STE WILLIAMS

US general: ‘We’re cleared to cyber-bomb enemy hackers’

The US military is now legally in the clear to launch offensive operations in cyberspace, the commander of the US Strategic Command has said.

“I do not believe that we need new explicit authorities to conduct offensive operations of any kind,” Air Force General Robert Kehler told Reuters.

But he added that the military was still figuring out the rules of engagement for cyber-warfare outside the “area of hostilities”, which are the places they’ve already been approved to do battle in.

US Strategic Command is in charge of a number of areas for the US military, including space operations (like military satellites), cyberspace concerns, ‘strategic deterrence’ (translation: nuclear weapons) and combating WMDs.

In May 2010, it set up a subdivision called US Cyber Command to specifically deal with what the military refers to as the newest potential battle ‘domain’.

The US Department of Defense released a report (9-page PDF) on Tuesday that echoes what America and the UK have previously said, that they reserve the right to respond to cyber threats as they would to any other sort of threat.

“When warranted, we will respond to hostile acts in cyberspace as we would to any other threat to our country,” the DoD said in the report. “All states possess an inherent right to self-defense, and we reserve the right to use all necessary means – diplomatic, informational, military, and economic – to defend our nation, our allies, our partners, and our interests.”

At the start of this month, UK Prime Minister David Cameron said much the same thing at the London Conference on Cyberspace.

“These are attacks on our national interest. They are unacceptable. And we will respond to them as robustly as we do any other national security threat,” the PM said.

General Kehler, who was speaking at the Space and Cyber Law Conference in Nebraska, said the military is learning more every day about operating in cyberspace.

“I think we all wish we were going faster, but we have made progress, we have a number of rules of engagement in place,” he said.

In an ironic twist, at the time of publication, the US Strategic Command website appeared to be down. Probably something they should sort out before they get back to expertly defending against cyber-baddies. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/17/us_military_cyberspace/

McKinnon might get UK hacking trial after all

Accused Pentagon hacker Gary McKinnon could be tried in UK and not extradited, according to Blighty’s top legal adviser.

A recent judicial review concluded that the much criticised and absurdly lengthy extradition proceedings against McKinnon were conducted fairly. But Dominic Grieve, the UK’s Attorney General, said the review offered “guidelines only”, The Telegraph reports.

Grieve was asked in the House of Commons whether judges might have the discretion to allow McKinnon to be tried in the UK or if dealing with an extradition would always take precedence.

“That is touched on in Sir Scott Baker’s report and it is one of the matters which will have to be taken into account when the government responds to it,” Grieve replied.

“His proposals are rather more in the nature of guidelines rather than the implementation of the forum bar itself. That is one of the matters the government is going to have to consider.”

Janis Sharp, McKinnon’s mum, told El Reg that she was “pleased” with Grieve’s remarks because they offer fresh hope that her son will be tried in the UK.

“Dominic Grieve is a QC and is always very careful with his words, so for him as Attorney General to say this and then to respond to and not to shy away from questions specifically about Gary is good news indeed. Dominic Grieve has always insisted that Gary should be tried in the UK and that the forum should be brought into use by our judges in extradition cases,” she said.

“It’s clear to everyone that British citizens need the same protections afforded to Americans and to virtually all other nationalities,” she added.

McKinnon, 45, is accused of hacking into Pentagon and NASA computers in 2001 and 2002. He has admitted accessing the networks in a hunt for evidence of UFOs but denies causing any damage, contrary to US claims otherwise.

The Scot, who has been fighting extradition proceedings since November 2002, has been diagnosed with Asperger’s, a form of autism and something medical experts and campaigners say makes him a suicide risk if he is subjected to the rigours of an extradition to the US, trial and likely imprisonment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/17/mckinnon_uk_trial_hope/

Romanian authorities cuff NASA hack suspect

Romanian authorities have arrested a 26-year-old suspected of breaking into NASA’s systems, causing damages estimated at $500,000 in the process.

Robert Butyka, 26, was arrested on Tuesday in Cluj by officers from the Romanian Directorate for Investigating Organised Crime and Terrorism (DIICOT), who were investigating a string of break-ins starting in December 2010 that were traced back to Romania. Butyka, who allegedly goes by the online moniker of Iceman, faces various computer hacking and sabotage charges. Police are in the process of examining computers seized during a raid on Butyka’s home for evidence.

The means used and the motive for the attack remain unclear, but NASA is a frequent target of hacking attacks and almost as frequently a target of cybercrime prosecutions.

A Romanian police statement on the case can be found here (English translation here). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/17/romania_nasa_hacker_charged/

Apple plugs iTunes Ghost Click hole

Apple has updated its iTunes software to correct a security shortcoming that offered the potential for miscreants to mount man-in-the-middle attacks and appears to have played a central role in the infamous Ghost Click botnet scam.

iTunes 10.5.1, released on Monday, is a cross-platform update that addresses a flaw that’s most acute on Windows systems. Prior to the update, hackers had the potential to intercept update queries between the iTunes client on a user’s Windows machine and Apple. This might have been abused to offer a Trojaned version of iTunes, or – more likely and much easier to pull off – redirect surfers to a site punting fake anti-virus (AKA scareware) or running click-fraud scams.

The threat is most acute when Apple Software Update for Windows is not installed. In these cases, a user’s default browser might be opened to a location under the control of hackers that poses as an Apple site.

Apple Software Update is included with OS X so the risk is a fair bit less for Mac fans. Nonetheless Mac users also need to update.

Fixing the flaw on both Mac and Windows machines involves enforcing updates via a secure connection, something that probably ought to have been applied as general good practice in the first place. Apple’s advisory makes no mention of whether attacks based on the vulnerability had actually taken place, but we’re pretty sure this relates to the DNS Changer scam, which caused machines running Apple’s Mac OS X, as well as Windows PCs, to rely on rogue domain name system servers set up by hackers.

The malware was used to establish a four-million-drone botnet, used to hijack browsing sessions on infected machines. Fraudulent web pages appeared when victims attempted to visit Netflix, the US Internal Revenue Service, Apple’s iTunes and other services. Six Estonian suspects have been charged, and one Russian suspect remains at large, following the high-profile Ghost Click takedown operation earlier this month.

An FBI press release on the Ghost Click takedown specifically cites iTunes as an example of how the alleged fraud operated. The mechanism of the attack is uncannily similar to that addressed by the iTunes update.

DNSChanger was used to redirect unsuspecting users to rogue servers controlled by the cyber thieves, allowing them to manipulate users’ web activity. When users of infected computers clicked on the link for the official website of iTunes, for example, they were instead taken to a website for a business unaffiliated with Apple Inc that purported to sell Apple software. Not only did the cyber thieves make money from these schemes, they deprived legitimate website operators and advertisers of substantial revenue.

Trend Micro, one of several security firms and academics that assisted police in the takedown, has a good write-up on how the Ghost Click scam operated from a technical perspective here.

The scam netted the alleged cybercrooks an estimated $14m since 2007 via click fraud, fake anti-virus and malvertising for rogue (unlicensed) pharmacy websites.

Normally we’d like to phone Apple up and put our theory to it that the iTunes flaw played a central role in the Ghost Click fraud over several years. Unfortunately, experience tells us that Apple, unlike other vendors, never responds to such calls. This is a shame because there are still wider lessons to be drawn from the Ghost Click takedown that could help the industry as a whole improve security practices and help prevent future repetitions of this type of scam. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/17/itunes_update_fixes_ghostnet_flaw/

BIND security update protects against serious server crash

Updated: The Internet Systems Consortium is advising BIND users to update immediately to protect against a bug that may already be under attack to crash vulnerable servers.

The ISC says an unidentified network event caused BIND 9 resolvers to cache an invalid record, and when subsequent queries requested the invalid record, the servers crashed with the following assertion failure:

INSIST(! dns_rdataset_isassociated(sigrdataset)).

It’s also apparently being exploited to attack networks, with multiple members of the BIND users email list from Germany, France and the US reporting simultaneous crashes across multiple servers.

The ISC describes the bug as a potential zero-day exploit with no workaround, and urges immediate upgrade to BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, or 9.4-ESV-R5-P1.

The patched code is designed to handle both the cache and the crash. The ISC’s advisory states:

“When a client query is handled, the code which processes the response to the client has to ask the cache for the records for the name that is being queried. The first component of the patch prevents the cache from returning the inconsistent data. The second component prevents named from crashing if it detects that it has been given an inconsistent answer of this nature.”

According to Blair Strang, a security consultant at Australian company SenseOfSecurity, while the situation is “serious”, the “sky is not falling”.

Because past incidents have made BIND developers paranoid, Strang explained to The Register, they’ve ramped up the safety checks inside their code over the years – and this crash is due to the safety checks.

“The name server knows ‘something has gone wrong’ and exits as a defensive measure,” Strang told us. “The security checks were added in BIND 9 because BIND 8 got hammered; several exploits were released for it, which is several too many for one of the essential services holding the Internet together.”

He added that the current vulnerability is still mysterious, and that “the patch from the BIND guys doesn’t actually fix the bug – it just papers over the crash caused by the assertion (this situation could probably change during the day as people find out more).”

Since the BIND developers don’t yet know what payload triggered the crash, remote code execution is feasible, he said. “Let’s hope it remains a denial of service condition”, he added.

BIND – the Berkeley Internet Name Daemon – has been a favourite target for black-hats. When an exploitable bug is discovered, miscreants can (for example) redirect users to counterfeit sites to harvest data like account IDs and passwords.

Unlike a phishing email attack, which is merely an IQ test that too many people fail, attacks on DNS resolvers are a different animal entirely. If users have typed their bank’s URL in the browser, they’re likely to believe that they’ve arrived at the bank’s site, even if they haven’t. ®

This post was updated to add comment from Strang.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/16/bind_in_a_bind_again/

Browser privacy at work: The BOFHs’ guide

Part 3: Enterprise browser usage is a messy subject. The enterprise is not what it once was; the days of the homogenous Windows empire are past. Not only are alternative operating systems like Apple’s OS X gaining traction in the enterprise, but the desktop is no longer a browser administrator’s only concern.

The consumerisation of IT has moved us past the simple, easily managed world of Windows on the desktop and BlackBerrys in our pockets. While popular amongst users, this latest trend in IT exacts both privacy and security tolls on business and users alike.

Enterprises need centralised control over browser configuration. Whitelisting and blacklisting browser extensions is critical, as is the ability to manipulate all of a browser’s built-in security settings. Centralised certificate management is another common issue.

Most browsers can treat different websites with different privilege levels, and these lists need to be centrally managed. Similarly, enterprises need the ability to control locations of downloaded files, anti-malware integration and permitted file types.

Every business’s needs are different, yet even in the face of the consumerisation of IT, the enterprise’s need to exert control over browsers for security purposes remains constant. The question is: how?

The homogenous environment

The traditional enterprise environment consists of desktop systems running some flavour of Microsoft Windows. These desktops are easily managed, and configurable via Active Directory.

Active Directory’s Group Policy Objects (GPOs) and Group Policy Preferences (GPPs) offer administrators a simple, centralised, and secure method to lock down Internet Explorer’s (IE’s) settings. This includes the ability to configure browser extensions such that they require permission for every website that attempts to utilize them.

This is a critical security feature. Certain common extensions such as Java, Reader or Flash provide worrisome attack surfaces. Without the ability to lock these browser extensions down, no internet-connected computing environment can ever be considered secure.

IE has a horrible public reputation for security, largely due to the zombie-like persistence of IE6. Microsoft has spent a great deal of time and money making Internet Explorer as secure on its own as Firefox with a plethora of plug-ins. These efforts have resulted in a new generation of Microsoft browser. IE8 and later can be made very secure; they even include sophisticated anti-phishing security.

While some aspects of user privacy are worrisome – specifically the ability of advertisers and website owners to track users’ browsing habits – browser issues of interest to enterprise and corporate security are perhaps best served by IE.

Corporations don’t particularly care if advertisers can track the movements of their employees. While industrial espionage via web tracking is theoretically possible, if you have legitimate concerns about Google being able to glean corporate secrets via your browsing habits, far more industrial-strength security measures are called for.

Corporations do care about viruses, Trojans, and other malware finding their way onto network PCs. Here, a fully up-to-date IE can provide a secure browsing experience with unmatched manageability.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/16/how_to_stay_anonymous_part_3/

Facebook says it’s winning against Justin Bieber smut onslaught

Facebook said it is well on the way to cleaning up a noxious slurry of porn and pictures of dead animals left by a spam campaign that targeted users’ walls this week.

The attack – which resulted in punters being greeted by an avalanche of photoshopped pornographic images of Justin Bieber – involved tricking users into pasting rogue JavaScript code into their browsers.

As previously reported, Facebook described the mechanism of the attack as a self-inflicted XSS vulnerability. The social network says it managed to eliminate most of the rogue status updates by Wednesday lunchtime.

In a statement, Facebook said:

We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves.

Initially it was suspected that a purported member of Anonymous, who threatened to unleash a Koobface-style worm against the site, might be behind the attack. This theory has since been binned, and it now seems that cyber-crooks are behind the attack, which is likely to be financially motivated, possibly by driving traffic to dodgy shopping sites.

The attack is particularly unpleasant because Facebook tries to maintain a family-friendly environment for its teenage and adult users. Children under 13 are not allowed to open accounts.

The site is reportedly putting in place systems to prevent similar attacks in future. Security experts warn that other popular websites might be hit by similar outbreaks in future.

“The flaw being exploited could likely be used against other sites as well if users can be tricked into pasting malicious javascript into the browser,” Chester Wisniewski, a senior security advisor at Sophos warned. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/16/facebook_filth_flood_clean_up/

Facebook vows ‘consequences’ for extreme porn scammers

Facebook officials have tracked down the scammers responsible for deluging the social network with images depicting bestiality, self-mutilation and other depravity, and are vowing to seek swift justice.

As previously reported, Facebook has blamed the torrent of extreme smut on a “self-XSS vulnerability in the browser” that tricked users into pasting and executing malicious javascript in their address bars and caused them to unknowingly share this offensive content. Many victims have reported that the highly offensive content is visible to others but not to the user whose account was used to spread it.

According to reports published by PCMag.com and ZDNet, Facebook officials have also figured out who is behind the attack. Both reports cited the same statement from a Facebook PR representative that says:

“In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that has already identified those responsible and is working with our legal team to ensure appropriate consequences follow.”

Neither report divulged the identity of the scammers or said if law enforcement agencies have been called in to investigate.

When The Register asked Facebook representatives for confirmation, one of them responded with a statement that read: “We’ve identified the responsible parties and are pursuing legal action at this time.”

Facebook’s enforcement team has already taken a tough stance against spamming. In 2009, it sued serial spammer Sanford Wallace and two associates for spamming members with wall posts that posed as messages from their friends. The social network was eventually awarded $711 million in the case. Earlier this year, Wallace was criminally charged with hacking more than 500 million Facebook accounts.

Facebook has sued other alleged spammers as well.

Facebook has yet to elaborate on key details of the ongoing attack. It’s still unknown if the cross-site scripting vulnerability is unique to a particular browser and how many of its 800 million users have been affected. ®

This post was updated to add comment from Facebook.

Follow @dangoodin001 on Twitter.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/16/facebook_ids_spam_attackers/

Official: Facebook filth flood nowt to do with Fawkes virus

Facebook has blamed a scam that tricks users into pasting rogue code into their browsers for the sudden torrent of filth on users’ walls.

Users of the social network were shocked to see pornographic photoshopped images of Justin Bieber, images of an abused dog and other disturbing content on their friends’ Walls as a result of the attack, which exploded late on Monday but may have actually begun some days earlier.

Although the origin or purpose of the spam attack remains unclear, Facebook is blaming a “self-XSS vulnerability” that involves tricking users into pasting rogue JavaScript into their browsers. A slightly ambiguously worded statement by the social network, quoted below, implies that the shock image outrage is purely user error rather than a flaw in the web browser software or Facebook’s site.

Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms. Recently, we experienced a coordinated spam attack that exploited a browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.

During this spam attack users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it.

We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defences to find new ways to protect people.

One early theory suggested that the Facebook filth flood was linked to a threat last week by a purported member of Anonymous to release a “highly sophisticated” worm (dubbed the Fawkes Virus) onto Facebook. However, now even the security firm that most closely tracked this possible threat, Bitdefender, is discounting this speculation.

George Petre, a senior security researcher at Bitdefender, explained that its social networks security app Safego has tackled an increasing number of threats containing porn or other shock images over the last two weeks.

“Since this outbreak followed a relatively quiet period for Facebook threats, and considering the Anonymous video, we wondered if these are related to the Fawkes virus. However, we decided not for a number of reasons: firstly it looks like other Facebook outbreaks. In addition, some of the URLs used to spread this kind of worm contained a domain name related to the idea of shopping (laptop-rental-store.info). These are ordinary scams and we believe Anonymous would use something more sophisticated,” he concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/16/facebook_filth_outrage/
