STE WILLIAMS

Student’s Linux daemon 0-day triggers InfoSec Institute outcry

Updated Controversy has accompanied the discovery by a student of a critical vulnerability in BackTrack, a flavour of Linux that’s a favourite among security pros.

The previously undiscovered (hence zero-day) privilege escalation bug in the network penetration-testing distro was discovered during an ethical hacking class organised by the InfoSec Institute.

Jack Koziol, security programme manager at the institute, explained that the bug in Backtrack 5 R2 (the latest version) allowed the student to overwrite settings to gain a root shell. The flaw – which was not remotely exploitable – stemmed from a bug in wicd (the Wireless Interface Connection Daemon).

BackTrack Linux is a favourite among the security community, particularly penetration testers. The distro is normally booted off a CD or a USB stick and the bug would only be a worry if firms ran a network of machines using Backtrack AND the flaw was remotely exploitable. Neither is the case.

Other Linux distributions share the vulnerable wireless network card manager component, including Debian (details here) and Arch. An advisory and an (official) patched version of wicd 1.7.2, which fixes the issue, can be found here.

The InfoSec Institute initially promoted the flaw as a “Backtrack 5 R2 priv escalation 0day” before revising its advisory to make it clear that the bug affected wicd (the Wireless Interface Connection Daemon), possibly in response to criticism from the BackTrack Linux community.

A commentary on the Infosec Institute advisory by the BackTrack Linux community, alongside a graphic depicting a bull taking a dump, is highly critical of the security training organisation’s handling of the bug:

Initially, the bug report confused us, as BackTrack 5 R2 by default has a single root user, with no open TCP or UDP ports – therefore a console escalation from root to root seemed frivolous. The title of the bug was even more confusing – calling it a “BackTrack 0day” misrepresents the bug, apparently in an attempt to make it seem bigger than it is.

As an organization that claims to be security professionals, the Infosec Institute should know better. They should know that an accurate vulnerability description is probably the most important aspect of a bug report. Without this basic rule in place, every single 3rd-party FTP overflow in Windows would be categorized as a “Windows 0day”, and every PHP web application vulnerability would be defined as an “Apache 0day”.

The controversial security flaw was discovered during fuzzing, which is a technique that lobs random or unexpected data at software to trigger vulnerabilities. While it’s unclear if it could be exploited remotely, it still needs fixing.

The security bug stems from a failure to sanitise user inputs, a deficiency that creates a mechanism to start a given executable or script with root-level privileges on systems running the daemon, provided the hacker has local hands-on access.

“This 0-day exploit for BackTrack 5 R2 was discovered by a student in the InfoSec Institute ethical hacking class, during an evening capture-the-flag exercise,” Koziol explained. “The student wishes to remain anonymous; he has contributed a python version of the 0-day, a patch that can be applied to wicd, as well as a writeup detailing the discovery and exploitation process.”

The cleverclogs who discovered the flaw enjoyed a breakfast of champions, Koziol explained.

“Usually the winner of the CTF exercise in the ethical hacking course gets a free InfoSec polo shirt, and the instructor buys him or her a beer. This guy was so excited he found the bug he stayed up all night making an exploit and patch and ended up having the beer for breakfast the day after while the rest of the class ate pancakes.” ®

Bootnote

This story was revised throughout to reflect the BackTrack community’s response to the InfoSec Institute’s initial advisory and the educational institute’s revision of its security bulletin.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/12/backtrack_linux_0day/

ICANN battled dot-word TLD registration leak bug for WEEKS

Red-faced ICANN has delayed its new generic top-level domains programme again as it struggles to deal with the fallout of a security bug that exposed confidential data about applicants.

The internet overseer also confirmed it was first warned of a data leak vulnerability in mid-March, weeks before it eventually pulled the plug on the new TLD registration website.

The organisation’s TLD Application System, which companies use to file applications, has been offline since last Thursday – shut down just 12 hours before the end of a three-month filing period – and an anticipated reopening today has been cancelled.

It now seems likely that it will be well into next week before ICANN finally closes its new gTLD application window, which has seen bids filed for new domain suffixes such as .london, .blog, .shop and very possibly .google and .youtube.

“We believe that we have fixed the glitch, and we are testing it to make sure,” ICANN chief operating officer Akram Atallah said in a statement in the early hours of this morning.

“We also want to inform all applicants, before we reopen, whether they have been affected by the glitch,” he said. “We are still gathering information so we can do that.”

The “glitch” was actually a vulnerability that allowed some applicants to see files that had been uploaded to TAS by other applicants. While the documents could not be opened, in many cases the filename would be enough to reveal the gTLD being applied for by a third party.

This is seen as highly confidential and sensitive information. The vast majority of new gTLD applicants are playing their cards close to their chests while the application window is still open as they fear competition that could force them into a potentially expensive auction.

Merely opening a TAS account costs $5,000; filing a dot-word TLD application costs an additional $180,000.

Some applicants have told El Reg that they uploaded files to TAS with names containing their desired gTLDs, and one, speaking on condition of anonymity, has confirmed that he saw the vulnerability and reported it to ICANN six days before TAS was shut down.

“I could infer the applicant and string based on the name of the file,” he told us.

Over the weekend, ICANN confirmed in a statement that it had uncovered reports about the bug from TAS users as early as 19 March. In each case, the organisation thought it was an isolated bug that it then fixed, which was clearly not the case.

The organisation had planned to reopen TAS today and close it on Friday, but it now seems that the system will be down for the rest of the week. ICANN said today it plans to provide an update no later than Friday about the new filing deadlines.

ICANN is still targeting 30 April for revealing the names of all 1,000-plus new gTLD applications, but that also seems increasingly unlikely. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/17/icann_tas_still_offline/

‘Not guilty’ plea in Utah cop site hacking case

An Ohio man pleaded not guilty today to charges that he hacked into a pair of police websites in Salt Lake City, Utah in January.

John Anthony Borell III, a 21-year-old from Ohio, made the plea at an arraignment hearing in Salt Lake City today, AP reports. He faces up to ten years inside and a $250,000 fine if found guilty on the charges.

He was arrested last month after the websites of the Utah Chiefs of Police Association and Salt Lake City Police Department were hacked back in January. Borell has been required to live in a halfway house in the run-up to his court appearance.

Borell was reportedly tracked down by the FBI via a Twitter address he allegedly used to claim responsibility for the attacks to local media. The FBI used subpoenas to obtain the messages.

The attack on the Salt Lake City Police Department site allegedly accessed details of citizens’ reports of crimes, including the personal data of informants.

The attacks on the Utah sites coincided with a wave of attacks by Anonymous and were, inevitably, attributed to the hacktivist group.

The Salt Lake City Police Department apparently spent $33,000 sorting out its website after the attack.

Today it took to Twitter to publicize the Borell case, immediately drawing flak from Anonymous non-reps AntiS3curityOPS for apparently declaring Borell guilty ahead of the actual trial.

[Image: Salt Lake City police tweet on the hack case. Caption: Salt Lake City cops are pretty sure they know who done it]

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/16/utah_cop_hacks/

Google-backed research fights review spam

University of Illinois at Chicago researchers are taking aim at fake reviews, which they say can seriously damage online businesses.

In particular, the Google-backed study is designed to seek out organized groups of comment fraudsters, and automate the process of identifying and shutting them down.

Fake reviewers can have devastating effects on a variety of Internet-dependent businesses, but with the emergence of user-reviewed social-style operations like Yelp and TripAdvisor, both positive (to promote a business) and negative (to damage a competitor) frauds are becoming endemic.

For the affected business, the researchers say, weeding out the fakes is expensive: while it’s not hard for a human to identify a fraud, the process is labour-intensive.

In their paper, authored by the university’s Bing Liu and Arjun Mukherjee, along with Google’s Natalie Glance, the researchers present an algorithm called GSRank which they hope can be deployed against review fraud.

The key to identifying groups working organized review fraud is their behavior, the paper states, with key fingerprints comprising:

* Time window – members of a group working together to promote or demote a product or service are likely to post reviews within a few days of each other;

* Deviation – naturally, since they’re hired to push a product’s ratings in a particular direction, an organized group will all post similar ratings. The degree to which the group’s reviews deviate from “genuine” reviews is a hint that someone’s trying to game the system;

* Content similarity – not only will a group give their target the same rating, they’ll also often copy content among themselves. In addition, individuals trying to eke out a living in the cents-per-review business of fraud will have stock phrases that they re-use in different reviews;

* Get in first – the researchers also note that fake reviews will be posted early in the life of a product or service. “Spammers usually review early to make the biggest impact” they write, because “when group members are among the very first people to review a product, they can totally hijack the sentiments”. That behavior can, however, also help identify the fakes;

* Group size – the size of the group, and its size relative to the number of genuine reviews, can both indicate the presence of spammers; and

* “Group support count” – as the researchers note, it’s unlikely that the same (say) 10 random individuals would repeatedly find themselves reviewing many different products; so to have the same group turning up across many different products also helps indicate spammers.

The researchers note that they can’t tell the difference between multiple individuals working together, or one “sockpuppet” user operating multiple user IDs. However, since their algorithm is looking at behavior rather than identity, that shouldn’t matter. ®
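The six fingerprints listed above, computed over a constructed set of reviews. This is an added example written for this page, not the researchers’ GSRank code: the feature formulas, the 28-day and three-product saturation thresholds, the equal-weight score and the brute-force candidate-group search are all my own simplifications of the behaviours the article describes. As the closing paragraph notes, the features look only at behaviour, so reviewer IDs s1–s3 are scored the same whether they are three people or one sockpuppet.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from statistics import mean


@dataclass(frozen=True)
class Review:
    reviewer: str
    product: str
    rating: int   # 1..5 stars
    day: int      # days since the product's first review
    text: str


# Constructed sample (not real data): s1-s3 behave like an organised group,
# g1-g4 are ordinary reviewers.
REVIEWS = [
    Review("s1", "P1", 5, 0, "great product works perfectly highly recommend"),
    Review("s2", "P1", 5, 1, "great product works perfectly highly recommend it"),
    Review("s3", "P1", 5, 2, "works perfectly great product highly recommend"),
    Review("g1", "P1", 2, 40, "broke after two weeks and support never replied"),
    Review("g2", "P1", 3, 55, "average build quality but does the job"),
    Review("s1", "P2", 5, 1, "excellent value fast shipping highly recommend"),
    Review("s2", "P2", 5, 1, "excellent value highly recommend fast shipping"),
    Review("s3", "P2", 5, 3, "fast shipping excellent value highly recommend"),
    Review("g3", "P2", 1, 30, "arrived damaged and the seller ignored my emails"),
    Review("g1", "P3", 4, 5, "solid phone case fits well"),
    Review("g4", "P3", 4, 12, "nice case good grip"),
]

TIME_TAU = 28     # days: windows or review ages beyond this score 0 (assumed)
SUPPORT_TAU = 3   # co-reviewed products at which group support saturates (assumed)


def _words(text):
    return set(text.lower().split())


def _jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def find_candidate_groups(reviews, min_size=2, max_size=4, min_products=2):
    """Reviewer sets that co-review at least min_products products.
    Brute force over combinations; fine for a toy data set."""
    products = defaultdict(set)
    for r in reviews:
        products[r.reviewer].add(r.product)
    found = {}
    for k in range(min_size, max_size + 1):
        for combo in combinations(sorted(products), k):
            common = set.intersection(*(products[u] for u in combo))
            if len(common) >= min_products:
                found[frozenset(combo)] = common
    # Keep only maximal groups so {s1,s2} is not reported beside {s1,s2,s3}.
    return {g: p for g, p in found.items() if not any(g < o for o in found)}


def group_features(group, products, reviews):
    """One 0..1 score per fingerprint, higher = more group-spam-like."""
    by_product = defaultdict(list)
    for r in reviews:
        if r.product in products:
            by_product[r.product].append(r)
    windows, deviations, similarities, earliness, sizes = [], [], [], [], []
    for rs in by_product.values():
        inside = [r for r in rs if r.reviewer in group]
        outside = [r for r in rs if r.reviewer not in group]
        days = [r.day for r in inside]
        # Time window: group posts clustered within a few days of each other.
        windows.append(max(0.0, 1 - (max(days) - min(days)) / TIME_TAU))
        # Deviation: gap between the group's mean rating and everyone else's.
        deviations.append(abs(mean(r.rating for r in inside)
                              - mean(r.rating for r in outside)) / 4
                          if outside else 0.0)
        # Content similarity: mean pairwise Jaccard over the group's texts.
        pairs = [_jaccard(_words(a.text), _words(b.text))
                 for a, b in combinations(inside, 2)]
        similarities.append(mean(pairs) if pairs else 0.0)
        # Get in first: how early in the product's life each review landed.
        earliness.extend(max(0.0, 1 - r.day / TIME_TAU) for r in inside)
        # Group size relative to all reviews of the product.
        sizes.append(len(inside) / len(rs))
    return {
        "time_window": mean(windows),
        "rating_deviation": mean(deviations),
        "content_similarity": mean(similarities),
        "early_posting": mean(earliness),
        "group_size_ratio": mean(sizes),
        # Group support count: number of products the same group turned up on.
        "group_support": min(len(products) / SUPPORT_TAU, 1.0),
    }


def spam_score(features):
    return mean(features.values())   # equal weights, an assumption of this example


def rank_groups(reviews):
    groups = find_candidate_groups(reviews)
    scored = [(spam_score(group_features(g, p, reviews)), g) for g, p in groups.items()]
    return sorted(scored, key=lambda t: t[0], reverse=True)


if __name__ == "__main__":
    for score, group in rank_groups(REVIEWS):
        print(f"{score:.3f}", sorted(group))
```

On the constructed data only {s1, s2, s3} survives the candidate step, and it scores about 0.83 because every fingerprint fires at once; a lone early five-star review from a genuine enthusiast would trip only the early-posting feature, which is the point of combining them.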

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/17/seeing_through_sockpuppets/

MI5 stinks up website with dead SSL certificate

Blighty’s intelligence agency MI5 forgot to replace the expired digital certificate for its website over the weekend.

The schoolboy error meant anybody trying to securely access the Security Service’s site – perhaps to report a suspected terrorist activity – would have been warned by their browser that the connection was untrusted. Communications would still have been encrypted if surfers chose to proceed regardless of the alert.

The digital paperwork expired on Sunday, 16 April, and a new one was installed on Monday morning. The replacement certificate was issued on 25 March and expires on 27 March 2018, so the problem was sparked by a failure to install the new cert rather than late payment for a renewal. Both the old and new credentials were issued by VeriSign.

Spook-watching Spyblog points out that the glitch was particularly embarrassing for MI5 because its www.mi5.gov.uk web server is configured to be accessible only over a secure connection.

“Since the MI5 website redirects to an SSL/TLS HTTPS-only version, they have effectively created a Denial of Service attack on themselves,” Spyblog notes.

“‘This connection is untrusted’ web browser warnings do not give the impression of professional competence and respect for internet confidentiality, which potential users of their SSL/TLS encrypted ‘Reporting suspected threats’ web form should expect, and upon which their lives and the lives of potential British targets may depend.” ®
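The failure here was operational rather than cryptographic: a replacement certificate had been issued weeks earlier but was never installed. The check below, an added example that is not MI5’s or VeriSign’s tooling, shows what a monitor for that condition looks like: it classifies a certificate by days to expiry, confirms that a replacement’s validity period actually overlaps the old one so swapping it in leaves no untrusted window, and includes a live fetch that treats a failed handshake as the alert. The certificate dicts, host name and dates are constructed for the example (they echo the story’s timeline but are not the real certificate data), and the 30-day warning threshold is an assumption.

```python
import math
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert()
# returns. Dates are illustrative, not the real MI5 certificate data.
OLD_CERT = {
    "subject": ((("commonName", "www.example.gov.uk"),),),
    "notBefore": "Apr 15 00:00:00 2009 GMT",
    "notAfter": "Apr 15 23:59:59 2012 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "www.example.gov.uk"),),),
    "notBefore": "Mar 25 00:00:00 2012 GMT",
    "notAfter": "Mar 27 23:59:59 2018 GMT",
}
# Fixed "current time" so the offline checks are reproducible.
SAMPLE_NOW = datetime(2012, 4, 16, 9, 0, tzinfo=timezone.utc)


def _epoch(cert_time):
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" strings
    # found in getpeercert() output into seconds since the epoch.
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(cert, now):
    """Whole days until notAfter; negative once the certificate has lapsed."""
    return math.floor((_epoch(cert["notAfter"]) - now.timestamp()) / 86400)


def expiry_status(cert, now, warn_days=30):
    """'expired', 'expiring' (inside the warning window) or 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def renewal_covers_gap(old, new, now):
    """True when the replacement is already valid now and its validity
    started no later than the old certificate lapses, so installing it
    produces no window in which browsers see an untrusted connection."""
    new_start = _epoch(new["notBefore"])
    return new_start <= now.timestamp() and new_start <= _epoch(old["notAfter"])


def live_cert_status(host, port=443, warn_days=30, timeout=5.0):
    """Fetch the certificate a server presents and classify it. A failed
    handshake (which an expired certificate causes) is itself the alert;
    verification is deliberately left on so the monitor sees what users see."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", str(exc)
    except OSError as exc:
        return "unreachable", str(exc)
    now = datetime.now(timezone.utc)
    return expiry_status(cert, now, warn_days), days_until_expiry(cert, now)


if __name__ == "__main__":
    print("old:", expiry_status(OLD_CERT, SAMPLE_NOW), days_until_expiry(OLD_CERT, SAMPLE_NOW))
    print("new:", expiry_status(NEW_CERT, SAMPLE_NOW), days_until_expiry(NEW_CERT, SAMPLE_NOW))
    print("replacement covers gap:", renewal_covers_gap(OLD_CERT, NEW_CERT, SAMPLE_NOW))
```

Run against the sample data, the old certificate reports `expired` with -1 days while the replacement reports `ok` with over two thousand days left and `renewal_covers_gap` returns True; that combination (a valid successor exists, the served one has lapsed) is exactly the “forgot to install it” case and is the alert worth paging on. For an HTTPS-only site such as the one described, `live_cert_status` returning `untrusted` means every visitor is being turned away.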

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/16/mi5_digi_cert_snafu/

Hacker jailed for 32 months for attack on abortion-provider site

A self-identified member of Anonymous was jailed for two years and eight months on Friday over a hacking attack against Britain’s biggest abortion provider in March.

James Jeffery, 27, from Wednesbury, West Midlands, swiped around 10,000 records of women who had registered with the British Pregnancy Advisory Service (BPAS) in an attack that also involved the defacement of the service’s website with the Anonymous logo.

The court heard that Jeffery had used a Twitter account under the handle of infamous Colombian drug lord ‘Pablo Escobar’ to brag about the assault and publish the name and log-on details of a BPAS administrator. He also threatened to release the personal data of people who had sought pregnancy counselling or other sexual health advice through the service – but he failed to follow through on this threat.

In a statement at the time, BPAS stressed that no medical or personal information regarding women who received treatment at the service had been obtained during the attack.

Jeffery was arrested days after the attack and subsequently admitted to offences which included gaining unauthorised access to data held on the BPAS systems as well as other computer hacking crimes. He was jailed at a hearing at Southwark Crown Court on Friday. During the hearing, the court heard that Jeffery had been in contact with Hector Xavier “Sabu” Monsegur, the alleged LulzSec kingpin turned FBI supergrass, for almost a year.

The former software engineer had targeted the BPAS because he “disagreed” with the decisions of two women he knew to terminate their pregnancies, The Guardian reports.

During sentencing, Judge Michael Gledhill QC said:

Those who find abortion repugnant do not use it as an excuse to justify deliberately committing offences. Your skills are so good that you decided to hack into their [BPAS’s] website and you succeeded.

You stole the records of approximately 10,000 women. Many of them were vulnerable women, vulnerable simply because they had had a termination or because of their youth or because their family did not know about their situation.

You were proud about what you had done – you boasted about it on Twitter.

The sentence that I impose is both to punish you for what you have done and to send out a clear message of deterrence to anyone tempted to commit similar hacking offences.

Commenting after the sentencing of Jeffery on Friday, BPAS chief executive Ann Furedi said: “This was one of the most extreme examples of anti-abortion activity we have seen. We are grateful to the police for the swift action they took to apprehend Mr Jeffery and are glad the matter is now resolved.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/16/anon_jailed_over_abortion_site_hack/

Android Trojan distracts Japanese with anime and porn

Security experts are warning of yet more malicious applications found on Google’s official online apps market Play, this time designed to steal personal data in the background while promising to show trailers for Japanese anime, video games and porn.

McAfee malware researcher Carlos Castillo explained in a blog post that the new Android Trojan had been discovered in 15 applications on Google Play so far and downloaded by at least 70,000 users.

The malware, specifically designed to target Japanese users, is hidden in apps which show internet-based video trailers.

On installation, the malicious apps request that the user grant them permission to read contact data and to read phone state and identity.

If granted by the user, this will enable them to pilfer Android ID, phone number and the victim’s entire contacts list including names, email addresses and phone numbers.

It will then attempt to send the data in clear text to a remote server and, if successful, will request a video from that same server to display, said Castillo.

“Due to the privacy risk that these applications represent to Android customers, all of them have been removed from the market,” he cautioned.

“McAfee Mobile Security detects these threats as Android/DougaLeaker.A. Users should verify in the Google Play market prior to installation that the application does not request permission to perform actions not related to its purpose.”
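Castillo’s advice, turned into a check a reviewer or app-vetting pipeline can run before an install: compare the permissions an app’s manifest requests against what its stated purpose needs and flag the rest, calling out those that reach personal data or device identifiers. This is an added example, not McAfee’s or Google’s code; the manifest, package name and “video player” permission policy are constructed, while the permission names are the standard Android ones (READ_CONTACTS and READ_PHONE_STATE are the ones the article’s “read contact data” and “read phone state and identity” prompts correspond to).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical trailer-player app; not a real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.trailers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Anime Trailers"/>
</manifest>
"""

# Permissions a given kind of app plausibly needs (constructed policy; a
# real vetting pipeline would maintain one per store category).
EXPECTED = {
    "video_player": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.WAKE_LOCK",
    },
}

# Permissions that expose personal data or identifiers, with what they leak.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list: names, email addresses, phone numbers",
    "android.permission.READ_PHONE_STATE": "phone state and identity: phone number, device IDs",
    "android.permission.READ_SMS": "message contents",
    "android.permission.SEND_SMS": "outgoing SMS, a premium-rate fraud vector",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}


def requested_permissions(manifest_xml):
    """Set of permission names declared in <uses-permission> elements.
    The android: prefix is a namespace, so ElementTree needs Clark notation."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def audit_permissions(manifest_xml, purpose):
    """(permission, explanation) for each request outside the purpose's
    expected set, sensitive ones described by what they expose."""
    unexpected = requested_permissions(manifest_xml) - EXPECTED[purpose]
    return [(perm, SENSITIVE.get(perm, "not needed for this purpose"))
            for perm in sorted(unexpected)]


def is_suspicious(manifest_xml, purpose):
    """True when an unexpected permission also reaches personal data."""
    return any(perm in SENSITIVE for perm, _ in audit_permissions(manifest_xml, purpose))


if __name__ == "__main__":
    for perm, why in audit_permissions(SAMPLE_MANIFEST, "video_player"):
        print(f"{perm}: {why}")
    print("suspicious:", is_suspicious(SAMPLE_MANIFEST, "video_player"))
```

The sample flags both data-access permissions and nothing else: INTERNET is expected for an app that streams trailers, which is also why the exfiltration in the story could hide behind a legitimate-looking request. The same logic applies to the permission list shown on a store page; the manifest is simply the machine-readable form of it.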

Google’s relatively open Android ecosystem has led to a huge surge in malware hidden in legitimate looking applications.

Apart from data-sucking Trojans, cyber criminals have looked to distribute apps containing premium dialler malware, SMS fraud Trojans and malware designed to turn a user’s handset into a bot.

Worryingly, two-thirds of Android anti-malware scanners are not up to the task, according to recent research from AV-Test.

The firm said that there are more than 11,000 strains of malware in the wild targeted at the platform – a figure growing at some pace. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/16/japan_anime_adult_malware_android/

AssangeTM TV broadcasts this week

The spotlight on Julian Assange is on high beam, this time masterminded by his own content production efforts.

Assange warned us in January that he would be launching his own pirate TV talk show.

This Tuesday (April 17) the hotly anticipated production will go live, branded The World Of Tomorrow.

To whet our appetite, the Wikileaks founder has promised that the first 26-minute episode will feature “a notorious guest”.

Assange said that his decision to do the show was driven by being under house arrest for so long. “It’s nice to have an occasional visitor and to learn more about the world. And given that the conversations we were having are quite interesting, why not film them and show other people what was going on.”

Assange says his guests will be “iconoclasts, visionaries and power insiders” and that his unnamed show is already licensed to broadcasters commanding more than 600 million viewers.

The show will be broadcast with RT, Russia’s state-funded multilingual network. It is understood that 12 episodes have been completed and will air on RT, as well as online and on “other networks”.

“Through this series I will explore the possibilities for our future in conversations with those who are shaping it. Are we heading towards utopia or dystopia and how we can set our paths? This is an exciting opportunity to discuss the vision of my guests in a new style of show that examines their philosophies and struggles in a deeper and clearer way than has been done before,” he said.

Assange is still creatively languishing under UK house arrest awaiting a decision on possible extradition to Sweden over trumped up allegations of sexual assault.

Showing that he has not lost touch with contemporary culture, the music for the show has been composed by Sri Lankan rapette, M.I.A.

Apparently M.I.A. has been hanging with Assange in London, visiting him in his exiled state.

In 2010 she released a mixtape called “Vicki Leekx” and has been vociferous in her Assange support.

As noted last week, production has started in Australia for a docu-drama called Underground, covering Assange’s early hacking life.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/15/assange_storms_your_tv/