STE WILLIAMS

Hackers spaff payday loan user emails after failing to levy ‘idiot tax’

Hacker group Rex Mundi has published thousands of loan-applicant details it siphoned off from US payday loan outfit AmeriCash Advance.

The move follows AmeriCash Advance’s refusal to stump up $15,000 in what Rex Mundi describes as an idiot tax for maintaining insecure systems and what AmeriCash Advance characterises as an extortionate demand. Rex Mundi said it extracted AmeriCash Advance’s customer database on 15 June, via an insecure page designed for affiliates of the finance firm.

“This company which specializes in payday cash advances (basically small loans for low-income workers, which are vastly overpriced) left a confidential page unsecured on their server,” Rex Mundi explained. “This page allows its affiliates to see how many loan applicants they recruited and how much money they made. Not only was this page unsecured, it was actually referenced in their robots.txt file (Bad, bad move, guys).”

“We managed to download thousands of loan applicant records. This data contains the names of applicants, the amount they applied for, their email addresses and the last four digits of their SSN. In addition, some ‘problematic’ applications also include comments left by AmeriCash Advance’s employees about the applicant and the name of the applicant’s bank. As usual, we will publish those records on the internet if AmeriCash Advance does not pay us by next Tuesday,” it said.

In a statement supplied to Cnet.com, AmeriCash acknowledged the breach and condemned the alleged extortion attempt that followed, which it said it resisted.

On June 12, AmeriCash Advance received a fax, telling us that part of our website had been hacked. The letter went on to demand initial payment of $15,000 from us. We immediately notified the appropriate authorities and promptly took steps to ensure that no other data could be accessed. We will not cave in to blackmail, and are cooperating fully with the authorities to protect our customers and bring these criminals to justice.

AmeriCash added that it was in the process of notifying affected customers, warning them to be vigilant about possible follow-up phishing attacks or other malfeasance.

In response, Rex Mundi said it didn’t need to “hack” into AmeriCash Advance’s system because they were left wide open for anyone to enter.

AmeriCash Advance is yet to respond to our request for further comment on the breach. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/22/payday_loan_data_breach/

Firefox ‘new tab’ feature exposes users’ secured info: Fix promised

Privacy-conscious users have sounded the alarm after it emerged the “New Tab” thumbnail feature in Firefox 13 is “taking snapshots of the user’s HTTPS session content”.

Reg reader Chris discovered the feature after opening a new tab only to be “greeted by my earlier online banking and webmail sessions complete with account numbers, balances, subject lines etc.

“This content is behind a secure login for a reason,” Chris added.

In response to queries on the matter prompted by Chris’s experience, Mozilla acknowledged that the behaviour was undesirable and promised a patch. In the meantime, the browser and email client firm points privacy-conscious users towards various workarounds, as a statement (below) explains.

We are aware of the concern and have a fix that will be released in a future version of Firefox. Mozilla remains resolute in its commitment to privacy and user control. The new tab thumbnail feature within Firefox does not transmit nor store personal information outside the user’s direct control.

The new tab thumbnails are based on users’ browsing history. All information is contained within the browser and can be deleted at any time. Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser. That will change the default preference to show a blank page, rather than the most visited websites when a new tab is opened.

Users who share their computer or use Firefox on a public computer should follow best practices for protecting their privacy by utilizing the built-in privacy tools in Firefox, such as Private Browsing Mode.

Firefox 13 was released on 5 June, adding new features including updated new tab and home tab pages. The updated new tab page feature is broadly akin to the Speed Dial feature already present in other browsers and displays cached copies of a user’s most visited websites. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/22/firefox_new_tab_security_concerns/

Rare AutoCAD worm lifted blueprints from Peru, sent them to China

Security watchers have discovered a worm that targets drawings created in AutoCAD software for computer-aided design (CAD).

Tens of thousands of drawings have been swiped using the malware, which is likely to have been designed for industrial espionage, according to antivirus firm Eset. The worm, dubbed ACAD/Medre.A, steals files and sends them to email accounts located in China. ESET said it had worked with Chinese ISP Tencent, the Chinese National Computer Virus Emergency Response Center and Autodesk – the creator of AutoCAD – to stop the harvesting of drawings by blocking email accounts associated with relaying stolen data. Business users in Peru were the main victims of the attack.

“The high number of infections observed in Peru might also be explained by the fact that malware disguised as AutoCAD files may have been distributed to companies that were conducting business with public services in Peru,” according to Eset. “This leads us to think organisations in this country might have been the primary target of the ACAD/Medre.A operators.”

The malware has also cropped up elsewhere in Latin America but Peruvian users were the main target. The miscreants behind the attack were using internet resources in China as dropsites in a delivery chain but it doesn’t necessarily follow that they were Chinese.

“After some configuration, ACAD/Medre.A sends opened AutoCAD drawings by email to a recipient with an email account at the Chinese 163.com internet provider,” explained ESET Senior Research Fellow Righard Zwienenberg. “It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider.

“ACAD/Medre.A represents a serious case of industrial espionage. Every new design is sent automatically to the operator of this malware. Needless to say this can cost the legitimate owner of the intellectual property a lot of money as the cybercriminals have access to the designs even before they go into production,” he added.

ESET has released a free stand-alone cleaner utility to aid in the clean-up of infected systems.

AutoCAD malware strains are rare but not unprecedented. For example, an AutoCAD virus surfaced in 2009.

More details on the AutoCAD worm attack can be found in a blog post by Eset here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/21/autocad_worm/

LinkedIn faces class action suit over password leak

LinkedIn is facing a class action suit over the security breach that saw millions of users’ passwords posted online.

Illinois resident Katie Szpyrka leads the complaint, which alleges that LinkedIn failed to “properly safeguard its users’ personally identifiable information”.

The complaint filed in California accuses the business network of using a “weak encryption format” for users’ information and not having crucial security measures in place.

A LinkedIn spokesperson told The Register that the class action suit’s claims were “without merit”.

“No member account has been breached as a result of the incident, and we have no reason to believe that any LinkedIn member has been injured,” the company said. “Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation.

“We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behaviour.”

The 6.5 million user passwords hacked and posted online were in hashed format, but the biz site evidently had not applied any salts. Salting adds extra arbitrary data to a password when it is hashed, thwarting pre-generated tables and making life more difficult for password crackers. The class action suit claims that hashing without salting is not an “industry standard protocol” as promised by LinkedIn’s privacy policy.

“Despite its contractual obligation to use best practices in storing user data, LinkedIn failed to utilise basic industry standard encryption methods. In particular, LinkedIn failed to adequately protect user data because it stored passwords in unsalted SHA1 hashed format,” the filing said, branding SHA1 “outdated”.
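To show concretely what the complaint is objecting to, here is an added Python example (not LinkedIn’s code and not taken from the filing) that contrasts unsalted SHA1 storage with salted storage when a precomputed lookup table is run against a leaked hash set. The common-password list and the two member records are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed list standing in for the wordlist a cracker would precompute
# hashes for once (a lookup or "rainbow" table).
COMMON_PASSWORDS = ["password", "123456", "linkedin", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """The scheme the filing describes: a bare SHA1 digest of the password.
    Identical passwords always produce identical digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Same hash function, but a per-user random salt is mixed in first.
    Salting defeats precomputed tables; it does not slow down brute force."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_hashed(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted *and* deliberately slow, which is what current practice expects."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_lookup_table(candidates):
    """Digest -> plaintext map computed once; reusable against any unsalted dump."""
    return {sha1_unsalted(p): p for p in candidates}


def recover_with_table(table, stored_hash):
    """Returns the plaintext if the stored digest appears in the precomputed table."""
    return table.get(stored_hash)


def verify(password: str, salt: bytes, stored_hash: str) -> bool:
    """Constant-time comparison of a login attempt against a salted record."""
    return hmac.compare_digest(sha1_salted(password, salt), stored_hash)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Two constructed members who happen to share a password.
    unsalted_store = {"alice": sha1_unsalted("linkedin"), "bob": sha1_unsalted("linkedin")}
    salts = {"alice": os.urandom(16), "bob": os.urandom(16)}
    salted_store = {user: sha1_salted("linkedin", salt) for user, salt in salts.items()}
    return {
        # Unsalted: both records carry the same digest, and a single table
        # lookup recovers the password for every member who chose it.
        "unsalted_same_digest": unsalted_store["alice"] == unsalted_store["bob"],
        "unsalted_cracked": recover_with_table(table, unsalted_store["alice"]),
        # Salted: digests differ per member and the precomputed table finds
        # nothing; the work has to be redone for every salt.
        "salted_same_digest": salted_store["alice"] == salted_store["bob"],
        "salted_cracked": recover_with_table(table, salted_store["alice"]),
        "login_ok": verify("linkedin", salts["alice"], salted_store["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `pbkdf2_hashed` is that salting on its own only removes the shortcut of a shared table; per-record brute force against a fast hash such as SHA1 remains cheap, so a deliberately slow, salted key-derivation function is the combination to aim for.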

The case also latches on to reports that LinkedIn was hacked through an SQL injection attack, which uses weaknesses in a company’s website to get into its back-end systems.

“If true, LinkedIn’s failure to adequately protect its website against SQL injection attacks – in conjunction with improperly securing its users’ personally identifiable information – would demonstrate that the company employed a troubling lack of security measures,” the complaint said.
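The kind of website weakness that sentence refers to, as an added Python/SQLite example that is not from the complaint or from LinkedIn: a member lookup that splices the caller’s input into the query text, beside the parameterised form that hands the input to the database purely as data. The member table, the malformed input and the `looks_like_injection` heuristic are all constructed for the illustration.

```python
import sqlite3

# Constructed member table standing in for a site's back-end store.
SAMPLE_MEMBERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def find_member_vulnerable(conn, email: str):
    # BAD: the caller-supplied value becomes part of the SQL text, so quote
    # characters inside it change the structure of the statement.
    sql = "SELECT email FROM members WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]


def find_member_safe(conn, email: str):
    # GOOD: a bound parameter is sent as data; the statement structure is fixed
    # before the value is seen, whatever characters the value contains.
    sql = "SELECT email FROM members WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def looks_like_injection(value: str) -> bool:
    """Crude heuristic for log review or a WAF rule: a quote plus SQL syntax.
    Detection is a backstop for finding attempts, not a substitute for
    parameterisation, and it will misfire on some legitimate input."""
    lowered = value.lower()
    return "'" in value and any(k in lowered for k in (" or ", " union ", "--", ";"))


def demo():
    conn = make_db()
    honest = "alice@example.com"
    # Constructed malformed input: closes the string literal and appends a
    # condition that is always true, so the WHERE clause no longer filters.
    malformed = "x' OR '1'='1"
    return {
        "vulnerable_honest": find_member_vulnerable(conn, honest),
        "vulnerable_malformed": find_member_vulnerable(conn, malformed),
        "safe_honest": find_member_safe(conn, honest),
        "safe_malformed": find_member_safe(conn, malformed),
        "flagged": looks_like_injection(malformed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the honest address both lookups return one row; with the malformed value the string-built query returns every member, while the parameterised query simply finds no address equal to that literal string.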

Naturally, the class action suit is looking for attorney fees and damages for US members of LinkedIn. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/21/linkedin_class_action_suit_password_leak/

New body to supervise as your NHS file includes more and more stuff

The Department of Health is setting up a new organisation to oversee the scope of the clinical content in the NHS Summary Care Record (SCR). An SCR is an electronic patient record that sums up all of the data collected in the course of all an individual’s treatments by the NHS.

The new body will be known as the Summary Care Record Content and Advisory Board and is intended to consider proposals by the SCR programme board to change the scope of the SCR.

“At the first meeting it is expected the board will agree its precise terms of reference and the detailed process it will follow to arrive at its decisions,” a spokeswoman for the department said.

A launch date has not yet been decided, but the recruitment process for a person to chair the board is currently underway. Once the chair is appointed, people on patient representative groups and clinical professional bodies will be invited to join the board.

The decision to set up the new organisation was taken after a ministerial review into the SCR in October 2010. The review recommended that new arrangements should be introduced to take responsibility for the scope of the content of the SCR.

In addition, the review said that “as a principle, any change to the scope of the record must be driven by citizens and patients, with appropriate advice from the professions and tempered by the IT capability”.

More than 15 million patients already have an SCR and the department said it is working to increase SCR creation and viewing. Feedback suggests that clinicians and patients believe the SCR has an important role to play in improving patient care and safety in urgent and emergency care, it said.

“As further SCRs are created, clinicians in urgent and emergency care will gain confidence that the records will be available and be inclined to use them to support the delivery of care,” the spokeswoman said.

“We would like clinicians to be able to view a patient’s SCR, when it is appropriate for them to do so, so that the benefits to patient safety and care can continue to be realised, including more informed and appropriate prescribing, reduced medication errors, greater clinician confidence when caring for patients and improved support for patients who may have problems communicating.”

Victor Fraga, senior health analyst at Kable, said: “The SCR is just one small piece in the large care record jigsaw. Currently, the scope of the SCR is very limited, as it only holds data about allergies, blood type and major surgery.

“But this scope needs to be increased so that the SCR can make a real impact on improving patient care, data sharing and achieving efficiency savings.”

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/21/board_to_oversee_expansion_nhs_summary_care_record/

Windows 8 ‘harder for malware to exploit’, says security analysis

Microsoft’s upcoming operating system is a step forward in security, at least according to a security researcher who is among the first to take a detailed look at early releases of Windows 8.

Chris Valasek, a senior security research scientist at development testing firm Coverity, began examining the security features of Windows 8 last autumn, before the consumer previews of the upcoming revamp of the new Microsoft OS came out.

Windows 8 will come with a radically redesigned user interface, dubbed Metro, which was designed in part to give Windows the same feel across smartphones, desktops, laptops and tablets. Despite radical changes, it seems the innards of the operating system are much the same as those found in Windows 7. Valasek described the leap between Windows 7 and 8 as less than that between XP and Vista.

One major change between Windows 7 and 8 is the addition of more exploit-mitigation technologies, however. Windows Memory Managers (specifically the Windows Heap Manager and Windows Kernel Pool Allocator) are designed to make it far harder for attackers to exploit buffer-overflow vulnerabilities and the like to push malware onto vulnerable systems.

The technology is aimed at thwarting the abuse of software bugs rather than preventing or even minimising the occurrence of vulnerabilities in the first place. “There are always going to be vulnerabilities but you can make it difficult to leverage vulnerabilities to write exploits,” Valasek explained. “It’d be naive to think there’ll be no new vulns.”

Another big change comes with the app store that goes with Windows 8.

Applications for the next version of the operating system will feature more granular controls. Applications will be restricted to functions necessary to performing their declared function, unlike the current situation where installed applications are given free rein. Apps will have limited permissions to perform actions consistent with their declared intent. The restrictions, along with other factors, will reduce the scope for malware to do mischief, even if it does find its way onto a Windows 8 system.

“These new Windows 8 Apps will be contained by a much more restrictive security sandbox, which is a mechanism to prevent programs from performing certain actions,” Valasek explains. “This new App Container provides the operating system with a way to make more fine-grained decisions on what actions certain applications can perform, instead of relying on the more broad ‘Integrity Levels’ that debuted in Windows Vista/7.”

“Overall I’d far rather write exploits against Win 7 than Win 8,” Valasek explained.

Windows 8 also comes with a new version of Internet Explorer, Microsoft’s browser software. Internet Explorer 10 will come with a mode that disables support for third-party plug-ins such as Flash and Java. However, Valasek added that users will “probably be giving some things up” in this mode. Even outside this mode, plug-ins will be hooked to memory randomisation – another development that will make it more difficult for miscreants to develop exploits.

One of the most contentious security-related revamps in Windows 8 is a secure boot feature which open-source advocates have argued would lock out alternative operating systems. Valasek said assessing the pluses and minuses of this feature from a security perspective was outside the scope of his study. Open-source advocates have come up with possible workarounds, such as this one from Matthew Garrett, but the situation remains far from ideal for open-source fans.

Windows 8 remains a work in progress and further changes are more than likely before its eventual release. Valasek’s study is based in part on reverse engineering of Windows Heap Manager and analysis of executables using disassembler tools such as IDAPro.

Valasek is putting together a paper on Windows 8 security that he hopes to present at the Black Hat Briefings in Las Vegas in July. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/21/win8_security/

Consumer Affairs Victoria drops App Store malware claim

Consumer Affairs Victoria (CAV) has taken down a page on which it alleged Apple’s App Store contains “counterfeit or ‘cloned’ apps” that “look like real apps but don’t have the same kind of security as those made by established software programmers” and “can expose personal data to malware or predatory, virus-like software.”

The decision comes after The Register yesterday pointed out to CAV that the claim was rather hard to sustain, given Apple’s famously-stringent app-vetting process. We also asked Apple what it thought of the claim.

At 11:00 AM Thursday, Sydney time, CAV told The Reg the following:

“Consumer Affairs Victoria has been in contact with Apple to clarify content of the news alert. While this takes place the alert has been removed from the website.”

Apple had already disowned the content of the page.

“This is not something that has come from Apple,” Apple Australia PR person Fiona Martin told El Reg in a voicemail deposited on Wednesday morning. Martin suggested we ask Consumer Affairs Victoria (CAV) to explain itself, and we did.

CAV’s response, issued on Wednesday afternoon, offered a link to this New York Times article that details account fraud but makes no allegations about counterfeit or cloned apps. A CAV spokesperson did offer anodyne advice to this effect:

Consumer Affairs Victoria reminds consumers to always remain vigilant in the online environment and provides advice when concerns are raised in the public domain about potential consumer detriment.

Even when using trusted service providers, it is important that consumers take all reasonable steps to prevent being scammed.

But the agency did not provide any evidence for its claim the App Store contains data-sucking counterfeit apps and has since removed the page, which now produces a neat 404 error. If you want to view what was online yesterday, we’ve reproduced the relevant bits below, and if you doubt us there’s a full screen grab you can view here.

Consumer Affairs Victoria's app store counterfeit app claim

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/20/au_app_store_malware_claims/

Nigerian scams are hyper-efficient idiot finders

A Microsoft researcher, Cormac Herley, has penned a paper titled “Why do Nigerian Scammers Say They are from Nigeria?” (PDF), and concludes the whoppers the scam includes are actually a very efficient way of finding likely targets.

Herley’s analysis suggests the scam works because it quickly passes BS-detection thresholds in most readers, but those stupid enough to fall for the scam self-select by responding. Scammers end up with a list of hot prospects who have self-selected, leaving them with less work to cash in than would be required with a more plausible tale.

“An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre,” he writes. “It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times. It will be figured out by anyone savvy enough to use a search engine [and] won’t be pursued by anyone who consults sensible family or fiends [that’s Microsoft’s typo], or who reads any of the advice banks and money transfer agencies make available.”

“Those who remain are the scammers ideal targets,” the paper proclaims, as “A less outlandish wording that did not mention Nigeria would almost certainly gather more total responses and more viable responses, but would yield lower overall profit.”

There’s a serious side to all this, as the main thrust of Herley’s research is how false positives are used by folks with more evil intent than Nigerian scammers to design other forms of attack. He therefore suggests “thinking like an attacker does not end when a hole is found, but must continue (as an attacker would continue) in determining how the hole can be monetized.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/21/nigerian_scams_msft_research/

Bromium twists chip virty circuits to secure PCs and servers

Bromium, the security startup launched a year ago by the techies behind the open source Xen server virtualization hypervisor, is lifting the veil a bit on the software that it is cooking up, while at the same time announcing a big new bag of cash to pay for the ongoing development of what the company is calling a microvisor.

Ian Pratt and Simon Crosby, colleagues from Cambridge University who created (and somewhat begrudgingly commercialized) the Xen hypervisor, which Citrix Systems bought in September 2007 for $500m, are behind the stealthy startup. They tapped Gaurav Banga, who was previously CTO and senior vice president of engineering at computer BIOS maker Phoenix Technologies, to be their CEO.

Banga knows a thing or two about virtualization, having created the Unified Extensible Firmware Interface (UEFI) for modern system BIOSes and also HyperSpace, a baby Linux environment that Hewlett-Packard acquired for its PCs in June 2010.

Bromium came out of stealth mode last June, and at the time Crosby and Pratt didn’t say much about what they were up to, except that they would be using virtualization in some manner to secure PCs and servers in a different way and that they had secured $9.2m in Series A funding from Andreessen Horowitz, Ignition Partners, and Lightspeed Venture Partners.

The original plan was to have some sort of products in the field by the end of 2011, but that didn’t work out, and Crosby was absolutely unapologetic about it when talking to El Reg, considering the monumentally complex job of securing a PC from the outside world. Bromium’s investors don’t seem to mind that this might take a little time, and Highland Capital Partners is leading a $26.5m Series B round, with Intel Capital participating for the first time and Andreessen Horowitz and Ignition Partners kicking in some more dough, too.

The bar that Bromium has set for itself, as it turns out, is quite high, and hence the patience. Which is also reasonable given the daunting task that the company has: creating a completely new security paradigm for PCs without adding a new management console and without changing the user experience at all.

“You have to trust something, so we will start with the hardware,” says Crosby, who walked El Reg through the basic architecture of the Bromium security model and its microvisor approach.

The hardware is analogous to the emperor in what is known as the Byzantine general’s problem, which is how can you know who to trust in the army when you want to attack a city? Your army (by analogy a PC operating system and application stack) could be infiltrated with traitors (malware) who want to delay or thwart your plans, and if you are such a general (the operating system kernel in charge) you have to assume there are such traitors and still carry out your orders from the emperor – and without revealing your plans in full to anyone in the army.

The problem with a PC software stack is exactly the same as with a Roman army: there’s so much stuff to keep track of. In the case of a PC, there are approximately 100 million lines of code in the software stack, and by definition, that means there are always vulnerabilities and that you can never plug them all. That’s a big problem, and ironically, Bromium’s answer is this: Don’t try.

The Bromium microvisor: task-based virtualization

Rather, Bromium is creating a security methodology that invokes the principle of least privileges, which isolates all applications and operating system functions on a PC from each other and that never, ever lets a process see something that it doesn’t need to see.

For instance, when you load Facebook, what the instance of the Chrome browser can see of your disk drive is precisely one file: the cookie that Facebook installs, and not one bit or byte more. That cookie and the Facebook session are loaded up into a virtual container called a microVM, which is different from a hypervisor guest in that it is centered on a specific task, not on abstracting a whole virtual PC environment that an OS can run in.

Here’s another example: when you load an Excel spreadsheet, the only thing that Excel is allowed to see is that spreadsheet, and because a microVM security layer is wrapped around it, it simply is not allowed to reach into the TCP/IP stack and start sending packets out to heaven knows where on the internet. No program is allowed to start a session on your webcam if it has not been granted explicit permission to do so, and so on.

The Bromium microvisor is not a heavy-weight virtualization layer, but a lightweight one that is twisting features that Intel has woven into its recent Core and Xeon processors, such as VT and in the case of business-class PCs, vPro extensions to the Core chips and related chipsets, in a new way to secure tasks running on PCs instead of helping hypervisors run better and more efficiently.

The similar AMD-V and IOMMU extensions to the Fusion and Opteron processors that are analogous to VT and VT-d are also supported with the Bromium microvisor, so a PC based on either chip will be able to protect against outside threats. But to get the full protection, which will be able to thwart attempts to hack a PC from the machine’s actual keyboard, you need the Trusted Execution Environment (TXT) features etched into the vPro-enabled Core processors as well as in the latest two generations of Xeon processors.

Since Bromium is aiming its initial products at enterprises, not consumers, and not focusing yet on servers, supporting vPro-enabled PCs is a good place to start, says Crosby. “Supporting AMD processors as well as Intel chips is not hard,” explains Crosby. “But the guys who are all wound up about PC security are all on vPro machines already.”

A Bromium microvisor on a Windows-based PC can create and destroy hundreds of these microVMs in a second as tasks are started and finished, and it has an infinitesimally small effect on performance.

Nothing is ever perfectly secure, of course, and Bromium is not proclaiming that its microvisor is immune from attack. The microvisor has 10,000 lines of code and its hypercall API, while hardened, is absolutely not impenetrable.

“We can reduce the vulnerability surface from 10^8 to 10^4, and that works out to a factor of 10^4 increase in costs for the bad guys,” says Crosby. “The goal is to make it too expensive for the bad guy to attack you in the first place.”

The interaction of the OS, apps, and the Bromium microvisor and microVM

Because the microvisor has tight control over what tasks on a machine can access data, and what data in particular, it is also a means of preventing the loss or corruption of data on a PC. So if you click on something you shouldn’t have on the Internet and a piece of malware gets in, the clever Byzantine general (our kernel) rather than confronting the malware, can wrap the tasks that make up that malware in a microVM and let it pretend to overwrite Windows files.

Yup, it lies to them and puts those corrupted Windows files in a microVM, but the malware can’t know that. And when the malware is done writing on your panes of glass with spray paint, the microvisor deletes the files and the malware in the microVM and thus its attempted corruption are purged from the system.

You’ll notice that this approach to security works whether Windows is patched or not. Let’s hope this doesn’t make Microsoft complacent about security.

Bromium now has 40 employees, and Crosby says that they are doing “some very, very deep systems work.” The company is not talking products yet, but clearly the idea is to get PC OEMs on board with adding Bromium wares to the machines. “We’re in beta now, and we will GA when it is awesome,” says Crosby.

You can find out more about the Bromium architecture in this white paper (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/20/bromium_microvisor_security/

Consumer Affairs Victoria deletes App Store malware claim

Consumer Affairs Victoria (CAV) has deleted a page on which it alleged Apple’s App Store contains “counterfeit or ‘cloned’ apps” that “look like real apps but don’t have the same kind of security as those made by established software programmers” and “can expose personal data to malware or predatory, virus-like software.”

The Register yesterday pointed out to CAV that the claim was rather hard to sustain and asked Apple what it thought of the claim.

“This is not something that has come from Apple,” Apple Australia PR person Fiona Martin told El Reg in a voicemail, the arrival of which was rather celebrated as the fruity company generally fails to reply to this organ’s inquiries. We’re also left off invitation lists to events in the USA. Martin suggested we ask Consumer Affairs Victoria (CAV) to explain itself, and we did.

CAV’s response offered a link to this New York Times article http://www.nytimes.com/2012/03/16/technology/pressure-on-apple-builds-over-app-store-fraud.html?_r=2pagewantead=all that details account fraud but makes no allegations about counterfeit or cloned apps. A CAV spokesperson did offer anodyne advice to this effect:

Consumer Affairs Victoria reminds consumers to always remain vigilant in the online environment and provides advice when concerns are raised in the public domain about potential consumer detriment.

Even when using trusted service providers, it is important that consumers take all reasonable steps to prevent being scammed.

But the agency did not provide any evidence for its claim the App Store contains data-sucking counterfeit apps and has since removed the page, which now produces a neat 404 error. If you want to view what was online yesterday, we took a screen grab you can view here.

As soon as CAV tells us why they did so, we’ll let you know. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/20/au_app_store_malware_claims/