STE WILLIAMS

BEAST SSL fix in supersized Patch Tuesday

Microsoft plans to start 2012 with a surprisingly large Patch Tuesday that covers seven security bulletins which collectively address eight separate vulnerabilities. Previous January releases have normally featured only one or two bulletins.

The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six “important” bulletins due next Tuesday handle the BEAST SSL issue and various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offer to legacy applications. The “important” rather than critical status for the BEAST SSL issue is at least debatable.

The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Microsoft has already published a workaround, which involves using the non-affected RC4 cipher in SSL installations. A patch was originally promised in December but delayed until this month due to problems uncovered during testing.

“Despite all of the hype over ‘The Beast’, attacks have simply never materialised and the issue has retained its ‘important’ classification from Microsoft,” notes Paul Henry, a security and forensic analyst at Lumension.

Adobe and Oracle have both timetabled quarterly updates, on 10 January and 17 January respectively, in what promises to be a busy month for patching, Qualys adds.

Microsoft’s pre-alert is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/06/patch_tuesday_pre_alert_jan_2012/

Sony website defacer pwned by second hacker

A defacer affiliated with Anonymous vandalised Sony’s online front door this week over the corporate behemoth’s support of SOPA, a hated anti-piracy law proposed in the US.

The Sony Pictures website was defaced and clearly unauthorised comments were posted on the media giant’s Facebook page. The digital graffiti was scribbled by a hacker who uses the Twitter handle s3rver_exe. Both acts of vandalism were rapidly purged, while the YouTube video illustrating the hack was quickly pulled.

Neither cyber-assault was significant as the perp readily concedes. Even so, the latest security breach doesn’t reflect well on Sony’s much vaunted efforts to bolster its electronic defences following last year’s PlayStation Network hack, which forced Sony to take down its gaming platform for weeks.

In an ironic twist, the Twitter account of @s3rver_exe was hacked on Friday in the wake of the #OpSony pwnage.

“Sony was hacked because the admin panel was not encrypted ROFL. And I have got my account back,” s3rver_exe said. “I don’t know why the hacker hacked me. I think he did it for the lulz.”

“The hack wasn’t big but still the servers were vulnerable and I got access to the admin too,” he later added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/06/sony_defacement/

ICO to ‘focus’ on health sector when enforcing info rights

The Information Commissioner’s Office (ICO) is to give “particular regulatory attention” to health organisations as it focuses on areas most likely to result in damage to people’s information rights, the watchdog has said.

The ICO, which ensures compliance with UK data protection, e-privacy and freedom of information laws, announced the priority as part of a new information rights strategy. Other areas the ICO will focus its attention on are credit and finance, criminal justice, internet and mobile services and security, the strategy said.

The ICO said that it is impossible to “address all risks to the upholding of information rights equally”. It said it would make choices about the cases it would take enforcement action in based on the benefits it perceives could be achieved by doing so.

“We cannot address all risks to the upholding of information rights equally nor should we attempt to do so,” the ICO said in its information rights strategy (17-page / 303KB PDF). “We will make choices where we can whilst acknowledging that the legislative framework imposes certain obligations on us particularly in relation to our casework.”

“We have to recognise that there is a legitimate expectation that we will enforce the law, that the decisions we take will be robust ones and that we have to provide good customer service but this does not mean that we cannot make choices,” it said. “Our choices will be driven by the external outcomes we are seeking – how can we deploy our effort and the effort of those we regulate in a way that makes the maximum long term and sustained contribution to the outcomes we are seeking and does not just provide short term fixes? Put simply – how do we deliver best value for money in the upholding of information rights?”

When choosing the cases to pursue the ICO will “take account of factors such as the volume, nature and sensitivity of information involved and the number of people whose information rights might be impacted on in any situation”.

The ICO also said it would weigh up the issues that are in the public interest when prioritising its workload. The watchdog said it would take into account the importance the public places on “different aspects of information rights” and said it was prepared to adopt positions that are not “universally popular”.

“We take the view that sometimes the public interest will be best served by us acting to protect the information rights of minorities or by us drawing attention to the downsides of new developments that might otherwise appear attractive,” the ICO’s strategy said.

Decisions on ICO intervention will also be assessed on how likely that action is “to make a real difference” where the aim will be to get “as big a return in furthering delivery of our desired outcomes as is possible for the resources we and those we regulate invest,” the watchdog said. The ICO will be pro-active in attempting to prevent breaches of information rights from occurring rather than devoting resources to a “cure” when breaches happen.

“Education, awareness raising and the provision of guidance are therefore key activities for us,” the strategy said.

The ICO said it would look for opportunities to “defend or promote” rights concerned with information in the public sector where bodies are supposed to be “open and accountable” with how they spend public money and in their decision making.

Priorities will “inevitably” be determined by an “element of subjective judgement involved in the assessment of information rights risks”, but this judgement will be based “as far as possible” on “evidence, analysis and experience,” the ICO said.

The ICO said it was committed to ensuring its activities were conducted transparently, proportionately, consistently and on a targeted basis, and said it would be accountable for its work.

Broad goals for the ICO to achieve as part of its information rights strategy include ensuring a “high proportion” of members of the public are aware of their information rights and how to exercise them, and helping to develop this understanding within the “formal education system”.

The ICO also hopes to improve public confidence in the upholding of information rights. The strategy contains further aims to establish “a high level of awareness” within organisations of their obligations under information rights law and ensuring that those obligations are met. Organisational culture, processes and new systems should contain good practice in how information rights are complied with, the ICO said.

Information Commissioner Christopher Graham said that businesses should not cut back on data security as a result of financial pressures.

“Businesses under pressure in the downturn must be tempted to cut corners and push boundaries,” Graham said in a blog post. “That’s a bad call, since the first casualty of a big data breach is going to be a brand’s reputation. Consumers will abandon companies that disrespect their privacy. (And that’s leaving aside the ICO’s power to levy a civil monetary penalty of up to £500,000 for serious breaches of the data protection principles.)”

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/06/ico_enforcement_of_info_rights_to_focus_on_health_sector/

GCHQ wants to enlarge ‘experienced’ specialists’ packages

GCHQ is offering its expert tech employees bonuses to prevent more staff from leaving for high-tech companies such as Google and Microsoft.

The service said that it has a government-approved system of offering recruitment and/or retention payments to keep internet security specialists. GCHQ said that it seeks to make the overall package of pay, pension, leave and flexible working as competitive as possible, but added that it also needs to demonstrate value for money for the taxpayer.

A spokesman for GCHQ told GGC that it does not comment on individual amounts, but said that reports that the sums amounted to “tens of thousands of pounds” were inaccurate.

“We are never likely to be able to compete with high-tech companies on salary alone. We clearly value our staff and their contribution to our unique mission in support of the UK’s national security and economic wellbeing,” he said.

The spokesman added that GCHQ also offers similar benefits to other specialist staff within the service.

The government has pushed hard to recruit the next generation of internet specialists, after admitting in October that it was failing to keep specialist cyber security staff. In response to the intelligence and security committee’s annual report for 2010-11, the government said that “experienced internet specialists are highly prized by both government and industry” and GCHQ recognised the importance of maintaining its competitiveness in the marketplace.

“GCHQ is also considering other measures to attract and retain suitably skilled staff in greater numbers,” the government said at the time.

Last month GCHQ ran an ad campaign which challenged hackers to crack a code to get an interview.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/06/gchq_offers_retention_bonuses_to_keep_tech_experts/

Etrade suffers DDOS festive treat

ANZ Bank-owned online broker ETrade has been the target of a sustained, malicious, offshore-generated cyber attack.

The denial-of-service attack resulted in thousands of emails flooding the broking site, prompting a cessation of services from Christmas Eve to the New Year period.

According to a Fairfax report, offshore Etrade clients were the worst affected, with some countries unable to access accounts for almost two weeks. An ETrade spokesperson confirmed that while overseas clients were more profoundly affected, Australian clients had intermittent access to their accounts.

“We experienced some malicious activity that impacted the performance of the ETrade website prior to Christmas,” the ETrade spokesperson said in a statement.

“We responded immediately to minimise any disruption to our clients and ensure our data remained secure. At no stage was security of the ETrade site breached,” it added.

Neither ANZ nor ETrade has supplied any detail on the nature of the attack or who the culprit was.

Customers only received an explanation of the outage yesterday stating, “immediate action was taken to restrict access from some overseas locations, but given the nature of the incident we were restricted in what we could communicate with you at the time. Importantly, at no stage was the security of the Etrade website breached.”

The Sydney Morning Herald reported that St George customers were also affected by the attack as its online trading service is supplied by Etrade. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/05/etrade_in_ddos_attack/

Amazon Kindle Fire browser hacked for your Android pleasure

Hackers have managed to get Amazon’s proxy-based Silk browser compiled into other Android versions, allowing anyone* to take advantage of the Amazon cloud.

The hack requires a rooted device, and some mucking about with apk files, but does share the Silk love. XDA-Developers member TyHi initially hacked the Silk browser into the popular CyanogenMod Android distribution, but others have tested it on a wide variety of builds and devices – though there appears to be no reason to bother beyond the joy of seeing what can be done.

Silk offloads most of the rendering of web pages onto the cloud, improving performance and reducing the bandwidth required, but it is far from alone in taking that approach. SkyFire and Bolt work the same way, as does Opera’s Turbo option, and Opera has even gone on record promising not to misuse the accumulated data.

So the only reason for wanting to run Silk would seem to be a desire to let Amazon know more about one’s browsing habits, as though the company hasn’t accumulated enough information on everything one buys, or thinks about buying.

So this is just a hack to demonstrate what can be done, which is an admirable thing in itself and to be respected. But for most users Silk has little to offer beyond what’s already available, with rather less effort. ®

* Anyone with a compatible handset, and a desire to root it too.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/05/amazon_silk_hack/

Man convicted of murder gets retrial after virus eats transcripts

A US man who had been convicted on a second-degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings.

Randy Chaviano, of Hialeah, Florida, was given a life sentence for the fatal shooting of Carlos Acosta after he was convicted by a Miami jury in July 2009. An appeal was lodged when it was discovered that only a partial record of the trial that led to Chaviano’s conviction could be found.

In the circumstances the Third District Court of Appeal had no option but to strike the conviction and order a fresh trial.

Court stenographers normally record proceedings on both paper and digital disk. But Terlesa Cowart, stenographer at Chaviano’s 2009 trial, forgot to bring enough rolls of paper and relied on digital recordings alone to chronicle proceedings. She transferred this data to her PC and erased it from the stenograph. Cowart has been fired for the monumental screw-up, The Miami Herald reports.

Bad move. The PC subsequently became infected by an unidentified virus, causing the destruction of the records. No secure backup was taken, so the state will be put through the expense of a second trial that will cause, at the very least, inconvenience for witnesses and heartache for the victim’s family.

Commentary on the security implications of the case can be found in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/05/virus_deletes_court_transcript/

Dammit Ramnit! Worm slurps 45,000 Facebook passwords

A bank account-raiding worm has started spreading on Facebook, stealing login credentials as it creeps across the site, security researchers have revealed.

Evidence recovered from a command-and-control server used to coordinate the evolving Ramnit worm confirms that the malware has already stolen 45,000 Facebook passwords and associated email addresses. Experts from Seculert, who found the controller node, have supplied Facebook with a list of all the stolen credentials found on the server. Most of the victims are from either the UK or France.

Ramnit differs from other worms, such as Koobface, that have used Facebook to spread because it relies on multiple infection techniques and has only recently extended onto social networks. Koobface, by contrast, only uses Facebook or Twitter to spread.

“Ramnit started as a file infector worm which steals FTP credentials and browser cookies, then added some financial-stealing capabilities, and now recently added Facebook worm capabilities,” Aviv Raff, CTO at Seculert, told El Reg.

“We suspect that they use the Facebook logins to post on a victim’s friends’ wall links to malicious websites which download Ramnit,” he added.

Ramnit first appeared in April 2010. By last July variants of the malware accounted for 17.3 per cent of all new malicious software infections, according to Symantec. A month later Trusteer reported that flavours of Ramnit were packing sophisticated banking login credential snaffling capabilities – technologies culled from the leak of the source code of the notorious ZeuS cybercrime toolkit at around the same time.

The new Ramnit configuration was able to bypass two-factor authentication and transaction-signing systems used by financial institutions to protect online banking sessions. The same technology might also be used to bypass two-factor authentication mechanisms in order to gain remote access to corporate networks, Seculert warns.

Invading Zuckerberg’s Reservation

The move onto Facebook by the miscreants behind Ramnit seems designed primarily to expand the malware’s distribution network and infect more victims.

“We suspect that the attackers behind Ramnit are using the stolen credentials to expand the malware’s reach,” Seculert concludes, adding that capturing the login credentials of Facebook accounts creates a means to attack more sensitive accounts that happen to use the same email address and password combination.

“The cyber-criminals are also taking advantage of the fact that people usually use the same passwords for different web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks,” it said.

The Ramnit outbreak on Facebook follows the November outbreak of an earlier worm that tried to infect victims with a variant of ZeuS.

“More and more malware families have started using social networks to reach victims instead of spam,” Raff added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/05/ramnit_social_networking/

KIBOSH ‘non lethal’ sticky-bomb hits a car, fills it with gas

US special operations troops will shortly be armed with a projectile which can be fired from a portable launcher to hit a car or boat some distance off, following which the pocket-size adhesive bomb will release one of several types of “non lethal” gas into the target’s interior. The new weapon has been dubbed the “KIBOSH” by the secret super-troopers’ procurement office.

The Register learns of the KIBOSH from a government request-for-information document issued just before the festive season seeking contractors who could help to build the weapon. The idea is that KIBOSH would be delivered in the form of a round of ammunition for a normal military 40mm grenade launcher, a weapon already in widespread use among US Special Ops forces – it is available as a standalone weapon or an under-barrel accessory fitted to a rifle, carbine or submachinegun.

According to the announcement, issued by the Special Operations Command (SOCOM) procurement division:

Each KIBOSH shall be capable of being shot from a 40mm Low Velocity Grenade Launcher from over a distance of 150 feet and effectively dispensing the contents of a liquid or gas payload the size, shape and weight of a 12 gram Crossman CO2 cartridge into a vehicle, vessel, or room without going all the way into the space and harming individuals inside.

The KIBOSH is also described as a “non lethal delivery system” and the USA has long been engaged in destroying its stocks of lethal agents such as VX. Furthermore there would seem little point in using an elaborate gas grenade to kill the occupants of a vehicle, boat or room when simple high explosives would do the job at least as well, so it’s clear that the KIBOSH is intended to deliver non- (or anyway less-) lethal agents. A 12 gramme CO2 cartridge* will produce a mere six litres of gas under standard atmospheric conditions, so whatever SOCOM plan to put in the KIBOSH it will need to work well in quite low concentration if it is to be effective in large rooms, boat interiors etc.

It also seems that the KIBOSH may be able to do more than simply fill the target’s interior with incapacitating gas (which might call its non-lethal nature into question in the case of a speeding car). Additional information, supplied here in pdf, specifies that it could alternatively “allow for deployment of flash bang type material” and that it should also “provide for antenna release/deployment after impact for payloads with transmitters/receivers” and “stay attached to target after hitting target”, while providing “visual confirmation of where round hit target (day and night)” by means of “visual/IR LED/acoustic beacon after impact”.

So we’d seem to be looking at some sort of sticky bomb which, having gassed or flashbang stun-bombed the interior of the target, remains attached to the exterior acting as a blinking visual/nightsight infrared beacon – perhaps also as a tracking bug of some sort. Truly, the secret supertroopers don’t want much.

According to the SOCOM procurement desk, they expect to see the kit in service and putting the KIBOSH on America’s enemies within 6 months of placing an order, though it’s not clear when (or indeed, if) that will happen. ®

Bootnotes

*Some readers may be familiar with these as the type used to recharge one’s soda syphon before preparing a refreshing b.-and-s.: others may know them from paintballing, though in this case the gas is usually less refined and may include lubricants.

We aren’t told what KIBOSH stands for. A suitable backronym is triflingly easy to conjure up, however: Kinetic Injection via Barrier Obtrusion to Subdue Harmlessly, or Knockout Interdiction Ballistic Ordnance Stun Hardware. Etc.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/05/kibosh_gas_projectile/

Sites knocked offline by OpenDNS freeze on Google

Innocent websites were blocked and labelled phishers on Wednesday following an apparent conflict between OpenDNS and Google’s Content Delivery Network (CDN).

OpenDNS – a popular domain name lookup service* – sparked the outage by blocking access to googleapis.com, Google’s treasure trove of useful scripts and apps for web developers. According to reports, a flood of errors hit pages that used Google-hosted jQuery and hundreds of thousands of sites fell over.

Visitors to websites were confronted with a message saying: “Phishing site blocked. Phishing is a fraudulent attempt to get you to provide personal information under false pretenses.”

Other visitors were greeted with a 404 error, aka the dreaded ‘file not found’ message.

Web design and hosting specialist Brit-Net, whose operations director Mat Bennett captured the phishing error message here, told The Reg the outage lasted for nearly three hours.

As sites and service providers struggled to get back online they employed fallback scripts and re-routed traffic to Microsoft’s rival CDN. Brit-Net was among those updating its code to point to Microsoft.

The cause of the problem with OpenDNS seemed to be the googleapis.com security certificates, according to Bennett and this article advising on working around the problem.

The fact the issue popped up suddenly on Wednesday would suggest that engineers at Google had been fiddling with SSL certificates or made some other change that conflicted with OpenDNS. Google was not available for comment at the time of publication.

Bennett told The Reg that one consequence of the outage for his company is that it would institute a system that sets Google as the default but switches to Microsoft’s CDN if Google’s system drops out in future, to save having to manually tweak web apps. ®
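The fallback scheme described above, as an added example rather than Brit-Net’s own code: try the Google-hosted copy of jQuery first, then Microsoft’s CDN, then a local copy. The check that matters in an outage like this one is whether the library’s global actually exists after the script tag “loads”, because a block page or a broken response can still fire `onload`. The CDN paths, the jQuery version and the local path are assumptions.

```javascript
// Ordered sources for one library. Paths are illustrative assumptions: the
// Google-hosted copy is the default, Microsoft's CDN the fallback, and a copy
// served from our own host the last resort (no third party involved at all).
const JQUERY_SOURCES = [
  'https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js',
  'https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.1.min.js',
  '/js/jquery-1.7.1.min.js',
];

// Walk the source list in order. loadScript(url, cb) must call cb(err) once the
// script tag has loaded or errored; isReady() reports whether the library's
// global is really present; done(err, url) receives the URL that worked.
// A 404 fires onerror, but a phishing block page (HTML with a 200 status) fires
// onload with nothing defined, so isReady() is checked after every load.
function loadWithFallback(sources, loadScript, isReady, done) {
  const attempted = [];
  function tryNext(i) {
    if (i >= sources.length) {
      return done(new Error('all sources failed: ' + attempted.join(', ')), null);
    }
    const url = sources[i];
    attempted.push(url);
    loadScript(url, function (err) {
      if (!err && isReady()) return done(null, url);
      tryNext(i + 1); // fetch failed or script did not define the library
    });
  }
  tryNext(0);
}

// Real browser loader: inject a <script> tag and report load/error.
function browserScriptLoader(url, cb) {
  const s = document.createElement('script');
  s.src = url;
  s.onload = function () { cb(null); };
  s.onerror = function () { cb(new Error('failed to fetch ' + url)); };
  document.head.appendChild(s);
}

// Constructed offline stand-in for the browser loader so the logic can be run
// without a DOM. outcomes maps url -> 'ok' | 'blocked' | 'notfound'; anything
// unlisted is treated as a 404. 'blocked' models the OpenDNS block page: the
// fetch succeeds but no jQuery global is ever defined.
function makeFakeLoader(outcomes, globals) {
  return function (url, cb) {
    const outcome = outcomes[url] || 'notfound';
    if (outcome === 'notfound') return cb(new Error('404 ' + url));
    if (outcome === 'ok') globals.jQuery = { fn: { jquery: '1.7.1' } };
    cb(null);
  };
}

// Run one simulated page load and return the URL that won, or null if none did.
function simulate(outcomes) {
  const globals = {};
  let winner = null;
  loadWithFallback(
    JQUERY_SOURCES,
    makeFakeLoader(outcomes, globals),
    () => typeof globals.jQuery !== 'undefined',
    (err, url) => { winner = err ? null : url; }
  );
  return winner;
}

// Wednesday's outage: Google-hosted copy replaced by a block page, Microsoft OK.
console.log(simulate({ [JQUERY_SOURCES[0]]: 'blocked', [JQUERY_SOURCES[1]]: 'ok' }));
```

In a real page, pass `browserScriptLoader` and `() => typeof window.jQuery !== 'undefined'` to `loadWithFallback`; adding a second third-party CDN widens who you trust to serve code on your pages, which is why the locally hosted copy sits last as the one source you control outright.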

Bootnote

* DNS, for the uninitiated, is the vital system that points browsers at the correct servers when given a human-readable address, such as facebook.com or theregister.co.uk. Although ISPs provide DNS services for their customers, punters can opt to use alternative providers, such as OpenDNS.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/05/google_opendns_clash/