STE WILLIAMS

Microsoft, Adobe throw fire blanket over blaze of security flaws

Microsoft has fixed 26 security flaws, at least five of which are critical, in its software. At least one of the holes is being actively exploited by hackers to compromise Windows computers.

The latest Patch Tuesday update from the company addresses these vulnerabilities, which are present in workstations and servers running Redmond operating systems.

Most pressing of the critical batch is MS12-060, which is a fault in Windows Common Control that is being exploited in the wild. Victims merely have to open booby-trapped RTF files and Office documents, or visit a maliciously constructed web page, to fall foul of an attack. The files could be sent as email attachments.

Other critical flaws exist in the Remote Administration Protocol (RAP) of Windows Networking; Internet Explorer versions 6 to 9; the Remote Desktop Protocol (RDP) server in Windows XP; and a module in the Outlook Web Access (OWA) component of Microsoft Exchange Server.

Microsoft’s latest security bulletin can be found here. As usual, an easy-to-understand overview from the Internet Storm Centre can be found here.

In other patching news, Adobe also released two new versions of its Adobe Acrobat and Adobe Reader products. A patch for Adobe Flash Player addresses a zero-day vulnerability that has been used in targeted attacks. These assaults have involved tricking victims into opening Word documents with an embedded ActiveX Flash object.

More details on all these patches can be found on Adobe’s website here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/15/patch_tuesday/

Oracle slaps surprise patch over database server hole

Oracle has broken its regular quarterly patch update cycle with a fix for a security flaw publicised at last month’s Black Hat conference.

The vulnerability in Oracle’s database server was demonstrated by David Litchfield, the celebrated British white-hat hacker. Oracle released a security update for server versions 11.2.x soon after Litchfield’s Vegas talk last month.

The privilege elevation bug means developers (but not ordinary users or common proles) can gain administrative rights on systems, provided a vulnerable Oracle Text module is installed. The security flaw is not remotely exploitable without authentication and even then CREATE TABLE, CREATE PROCEDURE and EXECUTE privileges are needed for any badness to be possible, according to Oracle.

Nonetheless, exploits for the vulnerability are being circulated in the wild, so patching ought to take place sooner rather than later. Server versions 10.2.x and 11.1.x are affected by the flaw and older unsupported versions of Oracle’s flagship product may be vulnerable too.
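An audit query a DBA could run to check the preconditions described above (added here as an example; it is not from the article or from Oracle’s alert). It assumes access to the DBA_* data dictionary views and, as an assumption, that the EXECUTE grant in question is on an object owned by CTXSYS, the Oracle Text schema.

```sql
-- Added example, not Oracle's own tooling. Assumes SELECT on the DBA_* views.
-- 1. Is Oracle Text installed at all? Its component id in DBA_REGISTRY is CONTEXT.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'CONTEXT';

-- 2. Which open accounts hold CREATE TABLE, CREATE PROCEDURE and an EXECUTE
--    grant on a CTXSYS object (assumed to be the relevant EXECUTE privilege)?
--    System privileges can arrive through nested roles, so the role graph is
--    walked with CONNECT BY (works on 10.2 and 11.x, the affected versions).
WITH role_tree AS (
  -- every (account or role) -> role it reaches, directly or transitively
  SELECT DISTINCT CONNECT_BY_ROOT grantee AS grantee, granted_role AS role
    FROM dba_role_privs
 CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
eff_sys AS (
  -- effective system privileges: direct grants plus grants via any reached role
  SELECT grantee, privilege FROM dba_sys_privs
  UNION
  SELECT rt.grantee, sp.privilege
    FROM role_tree rt
    JOIN dba_sys_privs sp ON sp.grantee = rt.role
),
eff_exec AS (
  -- effective EXECUTE on CTXSYS objects, again direct or via roles
  SELECT grantee FROM dba_tab_privs
   WHERE owner = 'CTXSYS' AND privilege = 'EXECUTE'
  UNION
  SELECT rt.grantee
    FROM role_tree rt
    JOIN dba_tab_privs tp ON tp.grantee = rt.role
   WHERE tp.owner = 'CTXSYS' AND tp.privilege = 'EXECUTE'
)
SELECT u.username
  FROM dba_users u
 WHERE u.account_status = 'OPEN'
   AND EXISTS (SELECT 1 FROM eff_sys s
                WHERE s.grantee = u.username AND s.privilege = 'CREATE TABLE')
   AND EXISTS (SELECT 1 FROM eff_sys s
                WHERE s.grantee = u.username AND s.privilege = 'CREATE PROCEDURE')
   -- a grant to PUBLIC counts for every account, so it is matched too
   AND EXISTS (SELECT 1 FROM eff_exec e
                WHERE e.grantee IN (u.username, 'PUBLIC'))
 ORDER BY u.username;
```

Accounts listed by the second query are the ones to review (or to strip of CREATE PROCEDURE) until the alert’s patch has been applied.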

Oracle’s security alert can be found here. A more detailed overview can be found in a blog post by Alex Rothacker, of database security outfit Team Shatter, here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/15/oracle_pushes_unscheduled_database_patch/

Fraudsters nick BILLIONS from China’s e-commerce Wild West

China’s burgeoning e-commerce industry has been remorselessly exploited by internet fraudsters to the tune of 30 billion yuan (£3bn) over the past 12 months despite police efforts to clamp down on dodgy sites.

Industry group the China Electronic Commerce Association (CECA) was behind the concerning stats.

CECA claimed that out of 198 million online shoppers in the country, 31.8 per cent had been conned by fraudulent web sites – at a conservative estimate not less than 30.8bn yuan, according to Xinhua (via TNW).

Around 70 per cent of those deceived by web scamming spent 500-2000 yuan, the report found.

The lack of uniform national standards or a recognisable kitemark for safe sites is thought to be making the fraudsters’ work much easier.

In particular, net tricksters are apparently setting up sites designed to mimic the layout of popular online stores, right down to the URL.

They will then use blackhat SEO techniques to elevate them to the top of the search rankings and post false reviews of products to make the sites appear even more legitimate.

As with most cases of low-value online fraud, the police are reluctant to get involved, especially as there is usually no record of sale, the report continued.

Police are quick to include online fraud in any of their periodical crack downs on illegal web sites, although it is always lumped in with other illegality such as pornographic content, gambling sites and political dissidence.

The Chinese government has already announced plans to address deficiencies in information security across the public and private sectors.

Although short on detail it did at least single out e-commerce as an area that warranted particular attention.

The level of online fraud is somewhat unsurprising in China given the huge sums being spent locally via the web and the relative immaturity of the market when it comes to security and authentication.

The Chinese government expects its domestic online sales to reach a world-beating 18 trillion yuan (£1.4tr) by 2015 and a recent PwC survey found citizens are twice as prolific as their counterparts in the UK and US.

However, straying from the relatively safe confines of e-commerce giants such as Alibaba can be a minefield.

The firm has several anti-fraud and security capabilities built into its Taobao platform including phishing alerts, one-time password account authentication, downloadable anti-virus software and a Safety Center featuring tips for users.

As of yet, this is far from the standard in the Wild West of Chinese e-commerce. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/15/e_commerce_fraud_china_billions/

Don’t waste time hiding NBN POI locations

Since it was only a Tweet, I don’t know whether it’s true that the ACCC’s consultation on relocating some NBN points of interconnect was, or was not, based on national security concerns expressed by the Attorney-General’s department.

If it was some kind of misguided national security notion, then Nicola Roxon needs someone to cross-check silly ideas with hard reality. It’s the kind of idea that looks good to someone whose knowledge is good in abstract, but ignorant of the outside world.

I have encountered the kind of people who think that all telecommunications infrastructure should be treated as a national secret. They’re fools: because obscuring the location of the infrastructure, if it were feasible, would cause more problems than it solves.

Let’s start with an easy example. You could cut Australia off from the Internet easily, by cutting a handful of cables owned by Telstra, Southern Cross Networks, the Australia-Japan Cable, and TPG’s PPC-1 cable. Just one cut would cause disruption in the form of increased latency to the US and onwards to the rest of the Internet.*

Shouldn’t their locations be a national secret? If they were, how would ships know not to drop anchors or fishing nets where the cables are most vulnerable – near the shore?

Hence maritime charts include the location of the cables and exclusion zones prohibit certain types of activity in their vicinity. Some idiot could order that they no longer appear on the charts – but since charts already exist showing the cables, all a terrorist needs do is find an old chart.

Let’s look instead at terrestrial fibres. Again: you could try to ban any map containing fibre locations from ever being made public, and to no avail, since the really important locations – say, near a Telstra CBD exchange – have pits in the street. If you know where the exchange is, you could do considerable damage armed only with a crow-bar, a jerry-can of petrol, and a lighter.

Then there’s street-works. My wife has spent a considerable chunk of the last three years in Royal Prince Alfred Hospital, and for most of that time, there’s been council work going on in surrounding streets. Every street gets marked, before the work starts, with paint indicating where a fibre is located, who it belongs to, and how far under the surface it is buried.

Of course, an evil-doer could take the easier option, and just read the carrier’s name on the plate on top of the pit. If you wanted to choose between Telstra, Optus, Uecomm (now owned by Optus but still emblazoned on pit-covers) – the infrastructure is advertised at street-level, on the pit-covers.

In spite of the most elaborate precautions, fibres get cut by earth-movers and cause disruption ranging from local to national. Does some misguided “keep the secret” spook in Canberra really want “backhoe terrorism” to become the norm rather than the exception?

*I realise that’s not a comprehensive list of cables leaving Australia, but it’s enough for discussion.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/14/natsec_losing_its_mind/

Australian Police want in-house social network

The Police Force in the Australian state of New South Wales wants to build its very own social network.

The Force isn’t just bandwagon-hopping: the tender (registration required) for the network says it’s already done that, with decent results:

The organisation’s ITC department, Business and Technology Services (BTS) recently ran a short-term trial of an Innovation Forum to the intranet, allowing people to comment and vote on ideas put forward by any staff member.

Without any internal communication or promotion, the Innovation Forum was heavily subscribed. There is strong potential for the healthy adoption of an internal social network by NSW Police Force staff.

But there’s strong potential for the project to crash and burn, too, because the Force has exactly $0 for the project and knows training will be tough, as stated in the tender:

We have a large number of staff who are dispersed across a large geographical area. Training staff in new IT platforms is challenging and can be expensive. We therefore seek a platform that is easy to use, self educating and innovative. Good quality inbuilt tutorials/tours would be of interest.

At this point we imagine sharp-eyed Reg readers may have noted that this appears to be a project with huge scope and ambitions, limited budgets and known factors that could undermine success. In other words, a train wreck waiting to happen.

We offer that assessment before addressing the long list of objectives for the project, which include a desire to communicate and drive corporate strategies, reduce information silos, promote internal networking, “allow ideas and innovation to be put forward, discussed and voted on by all staff” and also “Provide wikis and shared apps to increase speed of project management and documentation.”

A reduction in travel between offices is also a hoped-for outcome, as is a desire to enable the creation of virtual teams “across geographical barriers”.

A comprehensive online phone book is also on the agenda.

Interestingly, the tender doesn’t rule out hosting the network beyond the Force’s walls, stating that “We are still considering the merits of using a networking platform beyond the organisation.”

Throw in the fact that the Force wants very strong security – the tender says “Audit trail, authentication and support for encrypted network communications are considered baseline requirements” – and this looks like what we imagine Police might call “a very complex operational requirement that ultimately proved beyond the capacity of the organisation to achieve effectively in the desired timeframe.” We do hope we’re proved wrong. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/14/nsw_police_want_social_network/

Cloud support brings WikiLeaks back online

After being taken out for ten days by a DDoS attack the WikiLeaks site is back online, thanks to some cloudy support from CloudFlare.

The organization said that it had approached CloudFlare about hosting its site, since it has massive capacity and good systems for spotting and blocking DDoS attacks. WikiLeaks said it was originally turned down, but this was due to an error, the hosting company explained in a tweet.

Now WikiLeaks is back online and from the postings the organization is making its mood is combative.

Meanwhile, what of AntiLeaks, which claims to be responsible for the takedown? The spokesman for the group earlier said that the attacks on the site would continue indefinitely, but the shift to the cloud on Tuesday has caused some problems and the group is working on a way to bring down the WikiLeaks site again.

“WikiLeaks web server is now hidden behind five CloudFlare servers. CloudFlare isn’t actually hosting WikiLeaks content itself but acts as a reverse web proxy. This makes it especially difficult to attack WikiLeaks, as each CloudFlare server can handle 10gb/second,” spokesman DietPepsi said in an email to El Reg.

“I am in the process of finding the actual IP address of WikiLeaks web server. I have a couple of leads and believe I will be able to do it, however it will take some time.”

Meanwhile, in Ecuador

In the meantime there’s been considerable kerfuffle over Julian Assange’s future.

The UK’s Guardian newspaper reported on Tuesday that the Ecuadorian government has decided to grant Assange political asylum in their country. Assange is approaching his 60th day trapped in the Ecuadorian embassy in London and a senior government source told the paper that Assange had been cleared.

“We see Assange’s request as a humanitarian issue. The contact between the Ecuadorean government and WikiLeaks goes back to May 2011, when we became the first country to see the leaked US embassy cables completely declassified,” the official said.

“It is clear that when Julian entered the embassy there was already some sort of deal. We see in his work a parallel with our struggle for national sovereignty and the democratisation of international relations.”

However, the story brought a sharp rebuttal from the Ecuadorian president, who said the situation was still being considered. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/15/wikileaks_back_online_cloudfire/

Can YOU crack the Gauss uber-virus encryption?

Antivirus experts have called on cryptographers and other clever bods for help after admitting they are no closer to figuring out the main purpose of the newly discovered Gauss supervirus.

While it’s known that the complex malware features many information-stealing capabilities, with a specific focus on capturing website passwords, online banking account credentials and system configuration data from infected machines, the content of the virus’s encrypted payload is still a mystery.

Kaspersky Lab had tracked Gauss for weeks before announcing its discovery last week. Antivirus experts at the security biz and elsewhere have been burning the midnight oil in the days since, and although progress has been made – for example in analysing its architecture, unique modules and communication methods – the payload encryption is unbroken.

Researchers reckon the hidden binary blob, when decrypted and executed, looks for a program specifically named using an extended character set, such as Arabic or Hebrew. What that program might be remains unclear as long as the encryption remains unbroken.

The general consensus among security experts is that Gauss – like Flame, Duqu and Stuxnet before it – is a nation-state sponsored cyber-espionage toolkit, quite possibly built from the same components as Flame.

Since late May 2012, more than 2,500 Gauss-related infections have been recorded by Kaspersky Lab’s cloud-based security system, with the majority of infections found in the Middle East. Many of these infections have appeared in Lebanon, the Palestinian Territories and Iran. As previously reported, experts reckon that the super-malware is aimed at tracking targets rather than stealing online banking passwords.

Gauss’s secret encrypted payload is located in the USB data-stealing modules.

“The purpose and functions of the encrypted payload currently remain a mystery,” explained Aleks Gostev, chief security expert at Kaspersky Lab. “The use of cryptography and the precautions the authors have used to hide this payload indicate its targets are high profile. The size of the payload is also a concern. It’s big enough to contain coding that could be used for cyber-sabotage, similar to Stuxnet’s SCADA [industrial machine controller] code. Decrypting the payload will provide a better understanding of its overall objective and the nature of this threat.”

Antivirus experts at the Russian security outfit launched an appeal today for anyone with an interest in cryptography, reverse engineering or mathematics to help find the decryption keys and unlock the hidden payload. More details and a technical description of the problem are available in a blog post here.

Kaspersky issued a similar appeal for help from the wider IT community in helping to determine the mystery computing language used to create key components of Duqu, another espionage tool. Old-school programmers quickly helped Kaspersky to conclude that the so-called Duqu Framework was developed using plain old Object-Oriented C. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/14/gauss_mystery_payload/

Burglar steals $60,000 of computers from Steve Jobs’ home

Police have arrested a man accused of breaking into the former home of Apple icon Steve Jobs and stealing over $60,000 worth of “computer equipment and personal items.”

On July 17, Jobs’ former home on Waverley Street in Palo Alto was broken into and turned over, AP reports. Santa Clara County Deputy District Attorney Tom Flattery, a member of the high-technology crimes unit, declined to say what exactly had been stolen but confirmed the police had a suspect in custody.

Kariem McFarlin, 35, was arrested on August 2 and charged with committing the thefts and selling stolen property. He’s currently in the Alameda county jail, having failed to find $500,000 in bail money, and faces a possible prison term of seven years and eight months, including a one-year enhancement for “excessive taking of property.”

Flattery refused to be drawn on exactly what was missing, or who it belonged to. But he said that the burglar seemed unaware of whose house he had broken into, indicating this wasn’t a custom rip-off job for a fanboi.

“The best we can tell is it was totally random,” Flattery told the San Jose Mercury News.

You might think $60,000 is a fair amount of kit to leave around the house, even in suburbs as flush with cash as Palo Alto and with computers as expensive as Apple’s. But the docket also included ‘personal items,’ so jewelry belonging to Jobs’ widow Laurene Powell could be included in the robber’s haul. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/14/steve_jobs_burglar/

AntiLeaks boss: We’ll keep pummeling WikiLeaks and Assange

As the nine-day DDoS hammering of WikiLeaks continues, hacking group AntiLeaks has said that attacks will continue and widen, but have nothing to do with the Trapwire monitoring system the whistle-blowing site has been documenting.

In an email conversation with The Register, someone claiming to be the head of the AntiLeaks hacking group – aka DietPepsi – said the attacks were in protest over the role of Julian Assange, who is currently the guest of the Ecuadorian embassy while waiting for his plea for political asylum to be decided.

“What prompted us to form Antileaks is the impending decision by Ecuador to presumably give Julian [Assange] asylum, which should happen within days after the Olympics are over,” DietPepsi said.

In June Assange made a bail-busting visit to the Ecuadorian embassy in London and requested political asylum. The move came shortly after his last appeal against deportation to Sweden to face questions over accusations of sexual molestation was rejected by the UK’s Supreme Court. The Ecuadorian government is still considering the issue.

There have been reports that the attacks are an attempt to halt the latest information dump from WikiLeaks of emails from hacked security consultants Stratfor. The latest batch focuses on a little-known state monitoring system dubbed Trapwire.

The system is a conspiracy theorist’s wet dream. Developed by ex-CIA employees at government security contractor Abraxis, Trapwire uses software algorithms and data from multiple surveillance sources, including facial recognition, to help predict criminal activity.

Details from the Stratfor emails show its use is far more widespread than previously thought, with an executive saying every high-value target in the UK, US and Canada was now covered, as well as the cities of London, New York, Los Angeles and Las Vegas.

“I want to make it clear to all the conspiracy theorists out there that we have nothing to do with the United States Government or Trapwire,” DietPepsi wrote, when questioned on the matter. “We find it quite humorous to read all these Twitter comments from people who suspect us of being NSA/CIA/FBI/or even WikiLeaks themself,” and posted a similar statement online the following day.

On the face of it this seems fair. The DDoS attacks on WikiLeaks began on August 3, but WikiLeaks didn’t start publishing emails relating to Trapwire until after that date. As late as August 7 WikiLeaks itself didn’t seem to rate the idea very highly.

WikiLeaks and Assange are not the only subjects of AntiLeaks’ ire it seems. On August 3 DietPepsi said the group took down the Ecuadorian president’s website in a similar DDoS attack and claims the site’s admins have tripled the number of hosting servers required to keep it online, “Though it wouldn’t make a difference should we choose to target them again.”

As proof of the group’s veracity, DietPepsi said the Ecuadorian attack had been flagged up in advance to German tech site Gulli.com. El Reg has asked for more verification, since there’s a world of difference between bringing down a minor government site and the sort of massive attacks WikiLeaks and its affiliate sites are undergoing.

In the meantime the attacks will continue, DietPepsi said, and the access to WikiLeaks, Cablegate and mirror is patchy at best. As for threats of retribution from Anonymous, DietPepsi said the group is “not concerned at all.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/13/antileaks_wikileaks_attack_response/

Anonymous stalking Australian spooks

The Australian chapter of hacktivist prankster cabal Anonymous has been engaging in prolific white noise activity down under, making numerous threats via Twitter that it has infiltrated numerous law enforcement sites including Australia’s spy agency ASIO.

On Friday, Anonymous claimed on its Operation Australia Twitter account that it had brought down the Australian Security Intelligence Organisation’s (ASIO’s) site for at least 30 minutes and was also targeting the Defence Signals Directorate (DSD). While intermittent issues were reported at both sites, neither was down for a significant period of time.

ASIO admitted in a statement that it was “aware that there may have been some technical issues with its public website,” but stated that the public website does not host any classified information that may be in danger if the site is compromised.

The DSD also stated “the DSD website has not experienced any technical issues and has remained available. The DSD website does not host any classified information and any disruption would not represent a risk to DSD business.” Anonymous’ Operation Australia tweeted a number of ongoing threats over the weekend. On Sunday night Operation Australia tweeted, “Get READY! DOS ATTACKS ON AFP http://www.afp.gov.au 5 MINUTES! Help Bring these PIGS down!”

However, the AFP site did not appear to be affected on Sunday night. According to CyberWarNews, the merry hacksters had also attempted to bring down the Tasmanian Police site on Sunday night, following a threatened attack on the same site on August 7, but the site was running when El Reg checked in. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/12/anonymous_data_digging_downunder/