STE WILLIAMS

Sony has warned users against a massive bruteforce attack against PlayStation and Sony network accounts.

The attack – which used password and user ID combinations from an unidentified third-party source – succeeded in compromising 60,000 PlayStation Network and 33,000 Sony Online Entertainment network accounts. These accounts have been locked and passwords reset.

Credit card information is not stored on the dashboard of Sony accounts but it might have been possible that unauthorised charges were made against the wallets held on compromised accounts. Sony has promised to refund any such losses, as explained in a statement by Philip Reitinger, senior vice president and chief information security officer at Sony Group, on the PlayStation blog here.

Both the motive for the latest attack against Sony network users and the identity of the perpetrator(s) remains unclear.

Sony shut down its PlayStation Network in April in the aftermath of a far more damaging hack attack. The service wasn’t restored until a month later. Personal information on 77 million account-holders was exposed as a result of the April PlayStation hack. Details including names, addresses, passwords and purchase histories was exposed by the megahack.

Sony was widely criticised for its handling of the incident, one of the biggest data breach incident (by volume of records) in history. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/12/playstation_network_brute_force_attack/

While media around the world are excited by the announcement of every new zero-day vulnerabilities, attackers yawn, according to Microsoft.

Presenting Volume 11 of its Security Intelligence Report at the RSA Conference in Europe on October 11, Microsoft pointed out that less than one percent of the attacks its report identified were trying to exploit zero-day vulnerabilities.

The report finds that most malware propagates through user interaction – in short, getting users to fail the malware IQ test and click on a malicious link or application – while more than one-third of malware exploits Win32/Autorun on the insertion of media like USB keys.

Moreover, the research finds that 90 percent of infections exploited a vulnerability for which a patch had been available for more than a year. This is well in line with research from Australia’s Defence Signals Directorate, which in July identified application and operating system patching as two of the four most important attack mitigation strategies available to IT managers.

Interestingly, given the general belief that the world is in the midst of a malware apocalypse, the report also finds encouraging trends in the first half of this year. “Medium and high severity vulnerabilities disclosed in 1H11 were down 6.8 percent and 4.4 percent from 2H10, respectively,” the report notes, while “low complexity vulnerabilities – the easiest ones to exploit – were down 41.2 percent from the prior 12-month period.”

Java exploits – including JRE, JVM and JDK vulnerabilities – dominate the landscape, while the CV-2010-2568 vulnerability (used by the Stuxnet family) drove an increase in operating system-level exploits, the report states. The report also observed nearly a million Acrobat and Adobe Reader document format exploits, nearly all of which involved the Win32/Pdfjsc exploit family.

Vinny Gullotto, general manager of the Microsoft Malware Protection Center, told the RSA Conference the data in the report “helps remind us that we can’t forget the basics.

“Techniques such as exploiting old vulnerabilities, Win32/Autorun abuse, password cracking and social engineering remain lucrative approaches for criminals.”

Phishers seem to be shifting their tactics as well, from their older preference for financial sites to targeting social media sites, which got 83.8 percent of malicious page impressions in April, the report finds.

“Overall, impressions that targeted social networks accounted for 47.8 percent of all impressions in 1H11, followed those that targeted financial institutions at 35.0 percent,” the report says. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/11/zero_day_overrated_says_ms/

Home Depot, The Wall Street Journal, Photobucket, and hundreds of other websites share visitor’s names, usernames, or other personal information with advertisers or other third parties, often without disclosing the practice in privacy policies, academic researchers said.

Sixty-one percent of websites tested by researchers from Stanford Law School’s Center for Internet and Society leaked the personal information, sometimes to dozens of third-party partners. Home Depot, for example, disclosed the first names and email addresses of visitors who clicked on an ad to 13 companies. The Wall Street Journal divulged to seven of its partners the email address of users who enter the wrong password. And Photobucket handed over the usernames of those who use the site to share images with their friends.

The report comes as US officials have proposed a mandatory Do Not Track option for all websites. Some operators have argued such measures are unnecessary because their systems for tracking visitors’ browsing histories aren’t linked to a user’s specific identity.

In the report, Jonathan Mayer, a Stanford graduate student who led the study, argued against the claim that the online tracking is anonymous. A username alone, he explained, is often more than adequate to identify the owner, and when it’s combined with other information, such as his geographic location or first name, even widely used usernames can be uniquely assigned to an individual.

“We believe there is now overwhelming evidence that third-party web tracking is not anonymous,” he wrote. “It is a legitimate policy question whether, on balance, Do Not Track should be enforced by law. But the difficult weighing of competing privacy risks and economics can’t be short-circuited by claims of anonymity.”

The report studied websites included in the Quantcast top 250 that offered user signups, didn’t require a purchase or other qualification to create a username, and didn’t include so many features as to be impractical for study. Of the 185 sites that met the three criteria, 113 of them included usernames and other identifiers in the URLs they shared with advertisers and analytics partners. The five biggest recipients were ComScore, Google Analytics, Google’s DoubleClick, Quantcast, and Facebook.

The report cited privacy policies of many of the websites that appeared to make no mention of the practice. The WSJ‘s, for example, says: “We will not sell, rent, or share your personal information with these third parties for such parties’ own marketing purposes.” In its own policy, Home Depot says it “will not trade, rent or sell your personal information, without your prior consent.”

The Stanford researchers have previously documented a variety of attempts by websites and marketers to track users’s browsing habits, sometimes when they’ve taken pains to remain anonymous.

In August, they revealed JavaScript hosted on MSN.com and three other Microsoft websites that secretly logged visitors’ browsing histories across multiple web properties, even when the users deleted browser cookies to elude tracking. The researchers also exposed a marketer that helped websites deliver targeted ads by exploiting a decade-old browser flaw that leaks the history of websites that users visit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/11/websites_share_usernames/

The maker of a peer-to-peer application for Android handsets has agreed to settle federal charges that it was likely to cause users to unwittingly expose sensitive files to other people using the app.

Angel Leon, developer of FrostWire for Android, agreed to redesign the app after officials of the Federal Trade Commission alleged it was likely to cause a large number of users to inadvertently share personal files stored on their devices. Leon also agreed to make changes to a PC version of the p2p application FrostWire Desktop.

By default, FrostWire for Android shared many users’ photos, videos, documents, and other files already stored on phones and tablets running Google’s mobile operating system, according to a complaint filed by the FTC. Nothing in the installation and set-up instructions adequately informed users of the risks, it alleged.

“FrostWire for Android, as configured by the defendants, was likely to cause a significant number of consumers installing and running it on their mobile computing devices to unwittingly share files stored on those devices,” attorneys for the federal consumer watchdog agency wrote.

Over the years, untold numbers of people have mistakenly made proprietary data available over p2p file-sharing networks. Last year, the FTC warned 100 schools, local governments, and private corporations that their inadvertent sharing of sensitive information put others at risk of identity theft. More often than not, the unintended exposure is the result of users who don’t take the time to properly configure their file-sharing applications.

Tuesday’s settlement prevents Leon from using the default settings of the programs. It also bars him from making misrepresentations about the file-sharing behavior of the programs. The FTC has more here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/12/android_p2p_app_charges/

RSA Europe The infosec industry needs to move beyond “faith-based security” to an evidence-based approach that takes ideas from battlefield combat if corporations are ever to get ahead of hackers and keep security spending down to manageable levels.

Joshua Corman, director of security intelligence at Akamai, argued that while almost every enterprise attempts to develop security metrics for its environment, these approaches are more akin to “numerology” than hard science.

Raw data and numbers are rarely available in the field of information security and, when they are, they tend to get misquoted or misunderstood, according to Corman. For example, a widely cited misquote from a Verizon data breach report – “90 per cent of breaches are due to 18 patchable vulnerabilities” – is often taken as a basis by enterprises for developing a security policy. Another problem is that advice designed to address the main security shortfalls in small businesses is sometimes misapplied to large enterprises. Raw data on accidents can be applied to draw up actuarial tables for insurance purposes, but the same approach doesn’t work in information security, according to Corman.

“Collecting data and numbers to try to develop actuarial tables for security just doesn’t work because the problem space just isn’t like that,” Corman argued. “Information security is less about actuarial tables and more about game theory.”

Vendor-supplied statistics are often misleading, Corman told El Reg. “Vendors pluck out figures that support their sales pitch. They use statistics like a drunk uses lampposts – more for support than illumination.”

Rather than taking lessons from industry surveys, analyst reports or vendor-supplied arguments, security managers should look to lessons from military doctrine. The “observe, orient, decide and act” loop can be applied as well to fighting cyber-adversaries with unknown capabilities and tactics as it is in battlefield situations, according to Corman.

Corman is due to expand on his ideas during a conference debate snappily entitled Metrics are Bunk!?: A Zombie Apocalypse, Football/Soccer Security Metrics at the RSA Conference in Europe on Thursday. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/11/faith_based_security_fail/

That new “anonymous Twitter” app we wrote about last week? It is more anonymous than Twitter – but it isn’t actually very anonymous.

“Vibe isn’t like BBM, which is encrypted,” New York-based developer Hazem Sayed told The Reg. “This wasn’t designed like BBM was for exchanging confidential market information, but we don’t have information that we store other than where the user posted the update from.”

Vibe came to the attention of the international media because it was primarily being used by protesters at the #OccupyWallStreet demonstration instead of Twitter – partly because it lets you connect with people who are close-by in real life rather than just people you follow and partly because it is more anonymous and more secure. You don’t need an account, as it doesn’t record your IP: just your location. The messages self-destruct after a certain period of time.

#OccupyWallStreet has now spread to around 60 other US cities.

The app’s interesting not just because protest has kept growing, but because of the role social media increasingly plays in popular uprisings, whether they’re noble – Twitter in Egypt and Bahrain – or looty – BBM in the London riots.

We pushed Sayed. How deep does the anonymity go?

“What does anonymity mean?” he replied. “Vibe is for people within a group who want to be anonymous to each other, whether that’s people at a conference or students at a seminar not being afraid to ask stupid questions.”

Just because Vibe is more secure and anonymous, it isn’t completely secure or anonymous. And El Reg readers were all over the security holes. To take one example of the searing analyses posted on the comment board of our last story:

“So let me get this right … in order to receive the Top Secret messages from your fellow anarchists .. all you need to do is subscribe your mobile (which is linked to you by the account you signed in from) to this server … and send the server your location information on a regular basis … then by subscribing to the channel “#burnWallstreet” you can escape from The Man by getting Top Secret warnings … “Errr … so you identify yourself to the server, allow it to map your position, and then indicate your intentions by channel subscription … Sounds great!”

Sayed admits that the app is far from watertight. But according to him that’s not the point:

“The data on our app doesn’t get stored by us, but between the phone and the network providers; they keep logs that can be used for all sorts of purposes,” he said.

“Vibe is not designed to make those things difficult to do for those agencies – but it would be more difficult than say Twitter or Facebook, where all that’s required is a password and you have access to all a user’s messages and contacts.

“The app isn’t trying to circumvent anything. It’s more about a philosophy of the mobile web. You don’t need registration, just a mobile. The idea of having an account comes from the web era where lots of people may have used the same computer. Vibe is a mobile thing.”

And Sayed has been pushing his product hard. The developer has been travelling to various American cities, introducing Vibe to people through a series of projections on screens he calls “Vibe Walls”.

He actively pushed the adoption of Vibe at the beginning of the #OccupyWallStreet protests by handing out leaflets in Zuccotti Park about the location-based mobile app and setting up a projector in the square, allowing anyone nearby with a mobile to send their thoughts to the screen. The Vibe Wall stayed up every night for a week during the first week of the #OccupyWallStreet protests, which began on 17 September…

The vibes in Zuccotti Park – previously known as ‘Liberty Plaza’

– in New York, viewed through Vibe’s “sister app” AskLocal.

Though the police have shown themselves willing to arrest protesters, Sayed doesn’t think that it will be worth their while to track down phone logs and chase up Vibe messages, something the UK government threatened to do with the BBM chat logs of local looters’ exchanges during the riots. He said:

Even if the police can find out about it – what are they going to do? Go track down network logs to find out that someone up ahead on the road told people down the road that there was a police block? I see that the police could get paranoid about it, but it’s just people sharing what they think.

The Reg doubts the FBI will hunt down all the revolutionary hipsters responsible for slathering the Wall with Ghandi quotes, but perhaps Sayed knows something we don’t…

Vibe is available for free on iPhone and on Android. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/11/mobile_app_vibe/

Organisations do not have to issue all the information stored in complaint files in order to comply with individuals’ personal data access requests, the UK’s data protection watchdog has said.

Under the Data Protection Act (DPA) individuals have the right to access all personal data organisations store about them, but generally have no rights to access information held about others. The Information Commissioner’s Office (ICO) said organisations only have to issue the information that relates to an individual which allows them to be identified following a ‘subject access request’ from that individual.

“For information to be personal data it must relate to an individual and allow an individual to be identified from it – not all the information in a file will do this,” the ICO said in its guidance (23-page / 472KB PDF).

“However, the context in which information is held, and the way it is used, can have a bearing on whether it relates to an individual and therefore on whether it can be the individual’s personal data. Even if information is used to inform a decision about someone, this does not necessarily mean that the information is personal data,” the ICO said.

“Some information in a complaint file will never be personal data, regardless of the context it is held in and the way it is used – even if it is used in a way that affects an individual,” it said.

The ICO said that examples of information that may not need to be disclosed to comply with a subject access request include details of policy discussions, such as disciplinary procedures.

The ICO’s guidance included advice on how organisations can determine whether opinions stated in complaints files qualify as personal data and said that organisations should be aware that information held in complaints files may hold personal data about more than one person.

The ICO’s guidance also advised organisations over how to consider the disclosure of personal data under UK freedom of information (FOI) laws. The Freedom of Information Act (FOIA) and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by government departments and public bodies, subject to some exceptions.

Under the FOI laws public organisations are generally exempt from disclosing third party personal information, but organisations are still obliged to conduct a ‘public interest test’ to determine whether it is right for information to be disclosed, the ICO has previously said.

“Third party personal data cannot be disclosed if it would be unfair to do so,” the ICO said in its guidance.

“Fairness in the DPA is particularly about fairness to any person the personal data were obtained from – ie, it is primarily about fairness to the data subject.

“However, other factors, such as a person’s seniority, role and the legitimate interests of the public in the disclosure of the personal data must also be taken into account when assessing fairness. In general, it is more likely to be fair to disclose information about an employee acting in a professional capacity than about a private citizen,” the ICO’s complaints guidance said.

Organisations should maintain records of information with appropriate filing systems in order to comply with requests under the DPA or FOI laws, the ICO said.

“If organisations have good information management procedures in place, this will make it easier for them to deal with either DPA or FOIA access requests,” the ICO guidance said.

“For example, reliable indexes, contents pages, descriptions of documents and metadata can make it easier for those dealing with requests to locate personal data, decide whose personal data it is and to make a decision about its disclosure. It may be possible to establish a routine where the same sorts of requests are made to the same sorts of file,” it said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/11/complaint_files_disclosure/

RSA Europe Two groups from the same country teamed up to launch a sophisticated attack against RSA Security’s systems last March, EMC’s security division said.

Unspecified information gained during the attack paved the way towards an unsuccessful attack against a defence contractor (self-identified as Lockheed Martin), senior RSA execs said during the opening of the RSA Conference in London on Tuesday.

“Two groups were involved in the attack,” Thomas Heiser, RSA Security president, said during a keynote at the conference. “Both are known to authorities but they have never worked together before.”

“The attack involved a lot of preparation,” he added.

Forensic examination in the wake of attack on RSA’s systems allowed the security arm of EMC to draw tentative conclusions about the origin and purpose of the assault on systems that underpinned its SecurID two-factor authentication technology.

RSA executive chairman Art Coviello said that “one group was very visible and one less so”. Coviello declined to point the finger of blame towards any particular country but said during a later question-and-answer session that both came from the same country. “We’ve not attributed it to a particular nation state,” Coviello said. “However with the skill and degree of resources involved it could only have been a nation state.”

Coviello’s comments painted a picture of the attack as a collaboration between criminal hackers and either a military or intelligence agency, even though he sidestepped a question on whether this was a correct interpretation of his remarks.

Fallout

Heiser downplayed both the impact of the attack and RSA Security’s subsequent drip-drop disclosure of what exactly happened and how it had affected customers of its flagship SecurID two-factor authentication technology, which is widely used for secure remote access to corporate email or intranet applications.

“There was one attack on RSA,” he said. “The information taken from the RSA attack was a vector in one other attack, which was thwarted. We know of no other attack.

“We killed the attack while it was still in progress and communicated rapidly with our customers as much as we could tell them.”

Both the FBI and Department of Homeland Security are continuing to investigate the case.

“Our adversaries left information,” Heiser said. “We didn’t want to thwart the investigation, so for that reason we haven’t disclosed everything we know.”

RSA was widely criticised for its reluctance to disclose details of the assault. Even now, more than six months after the assault, it will only say that information related to SecurID was stolen. It hasn’t said what was taken although it has been widely suggested that it might have been the seed database used to generate one-time codes on the devices it supplies.

RSA Security offered to supply enterprise customers with replacement tokens in response to the attack. Both Coviello and Heiser declined to say how many tokens it has replaced, although, pressed on the point, Coviello said it was a “small percentage”.

During a question-and-answer session, Heiser denied accusations that many customers had been “left hanging” in the aftermath of the attack.

“We got out to our top 500 customers relatively quick. We have many thousands of other customers which we don’t deal with directly, so there wasn’t that that kind of hand-holding. We have to rely on our marketing press and partners,” he said.

“We disclosed everything we could without putting other customers at risk,” he said.

Hackers were looking for ‘defence-related intellectual property’

Heiser said that RSA was a pawn in a bigger assault: “The motive was to gain access to defence-related intellectual property. RSA was not the target but a means to an end,” he said.

Coviello said one of the ironies of the attack was that it validated trends in the market that had prompted RSA to buy network forensics and threat analysis firm NetWitness just before the attack. Security programs need to evolve to be risk-based and agile rather than “conventional” reactive security, he argued.

“The existing perimeter is not enough, which is why we bought NetWitness. The NetWitness technology allowed us to determine damage and carry out remediation very quickly,” Coviello said.

“Organisations are defending themselves with the information security equivalent of the Maginot Line as their adversaries easily outflank perimeter defences,” Coviello added. “People are the new perimeter contending with zero-day malware delivered through spear-phishing attacks that are invisible to traditional perimeter-based security defences such as antivirus and intrusion detection systems.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/11/rsa_securid_breach_keynote/

Microsoft has unveiled a website aimed at raising awareness of browser security by comparing the ability of Internet Explorer, Mozilla Firefox, and Google Chrome to withstand attacks from malware, phishing, and other types of threats.

Your Browser Matters gives the latest versions of Firefox and Chrome a paltry 2 and 2.5 points respectively out of a possible score of 4. Visit the site using the IE 9, however, and the browser gets a perfect score. IE 7 gets only 1 point, and IE 6 receives no points at all. The site refused to rate Apple’s Safari browser in tests run by The Register.

The page is designed to educate users about the importance of choosing an up-to-date browser that offers industry-standard features. The ability to automatically warn users when they’re about to download a malicious file, to contain web content in a security sandbox that has no access to sensitive parts of the computer’s operating system, and to automatically install updates are just three of the criteria.

Microsoft’s Your Browser Matters gives Firefox 7 running on a Mac 2 out of a possible 4 points

The site gives Internet Explorer 9 a perfect score of 4

The site dings Firefox for a variety of omissions, including its inability to restrict an extension or a plug-in on a per-site basis, its failure to use Windows Protected Mode or a similar mechanism such to prevent the browser from modifying parts of the system it doesn’t have access to, and its lack of a built-in feature to filter out malicious XSS, or cross-site scripting, code. Among other things, Chrome lost points for not using Windows features that protect against structured exception-handling overwrite attacks.

Reg readers still stuck in the rut of critiquing Microsoft security based on products released a decade ago are likely to be unimpressed. The reality is that over the past few years, Redmond has endowed Windows and IE with measures such as ASLR, or address space layout randomization, and DEP, or data execution prevention, that significantly reduce the damage attackers can do when they exploit buffer overflows and other bugs that are inevitable in any large base of code. Apple didn’t pull ahead of Microsoft on this score until earlier this year with the release of its Mac OS X Lion.

It didn’t take long for Mozilla developers to take issue with the critique.

“Microsoft’s site is more notable for the things it fails to include: security technologies like HSTS, privacy tools like Do Not Track, and vendor response time when vulnerabilities are discovered,” Johnathan Nightingale, Mozilla’s director of Firefox engineering, said in a statement. He said: “Mozilla is fiercely proud of our long track record of leadership on security.

Partners throwing their endorsement behind the new Microsoft page include the Anti-Phishing Working Group, the Online Trust Alliance, and the Identity Theft Counsel. ®

This article was updated to add comment from Mozilla.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/11/microsoft_browser_crituque/

VeriSign, which manages the database of all .com internet addresses, wants powers to shut down “non-legitimate” domain names when asked to by law enforcement.

The company said today it wants to be able to enforce the “denial, cancellation or transfer of any registration” in any of a laundry list of scenarios where a domain is deemed to be “abusive”.

VeriSign should be able to shut down a .com or .net domain, and therefore its associated website and email, “to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process”, according to a document it filed today with domain name industry overseer ICANN.

The company has already helped law enforcement agencies in the US, such as the Immigration and Customs Enforcement agency, seize domains that were allegedly being used to sell counterfeit goods or facilitate online piracy, when the agency first obtained a court order.

That seizure process has come under fire because, in at least one fringe case, a seized .com domain’s website had already been ruled legal by a court in its native Spain.

Senior ICE agents are on record saying that they believe all .com addresses fall under US jurisdiction.

But the new powers would be international and, according to VeriSign’s filing, could enable it to shut down a domain also when it receives “requests from law enforcement”, without a court order.

“Various law enforcement personnel, around the globe, have asked us to mitigate domain name abuse, and have validated our approach to rapid suspension of malicious domain names,” VeriSign told ICANN, describing its system as “an integrated response to criminal activities that utilize Verisign-managed [top-level domains] and DNS infrastructure”.

The company said it has already cooperated with US law enforcement, including the FBI, to craft the suspension policies, and that it intends to also work with police in Europe and elsewhere.

It’s not yet clear how VeriSign would handle a request to suspend a .com domain that was hosting content legal in the US and Europe but illegal in, for example, Saudi Arabia or Uganda.

VeriSign made the request in a Registry Services Evaluation Process (RSEP) document filed today with ICANN. The RSEP is currently the primary mechanism that registries employ when they want to make significant changes to their contracts with ICANN.

The request also separately asks for permission to launch a “malware scanning service”, not dissimilar to the one recently introduced by ICM Registry, manager of the new .xxx extension.

That service would enable VeriSign to scan all .com websites once per quarter for malware and then provide a free “informational only” security report to the registrar responsible for the domain, which would then be able to take re-mediation action. It would be a voluntary service.

RSEP requires all registries including VeriSign to submit to a technical and competition evaluation.

Sometimes, ICANN also opens up an RSEP question to public comment, as seems likely in this case.

But ICANN’s board of directors would have the make the ultimate decision whether to approve the anti-abuse policy and the malware-scanning service.

VeriSign is already anticipating that there may be criticisms from internet users “concerned about an improper takedown of a legitimate website” and told ICANN it plans to implement a “protest” policy to challenge such decisions.

The company’s move echoes policy development in the UK, where .uk registry Nominet is in the late stages of creating rules that would allow it to suspend domains allegedly involved in criminal activity at the behest of law enforcement. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/11/verisign_asks_for_web_takedown_powers/