STE WILLIAMS

Anti-phishing DMARC adoption gathers (free) steam

The world’s biggest names in the consumer webmail space are sharing security intelligence with businesses for free to help drive adoption of the DMARC email-authentication system.

Last month, Google, Microsoft, AOL, Facebook, and Yahoo! joined up with service providers such as PayPal to push the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard, which integrates with the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) systems.

The advantage of participating in DMARC for businesses is that they, as domain name holders, can specify email-handling policy via DMARC, which acts as an overlay for SPF and DKIM checking. Receivers confirm that an email message is actually coming from a business’s servers and not from a spammer, so spoofed emails are cut out, and information about that spam-blocking is then fed back through DMARC reporting to identify the email systems being used by the spammers. The open flow of information between DMARC participants and businesses ensures that both sides benefit from more efficient spam blocking.
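To make the “overlay” concrete, here is an added example (not code from the article or from DMARC.org) of how a receiving mail server turns a published DMARC record plus its SPF and DKIM results into a verdict: parsing the `_dmarc` TXT record, checking identifier alignment against the `From:` domain, and choosing the `p=`/`sp=` policy. The record, domains and authentication results are constructed, and the organizational-domain lookup is a two-label simplification of what real receivers do with the Public Suffix List.

```python
"""Minimal DMARC record parser and policy evaluator (added illustrative example)."""

# Constructed sample: what a domain owner might publish at _dmarc.example.com.
# adkim=s demands exact DKIM d= match; aspf=r allows SPF from any subdomain.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "pct=100; rua=mailto:dmarc-reports@example.com")

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs and fill in the defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= policy")
    tags.setdefault("adkim", "r")        # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")         # relaxed SPF alignment by default
    tags.setdefault("pct", "100")        # apply policy to all messages
    tags.setdefault("sp", tags["p"])     # subdomains inherit p= unless overridden
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels (real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def dmarc_verdict(record: str, policy_domain: str, from_domain: str,
                  spf_result: str, spf_domain: str,
                  dkim_result: str, dkim_domain: str,
                  sampled_in: bool = True):
    """Return (passed, action) for one message.

    policy_domain is the domain the record was found under; from_domain is the
    RFC5322.From domain. sampled_in says whether pct= sampling selected this
    message; if not, the policy is downgraded one step as the spec describes.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"           # either aligned pass is enough for DMARC
    if from_domain.lower() == policy_domain.lower():
        action = tags["p"]
    else:
        action = tags["sp"]           # message came from a subdomain
    if not sampled_in:
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return False, action


if __name__ == "__main__":
    # Spoofed From: example.com, unaligned SPF, no DKIM -> policy applies.
    print(dmarc_verdict(SAMPLE_RECORD, "example.com", "example.com",
                        "pass", "attacker.example", "none", ""))
```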

This week, the email-intelligence firm and founding member of the DMARC consortium Agari opened up its Receiver Program, making it free to all comers. Businesses can sign up to get the latest anti-spam and anti-phishing intelligence from members of DMARC, and can use it to refine filtering techniques.

“This makes it free to implement in minutes,” Agari spokeswoman Suzanne Matick told The Register. “You’re automatically getting policy instead of building your own form, and the policy can be easily updated.”

Giving all this intelligence away for free is a loss leader for the webmail companies, since it cuts down on both the infrastructure costs of dealing with the stuff, and on user dissatisfaction. By getting all the biggest consumer names on board, DMARC is looking for a quick route to market criticality.

George Bilbrey, president of DMARC cofounder Return Path, told The Register that having 40 per cent of consumer webmail providers getting behind the standard gave it instant momentum, but that the business market would take more time and finesse. However, the security industry had seen the benefits right away.

“I’ve been at a conference this week, and based on casual conversations, enterprise security vendors are very interested,” he said. “They all have it on their map, and we’ll see the first DMARC-spec products within a year, I suspect.”

The draft DMARC specification was released on Monday and the standard’s supporters are moving quickly. Paul Midgen, vice-chair of DMARC.org and senior program manager at Hotmail, told The Register that Hotmail is “almost ready to complete” on DMARC, and that progress on the final specification is well under way.

The DMARC spec is now in a public consultation phase, he explained, and the team is collecting feedback from users on what needs to be included. On a loose timeframe, the final revisions should be completed by next summer, and the goal is to move it on to the Internet Engineering Task Force (IETF) for ratification within a year after that.

“The expectation is that when we turn over control to the IETF there will be more changes, and we need to acknowledge that,” Midgen said. “The DMARC group has done a very good job of being inclusive, but an IETF submission is a huge consideration and you never know what’s going to happen.”

He suggested businesses could get involved in a couple of ways. First, the sender side of email could be augmented with DMARC – it’s a fairly simple job to get up and running. The larger the company, the more difficult the installation, as with most updates, but the long-term cost savings would be significant, Midgen asserted. Secondly, businesses could get an early heads-up on the latest security data, and at least lay the groundwork to cut lead-times for future implementation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/24/dmarc_spam_phishing_free/

Private Manning keeps mum at Wikileaks plea hearing

WikiLeaks suspect Private Bradley Manning declined to enter a plea on Thursday at the start of his court martial over charges that he had handed over reams of US Army classified data to the website, AP reported from the court.

The 24-year-old was formally charged with 22 counts in the court appearance, including aiding the enemy, wrongfully causing intelligence to be published on the internet and theft of public property. The aiding the enemy charge carries a maximum penalty of life in prison, while the other counts carry a combined maximum of more than 150 years in jail.

In a court martial, the defendant can put off entering a plea until the start of the trial, which can give the defence more time to finalise its strategy.

Military judge Colonel Denise Lind didn’t set a trial date but scheduled another court hearing for 15 to 16 March.

Manning allegedly downloaded and handed over more than 700,000 documents and video clips to WikiLeaks, the largest leak of classified information in US history.

The soldier’s defence lawyers are claiming that he was emotionally troubled and shouldn’t have been given access to classified data or have been sent to Iraq for a tour of duty. They also say that the documents and videos that WikiLeaks published did little or no harm to national security.

Manning has supporters who say that he is really a whistleblower who acted in the best interests of the country. One of these, a member of the anti-war group Code Pink, stood up in court and shouted: “Judge, isn’t a soldier required to report a war crime?”, which the judge ignored, AP reported.

The protester was referring to Manning’s alleged leaking of a video showing a 2007 Apache helicopter attack in Iraq that killed a Reuters news photographer and his driver. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/24/deferred_plea_wikileaks_case/

The cyber-weapons paradox: ‘They’re not that dangerous’

When it comes to bombs, the more powerful they are, the bigger their impact. With a cyber-weapon, the opposite is true: the more powerful it is, the more limited the damage it causes. The deeper a bug can get into any given system, the less likely it is to trouble anything else.

And that’s why cyber-weapons aren’t real weapons, says Thomas Rid, a reader in War Studies at Kings College London and co-author of a new paper published today in the security journal RUSI Journal.

Rid, the war boffin who brought us the theory that cyber war wouldn’t actually be war because no one gets killed, has some more soothing common sense for those worried about cyber-geddon:

[Having] more destructive potential is likely to decrease the number of targets, the risk of collateral damage and the political utility of cyber-weapons.

Rid’s point is that cyber weapons that can attack any web target tend to be low-level and quite crap: DDoS bots that can take a website offline temporarily or deface it, tools that cause inconvenience and sometimes embarrassment.

Bugs or malicious software threats that could cause significant damage to a system – e.g., penetrating databases for specific sensitive internal data or causing particular real-world machines to malfunction – would need to be so specific to their target that they would be harmless to almost everything else and cause little to no collateral damage.

Take, say, the worst of the worst – Stuxnet – the virus that allegedly set the Iranian nuclear programme back two years: it spread over 100,000 Windows computers en route to Iran’s critical computer network and didn’t damage any of its carriers.

Cyber-weapons with aggressive infection strategies built in, as the popular argument goes, are bound to create uncontrollable collateral damage. The underlying image is that of a virus escaping from the lab to cause an unwanted pandemic. But this comparison is misleading.

What we shouldn’t worry about

So while a DDoS can cause what Rid describes as “second order” damage, in itself the code doesn’t harm a system, take data or cause any physical damage to a person.

Also – we don’t need to fret too much about crazed warrior hackers from North Korea reducing all figures in the stock exchange to zero. Most high profile systems that provide services like the Stock Exchange have active protection and back-up systems.

Weaponised code does not come with an explosive charge. Potential physical damage will have to be created by the targeted system itself, by changing or stopping ongoing processes.

Simply knocking a site offline would alert the target to the problem immediately and probably cause a back-up to kick in. Serious damage would require an intelligent malware agent that was capable of changing ongoing processes while hiding the changes from their operators, Rid says. To our knowledge, this has not yet been created, and making something as complex would require the backing and resources of a state, he added.

But even if new smart high-power cyber weapons were created, though they “open up entirely new tactics” they also have “novel limitations”.

He adds that “all publicly-known cyber-weapons have far less ‘firepower’ than is commonly assumed”. Concluding: “At closer inspection cyber-weapons do not seem to favour the offence.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/24/cyber_weapons/

UK-French drone aircraft blueprints nicked at Paris station

Old-school crooks managed to steal documents related to secret plans to build a joint French-British drone aircraft after snatching a briefcase at a Paris railway station.

The briefcase was stolen from an executive at French defence contractor Dassault Aviation while he and a colleague were in the process of purchasing a Eurostar ticket at Paris Gare du Nord station on 2 February, according to French media reports. The man left his briefcase unattended in order to help his colleague, who was apparently being hassled by an unidentified ne’er-do-well. When he looked back the case was gone.

Police are examining CCTV footage in order to identify the suspected footpads, the BBC reports.

Dassault Aviation played down the incident, saying that the documents lost in the snatch were not particularly sensitive and stating that the security of the project was not at risk.

The incident serves as a reminder that despite all the hype about cyber-espionage and targeted attacks, many against military contractors, the threat of theft or loss of sensitive documents (or computers that contain those documents) is just as real as it ever was. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/24/drone_doc_theft_security_flap/

New password-snatching Mac Trojan spreading in the wild

Security watchers warned on Friday that a new variant of a Mac-specific password-snatching Trojan horse is spreading in the wild.

Flashback-G initially attempts to install itself via one of two Java vulnerabilities. Failing that, the malicious applet displays a self-signed certificate (claiming to be from Apple) in the hope users just install the malware.

Once snugly in place, the malware attempts to capture the login credentials users enter on bank websites, PayPal, and many others.

OS X Lion did not come with Java preinstalled, but Snow Leopard does, so users of Mac’s latest OS are more at risk of attack.

Mac security specialist Intego warns that the variant is infecting Mac users and spreading in the wild. Symptoms of infection can include the crashing of browsers and web applications, such as Safari and Skype.

Intego, which has added detection for the malware, has a write-up of the attack with a screenshot of the self-signed certificate used by the malware in action.

A report out this week from McAfee noted that after a spike of fake anti-virus packages targeting users back in June, very little malware targeting Mac fans has been seen since. There were four million new strains of Windows malware in Q4 2011, compared to fewer than 50 new Mac malware samples over the same three-month period, according to McAfee. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/24/flashback_mac_trojan/

Brits guard Facebook passwords more than work logins – survey

A survey of UK consumers revealed many are far more careful with their social network login credentials than passwords that grant access to corporate systems.

A third – 34 per cent – of 2,000 people quizzed admitted sharing their work passwords, but 80 per cent of the same group were unwilling to reveal their Facebook login details.

The survey, commissioned by cloud security firm Ping Identity, suggests that the use of multiple passwords is posing a security risk to individuals and businesses alike.

More than half of the punters polled need to remember four or more different passwords daily, something that seems to be tricky for many. More than half (61 per cent) of those surveyed admit they write down their passwords in order to remember them. One in five (21.6 per cent) needed to remember more than eight different passwords.

Complex password policies often dictated by businesses and online retailers have added to password headaches. More than half (53.5 per cent) of consumers are required to change their passwords on a regular basis, so 60 per cent restrict themselves to number and letter combinations that are easily forgotten. Worse still, in an effort to reduce the amount of complex passwords they need to remember, consumers often reuse passwords across multiple sites.

“The more passwords we’re forced to remember, the more we’re likely to forget, or write down in an effort to ensure we always have access to the accounts that matter,” said John Fontana of Ping Identity*. “Not only does this leave individuals open to fraudulent activity and exposes the businesses they work for, but it also highlights the value we place on different passwords.”

A fault with the default password

Another password-related study out this week reveals that although users generally want stricter security policies, they rarely bother to change default passwords, contrary to common sense.

Fewer than 30 per cent of the 460 respondents to a survey run by password recovery business ElcomSoft claimed they have never forgotten a password. The remainder admitted forgetting login credentials either because of infrequent use (28 per cent), not writing their password down (16 per cent) or because the password had slipped their mind while they were off work on holiday (13 per cent).

A quarter of those quizzed said they changed their passwords regularly, while a further 25 per cent change their passwords infrequently. The remaining half change their passwords either sporadically or almost never.

The poll revealed a serious issue with default passwords – whether automatically generated or assigned by hand. Around a quarter (28 per cent) of respondents always change the default password, while more than 50 per cent would usually keep the assigned one.

ElcomSoft counsels against this lax attitude. “Using default passwords is dangerous, even though they might be complex, simply because you can easily find lists of passwords in the internet,” explained ElcomSoft spokeswoman Olga Koksharova. “A really strong password should be not only long and complex, it should be unique.”

Most respondents to the survey (61 per cent) weren’t happy about their organisations’ security policies, being in either full or partial disagreement with their employer’s current policy. Three-quarters (76 per cent) of all respondents indicated they wanted a stricter security policy.

A series of pie charts illustrating the main findings of ElcomSoft’s survey can be found here [PDF]. ®

Bootnote

* Ping Identity markets services designed to reduce the number of passwords staff at its corporate clients need to remember, so it has a vested interest in talking up the problem that multiple passwords can create. This doesn’t mean it’s wrong though.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/23/password_survey/

Feds apply for DNSChanger safety net extension

Federal authorities have applied for permission to extend the operation of a safety net that allows machines infected by the DNSChanger Trojan to surf the net as normal beyond an 8 March deadline.

DNSChanger changed an infected system’s domain name system (DNS) settings to point towards rogue servers that hijacked web searches and pointed surfers towards various sleazy websites, as part of a long-running click-fraud and scareware-punting scam. The FBI stepped in and dismantled the botnet’s command-and-control infrastructure back in November, as part of Operation Ghost Click. As many as 4 million machines were infected at the peak of the botnet’s activity.

Rogue DNS servers were replaced by legitimate machines at the time of the takedown operation, but nothing was done to disinfect infected PCs, a particular concern since the DNSChanger malware is designed to disable security software, leaving infected machines at heightened risk of further infection.

Barring court permission, legitimate servers that were set up to replace rogue DNS servers will be taken offline on 8 March, 120 days after the initial takedown operation. The feds have applied (PDF) to extend this safety net until 9 July.

A study by security firm Internet Identity revealed that at least 250 of the Fortune 500 companies and 27 out of 55 major government entities had at least one computer or router that was infected with DNSChanger in early 2012, findings that suggest the post-Ghost Click clean-up operation is running behind schedule. Barring an extension in the operation of the surrogate DNS servers these infected machines rely upon, surfers will be unable to browse the web or send emails as normal after 8 March, unless the DNS settings of compromised computers are restored to their original state.

More information on how to clean up infected machines, and other resources, can be found on the DNS Changer Working Group website here.

Operation Ghost Click led to the arrest of six Estonian nationals, accused of manipulating millions of infected computers using DNSChanger. The alleged ringleader of the group, Vladimir Tsastsin, and another suspect have been already cleared for extradition to the US. Baltic Business News reports that local courts approved the extradition of the four remaining suspects last week. These extraditions remain subject to government approval but this is all but assured, the local news site reports.

Tsastsin previously ran controversial domain registration firm EstDomains, whose accreditation was pulled by ICANN back in 2008 over concerns that EstDomains had become a haven for cybercriminals.

KrebsOnSecurity has a copy of the indictment against Tsastsin and other suspects in the GhostClick case here (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/23/dnscahnger_extension/

Juniper buys Mykonos to beat off web app attacks

Juniper has bought web application security firm Mykonos Software in a deal valued at around $80m (£51m) in cash.

Mykonos develops technology designed to secure websites and web applications from advanced hacker attacks. The software uses “deception-based technology” that uses honeypotting to detect and divert attacks.

The software sits in front of your apps and embeds triggers that escalate responses based on attacks, according to an explanation of the technology by Juniper’s cloud security guru Christofer Hoff, who claimed the software needs minimal configuration.

Mykonos describes its technology as Intrusion Deception Systems, distinct from Web Application Firewalls (WAF), a category of security products that has earned something of a bad rep. One of the main reasons WAF tech proved tricky was that it needed to have knowledge of applications to work without disrupting existing services, creating all sorts of implementation headaches.

A blog post by Juniper, which contains more than a little marketing hyperbole, goes on to explain how Mykonos’ software thwarts attacks.

By creating detection points that can identify attackers at the onset of an attack, the technology can detect and evaluate the threat level of malicious activity, and respond automatically with threat-appropriate counter measures.

Mykonos provides device level tracking, beyond the IP address, which allows for attackers to be uniquely identified, monitored and/or blocked. It can catch an attack in progress, profile the attacker, learn the attacker’s behavior and sophistication, and then use that behavior to thwart future attacks.

Juniper aims to use the technology to go on the offensive against hackers as well as making systems protected by Mykonos too much trouble and effort to crack into for profit-motivated cybercrooks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/23/juniper_mykonos/

Obama pushes ‘bill of rights’ for punters’ privates

US President Obama has proposed a “bill of rights” for online privacy that could give the US government greater powers to wallop the likes of Google and Facebook for fumbling sensitive data.

White House chiefs have told the Commerce Department to herd internet companies, privacy advocates and related bods into a room to develop enforceable rules based on his proposed blueprint for improving consumer protections.

The proposed bill will give the Federal Trade Commission (FTC) the job of enforcing data privacy rights that are agreed to by everyone involved in the process.

“American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” President Barack Obama said in a canned statement.

“As the internet evolves, consumer trust is essential for the continued growth of the digital economy. That’s why an online privacy Bill of Rights is so important. For businesses to succeed online, consumers must feel secure.

“By following this blueprint, companies, consumer advocates and policymakers can help protect consumers and ensure the Internet remains a platform for innovation and economic growth.”

Just this month mobile app developers were caught slurping users’ address books, Google was accused of bypassing browser privacy and lawmakers jumped on the Chocolate Factory’s changes to its privacy policy.

The world’s top internet firms rake in moola from targeted online advertising yet there’s the worry that companies aren’t admitting exactly how data collected from punters is used. Lawmakers sorting out privacy issues have had a piecemeal and reactionary response so far.

The Digital Advertising Alliance, which represents almost all online advertisers including Google, Yahoo and Microsoft, has said it will improve its Do Not Track software for web browsers.

The alliance offered punters a way to avoid being identified across websites, but the system was criticised as confusing and complicated. It has now agreed to make a much simpler Do Not Track button in browsers that people can use to opt out of cookie-based data collection, which will also be policed by the FTC.

So far the bill is really just a gesture, since signing up is voluntary, although any firm that refused to sign up wouldn’t be doing much for its reputation. And the White House also said it would be working with Congress to try to develop follow-up legislation.

According to Prez Obama, the privacy rights of consumers online are:

  • Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
  • Transparency: Consumers have a right to easily understandable information about privacy and security practices.
  • Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security: Consumers have a right to secure and responsible handling of personal data.
  • Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
  • Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

You can read the full report, snappily titled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, here (PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/23/white_house_privacy_rights/

Apple, Google, RIM plaster privacy warnings on prying apps

Mobile software that meddles with your sensitive info must have privacy policies and must display them clearly, California’s Attorney General Kamala Harris declared yesterday in a statement agreed by all major app sellers.

Under the new rule, anyone downloading a program from Apple, Android, RIM, Windows, HP or Amazon stores should be presented with an app privacy policy that reports what personal information the software will slurp and how it will be used. Apps that don’t use personal data don’t have to present a policy.

The move comes after reports that only 5 per cent of apps have privacy policies and popular titles were caught snatching contact lists and unique phone IDs, location, age, gender and even key taps. Harris expressed the hope that the joint statement will bring developers in line with California’s laws on digital privacy.

It will also have a ripple-out effect for anyone outside California, as app stores are global, and will bring the issue to the attention of federal lawmakers.

“This agreement strengthens the privacy protections of California consumers and of millions of people around the globe who use mobile apps,” Harris said in a statement. “By ensuring that mobile apps have privacy policies, we create more transparency and give mobile users more informed control over who accesses their personal information and how it is used.”

Apps that fail to meet the new guidelines will be fined at a rate of up to $5,000 per user, said Harris at a conference reported by the LA Times. Users will get new tools to report apps that breach privacy regulations and a review will be held in 6 months’ time.

The new app privacy agreement doesn’t change what apps can or can’t do, but does make punters aware of what’s happening in their phone. However watchdogs argue that privacy policies – often weighed down in small print – are not the best way to inform consumers.

“This is an improvement from the current Wild West that is the mobile market,” said John M Simpson of the Californian Consumer Watchdog Privacy Project. He added:

But trying to decipher what’s going on through a privacy policy written by lawyers, paid by the word to obfuscate, can be extremely frustrating. It’s even more difficult on small hand-held devices. We need a simple, persistent way to send a message that a user doesn’t want to be tracked. We need Do Not Track legislation.

The move to stop browsers tracking user activity – nicknamed the Do Not Track debate – has raged on at PC level; this brings that argument into the mobile space.

Apple and Google host approximately 1 million mobile applications, up from just 600 in 2008. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/23/california_mobile_app_privacy_policy/