STE WILLIAMS

Certificate stolen from Malaysian gov used to sign malware

Researchers have discovered malware circulating in the wild that uses a private signing certificate belonging to the Malaysian government to bypass warnings many operating systems and security software display when end users attempt to run untrusted applications.

The stolen certificate belongs to the Malaysian Agricultural Research and Development Institute, according to Mikko Hypponen, chief research officer of F-Secure, the Finnish security firm that found it was being used to sign malware spread using booby-trapped PDF files. By using the official credential to vouch for the trustworthiness of the malicious application, the attackers were able to suppress warnings Microsoft Windows issues when users attempt to install unsigned applications.

“The malware itself has been spread via malicious PDF files that drop it after exploiting Adobe Reader 8,” Hypponen wrote in a blog post published on Monday. “The malware downloads additional malicious components from a server called worldnewsmagazines.org. Some of those components are also signed, although this time by an entity called www.esuplychain.com.tw.”

The discovery is the latest reminder of the challenges posed in securing the PKI, or public key infrastructure, used to digitally ensure the authenticity and integrity of websites and applications. With more than 600 entities entrusted to issue the certificates, all it takes is the compromise of one of them for an impostor to obtain the private key needed to issue counterfeit credentials for Google, eBay, the Internal Revenue Service or virtually any other service.

Over the past couple of years, a growing number of private keys have been abused. One of the best known examples was the Stuxnet worm that sabotaged Iran’s nuclear program. It used pilfered digital keys belonging to two companies from Taiwan. The Duqu malware, which some researchers say has significant similarities to Stuxnet, also used private certificates.

Hackers recently compromised the systems of Netherlands-based certificate authority DigiNotar and minted counterfeit credentials for half a dozen sites, including Mozilla’s addons website and Skype. A bogus certificate for Gmail was used to spy on about 300,000 people accessing the service from Iran.

Two weeks ago, credentials issued by intermediate certificate authority Digicert Malaysia were banished from major browsers following revelations the company issued secure sockets layer certificates that could be used to attack people visiting Malaysian government websites. A day later, Netherlands-based KPN Corporate Market said it suspended the issuance of new certificates after discovering a security breach that allowed hackers to store attack tools on one of its servers.

The compromised certificate discovered by F-Secure shows the signer as anjungnet.mardi.gov.my. It expired at the end of September. Hypponen said Malaysian authorities have indicated the certificate was stolen “quite some time ago.” ®
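The article’s point is that a signature which validates is not the same as a signature from a trustworthy signer. The following is an added example, not code from F-Secure or the article: it builds a self-signed code-signing certificate in memory (constructed test data) and then applies the two checks a defender would want before honouring a signer, a validity-window check and a lookup against a list of signers known to have been stolen. The 30 September expiry date and the second signer name are assumptions for the demonstration; the signer name anjungnet.mardi.gov.my comes from the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict summarises why a signing certificate should or should not be trusted.
type Verdict struct {
	Subject string
	Expired bool // outside the NotBefore..NotAfter window at the time of the check
	Blocked bool // subject is on the list of known-stolen signing certificates
	Trusted bool // neither of the above
}

// makeSigningCert builds a self-signed code-signing certificate in memory.
// Constructed test data: a real signer chains to a CA, but the checks below
// only look at subject and validity period, which a self-signed cert exercises.
func makeSigningCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// assessSigner applies the checks the article motivates: the signer must be
// inside its validity window at the time of the check AND must not be on the
// list of certificates known to have been stolen. A signature that merely
// verifies cryptographically earns no trust on its own.
func assessSigner(cert *x509.Certificate, now time.Time, blocklist map[string]bool) Verdict {
	v := Verdict{Subject: cert.Subject.CommonName}
	v.Expired = now.Before(cert.NotBefore) || now.After(cert.NotAfter)
	v.Blocked = blocklist[cert.Subject.CommonName]
	v.Trusted = !v.Expired && !v.Blocked
	return v
}

func main() {
	// Assumed check date and expiry date; the signer name is from the article.
	now := time.Date(2011, 11, 14, 0, 0, 0, 0, time.UTC)
	expiry := time.Date(2011, 9, 30, 23, 59, 59, 0, time.UTC)
	blocklist := map[string]bool{"anjungnet.mardi.gov.my": true}

	stolen, err := makeSigningCert("anjungnet.mardi.gov.my", now.AddDate(-2, 0, 0), expiry)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", assessSigner(stolen, now, blocklist))

	// Hypothetical healthy signer for contrast.
	ok, err := makeSigningCert("example-vendor.test", now.AddDate(-1, 0, 0), now.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", assessSigner(ok, now, blocklist))
}
```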

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/14/stolen_certificate_discovered/

Hackers port iPhone 4S’s Siri to rival devices

Hackers say they’ve reverse engineered the Siri personal assistant that debuted in last month’s release of the iPhone 4S, a feat that allows them to make it work from virtually any device.

To back up their claim, the hackers – from the mobile-application developer Applidium – released a collection of tools on Monday that they say can be used to build Siri-enabled applications on devices that were never authorized to offer the proprietary Apple feature. The tools, written in the Ruby, C, and Objective-C languages, are the result of painstaking sleuthing into the way Siri communicates with a remote server Apple dedicates to the service.

“Today, we managed to crack open Siri’s protocol,” the Applidium developers wrote in a blog post. “As a result, we are able to use Siri’s recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad!”

The chances of someone using the findings to mass-produce a Siri app for unauthorized devices are slim, since the hack requires a valid iPhone 4S unique identifier to be sent to the server. That means Apple could easily revoke identifiers that are used an abnormally high number of times, or from an abnormally high number of different locations.

But there doesn’t appear to be anything stopping individual iPhone 4S owners from using the hack to expand the number of devices that work with Apple’s proprietary natural-language app.

The Applidium developers reverse engineered Siri by setting up their own HTTPS servers with an SSL, or secure sockets layer, certificate they signed themselves. That allowed them to observe the commands Siri sent to Apple’s server, which is located at guzzoni.apple.com. They eventually found that the body of such requests is little more than a binary plist whose contents can be deciphered using the Mac OS X plutil tool.

Interestingly, Siri sends a huge amount of data to the Apple server, and it uses the Speex audio codec to compress raw audio data before it is transmitted. When Siri operates in text-to-speech mode, Apple’s server applies a confidence score and time stamp to each word.

iPhone fans who are excited by the possibility of this hack are advised to move quickly. Apple has long killed iOS bugs that make jailbreaks possible shortly after they’re discovered, so it wouldn’t be surprising to see the closing of this hole that allows Siri to be ported to rival devices. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/15/siri_hack/

Freebie Android anti-malware scanners flunk tests

Many free-of-charge antivirus products fail to protect Android smartphones against malware effectively, leaving users with a false sense of security as a result.

Tests by antivirus testing lab AV-Test.org revealed that the best freebie Android anti-virus scanner, Zoner Antivirus, caught 32 per cent of 160 recent Android threats. The other six free-of-charge Android products fared abysmally, with the best of the rest detecting just 10 per cent of the threats. One detected none whatsoever.

AV-Test.org tested seven free-of-charge anti-virus products that it downloaded from the Android marketplace after searching for “anti-virus”. The most widely used of these – Antivirus Free from Creative Apps – has over a million users but is still way behind both Lookout Mobile Security and AVG’s DroidSecurity, which number 12 million and 10 million plus users respectively. AV-Test.org omitted these products from the tests because Lookout also offers paid-for security software for Android and, in the case of DroidSecurity, because the technology was recently acquired by AVG (and rechristened AVG Mobilation).

The omission of these products from the tests means that AV-Test.org’s results are less than comprehensive. But even its findings on a less than complete sample of Android anti-malware products are a real eye-opener, not least because they come from one of the few recognised authorities in anti-virus testing.

Each of the tested security software products was installed on an Android smartphone deliberately infected with inactive specimens of more than 150 recent Android threats. AV-Test.org ran on-demand scans in each case, recording how many threats were detected.

AV-Test.org also included tests of F-Secure Mobile Security and Kaspersky Mobile Security, both commercial products, for comparison purposes. Kaspersky and F-Secure both detected more than 50 per cent of the threats analysed, substantially better than any of the freebie products tested, though poor when compared to the performance of their desktop products.

The second half of these tests involved deliberately attempting to infect freshly cleaned devices with 10 strains of Android malware. Products from F-Secure and Kaspersky detected and blocked all the samples. Zoner Antivirus blocked eight while the other six freebie products blocked either one or none. BluePoint AntiVirus Free, Kinetoo Malware Scan and Privateer Lite warned against one malicious app. Antivirus Free by Creative Apps, GuardX Antivirus and LabMSF Antivirus beta failed completely.

Paid-for apps beat freebies

“In general, the free products didn’t perform very well (with just one exception), but the commercial products which were tested as reference performed significantly better,” Andreas Marx, chief executive officer of AV-Test.org, told El Reg. “We’re working on a review with a focus on commercial apps within the coming weeks.”

Marx explained the rationale for the omission of both Lookout and DroidSecurity from this round of tests.

“The product selection is based on the criterion of how common the different freeware anti-virus products are (including their user ratings), based on the Android market scores/data. We wanted to limit the testing to no more than 10 products total in order to perform everything in a timely manner,” Marx told El Reg.

“In this first Android test-run, we focused on ‘free’ anti-virus offerings (the two commercial products from Kaspersky and F-Secure were included as reference only with no final scores given). We consider Lookout’s offering as a commercial product, despite the fact that there is also a freeware edition available. The product also includes many more features than a dedicated anti-virus offering. Other products like ‘DroidSecurity’ were not included, as this one was recently acquired by AVG Technologies, so we considered it also as a ‘commercial’ product.”

A greater range of Android security products will be put through their paces in further tests by AV-Test.org.

“As we have received an enormous amount of feedback on this first Android security test report, we will perform further Android reviews in the near future which are focusing on many more Android security products and anti-virus offerings. This one will include ‘freeware’ and ‘commercial’ offerings from a wide range of vendors,” he added.

AV-Test.org’s full report on anti-virus scanners for Android can be found here [PDF].

The scanning test set contained 83 Android installation packages (APK) and 89 Dalvik binaries (DEX).

Sean Sullivan, security advisor at F-Secure, explained that its Android security software deliberately avoids detecting binaries because they can lead to false positives.

Because of this the scanning results might be misleading, he said, adding that F-Secure’s security caught all the tested malware variants when they actually tried to execute.

Despite making this point, Sullivan described AV-Test’s methodology as “fair enough” because it tested in the same way for every product evaluated. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/14/android_anti_virus/

Yates of the Yard cleared of misconduct

Former Scotland Yard assistant commissioner, John Yates, has been cleared of misconduct, after it was claimed that he had helped the daughter of a News of the World journalist get a job at the Met.

The Independent Police Complaints Commission said in a brief statement that, following a probe into Yates’ affairs, no evidence had been found to “justify disciplinary proceedings”.

The IPCC said it would publish a final report in the next few weeks.

Yates resigned from his post in July. He was cleared in August of a separate allegation of misconduct during an inquiry by the cop watchdog into the phone-hacking scandal that continues to rock News International – the sister company of Rupert Murdoch’s News Corp.

At the conclusion of that investigation, deputy IPCC chair Deborah Glass said that Yates had made a “poor decision in 2009.”

That comment refers to the one-time assistant commissioner’s failure to re-open the Met’s original probe into phone-hacking claims brought against individuals working for the News of the World.

Yates spent just one day in 2009 looking at the initial investigation into voicemail interception evidence, but concluded at that point that there was nothing worth pursuing further.

The IPCC had investigated his relationship with former NotW deputy editor turned PR wonk for the Yard, Neil Wallis, whose daughter’s CV was passed on by Yates presumably to the Met’s personnel department.

In July, at the height of the phone-hacking drama, Wallis was arrested by police and later bailed on suspicion of conspiring to intercept communications. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/14/ipcc_clears_john_yates_news_of_the_world/

Don’t get privates trapped in Facebook’s silos, warn experts

The EU information security agency (ENISA) has warned that people can get too easily “trapped” into “personalised information silos” when using social networks.

In a new report, the security experts said that there was a risk associated with the growing use of what it described as “life-logging” technology.

ENISA said that an “oligopolistic market structure” existed in that arena.

“Thus, one or a few globally active platform providers may become hubs for life-logging activity in general,” it said.

“A good early example is today’s Facebook, with an impressive amount of 600 million active users. In such a market structure, the platform provider of choice exercises considerable power, because users of the service are de facto ‘locked in’.

“They cannot switch easily to another network without incurring considerable transaction cost or leaving out completely on service participation.”

ENISA noted that the inability to transfer contacts and personal data such as photos from, say, Facebook to Google+ made it more difficult for users to freely shift their information around the interwebs.

“Consequently, the risk exists that the leading life-logging service provider abuses their market power. For economic reasons, they can strategically reduce available choices in terms of service access, applications offered, information made available and social control options,” ENISA added.

The report continues by highlighting that such technology could:

  • artificially control the service richness offered on his platform to users, i.e., impede the publication of potentially competitive application offerings, limiting the innovation opportunities around life-logging;
  • hinder the spread of information if that information is not commercially or politically desired;
  • lever out net neutrality by introducing different service levels at the application layer; and
  • dictate the social rules around the life-logging service, such as privacy rules, rules around the confidentiality of user data, the copyrights to posted content, etc.

ENISA suggested that the European Commission should consider those warnings when revising the now-delayed data protection directive.

It called on the EC to promote security and privacy risk management as a framework for governments, regulators and service providers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/14/enisa_report_life_logging/

Top cop calls for tougher sentencing of cybercrooks

Cybercrims should get tough sentences, according to the head of Scotland Yard’s e-crime unit, who criticised judges for going easy on e-banking fraudsters while throwing the book at their old-school cohorts in crime.

Det Supt Charlie McMurdie expressed frustration that cyber-fraudsters, such as those convicted as the result of Operation Lath and Operation Pagode, tended to receive softer sentences than those committing regular robbery or fraud.

“Sentencing is still an issue,” McMurdie said, the BBC reports. “Some of these people have made millions and if it was fraud or robbery they would get eight or 10 years but they get less because it’s cybercrime.”

Operation Pagode involved the operations of an underground cybercrime forum where as many as 8,000 people traded stolen credit card details as well as drug-making kits. The site, GhostMarket.net – described by cops as the biggest English-speaking forum of its kind in the world, or a Facebook for cybercrooks – was run by a pair of 18-year-olds. The duo were initially arrested for trying to pay a hotel bill with a stolen credit card before they skipped bail and were re-arrested at Gatwick with a laptop containing more than 100,000 stolen credit card details. After the Gatwick arrest, the pair were jailed for four and five years, respectively. Other suspects were convicted of various cybercrime offences and jailed in the same case.

Operation Lath resulted in the conviction and imprisonment of two Ukrainian nationals over a banking Trojan scam estimated to have involved the theft of £3m from victims’ bank accounts. Pavel Klikov, 29, and Yevhen Kulibaba, 33, from Chingford, Essex, were each jailed for four years and eight months, a sentence McMurdie argued failed to reflect the severity of their crimes.

“Sentencing powers are sufficient but it’s the appreciation of the harm these individuals are causing that is lacking,” she said. “In total some of these cases involve £5m or £6m. People think there are no victims, no one loses out because individuals get their money back from the banks. But it’s a loss to the UK economy and a gain for that criminal organisation.”

Does the punishment fit the crime?

So are stuffy old judges being soft on cybercrooks? Actually the reality might be a bit more complex than that. Judges have to operate within sentencing guidelines that look at a convicted suspect’s age, mental state, previous criminal form, and whether they co-operated with police and made an early guilty plea. After surveying these guidelines, judges must decide whether to add to or subtract from a tariff, which can be related to how much was stolen (for example), in working out how long the criminals should be imprisoned or, for lesser offences, how much of a fine they ought to pay and how much time they ought to spend on probation.

Judges like to have testimony from victims on how much they have lost out from a crime, something that’s often difficult to come by in the case of cybercrimes. Estimates of how much might have been obtained via a scam play well in the press but simply won’t do in court. What judges want is testimony from victims or, almost as good or even better from the point of view of recovering the proceeds of crime, property or cash or saleable goods tied to a suspect whose acquisition can’t be explained via legitimate receipts or paperwork.

Basing sentencing on estimates of how much a crime might have netted simply won’t do. If judges ignore sentencing guidelines and apply tough sentences based on an estimate, it is probable if not inevitable that any sentence they impose will get reduced on appeal. This is something I’ve seen for myself firsthand, in reporting the sentencing of Welsh VXer Simon Vallor. Judge Geoffrey Rivlin wanted to know what financial losses had occurred as a result of Vallor’s creations. Even hard figures from MessageLabs on how many times it had blocked Vallor’s creations were of no real use to him. Admittedly this was all eight years ago, but much the same sentencing process applies even now.

So McMurdie would do better to come up with schemes to persuade victims of cybercrime to testify, a very difficult process, rather than criticising judges.

Victims of cybercrime are sometimes harder to identify than victims of conventional crime, where the extra personal element is a factor in motivating testimony. Identified victims of cybercrime are often companies that are reluctant to come forward, partly because they do not want their security failings aired in open court.

Old lags don’t change

Asked whether traditional criminals were switching to cybercrime – a logical move if McMurdie is to be believed and the danger of serving a long stretch behind bars is much reduced – the police boss suggested old lags were too set in their ways to change.

“There is no significant intelligence that old-fashioned ‘blaggers’ have become cyber hackers,” McMurdie said in a BBC report. “They wouldn’t understand it. Nor have I evidence of old-fashioned gangsters commissioning cybercriminals.”

Ouch.

After years failing to recognise the damage caused by e-crime, disbanding the former NHTCU and failing to set up a cybercrime reporting structure, the UK government has finally begun to act.

The government has allocated £650m to fight cybercrime, providing an increased budget that has allowed the PCeU team to expand from 20 officers to 104. Three new regional e-crime units – in north-west England, the East Midlands and Yorkshire/Humberside – are due to begin operations in January.

Threats the PCeU will have to grapple with next year include online ticketing fraud and other cyber-threats linked to next year’s London Olympics. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/14/pceu_cybercrime_sentencing/

Ex-councillor jailed for grooming blackmailer posing as teen

A 52-year-old Londoner has been jailed for 15 months after he was caught attempting to sexually groom a child online.

Scotland Yard said that John Friary, of Camberwell Road, SE5, was sentenced last Friday at Isleworth Crown Court.

Friary, a former Labour councillor, was snared by a blackmailer posing as a 15-year-old girl on internet chat rooms.

Officers from Hertfordshire Police had been investigating Peter Simms, who pleaded guilty to blackmail at St Albans Crown Court and was subsequently jailed for 21 months in May this year.

They flagged Friary – a blackmail victim of Simms – to the Met’s Paedophile Unit.

“Inquiries revealed that Friary was one of the individuals Simms had been in contact with,” said the Yard.

“Conversations between the pair involved Friary’s attempts to make arrangements to meet the individual – believing him to be a 15-year-old girl – with the intention of committing a sexual offence.”

John Friary, 52, of Camberwell Road

Friary, who has been placed on the Sex Offenders Register, was arrested on 25 January and taken to Fulham police station where he was charged with “attempting to arrange to meet a child following sexual grooming”.

DI Noel McHugh of the Met’s Paedophile Unit said: “I am in no doubt that had the girl existed Friary would not have hesitated in committing a serious sexual offence.

“This type of case should act as a reminder to young people to be cautious about who they are communicating with online.

“Any young person who has had contact with Friary online and believes they may have been the victim of crime is encouraged to contact the investigation team direct on 020 71612811. Alternatively you can contact Crimestoppers on 0800 555 111; ChildLine on 0800 1111; report the matter to your local police station; or inform a teacher or trusted individual.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/14/online_grooming_man_jailed/

Iran wrestles Duqu malware infestation

Iran admitted on Sunday that unspecified computer systems in the country had been infected with the Duqu worm, a strain of malware similar to the infamous Stuxnet worm that sabotaged key nuclear plant systems in the country last year.

The head of Iran’s civil defence organization told the official IRNA news agency that the outbreak was under control. “The software to control the [Duqu] virus has been developed and made available to organisations and corporations,” Brigadier General Gholamreza Jalali said, AFP reports.

“The elimination [process] was carried out and the organisations penetrated by the virus are under control… The cyber-defence unit works day and night to combat cyber attacks and spy [computer] viruses,” he added.

Duqu was discovered in early September by computer scientists at the Budapest University of Technology and Economics. Subsequent analysis by anti-virus analysts at Symantec, F-Secure and others revealed the malware was closely related to the earlier Stuxnet worm, albeit probably designed for a different purpose.

The worm, like Stuxnet, features a forged digital certificate and makes use of Windows zero-day exploits. But where Stuxnet made use of three zero-day exploits, Duqu uses just one (a flaw involving the TrueType font parsing engine).

Stuxnet was designed to infect industrial control systems and narrowly focused on screwing up the operation of any high-speed centrifuges connected to these systems, such as the kit Iran uses to enrich uranium. While Stuxnet was designed for sabotage, Duqu appears to be built with reconnaissance in mind. The malware collects information from infected systems, possibly in preparation for future attacks.

Jalali described Duqu as the third virus to hit Iran, following Stuxnet and the Stars worm, which it said it detected in April. It’s unclear if Stars is also related to Stuxnet. Oddly, and rather suspiciously, samples of Stars have not come into the possession of Western anti-virus firms, leading some to publicly question whether the malware was anything more than a propaganda ploy by Tehran. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/14/duqu_malware_infestation/

Valve says credit card data taken

Valve has now confirmed that the hack of its Steam forums reported last week may have included the theft of credit card numbers.

The company has e-mailed users saying that the intruders that defaced its forums also accessed a database which included “information including user names, hashed and salted passwords, game purchases, email addresses, billing information and encrypted credit card information.”

Since the card data was encrypted, it may not be usable by the attackers, operating under the handle fkn0wned. However, according to the Washington Post and others, the e-mail from founder Gabe Newell advised customers to watch their credit card statements for evidence of misuse.

It’s been a bad 2011 for online game servers, with the now-infamous Sony PlayStation Network hack setting gamers a-jitter and costing the company both dollars and reputation.

Valve has sought to reassure users that it wasn’t slack with their personal information. A password reset has been applied to all forum users, and the company suggests that any gamers whose Steam password was the same as their forum password should reset that as well. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/13/steam_confirms_credit_card_database_attacked/

Tour de France winner sentenced for hack of doping lab

Floyd Landis, the disgraced US cyclist who was stripped of his 2006 Tour de France victory for doping, was handed a suspended 12-month prison sentence for his part in a hack of an anti-doping lab computer.

Arnie Baker, Landis’s former trainer, also received a suspended 12-month term from the same French court in Nanterre, near Paris. The criminal hacking case stemmed from the use of a trojan to infect a computer at the Laboratoire National de Depistage du Dopage in 2006, a few weeks after the lab accused Landis of testing positive for testosterone during the Tour de France.

The lab that year reported that someone had broken into its computer systems. An investigation by a magistrate in Nanterre later found that someone used a trojan to download 1,742 files from the lab. The contents of some of those files later appeared in a memo on Baker’s website that challenged the credibility of the lab.

A man named Alain Quiros later confessed to being the person who planted the trojan. He was sentenced to six months in prison and a fine of €4,000.

Quiros was also convicted of breaching the computers of Greenpeace on behalf of French energy company EDF.

All three suspects were ordered to collectively pay €75,896 to the French lab.

Both Landis and Baker have maintained their innocence in the computer trespass case. During a trial, Landis’s attorney said his client received the stolen documents from an anonymous sender. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/12/floyd_landis_sentenced/