in Oslo and the island of Utøya, was sane when he carried out the atrocity in July 2011. He was jailed for 21 years but could be kept behind bars for longer if he poses a threat to society. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/24/instagram_norwegian_royals_security_rumpus/

Security biz U-turns on Gauss, Flame joint cyberspy hub claim

Computer security biz FireEye has withdrawn claims that the Gauss and Flame super-viruses may be linked.

This is after it emerged that what FireEye had thought was a shared command-and-control server, used to send instructions to PCs compromised by the malware, was actually a “sinkhole” maintained by rival researchers at Kaspersky Lab.

FireEye had noticed communications from both virus strains were heading to the same IP address – but this was a system set up by the Russian lab, which had asked DNS providers to redirect data sent from the two software nasties so as to examine their network traffic.

Staff from Kaspersky came forward to explain their role after FireEye published a blog post asserting that whoever created Flame must also have created Gauss, a conclusion FireEye researchers quickly withdrew. Kaspersky experts had previously pointed to some coding similarities between the two malware strains, both of which have been linked to presumably state-sponsored espionage in the Middle East.

“In light of new information shared by the security community, we now know that our original conclusions were incorrect and we cannot associate these two malware families based solely upon these common CnC coordinates,” FireEye researchers conceded in an updated blog post.

“We apologise for any confusion that has resulted from our earlier assumptions. Unfortunately, the lack of a common information exchange about such activities can result in misleading conclusions.”

Sinkholes do not advertise themselves as such, so innocent mistakes along these lines are more or less inevitable in the absence of better communication among security firms. For example, an analysis of malicious botnet command-and-control servers by security outfit Damballa a couple of years back failed to factor in the existence of deliberately established sinkholes, leading to incorrect conclusions as a result. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/24/fireeye_gauss_reverse_ferret/

Pentagon develops ‘Plan X’ for next-gen online combat

The Pentagon is asking for submissions for its next generation of online defenses with a workshop organized by the Defense Advanced Research Projects Agency (DARPA) to develop the tools to protect US networks.

The Foundational Cyberwarfare (Plan X) Proposers’ Day Workshop will be held on September 27 at DARPA’s conference center in Arlington, Virginia. There the Plan X team will explain the goals of the project, demonstrate some of the tools and concepts needed, and solicit private sector support.

Attendance for some sessions is strictly limited to those with a “Secret” clearance level and above. Members of the press or public are expressly forbidden to take part.

DARPA is seeking bidders to develop defensive online capabilities and it isn’t looking for offensive input, it states, which is in line with NATO policy. Plan X calls for “revolutionary technologies for understanding, planning, and managing cyberwarfare in real-time, large-scale, and dynamic network environments.”

Topping the list of tools wanted are automated network monitoring and reconnaissance systems to detect attacks and visualize the network’s structure. The next step is to augment these with a series of semi-automated mission plans to counter popular attack vectors using a “human-on-the-loop interface, similar to the auto-pilot function in modern aircraft.”

As you’d expect, there’s a distinctly military mindset to the proposed plan. Along with automated network reconnaissance tools and tactical planning tools, DARPA is looking for the development of “battle units” that can act as hardened monitoring and communications platforms and provide “weapon deployment.”

Plan X is also looking for a real BOFH team to run the new platform, although presumably you’d have to have no skeletons in your server room, which rules out many. Successful contractors will be based in the DARPA cyberwar laboratory, although use of outside facilities is allowed under some circumstances.

At this year’s Black Hat USA, online attacks by foreign intelligence agencies were rated the biggest online threat by the former computer security head of the FBI – although, as was repeatedly pointed out by speakers, that war may already have been lost. As conference founder, ICANN CSO, and advisor to the Department of Homeland Security Jeff Moss noted, the US is being comprehensively pwned.

“Certain other nations have actual industrial policy which says we’ll go out and mine secrets of our competitors and we’ll share that information,” he said last month. “We don’t do that in the US, we’ve never done that. So we’re out there with one arm behind our back.”

DARPA did stress that Plan X is “explicitly not funding research and development efforts in vulnerability analysis or cyberweapon generation,” and this may be so – after all, that may be handled by another department. But talk of weapon-deploying battle units, coupled with recent cloud security efforts, does make one wonder how geared up Uncle Sam is getting. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/23/pentagon_planx/

LulzSec sneak Sabu buys six more months of freedom

Hector Xavier Monsegur, aka Sabu, who allegedly led and then sold out the LulzSec hacking group, has bought himself another six months of freedom from the big house.

The US Department of Justice has filed a motion in the New York courts to keep Monsegur on the streets until February 2013 due to his “ongoing cooperation with the government.” Monsegur unsurprisingly offered no contest to the motion, and has reportedly missed earlier court appearances over fears for his personal safety.

Monsegur is claimed to be one of the key figures behind the LulzSec hacking spree, a 50-day DDoS and defacement campaign against websites including the CIA, the UK’s Serious Organised Crime Agency, security firm HBGary, and softer targets like Sony, Fox, and PBS. His role as an informant led to the almost complete takedown of the LulzSec group, according to the US authorities.

He was caught after failing to disguise his IP address and was arrested in June 2011. He promptly pleaded guilty to charges that could carry up to 124 years and six months in prison, but agreed to carry on his role within the group for several months. Monsegur collected information on current and planned targets and worked to limit the scope of any further attacks.

Photo caption: An eminently trustworthy character

In August 2011, Monsegur’s mission led to the arrests of suspects in the US, UK, and Ireland. As a result, Essex boy Ryan Cleary is facing multiple charges on both sides of the Atlantic for hacking offences. Information Monsegur provided also earned a 30-month jail term for James Jeffery after he hacked British Pregnancy Advisory Service data.

The court documents don’t specify if Sabu is still actively helping with new investigations or just clearing up the old ones. Given the length of the sentence hanging over him, the US government is going to want its money’s worth – so maybe, in time, he’ll imitate fraudster Frank Abagnale on the conference circuit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/23/lulzsec_sabu_freedom/

McAfee splats bug that knocked punters offline

Antivirus maker McAfee has fixed a problem that cut off punters’ internet connections earlier this week.

The snafu, caused by a dodgy update for the Intel-owned malware whack-a-mole product, also knackered enterprise versions although it didn’t send users offline. For both the consumer and business builds, the error was traced back to buggy virus definition files, specifically those numbered 6807 and 6809. Fixing the problem involves applying newer functioning updates.

Among those hit were users of BT’s broadband service, which bundles McAfee security technology, prompting the telco to advise customers to reinstall the security software (branded as BT NetProtect Plus) on Monday.

McAfee’s corresponding confession is here. As an FAQ on the bug explains, affected customers were either left without a functioning internet connection or unable to perform any actions in the McAfee Security Center console.

“This problem caused me hours of frustration and anguish, and almost cost me a new router,” Scott, a Reg reader who gave us a heads-up on the gaffe, said.

McAfee also published a preliminary advisory with workarounds for users of its VirusScan Enterprise 8.8 corporate security software. A more detailed note issued on Wednesday provides a more complete fix for sysadmins to apply.

Misfiring definition updates are a well-known Achilles’ Heel of security scanners, akin to punctures in pneumatic tyres, and all vendors experience problems in this area from time to time. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/23/mcafee_net_cutoff_bug/

Study: If your antivirus doesn’t sniff ‘new’ malware in 6 days, it never will

Mainstream antivirus software only has a small window for detecting and blocking attacks, according to a controversial new study.

Host-based intrusion prevention firm Carbon Black found that if an antivirus package had failed to detect a piece of ‘new’ (recently discovered) malware within six days of its first being detected by another firm, the chances were it still wouldn’t detect the sample even 30 days later. Carbon Black reached the finding after running an experiment assessing the effectiveness of 43 antivirus products in detecting 84 random malware samples using the VirusTotal website.

However David Harley, a senior research fellow at antivirus vendor Eset, said that the study has several methodological drawbacks that he believes make its conclusions potentially misleading.

For example, the packages available through VirusTotal are not the same as their desktop equivalents, he says. In addition, as Carbon Black itself notes, the study only looked at static signature detection, one of several ways that modern security packages block malicious code. Another potential problem fingered by Harley was that the malware samples (drawn from malc0de.com) might simply be potentially unwanted applications that some anti-virus packages deliberately omit to detect. These and other reservations are noted in a detailed blog post by Harley here.

The Carbon Black experiment showed that multiple antivirus products provided better protection than just one, as expected, but it also showed that if signatures for a malware sample were not added within a few days of the sample first appearing, they were likely to be permanently absent. “We found that the average new detections per day dropped to nearly zero after day six,” Carbon Black researchers explain in a blog post. “What this means is that, on average, if AV doesn’t detect a piece of malware almost immediately, it likely never would.” Carbon Black’s findings fly in the face of received wisdom that, given sufficient time, almost every piece of malware will be detected by all antivirus products. Harley said that, despite his reservations about Carbon Black’s methodology, it may have a point.

“Stuxnet and its siblings have proved pretty conclusively that the entire security industry can completely miss a significant threat for extended periods,” Harley concludes. “It’s probably safe to assume that there are threats that are never detected by any product.”

However Harley added a caveat that in most cases “detection of significant, active threats” cascades through the industry so that protection against high-profile threats is offered by most vendors within days.

A month is a long time in malware detection

A second separate experiment by Carbon Black found some antivirus packages detected fewer malware samples on day 30 than on day one. Carbon Black suggests the reason for this may be that antivirus firms are removing detection for malware samples that are no longer in circulation.

Eset’s Harley disputes these findings. “I doubt if any mainstream vendor pulls a detection within 30 days of an initial detection just to make room for another detection. If a vendor stops detecting something, it’s likely to be something else entirely: recognition of a false positive, reclassification (for instance as Possibly Unwanted), or even a process error,” he writes.

Carbon Black concludes that its research suggests antivirus firms are struggling to develop signatures for the hundreds of thousands of malware samples they receive every day. Even with generic detection of malware strains, the whole system is inundated, it suggests.

Again Harley demurs. “Modern products are indeed highly generic in their approach to detections (signatures, if you insist, though that term is misleading)… But we don’t just add a detection for each processed sample, we modify a detection as necessary,” Harley explains. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/23/anti_virus_detection_study/

Password hints easily snaffled from Windows PCs

Punters’ password hints are easily extracted from the latest Microsoft Windows machines, security researchers have discovered.

Trustwave SpiderLabs uncovered a registry value called “UserPasswordHint” during wider research into how the Redmond operating system stores password hashes. Subsequent work showed it was easy to extract and decode password hints from the registry on both Windows 7 and Windows 8 machines. The value is not encrypted: it is simply the hint text stored as UTF-16LE, which is why a hex dump shows each character followed by a zero byte.

So an eight-line script was all it took to recover the clear-text hints. The researchers have added password hint decoding to Metasploit, the widely used computer security tool that has applications in both penetration testing and hacking.
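
The decoding the researchers describe comes down to a UTF-16LE decode. As an added example (not the SpiderLabs script or the Metasploit module), the block below parses a `reg export` of the SAM hive, which is how a tester usually ends up looking at these values offline, and returns each user’s RID and hint. The SAM key path it matches is the standard per-user location, which the article does not spell out; the .reg text is constructed here, not a real machine’s export. Reading the live SAM requires SYSTEM privileges.

```python
r"""Pull UserPasswordHint values out of a `reg export` of the SAM hive.

Added example, not the SpiderLabs script or the Metasploit module. Each user key
under SAM\SAM\Domains\Account\Users\<RID> (the standard SAM layout; the article
does not give the path) may hold a REG_BINARY UserPasswordHint. The bytes are the
hint as UTF-16LE text plus a NUL terminator, which is why an ASCII hint looks
like letters interleaved with zero bytes. The .reg text below is constructed.
"""
import re

HINT_VALUE = "UserPasswordHint"
USER_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\([0-9A-Fa-f]{8})\]$")
HEX_VALUE = re.compile(r'^"([^"]+)"=hex:([0-9A-Fa-f,]*)$')


def decode_hint(raw):
    """REG_BINARY -> text. A real UTF-16LE decode, not 'drop the zero bytes',
    so hints with accented or non-Latin characters survive too."""
    return raw[:len(raw) & ~1].decode("utf-16-le", "replace").rstrip("\x00")


def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash, then indented data)."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg_export(text):
    """Map RID (int) -> hint for every user key that carries a UserPasswordHint."""
    hints, rid = {}, None
    for line in _logical_lines(text):
        m = USER_KEY.match(line)
        if m:
            rid = int(m.group(1), 16)
            continue
        if line.startswith("["):            # some other key: stop attributing values
            rid = None
            continue
        v = HEX_VALUE.match(line)
        if rid is not None and v and v.group(1) == HINT_VALUE:
            hints[rid] = decode_hint(bytes.fromhex(v.group(2).replace(",", "")))
    return hints


# Constructed sample export: RID 500 (built-in Administrator) has no hint, RID 1001
# has an ASCII hint split across a continuation line, RID 1002 a non-ASCII hint.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4]
"F"=hex:02,00,01,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003E9]
"F"=hex:02,00,01,00,00,00,00,00
"UserPasswordHint"=hex:6d,00,79,00,20,00,64,00,6f,00,67,00,27,00,73,00,20,00,\
  6e,00,61,00,6d,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EA]
"UserPasswordHint"=hex:e9,00,74,00,e9,00,20,00,32,00,30,00,31,00,32,00,00,00
"""

if __name__ == "__main__":
    for rid, hint in sorted(parse_reg_export(SAMPLE_REG_EXPORT).items()):
        print(f"RID {rid}: {hint!r}")
```

`reg export` writes UTF-16 with a byte-order mark, so open the file with `encoding="utf-16"` before passing its text in. The second sample user shows why a proper decode matters: the é in that hint is the single byte e9 followed by 00, so a one-liner that merely deletes zero bytes hands back something that is no longer valid ASCII, while the UTF-16LE decode returns the hint as typed.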

Obtaining password hints would narrow things down for a hacker running a brute-force or social engineering attack. However other security researchers have noted that password hints aren’t supposed to be secret.

A hint can easily be extracted from Mac OS X machines too, according to Mac and smartphone security expert Graham Lee. Password hints are, by their very nature, a security trade-off. “You increase the risk of telling others about your password in return for reducing the risk that you’ll forget it yourself,” Lee explained. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/23/password_hint/

Red alert! Google assembles crack team to AVOID privacy gaffes

Google has answered the beeping red telephone, pressed the red button and assembled a “red team” as it’s known in security parlance – all after seeing red over the US Federal Trade Commission’s small-change fine for tracking Safari users.

The team will try to crack Google’s software and penetrate its networks to critically examine the ad giant’s engineering skills, a move supposedly in response to the embarrassing privacy cock-up relating to Apple’s web browser, which the FTC recently settled.

Security outfit Kaspersky Lab reported in a blog post that it had spotted a job ad posted by Google, which showed it is searching for a data privacy engineer to join that team.

The ad reads:

As a Data Privacy Engineer at Google you will help ensure that our products are designed to the highest standards and are operated in a manner that protects the privacy of our users. Specifically, you will work as member of our Privacy Red Team to independently identify, research, and help resolve potential privacy risks across all of our products, services, and business processes in place today.

Top candidates will have an intimate knowledge of the inner workings of modern web browsers and computer networks, enjoy analysing software designs and implementations from both a privacy and security perspective, and will be recognised experts at discovering and prioritising subtle, unusual, and emergent security flaws.

Damage limitation is becoming increasingly important to Google, given the high-profile probes of its business practices on both sides of the Atlantic in relation to its data handling over the past few years. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/23/google_red_team/