STE WILLIAMS

Microsoft SharePoint exposes privates in sniffing hack

Sensitive information held in content management system Microsoft SharePoint is vulnerable to mining as the result of a newly discovered attack, security researchers warn.

So-called frame-sniffing attacks involve the use of a hidden HTML frame to load a target website inside the attacker’s malicious webpage. Using the tactic, attackers would be able to read information about the content and structure of the framed pages.

Context Information Security said the hack relies on tricking a content management system user into browsing a webpage controlled by an attacker, possibly in response to a spam email. If the user leaves the tab open then the attacker can use frame-sniffing to run searches on SharePoint just like an internal user.

The security consultancy warns that the approach bypasses the browser security restrictions that are meant to prevent a webpage from directly reading the contents of third-party sites loaded in frames. Guarding against the attack involves setting the X-Frame-Options header on the server, so that browsers refuse to render the site inside a frame. However, this header is not sent by default on current versions of Microsoft SharePoint.

“Using frame-sniffing it’s possible for a malicious webpage to run search queries for potentially sensitive terms on a SharePoint server and determine how many results are found for each query,” explained Paul Stone, senior security consultant at Context. “For example, with a given company name it is possible to establish who their customers or partners are; and once this information has been found, the attacker can go on to perform increasingly complex searches and uncover valuable commercial information.”

Context researchers tested SharePoint 2007 and 2010 installations. They discovered that by default, neither version of the enterprise server software sends the X-Frame-Options header that instructs web browsers to disallow framing. As a result, firms that rely on either flavour of the enterprise content management system are vulnerable to both frame-sniffing and click-jacking. Attacks are possible if the URL of a SharePoint installation is known, even if it is only accessible on an intranet.
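The mitigation described above amounts to a single response header, so an administrator can verify it from any captured response. The following checker is an added example, not code from The Register or from Context; it evaluates the X-Frame-Options header the article discusses and, going beyond the article, the later Content-Security-Policy frame-ancestors directive, which browsers treat as authoritative when both are present. The sample responses are constructed, not captured from a real SharePoint server.

```python
"""Decide whether an HTTP response forbids framing (frame-sniffing/click-jacking).

Added example, not part of the original article. Assumptions: raw HTTP/1.1
response text with CRLF line endings; only the header block is inspected.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FramingVerdict:
    protected: bool
    reason: str


def parse_raw_headers(raw: str) -> dict[str, list[str]]:
    """Map lower-cased header names to every value seen. Repeated headers are
    kept, because a duplicated X-Frame-Options is itself a misconfiguration."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_verdict(headers: dict[str, list[str]]) -> FramingVerdict:
    # A CSP frame-ancestors directive takes precedence over X-Frame-Options.
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            name, _, sources = directive.strip().partition(" ")
            if name.lower() != "frame-ancestors":
                continue
            allowed = sources.strip() or "'none'"  # empty source list means 'none'
            if "*" in allowed.split():
                return FramingVerdict(False, "frame-ancestors allows any origin to frame the page")
            return FramingVerdict(True, "frame-ancestors restricts framing to " + allowed)

    values = [v.strip().lower()
              for h in headers.get("x-frame-options", []) for v in h.split(",")]
    unique = set(values)
    if not unique:
        return FramingVerdict(False, "no X-Frame-Options or frame-ancestors header; page can be framed")
    if len(unique) > 1:
        # Browsers do not agree on conflicting values; report it as a fix-needed finding.
        return FramingVerdict(False, "conflicting X-Frame-Options values " + ", ".join(sorted(unique)))
    value = unique.pop()
    if value in ("deny", "sameorigin"):
        return FramingVerdict(True, "X-Frame-Options: " + value.upper())
    if value.startswith("allow-from"):
        return FramingVerdict(False, "ALLOW-FROM is ignored by most browsers; use DENY, SAMEORIGIN or frame-ancestors")
    return FramingVerdict(False, "unrecognised X-Frame-Options value " + repr(value) + "; browsers ignore it")


def check(raw_response: str) -> FramingVerdict:
    return framing_verdict(parse_raw_headers(raw_response))


# Constructed samples: a default-style response with no anti-framing header, and a fixed one.
SAMPLE_NO_HEADER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                    "X-Powered-By: ASP.NET\r\n\r\n<html>constructed body</html>")
SAMPLE_DENY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("default", SAMPLE_NO_HEADER), ("hardened", SAMPLE_DENY)):
        v = check(raw)
        print(f"{label}: {'protected' if v.protected else 'EXPOSED'} ({v.reason})")
```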

After reviewing the vulnerability, Microsoft said it planned to set the X-Frame-Options header in the next version of its content management software:

We have concluded our investigation and determined that this is by-design in current versions of SharePoint. We are working to set the X-Frame-Options in the next version of SharePoint.

Frame-sniffing can also be used to harvest confidential data from public websites, such as LinkedIn, that fail to protect against framing, according to security researchers at Context:

An attacker using a malicious website could build a profile of visiting users by piecing together small pieces of information leaked from different websites. For example, the product IDs of previously bought items from a shopping site could be combined with a person’s user ID from a social networking site.

LinkedIn said it was investigating the issue. We’ll update this story as and when we hear more.

A blog post by Context explains the frame-sniffing attack in greater depth and outlines the defence: adding the X-Frame-Options header. The post features a video that shows an attacker extracting sensitive information from a fictional corporate SharePoint installation.

On casual glance the attack might resemble a cross-site scripting flaw of the type that allows content under the control of hackers to be displayed in the context of a vulnerable website.

Not so.

“It’s not a cross-site scripting attack, as no code is injected into the site (and it’s not an input validation flaw, like XSS or SQL injection),” Stone told El Reg. “It’s an information leak that allows certain bits of data to be read. Sites are ‘vulnerable by default’ in that they don’t have to do anything special in order for this attack to work – if they don’t protect against click-jacking then they’re also vulnerable to frame-sniffing.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/16/framesniffing/

Microsoft accused of leaking RDP attack code

The newly-found attack code that exploits critical flaws in Microsoft’s RDP (Remote Desktop Protocol) system appears to have been leaked by Microsoft or one of its partners, says the researcher who originally discovered it.

Luigi Auriemma, an Italian security researcher who originally reported the flaw to Microsoft, has examined the attack code and says parts of it are the same as the sample that he sent in for analysis, and contains code that he wrote to show the proof of concept. He said additional information he has received makes it likely the code was leaked from the Microsoft Active Protections Program (MAPP).

“If the author of the leak is a Microsoft employee… bad for him,” he writes. “If the author of the leak is one of the MAPP partners… it’s the epic fail of the whole system, what do you expect if you give the proof of concept to your ‘super trusted’ partners?”

The MAPP system was set up by Microsoft to share vulnerability information with trusted partners in the software industry, primarily in the security field. It is one of a number of initiatives Microsoft has launched to improve its customers’ defensive posture against attacks, but it appears that leaky partners may have had the opposite effect.

“Microsoft is actively investigating the disclosure of shared MAPP vulnerability details and will take the necessary actions to protect customers,” Yunsun Wee, director of Microsoft’s Trustworthy Computing Group, told El Reg in an emailed statement. “Given that a proof-of-concept code is publicly available, we recommend customers apply the security update as soon as possible to be protected.”

In a blog post, Wee confirmed that the attack code found in the wild does appear to be the same as that submitted by Auriemma, and said that Microsoft was taking steps to “ensure that confidential information we share is protected pursuant to our contracts,” – or to put it another way, server logs are now being pored through to find the culprit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/16/microsoft_rdp_flaw_release/

PoC code uses super-critical Windows bug to crash PCs

Security watchers have discovered proof-of-concept code that attempts to exploit a high-risk Windows security hole, causing computers to crash.

The exploit attacks an RDP (Remote Desktop Protocol) flaw patched by Microsoft on Tuesday. Redmond’s security staffers warned at the time that the critical update (MS12-020) addressed the type of bug hackers were likely to latch onto, and that exploits were likely to follow within 30 days.

The discovery of proof-of-concept code on a Chinese website less than 72 hours later came as no great surprise. Security firms warned that worse is likely to follow. The vulnerability might easily be exploited to create a worm that spreads automatically between vulnerable computers.

“The hackers worked quickly on this particular vulnerability and we’ve already seen attempts to exploit the flaw which exists in a part of Windows called the Remote Desktop Protocol (RDP),” said Graham Cluley, senior technology consultant at Sophos. “Affected Windows computers will ‘blue screen’, but I wouldn’t be surprised if whoever is writing this code tries to develop the attack further to produce a fast spreading internet worm.”

In related news, a supposed Python script for a worm that exploits the RDP flaw has appeared online. Sophos says the claim is a hoax and no such worm exists, at least for now.

“It references a Python module that doesn’t exist (FreeRDP), and claims to be written by [email protected], an obvious reference to the high profile Anonymous hacker who was recently revealed to have been secretly working for the FBI for months,” Cluley explains.

RDP is disabled by default on Windows, but it is often activated in corporate environments. The utility of the service means it is commonly allowed through firewalls. In addition, no authentication would be needed to attack many vulnerable hosts. These factors explain the unusually high profile of the warnings issued about the bug.

Enterprises are advised to apply patches quickly where possible, or at a minimum to enable Microsoft’s suggested exploit mitigations. The defensive measure involves activating Remote Desktop’s Network Level Authentication (NLA), which requires the user to authenticate before a remote desktop session is established and the vulnerable code is reached, as explained by Microsoft here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/16/rdp_worm/

SourceForge pulls off fake, ‘Trojan-wrapped’ Anonymous OS tool

Prominent members of Anonymous have said that an open-source distro bearing the hacktivist group’s moniker is nothing to do with them and is likely to be riddled with Trojans.

Anonymous OS Live – supposedly an Ubuntu-based OS, which advertises itself as being pre-loaded with various hacking tools and utilities (Tor, John the Ripper, SQL Poison etc) – appeared on SourceForge at the start of the week. The 1.5GB package achieved 37,000 downloads before SourceForge pulled the plug on Thursday afternoon, citing its “intentionally misleading name” and security concerns.

The person who uploaded the alpha software said that “Anonymous-OS Live is an Ubuntu-based distribution and created for educational purposes, to checking [sic] the security of web pages”.

However, accounts such as AnonOps described the distribution as a fake that is indeed pre-loaded, but with viruses and Trojans rather than hacking tools.

“The Anon OS is fake it is wrapped in trojans. RT,” a tweet by AnonOps warns.

YourAnonNews repeats the warning, likening the latest incident to the appearance of the Zeus banking Trojan on a back-doored version of the Slowloris hacking tool released earlier this month.

“#Protip – Don’t use Anonymous OS, we don’t know anything about it and can’t vouch for it,” YourAnonNews concludes.

Rik Ferguson, a researcher at Trend Micro, told the BBC that the software was “a functional OS with a bunch of pre-installed tools that can be used for things like looking for [database] vulnerabilities or password cracking”.

Versions of the Linux distro that have security tools already installed – such as Back Track – already exist, he added.

More security commentary on the appearance of the distro can be found on Sophos’s Naked Security blog here.

Analysis to determine whether there actually are any viruses or Trojans buried in the code is yet to take place. Reviews of the software note that it contains an unmodified version of Low Orbit Ion Cannon (LOIC), a DDoS tool linked to several arrests of Anonymous supporters, because the unmodified tool makes no attempt to hide the user’s IP address. “I don’t know how much more booby-trapped a tool can get than pointing authorities right back at your IP address, as LOIC does [if it is not] modified,” writes Ars Technica, which describes the distro as “lame”.

A statement by SourceForge explains its thinking on initially allowing the project to go ahead before its decision to pull the plug on downloads as security concerns increased.

We looked at the project, and decided that although the name of the project was misleading (we see no evidence that it is connected with Anonymous) it appeared, on initial glance, to be a security-related operating system, with, perhaps, an attack-oriented emphasis. We have, in the past, taken a consistent stance on “controversial” projects – that is, we don’t pass judgement based on what’s possible with a product, but rather consider it to be amoral – neither good nor bad – until someone chooses to take action with it.

However, as the day progressed, various security experts have had a chance to take a look at what’s really in this distribution, and verify that it is indeed a security risk, and not merely a distribution of security-related utilities, as the project page implies.

SourceForge said the lack of transparency from the project’s creators meant that people are “taking a substantial risk in downloading and installing this distribution”. The software distribution site therefore made a decision to move Anonymous OS Live offline and “suspend this project until we have more information that might lead us to think differently”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/16/anon_os_trojan_fears/

Rutgers student guilty, faces 10 years for webcam spying

Rutgers student Dharun Ravi is facing a possible ten years in prison after he used his webcam to spy on a gay roommate and broadcast the resulting video.

In 2010, Ravi’s 18-year-old roommate, Tyler Clementi, was filmed with an unidentified partner by Ravi and a friend, who then showed the footage around their campus and announced that more footage would be coming. Clementi, who had only just come out to his parents, killed himself shortly afterwards by jumping from the George Washington Bridge, leaving a suicide note on Facebook reading “Jumping off the gw bridge, sorry.”

Ravi was charged with 15 indictments, including invasion of privacy, bias intimidation, tampering with evidence and a witness, and hindering apprehension. The jury took two days to consider its verdict, and found him guilty of bias intimidation (considered a hate crime), and of tampering with evidence – Ravi had attempted to delete evidence of his activities after Clementi committed suicide.

“These acts were purposeful, they were intentional, and they were planned,” prosecutor Julia McClure told the jury on the first day of the trial, CNN reports. She claimed that Ravi “was bothered by Tyler Clementi’s sexual orientation.”

Ravi’s lawyers argued that it was a simple prank gone horribly wrong, and that Ravi had simply been immature. “He hasn’t lived long enough to have any experience with homosexuality or gays,” his attorney Steven Altman said in closing arguments. “He doesn’t know anything about it. He just graduated high school.”

While the case sparked a national debate on the problems of gay bullying, it also highlighted the fact that cyberbullying is relatively easy to prove in a legal context. Twitter feeds, computer hard drives, and text messages were all used to define exactly what happened, to the extent that both sides did not dispute the events themselves – just the motivations behind them.

The court did allow Ravi to appeal, and he is now free on $25,000 bail. He faces ten years in prison and deportation to his native India, after turning down a plea deal that would have seen him do 600 hours of community service and receive counseling. Fellow student Molly Wei, who also participated, took a deal to testify against her friend in exchange for 300 hours of community service and undergoing a course on cyber bullying. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/16/rutgers_webcam_spying_guilty/

Hackers hit 112 Indian gov sites in three months

There was embarrassing news for the Indian government this week as one of its ministers was forced to admit that over 100 of its web sites had been hacked in just three months at the beginning of the year, including that of a state-owned telecoms company.

Minister for communications and IT, Sachin Pilot, revealed in a written reply in parliament that a total of 112 sites had been compromised from December 2011 to February 2012, Indian news service IANS reported.

Many of the sites hacked appeared to be those of government agencies in various regions of the sprawling country including Madhya Pradesh, Rajasthan and Kerala, the report continued.

Also singled out was state-run telco Bharat Sanchar Nigam Limited (BSNL), which was hacked and defaced in December allegedly by hackers belonging to the ‘H4tr!ck’ group.

BSNL in particular came under attack from Pakistani hackers several times last year, most notably from a group calling themselves the Pakistan Cyber Army, and many of the hacks of government sites mentioned by Pilot could be blamed on mischief makers from India’s fierce rival across the border.

According to the Indian Computer Emergency Response Team, there were 834 defacements of .in web sites in India during January this year, with the figure rising to 1,425 for all sites.

The authorities certainly don’t seem to be getting any better at deflecting such attacks given that around the same number of government sites – 117 – were attacked in the entire first half of 2011, according to an official release.

This would seem to indicate that basic security measures are still not being taken at the back end to bolster defences against common attack methods, including cross-site scripting and SQL injection.

It’s not just the public sector that has been found wanting though, with Microsoft India’s online store still offline after being targeted by alleged Chinese hackers.

Despite reassuring customers that their data was safe, Microsoft was later forced to admit that actually the hackers may well have nabbed credit card details from what is thought to have been an unencrypted database. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/16/indian_government_sites_hacked/

Australia lacks cash for cybercrime study

The Australian Institute of Criminology (AIC) does not have the resources to repeat its 2009 Australian Business Assessment of Computer User Security (ABACUS) study into the prevalence of cybercrime in Australia.

An AIC spokesperson told The Register that the cost and complexity involved in an ABACUS study is not something the Institute can currently contemplate, and added “It’s certainly important to keep track of the trends in this area, although nationally representative prevalence surveys of cybercrime are rarely undertaken.”

“The AIC will, if resources are available, look to undertake similar surveys to our ABACUS project that was one of the few large-scale business victimisation surveys in this area.”

The AIC’s 2011 Australian crime: Facts & figures report therefore uses previously published data from AusCERT and the Australian Competition and Consumer Commission (ACCC). Both sources collected data for 2010 studies. That leaves the cybercrime section of the AIC’s 2011 report reliant on aged data from a year other than the one defined as the document’s reporting period.

We don’t think anyone needs advanced epistemological training to deduce that the report may therefore be a little light-on. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/16/aic_cybercrime_study/

iPhone/PS3 hacker Hotz arrested in pot bust

George Hotz, aka geohot, has been arrested by Texas police on drugs charges while on his way to give a talk to the annual SXSW festival in Austin.

Hotz, who shot to fame when he was sued by Sony for cracking his PS3 gaming console, was arrested at a notorious police checkpoint in the West Texas town of Sierra Blanca, and found to have a small amount of marijuana in his car. The Sierra Blanca police have claimed a number of similar high-profile busts for pot possession at the same checkpoint, including Snoop (Doggy) Dog and Willie Nelson.

According to the Abovethelaw blog, Hotz and a friend were stopped at the checkpoint after a drug-sniffing dog took an interest in them. Police found a 1/4 oz of dope and edibles containing a further 1/8 oz, but the police booked him for the entire weight of the stash, valuing it at $800 and earning Hotz a felony rap.


Hotz is now out of jail on $1,500 bail, and may not make his SXSW speaking spot. He is reported to be a medical marijuana card holder, but since Texas doesn’t recognize that there is any medical reason to be packing pot, that’s not going to help him much.

In 2007, while he was still just 17, Hotz was one of the first people to successfully hack an iPhone, and continued to do so with every following upgrade. He was the first person to crack Sony’s PS3 to allow it to run whatever version of Linux he wanted, and released the exploit into the wild.

Sony was less than overjoyed at the news, and promptly took legal action against Hotz under the Digital Millennium Copyright Act for releasing details of how to hack the PS3, and confiscated his systems. The company eventually settled the case, with Hotz promising not to do it again and donating $10,000 to the Electronic Frontier Foundation.

Hotz did take a job at Facebook following his legal troubles, but has reportedly quit after less than a year. Facebook did not respond to requests for information on his current employment status. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/15/hotz_sxsw_drug_arrest/

Russell Brand ‘threw small voice-enabled iPad through window’

Comedian Russell Brand is reportedly wanted by police for allegedly grabbing a small iPad-like device from a photographer in New Orleans and hurling it through a window.

The cops have issued a misdemeanour warrant for Brand’s arrest, reports gossip website TMZ. Although eyewitnesses claim an iPhone was lobbed, it is impossible to discount the possibility that it was a palm-sized new iPad.

Photographer Timothy Jackson told police he was using a device markedly similar to an iPad in a car, attempting to use it to take photos of the actor-comedian who recently divorced from Katy Perry. Brand allegedly reached into the car, grabbed the miniature-style voice-enabled fondleslab and hurled it through a nearby window.

Jackson is accusing him of criminal damages.

Brand took to Twitter to defend himself, claiming that what he did was “a tribute” to Steve Jobs and his iPhone iPad success.

New new iPads are likely to be in short supply tomorrow when they launch in shops. They’ll be even shorter if people follow Brand’s example.

The Daily Mail has a full description of the tiny iPad incident here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/15/russell_brand_minature_ipad/

Oz anti-gang law hits email, maybe torrents too

The Australian State of New South Wales has amended its Crimes Act with a new definition of ‘consorting’ that makes electronic communications evidence of participation in criminal groups.

The new law is a second attempt at making it hard for motorcycle gangs to do business. Such gangs are suspected of playing a significant role in Australia’s illegal drugs trade and have also been involved in drive-by shootings and a firebombing in suburban Sydney. In 2009 two rival gangs brawled at Sydney Airport, resulting in the murder of one gang member, who was bludgeoned to death with a bollard. Those incidents made motorcycle gangs a hot political issue and led to politicians of all persuasions playing the law and order card often and gleefully.

The State’s first attempt to stop motorcycle gangs foundered in the High Court (Australia’s ultimate court), which found a law aimed at preventing association between members exceeded the powers available to NSW’s Parliament and courts. That law was also criticised for sweeping definitions that some feared meant it could be applied to many sorts of association.

The new Crimes Amendment (Consorting and Organised Crime) Bill 2012 tries to improve on previous legislation by lowering the burden of proof required to show that someone participated in a criminal group. Defendants will now have to disprove that they “ … knew, or ought reasonably to have known …” that their activity “… contributed to the occurrence of a criminal activity.”

That activity could include email and mobile phone calls. Both were mentioned by NSW Premier Barry O’Farrell today at a news conference, where he said the new law “brings the offence of consorting up to date” by including those two media.

The wording of the Bill is, however, rather broad as it states:

“The new offence also makes it clear that consorting can occur in person or by any other means, including by electronic or other form of communication.”

We’ll wait for lawyers (all the good ones we know are out drinking expensive champagne at the time of writing) to tell us if that swarm you’re currently torrenting with can now be considered a criminal conspiracy given that you really should know that file sharing that new episode of The Simpsons is illegal and you’re doing it with other people who know the same thing, using electronic communication.

We’ll update once we can get some lawyers on the phone. Watch this space. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/15/nsw_anti_gang_law/