STE WILLIAMS

Breaking news, literally: Reuters hacked third time this MONTH

Reuters websites were hacked for the third time in a fortnight when hackers posted a bogus article falsely claiming that Saudi Arabia’s foreign minister Saud al-Faisal was dead.

The planting of the false report follows two similar attacks earlier this month. First, a bogus piece stating that the Syrian rebels were retreating appeared on a blog run by the news agency. Then, just days later, Reuters’ Twitter feed was hijacked to post pro-Syrian government messages.

Reuters acknowledged the latest breach in a statement that provides few clues about who carried it out or how the hack was pulled off.

“Reuters.com was a target of a hack on Tuesday. Our blogging platform was compromised and a fabricated blog post saying Saudi Arabia’s Foreign Minister Prince Saud al-Faisal had died was illegally posted on a Reuters journalist’s blog on Reuters.com,” the statement explains. “Reuters did not report the false story and the post was immediately deleted. We are working to address the problem.”

The news agency uses the WordPress platform for blogging. One plausible theory is that a vulnerability in this widely used package was used to pull off the latest attack, but this remains unconfirmed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/17/reuters_blogs_hacked_again/

Google splashes out the cash for cunning cracks

Google’s increasing the financial incentives for reporting vulnerabilities with an upgraded bug bounty scheme and a $2m purse for its latest Pwnium Chrome hacking contest, to be held in October.

The Chocolate Factory’s Chromium Vulnerability Rewards Program has paid out more than ONE MILLION DOLLARS to researchers who bring in documented new bugs, on top of nearly half a million shelled out for non-Chromium web vulnerabilities. But according to Google security software engineer Chris Evans, this still isn’t enough dosh to hold a hacker’s interest.

“Recently, we’ve seen a significant drop-off in externally reported Chromium security issues,” he blogged. “This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger.”

To spur interest and reward harder work, Google’s adding a bonus of $1,000 for any bugs that are deemed “particularly exploitable,” with similar awards for flaws that work on a wide variety of platforms besides Google’s, or which are discovered in sections of the code base previously determined to be stable and bug free.

In particular, Google is looking for flaws in GPU drivers, especially in Intel’s hardware, as well as any 64-bit code flaws. It’s also said extra awards are available for finding vulnerabilities in the stripped-down Linux kernel that powers its Chrome OS, if they can bypass the system’s sandboxing.

Presumably these kinds of hacks will be what the judges are looking for in Google’s second Pwnium Chrome hacking contest. The purse for this round, held at the 10th anniversary Hack in the Box conference in Kuala Lumpur in October, has doubled to $2m for people who can kick holes in Chrome’s security.

Those who can demonstrate (and document) a “Full Chrome exploit” on a Windows 7 system running the latest build of the browser can bag $60,000. A “Partial Chrome Exploit,” which uses at least one bug to get user access, earns $50,000, and a successful “Non-Chrome exploit” – an attack via Windows or Flash – will net $40,000 for the demonstrator.

All this money sloshing around is good news for security researchers, and the bounty system Google has run since 2010 pays off internally, too. The Chocolate Factory gets a bit more security, which is a useful selling point for Google Apps in enterprise, and the cost is nothing in terms of its marketing budget, while providing pocket money and more for legitimate researchers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/16/google_bug_cash_pwnium/

Tridium patches control systems bug after a year

More than 300,000 automation systems – covering lighting control, building automation and security, heating and air conditioning and more – need patching after a slew of vulnerabilities in the Tridium Niagara AX went public thanks to an ICS-CERT advisory.

The announcement of the vulnerabilities comes nearly synchronously with the announcement of the patch – and once again highlights the slack security attitudes endemic in the industrial control segment.

According to the researchers who turned up the vulnerabilities, they had been trying to work with the vendor for a year before the advisory (PDF) was published on the CERT’s control systems page.

Niagara AX is a framework designed to draw data from a wide variety of control systems, from multiple vendors, into a single management environment with a Web interface. The vulnerabilities were documented by Billy Rios and Terry McCorkle as research for a July article in the Washington Post.

The advisory notes the following vulnerabilities in the software:

  • Directory traversal – allowing an attacker to use a crafted Port 80 request to access restricted directories;
  • Weak storage of credentials – credentials are held in a configuration file residing on the server’s root directory;
  • Plaintext storage of usernames and passwords; and
  • Predictable session IDs.
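The first and last items on that list are classic web-application defects with well-understood fixes. As an added example (not Tridium’s code, and assuming nothing about how Niagara AX itself handles requests or sessions), the Python below shows a path resolver that confines requests to a web root, including percent-encoded and double-encoded `../` sequences, next to the naive join it replaces, plus a CSPRNG-based session ID generator and a cheap audit check that flags sequential IDs. The web root and file names are constructed placeholders.

```python
import posixpath
import secrets
from typing import List, Optional
from urllib.parse import unquote

# Constructed placeholder web root; not a real Niagara AX install path
WEB_ROOT = "/var/www/niagara"


def weak_resolve(requested: str) -> str:
    """The naive join: a request for '../config/users.properties'
    (constructed name) walks straight out of the web root."""
    return WEB_ROOT + "/" + requested


def safe_resolve(requested: str) -> Optional[str]:
    """Decode, normalise and confine the requested path to WEB_ROOT.
    Returns the absolute path, or None when the request must be rejected."""
    # Decode twice so a double-encoded '../' (%252e%252e%252f) is seen for what it is
    decoded = unquote(unquote(requested))
    # Embedded NULs and backslashes never belong in a legitimate URL path here
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Collapse '.' and '..' segments, then anchor the result under the web root
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # Accept only the root itself or a true descendant (the trailing '/' stops
    # a sibling such as '/var/www/niagara2' from passing a prefix check)
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def new_session_id(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG, URL-safe; not guessable from earlier IDs."""
    return secrets.token_urlsafe(nbytes)


def ids_are_sequential(ids: List[str], max_gap: int = 10) -> bool:
    """Audit heuristic: all-numeric IDs whose consecutive differences are small
    are effectively predictable, which is the weakness the advisory describes."""
    if len(ids) < 2 or not all(i.isdigit() for i in ids):
        return False
    values = [int(i) for i in ids]
    return all(0 < b - a <= max_gap for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    for req in ("docs/index.html", "../config/users.properties", "%252e%252e%252fconfig"):
        print(f"{req!r:32} weak={weak_resolve(req)!r:48} safe={safe_resolve(req)!r}")
    print("sequential?", ids_are_sequential(["00000041", "00000042", "00000043"]))
    print("fresh id:", new_session_id())
```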

Tridium has now released a patch for its Niagara AX versions 3.5 and 3.6 – but not until it had taken so long to respond that Rios wrote that “following up with an unresponsive vendor is extremely frustrating.”

Rios claims that Tridium has been aware of the vulnerabilities for nearly a year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/16/tridium_issues_patch/

Experts argue over whether shallow DNS gene pool hurts web infrastructure

Experts are split over whether a lack of ‘genetic diversity’ in the Domain Name System (DNS) infrastructure is leaving the internet at greater risk of attacks.

Four in five (80 per cent) of the world’s internet-facing DNS servers are essentially genetically identical, according to Domain Name System vendor Secure64.

In the natural world, such a limited gene pool would leave a species vulnerable to a single disease, as most graphically illustrated by the potato blight that hit crops throughout Europe during the 1840s. Lack of diversity in DNS technology could be similarly bad news because a single successful attack could theoretically take down a massive portion of global DNS infrastructure.

Most of the world’s DNS servers rely on the same DNS code base (BIND, Berkeley Internet Name Domain), creating the potential for a global internet wobble in the event of a sophisticated attack or virus. And more than a dozen major vulnerabilities have been reported in BIND DNS software, which underpins much of the web’s DNS tech from multiple vendors.

‘You don’t hear about them, but exploits do occur’

Secure64 was unable to cite a clear example of a critical security bug in BIND that might be an agent in the doomsday scenario it presents. The firm nonetheless maintains that the risk from a lack of diversity in DNS systems is all too real.

“Most exploits are never reported in the media for obvious reasons, but DNS experts know that these exploits do occur,” Mark Beckett, VP of marketing at Secure64, explained. “This is why most operators of large DNS networks are very concerned about patching security vulnerabilities very quickly, as they don’t want to risk loss of service availability for their users or customers.”

Beckett was able to cite a couple of examples of exploits, but whether these attacks are severe enough to be categorised as super-critical is debatable.

Greater diversity at the hardware, operating system and application layers would contribute greater resistance against DNS attacks or at least offer a fallback system when servers need to be patched, according to Secure64.

“Any software product can have vulnerabilities, but BIND is an especially attractive target because it is so widely deployed,” argues Dr Bill Worley, CTO of Secure64 and a former chief scientist at HP. “When a company’s DNS infrastructure is entirely dependent on one technology, that’s an obvious risk. That is why genetic diversity is so important for DNS infrastructure.”

“Organisations that exclusively use BIND-based commercial DNS products are forced to spend unplanned time upgrading software on their DNS infrastructure or risk exposing their DNS service to attack and disruption. This endless cycle of patching increases both risk and operational costs. Genetic diversity at the hardware, operating system and application layers protects customers against vulnerabilities that affect other DNS variants.”

Overstating the risks to drum up biz? Who, us?

However, other DNS experts, while agreeing that diversity was important on the wider scale, said that Secure64 was overstating the case for businesses to switch to a two-supplier approach while ignoring some of the practical problems involved in maintaining a relationship with two or more suppliers.

Cricket Liu, vice president of architecture at DNS appliance firm Infoblox, explained: “I tend to agree with the general premise that ‘genetic diversity’ is important. But the idea that over 80 per cent of the world’s DNS servers are essentially genetically identical isn’t accurate. The population of Microsoft DNS Servers is just enormous, though they tend to be used internally.”

“The requirement for genetic diversity is a systemic requirement, not a requirement of any single organisation’s DNS infrastructure. Yes, we want the root name servers to exhibit such diversity (and they do by running a mix of implementations), but there’s a very high price to an organisation to running multiple code bases: the need for additional, specialised expertise; the danger that the overall quality of administration degrades; the need to manage multiple vendor relationships; the danger of interoperability issues and inconsistent feature support.”

Secure64’s Beckett conceded that Liu had raised a valid point. “It is harder to manage multiple software products than a single one, so most organisations don’t do it,” Beckett told El Reg. “But some larger organisations are starting to adopt a DNS diversity strategy, despite its extra overhead, in order to mitigate the risk of a software failure in a single component.

“We suggest that what is good for the internet (genetic diversity of DNS) can also be good for an individual organisation,” he added.

Secure64 markets DNS servers based on NSD (Name Server Daemon) and not BIND. Beckett denied suggestions that its warning about genetic diversity was either a disguised sales pitch or an example of mud-slinging against BIND.

“This is not a commercial versus open source argument, nor is it a ‘my product is better than yours’ argument. It is simply a security best practice to bolster your resistance to potential failures in one piece of software by deploying at least one other completely different implementation in your network. So you could diversify your authoritative name servers by deploying both BIND and NSD, for example (in fact, this is exactly the strategy deployed by the root servers and many of the large top level domains) so that a bug in one implementation is unlikely to affect the other. Or you could deploy a commercial resolver like Secure64 DNS Cache with BIND or djbdns and you would bolster your resolving infrastructure in the same way.

“You just have to make sure that you deploy two ‘genetically different’ implementations. Deploying BIND with a commercial, BIND-based appliance does not provide you with the desired diversity, for example,” Beckett concluded. ®
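A way to check that last point for your own zone, added here as an example and not tooling from Secure64, Infoblox or any other party named above: classify the implementation family behind each authoritative server from its `version.bind` CHAOS TXT answer and flag a zone whose servers all share one code base. The sample answers are constructed; the patterns assume the self-identifying formats these daemons commonly report (BIND a bare version such as `9.8.1-P1`, NSD `NSD x.y.z`, Unbound, Knot DNS and PowerDNS naming themselves), a live check would collect them with `dig @<ns> version.bind chaos txt`, and a server that hides or refuses the query (or a BIND-based appliance reporting a custom string) comes back as unknown and needs checking by hand.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Each rule maps a version.bind answer to an implementation family. The
# formats are assumptions about what these daemons commonly report; the
# bare-version rule for BIND is last because it is the least specific.
FAMILY_RULES = [
    (re.compile(r"^NSD\b", re.I), "NSD"),
    (re.compile(r"^unbound\b", re.I), "Unbound"),
    (re.compile(r"^Knot DNS\b", re.I), "Knot"),
    (re.compile(r"^PowerDNS\b", re.I), "PowerDNS"),
    (re.compile(r"^9\.\d+\.\d+"), "BIND"),
]


def classify(answer: Optional[str]) -> str:
    """Map one version.bind TXT answer to a family. None stands for a
    refused or empty answer (an ACL, a custom version string, or djbdns,
    which never answers), all of which hide the code base from this check."""
    if not answer:
        return "unknown"
    text = answer.strip().strip('"')
    for pattern, family in FAMILY_RULES:
        if pattern.search(text):
            return family
    return "unknown"


def diversity_report(answers: Dict[str, Optional[str]]) -> dict:
    """Summarise the families behind a zone's name servers. 'diverse' is
    True only when at least two different known code bases are present;
    unknown servers are listed rather than counted either way."""
    families = {ns: classify(a) for ns, a in answers.items()}
    known = Counter(f for f in families.values() if f != "unknown")
    unknown = sorted(ns for ns, f in families.items() if f == "unknown")
    return {
        "families": families,
        "distinct_families": len(known),
        "diverse": len(known) >= 2,
        "needs_manual_check": unknown,
    }


# Constructed sample answers for a fictional zone's four name servers
SAMPLE_ZONE = {
    "ns1.example.net": '"9.8.1-P1"',     # BIND
    "ns2.example.net": '"9.7.3"',        # BIND
    "ns3.example.net": '"NSD 3.2.12"',   # NSD
    "ns4.example.net": None,             # version.bind refused by ACL
}

if __name__ == "__main__":
    print(diversity_report(SAMPLE_ZONE))
```

Two BIND servers plus one BIND-based appliance that echoes BIND’s version string would still report a single family, which is exactly the non-diverse deployment Beckett warns about.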

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/16/shallow_dns_gene_poll/

Saudi oil giant seals off network after mystery malware attack

Saudi Arabian Oil Co (Saudi Aramco) shut down its computer network on Wednesday in response to a serious computer virus infection. The state-owned firm said the computer security incident is having no effect on oil production.

“On Wednesday, August 15, 2012, an official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network,” Saudi Aramco explains in a statement on its Facebook page.

“The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network.”

Saudi Aramco confirmed the integrity of all of its electronic network that manages its core business and said the interruption has had no impact on any of the company’s production operations. “The company employs a series of precautionary procedures and multiple redundant systems within its advanced and complex system that are used to protect its operational and database systems,” it added.

It is unclear when Saudi Aramco will be able to plug back its systems into the interwebs. The identity of the strain of malware that caused the breach has not been released. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/16/saudi_aramco_malware/

Bitcoinica sued for $460,000 by ‘out-of-pocket’ punters

The operators of a website that earlier this year reported that a hacker had stolen units of virtual currency worth hundreds of thousands of pounds are being sued by four users who claim to be owed more than $460,000.

According to documents submitted to a US court, four users of the Bitcoinica website have sued those involved in running the site, claiming that they have “knowingly and willfully conspired and agreed upon themselves to hinder, delay and deprive” them of their right to withdraw their money from the site.

In addition the four users claim that those involved “acted willfully and with the intent to cause injury” to them and that therefore they had been “guilty of malice, oppression and/or fraud in conscious disregard” for their rights and should be liable to pay “punitive damages”.

In May the Bitcoinica site, which allowed users to trade real currency for virtual Bitcoin units (BTC), announced that 18,547 BTC had been stolen by a hacker of its systems. Currently a BTC is worth approximately $10. The operators said at the time that the site would honour all “withdrawal requests” from those that had made deposits via its exchange. It subsequently announced that those making such claims would be provided with 50% of what they claimed in an initial payment.

More than 43,000 BTC were reportedly stolen from Bitcoinica following a hacking incident in March.

Since the second breach Bitcoinica has remained closed to trading whilst “the transitional process” for upgrading the exchange “to a professional level of security” is completed. The four users have only been able to withdraw half their money from the site and are claiming that those involved in running the site have acted in breach of contract by failing to repay $460,457.20 they claim they are still owed, according to the court documents.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/16/bitcoin_legal_action/

Biz chucks millions at anti-malware, but ignores shoulder surfers

Users who are otherwise careful to protect their information often fail to protect confidential information they display on computer screens from shoulder surfers.

According to a recent survey, more than half of employees fail to protect their data despite admitting that they are able to read the confidential information of others. The poll was conducted by ComRes, for Secure, the European Association for Visual Data Security.

ComRes discovered that 71 per cent of employees have been able to see or read what someone is working on over their shoulder. Despite being aware of the potential problems that could arise from shoulder surfing, more than half (53 per cent) of the 2,000 workers quizzed said they do not take precautions to protect sensitive or private info from potential snoops – even when they work in high risk environments such as trains, planes or coffee shops.

The survey supports research carried out in compiling Secure’s recently released white paper on Visual Data Security – which revealed that while 90 per cent of 150 IT security professionals polled were aware of the threat posed by a visual data security breach, the vast majority (82 per cent) had little or no confidence that their workers were doing anything to prevent their data from being viewed whilst working in a public environment.

Organisations spend millions guarding against malware and hackers while ignoring the potential Achilles’ heel of visual data security.

The growing issue has been compounded both by a more mobile workforce and the increased availability of smartphones with high-resolution cameras, which enable unauthorised individuals to easily capture sensitive information.

Secure’s White Paper provides examples of visual data security breaches and the practical steps that organisations can take to protect their consumers’ data and their own.

For example, a senior UK civil servant at the Department for Business, Innovation and Skills fell asleep on a commuter train, leaving highly sensitive information displayed on his screen. A fellow passenger took two photographs of the information while it was displayed on the screen, which made their way into a Daily Mail story about the breach.

In the US, the private details of clients of a Bank of America branch office in downtown St Petersburg, Florida were visible through the bank’s windows to people on the street outside the bank’s offices.

According to the white paper, management consultancy Ernst & Young reported a case it investigated where a “call centre staff member provided screenshots of internal systems to fraudsters to help them reverse engineer an application”. Many incidents of visual data security breaches go unreported, but those that have hit the news make a big splash, especially when government agencies or ministers are involved.

In August 2011, the UK’s International Development Secretary was photographed leaving Number 10 Downing Street with sensitive government papers relating to Afghanistan on display. These papers were caught on camera by news photographers and film crews.

A similar blunder by the then assistant commissioner of the London Metropolitan Police Force’s counter terrorism unit, Bob Quick, led to a camera being able to capture secret documents outlining a planned police raid on a terrorist cell – as Quick entered Number 10. The mistake cost the senior cop his job.

Responses to Parliamentary questions in the wake of these snafus reveal that the UK government has rolled out policies to guard against further visual data security breaches. For example, new recruits to the Treasury are briefed on the importance of visual data security as part of their induction training.

The Data Protection Act obliges companies to take all possible steps to protect personal data – including measures to guard against a visual data security breach. And it’s not all doom and gloom.

There are organisations in the private sector that are already applying best practice in visual data security. Barclays Bank, for example, makes use of computer privacy panels that mean only someone directly in front of a computer is able to see its screen.

Brian Honan, an experienced infosec consultant and author of the Secure white paper, said that “with the frequency and innovative nature of data attacks rising, organisations must ensure that the defences they have in place protect against all potential data breaches and not just some.”

Visual data security involves ensuring that information cannot be viewed by unauthorised individuals. This is particularly important when private or sensitive information is involved. A comprehensive explanation of the issue, and tips about best practices, can be found in the Secure white paper (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/16/shoulder_surfing_security_risk/

Apple’s lone wolf approach to security will bite it in the rear

Open… and Shut: Apple may have minimal market share in desktop computers, but it has dominated the smartphone and tablet markets for years without any significant hacker exploits. Is Apple impervious to hackers, or is it just a matter of time before its luck runs out?

The answer to both questions is a definite maybe.

For years Apple has flown under the radar of serious hackers: its sub-10 per cent market share in personal computers is a weak target compared to Microsoft Windows, which has roughly a 90 per cent market share.

As Apple’s slice of the personal computer market nudges up, now scraping 12 per cent, it is becoming an increasingly juicy target.

Still, it’s doubtful that the Apple Mac will ever come to dominate the PC industry in a way that will encourage hackers to stay up late thinking of ways to crack it. Not only is the payoff relatively small but the amount of effort is comparatively large. Mac OS X, built on top of a security-conscious Unix kernel, is architected for security, whereas Windows has traditionally treated security as a feature to be added to the kernel, rather than baked right in.

While Microsoft’s security has improved over time, Apple has long benefited from treating security as a first-class citizen in its engineering philosophy.

This carries through to the design of Apple’s mobile operating system iOS, as well. It had better, as the top target for hackers going forward isn’t Microsoft. It’s Apple.

Imperva has been tracking hacker forums for years, and recently highlighted [PDF] the trend toward discussions about mobile, particularly iOS:

Graph showing growth of discussion of mobile platforms by year: By 2010, the order of most discussed, descending, is Android, Blackberry, Nokia and iPhone iOS

What hackers chortle about among themselves

Apple, which was somewhat blasé about iOS security early on, releasing the iPhone with serious security design flaws, has since smartened up about mobile security. The company released a white paper [PDF] documenting Apple’s iOS security approach in May 2012, and then tried and failed to convince hackers at the annual Black Hat conference that it takes security seriously.

And yet Apple continues to expose a sometimes casual approach to security, as recently highlighted by Mat Honan. In Honan’s case, he admitted to failing to back up and secure his accounts sufficiently, but given Apple’s emphasis on making beautiful devices for mainstream users, with equal or less attention to security, Honan’s story could be played out again and again.

However, it’s doubtful that hackers would bother to make the phone calls to Apple or Amazon in order to crack someone’s accounts. Apple’s security lapses involved social engineering on the hackers’ part and the link between its devices and the cloud.

In terms of device-level and software-level security, Technology Review reports: “Apple’s security architecture is so sturdy, and so tightly woven into its hardware and software, that it is both easy for consumers to use encryption on their phones and very difficult for someone else to steal the encrypted information.”

Indeed, as much as I and others have criticized Apple for its obsession with controlling the end-user experience from software to silicon, this same approach may actually make its systems more secure than more open approaches.

Perhaps. It does seem that Apple software, be it Mac OS X or iOS, is much more resistant to security breaches than Windows ever was. But we’re still in the early stages of mobile security, and it’s very possible that as more hacker time and attention is devoted to Apple, Apple will crack. It certainly isn’t immune to attack.

When iOS security does crack, a more open approach to security may be necessary. The last time Apple’s security mechanisms were seriously compromised was the outbreak of the Flashback Trojan, which directly resulted from Apple taking a too-controlling approach to patching Java running on Macs. Microsoft, working closely with Oracle, issued security patches for its customers months before Apple got around to doing so.

Apple does things on its own timetable and how it chooses. But in the case of security, a willingness to collaborate with partners and even competitors may be the right way to go. ®

Matt Asay is senior vice president of business development at Nodeable, offering systems management for managing and analysing cloud-based data. He was formerly SVP of biz dev at HTML5 start-up Strobe and chief operating officer of Ubuntu commercial operation Canonical. With more than a decade spent in open source, Asay served as Alfresco’s general manager for the Americas and vice president of business development, and he helped put Novell on its open source track. Asay is an emeritus board member of the Open Source Initiative (OSI). His column, Open…and Shut, appears three times a week on The Register.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/15/open_shut_apple_security/

Bank-raid Trojan jury-rigged to pwn ‘major airport’s network’

A Trojan has targeted airport workers logging into their employer’s private network, security researchers have claimed.

Crooks are believed to have modified the bank account-raiding Citadel Trojan, which is also used in ransomware scams, and deployed it at a “major international airport hub” to access internal applications and files. It is understood officials and relevant government agencies have been warned of the infiltration. In response, the airport disabled remote access to the attacked virtual private network (VPN), according to security software maker Trusteer.

The man-in-the-browser attack, we’re told, featured a combination of form grabbing and screen capture techniques to lift employees’ usernames, passwords and one-time pass codes generated by an unnamed two-factor authentication vendor, which has also been notified about the attack.

Trusteer said the affected vendor offered pattern-based authentication and it was this technology that was circumvented to pull off the VPN compromise.

After snapping a copy of the user’s screen, the attacker would be able to figure out the permutation of digits and combine it with the one-time code stolen by the form grabber to reproduce the targeted user’s login credentials.

Trusteer said the attack on the airport hub is a new tactic by crooks but not unprecedented. Other enterprises have been targeted by screen-capturing/form-grabbing financial malware in the past, it said. Incidentally, the security firm also launched a Citrix-friendly version of Trusteer Rapport for Enterprise, which is supposed to thwart attempts to sniff passwords and other sensitive data. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/15/trojan_airport_hub_vpn_attack/

‘Kill switch’ flaw found in top web weapon, victims sigh with relief

Security researchers have discovered a vulnerability in a top DDoS attack tool that provides a handy means to neutralise onslaughts.

The Dirt Jumper Distributed-Denial-of-Service (DDoS) Toolkit is one of the most popular attack tools available. It was deployed in a digital siege against security news website KrebsonSecurity.com among many, many other victims in recent months. The weapon works by instructing an army of compromised computers to flood a website with traffic until legitimate visitors are unable to connect.

However a flaw in the software, uncovered by security researchers at DDoS mitigation specialists Prolexic, can be exploited to thwart assaults.

Armed with the identity of the command-and-control (CC) server or an infected host, and open source penetration-testing tools, it is possible to gain access to the database in the system used to control the PC army and, more importantly, the server-side configuration files, Prolexic discovered.

“With this information, it is possible to access the CC server and stop the attack,” explained Scott Hammack, chief executive officer at Prolexic.

“DDoS attackers take pride in finding and exploiting weaknesses in the architecture and code of their targets. With this vulnerability report, we’ve turned the tables and exposed crucial weaknesses in their own tools,” he added.

The Pandora DDoS toolkit, the latest member of the Dirt Jumper family, is also somewhat buggy.

Pandora can be used to launch five different attack types, including a combination of techniques against the web application and infrastructure layers of targeted websites. Typos in the malware result in broken GET requests. These mistakes are not bad enough to stop a network of compromised machines from launching the distributed attack, but they are severe enough to identify the zombie assailants.

A threat advisory from Prolexic explaining the bugs in both DDoS crimware tools can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/15/dirt_jumper_ddos_tool_flaw/