STE WILLIAMS

World takes notice as SSL-chewing BEAST is unleashed

With the decrypting of a protected PayPal browser cookie at a security conference Friday, it became official: the internet’s foundation of trust has suffered yet another serious fracture that will require the attention of the industry’s best minds.

Within hours of the demonstration by researchers Juliano Rizzo and Thai Duong, Google researcher Adam Langley signaled his growing acceptance that secure sockets layer, the decade-old cryptographic standard that protects web addresses using the https prefix, was susceptible to an attack that previously was considered impractical. The result: by tampering with an encryption algorithm’s CBC – cipher block chaining – mode, hackers could secretly decrypt portions of the encrypted traffic.

“The CBC attacks were believed to be largely theoretical but, as Duong and Rizzo have pointed out today, that’s no longer the case,” Langley wrote.

He went on to say that, as previously reported, developers of Google’s Chrome browser are experimenting with a work-around but are not yet sure if it will create incompatibilities with various websites. He also said Google SSL is highly resistant to the attack because it favors the RC4 cipher, which doesn’t use CBC.

By Monday, both Microsoft and Mozilla acknowledged that their wares were also affected. An advisory issued by Redmond recommended that websites follow Google’s lead to favor the RC4 cipher while Microsoft engineers develop a Windows update to patch the underlying weakness. Mozilla, meanwhile, made public a three-month-old discussion of the underlying vulnerability and the best way to fix it without breaking huge numbers of websites.

To be fair, Duong and Rizzo’s exploit isn’t the easiest to pull off. Attackers must already control the network used by the intended victim, and they can only recover secret information that’s transmitted repeatedly in a predictable location of the encrypted data stream. They must also have means to subvert a safety mechanism built into the web known as the same-origin policy, which dictates that data set by one domain name can’t be read or modified by a different address.

To get around the SOP, the researchers used a Java applet, but they said there are other methods for achieving the same goal.

But as Duong and Rizzo showed, those constraints weren’t enough to stop them from revealing the plaintext of an SSL-protected browser cookie transmitted with each request that a logged-in PayPal user makes on the payments website. Using what’s presumed to be a super-fast connection somewhere in Mountain View, California, Duong was able to recover the authentication cookie in about two minutes, giving him everything he needed to gain unauthorized access to someone else’s account.

The researchers have published a post-presentation analysis and video here. For an excellent technical description of the attack, check out this analysis from Eric Rescorla. Its upshot is the mildly comforting conclusion that “no SSL/TLS is not completely broken.”

Moxie Marlinspike, a researcher who has repeatedly poked holes in the SSL protocol and its transport-layer security successor, put it this way:

“As it stands, given the number of difficult conditions necessary for deploying this attack, as well as the dependency on leveraging a Java applet for violating SOP, it seems extremely unlikely that individual browser users will be personally affected by this vulnerability.”

Fair enough. But keep in mind, too, that BEAST, short for Browser Exploit Against SSL/TLS, isn’t the only reason to question the adequacy of the cryptographic system the entire internet uses to prevent eavesdroppers from accessing your private accounts. And remember that a patch introduced by OpenSSL in 2002 to fix this very vulnerability was turned off because it introduced incompatibilities in software from Microsoft.

SSL encryption may have dodged a bullet for now, but as the recent DigiNotar debacle demonstrated, the system itself isn’t immune to real-world attacks that have very real consequences for those who depend on it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/27/beast_attacks_paypay/

Office of EC veep jumps gun on net privacy law

The office of the vice-president of the European Commission has withdrawn a rather extensive statement on cookies and the EU Data Protection Directive sent out last week “without authorisation”.

Out-Law.com, the legal news site, had written a story last week using the statement from Viviane Reding, where she said that companies needed prior consent to use individuals’ data, a contradiction of the UK government’s stance that consent could be given after or during processing of the data.

The story has now been taken down and replaced with the following:

A story previously published here was based on a statement of EU Commissioner Viviane Reding’s views on cookies and the EU Data Protection Directive.

We have been informed that the statement does not represent the Commissioner’s views and was sent without being authorised so we have removed the story.

The confused staff at The Reg asked the VP’s office what had happened, but were told it had no further statement on the statement.

Spokesman Matthew Newman did add, however, that “the reform of the Data Protection Directive is ongoing and our proposals should be released in the next 20 weeks”.

The bone of contention is in the interpretation of the Privacy and Electronic Communications Directive, or e-Privacy Directive – a continuation of the Data Protection Directive – which says that firms can only store and use the information on computers “on condition that the subscriber or user concerned is provided with clear and comprehensive information… about the purposes of the processing, and is offered the right to refuse such processing by the data controller”, with one exception:

This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

When cookies are used as a way to take you from one part of a site to another, eg, from a product page to checkout, this is seen by some as included in this exception.

It is hoped that the reform of the directive, expected in the next six months, will clarify issues around consent. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/26/viviane_reding_statement_withdrawn/

MySQL.com breach leaves visitors exposed to malware

Hackers recently compromised the website hosting the open-source MySQL database management system and caused it to infect the PCs of visitors who used unpatched browsers and plug-ins, security researchers said.

MySQL.com was infected with mwjs159, website malware that often spreads when compromised machines are used to access restricted FTP clients, a blog post from Sucuri Security reported. The hack caused people visiting the site to be redirected to a site that attempted to install malware on visitors’ computers using code from the Blackhole exploit kit, separate researchers from Armorize said.

“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” Armorize researchers warned. “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”

Officials with the Oracle-owned MySQL didn’t respond to email seeking comment for this post.

The reported breach is the latest to affect the distribution system for a widely used piece of open-source software. The kernel.org and Linux.com websites used to develop and distribute the Linux operating system remain inaccessible four weeks after they were infected with malware that gained root access, modified system software, and logged passwords and transactions of the people who used them. Representatives haven’t said when they expect the sites to be operational again.

Other open-source projects that have been compromised in recent months include GNU Savannah, and Apache.org, which maintains the Apache webserver. Servers hosting the PHP programming language have also been compromised in the past.

Besides sullying the reputation of open-source software as a more secure alternative to competing applications from Microsoft and other for-profit companies, the compromises have sparked concerns about the purity of the code the sites host. If attackers were able to secretly alter the code with backdoors, they could potentially surveil or gain control over sensitive networks that rely on the applications.

In the MySQL.com hack, the attackers appear to have aimed for the less ambitious goal of infecting the desktop machines of those who visited the site. At time of writing, just five of the top 44 antivirus providers were detecting the threat, according to this analysis from VirusTotal.

Sucuri speculated the site was infected after a MySQL developer was compromised and had his password stolen. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/26/mysql_hacked/

USA Today pwned by s’kiddies on Twitter

A group of mischievous hackers who target the Twitter feeds of news organisations claimed a fresh victim on Sunday when they hijacked the micro-blogging feed of USA Today.

The group, who use the self-disparaging moniker Script Kiddies, hijacked the @USAToday Twitter feed to encourage fans to contact them to suggest new targets. “Please like The Script Kiddies on Facebook! You could choose our next target!” one of the unauthorised (since purged) updates said.

USA Today quickly regained control of the compromised feed. “@usatoday was hacked and as a result false tweets were sent. We worked with Twitter to correct it. The account is now back in our control,” it said. “We apologize for any inconvenience or confusion caused to our readers and thank you for reading @usatoday.”

Script Kiddies previously hit the micro-blogging feeds of Fox News – where they posted a false bulletin on the fictitious assassination of US President Barack Obama – and NBC News, where they posted false news about an imaginary terrorist attack on New York.

It’s unclear how the feeds were compromised but weak password security of one type or another is one obvious suspect. A combination of social engineering and malware is also possible and seems to be the most likely scenario, at least as far as the NBC hack is concerned.

More commentary on the hack – including screenshots of the unauthorised posts – can be found in a blog post by net security firm Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/26/usa_today_twitter_hack/

Panda Security axes jobs, gets new chief exec

Spanish anti-virus firm Panda Security has announced plans to cut its workforce in response to a sustained drop in sales.

Panda, which employs 1,000 worldwide as part of either its core business or in local franchises, plans to lay off 120 (or around 35 per cent) of its workforce at its headquarters in Bilbao. A further eight jobs will go in Madrid, according to Spanish media reports. The move follows an earlier round of 70 job losses at the start of the year.

The firm has been hit particularly hard by the general downturn in the Spanish economy as well as competition from free programs in the consumer market. Sales have dropped 35 per cent since 2007, when founder Mikel Urizarbarrena sold the firm to several US investment funds.

Earlier optimism that the firm may be able to file for an IPO has evaporated. Instead the firm has decided to shift strategy by tightening its belt and concentrating on selling security software and services from the cloud. The change of strategy has been accompanied by the departure of long-term chief exec Juan Santana, a former investment banker. José Sancho, a director at Panda Security whose CV also includes a stint at telecoms equipment manufacturer Alcatel, is stepping up to the helm as a replacement for Santana.

In a statement on the appointment and the cost-cutting, Panda said: “The situation of the international IT security market, characterised by the global crisis and the consumer market in Spain, and mainly due to the widespread offer of free antivirus online, has led Panda Security to implement a refocusing of business strategy, which will involve a reorganisation of the company and a significant cost reduction.

“This strategy implies a new stage in the management of the company, which began with the appointment of José Sancho, as the new chief executive officer of the company, replacing Juan Santana. José Sancho will be the chief executive of the group, with direct presence in 61 countries around the world.”

The statement added that the rest of the board remains unchanged and that Panda will shift its strategy towards “cloud solutions, new services and added value products as well as new markets”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/26/panada_job_cuts/

Lib Dems: Gov must look at security of public data cloud

The Liberal Democrat party has said that the government should investigate the potential for abuse of data owners’ rights if private companies hosted public data outside the UK. The junior Coalition partner raised the issue in its Policies for Information Technology paper.

“Cloud computing is an area where, if [it is] left unchecked, there is serious potential for abuse – for example, large corporations taking control of enormous quantities of public or private data outside the reach of national law,” the paper (21-page/131KB PDF) said.

“Cloud is only attractive if it embodies the principles on privacy and data ownership, access, project management and procurement that we have set out elsewhere in this paper. We recommend that as a matter of urgency, the Government consider the security issues involved with cloud computing, particularly regarding data location and segregation,” it said.

Cloud computing refers to the storage of files and programs on an internet-based network rather than on local computing resources. It allows internet users to access or store information without owning the software required to do so and many online companies, such as Google, operate huge servers that store the data and deliver it to users.

The Lib Dems said that the UK should work with other governments and international bodies to help establish a watchdog regime for cloud services. The party said it believed industry bodies were best placed to regulate content on the internet. It suggested that, where the organisations are not dealing with illegal material, their “processes” should be transparent and their operations overseen by the UK’s communications regulator, Ofcom.

Earlier this year the European Commission held a consultation looking into the issue of cloud computing. The Commission appeared to be considering measures to help standardise terms and conditions for using cloud services. The consultation asked if it would be “useful” to establish “model Service Level Agreements or End User Agreements” within contractual agreements for cloud services.

The consultation, which closed at the end of August, asked respondents to specify updates the Commission could apply to the EU Data Protection Directive “that could further facilitate cloud computing while preserving the level of protection”. A Commission spokesperson told Out-Law.com earlier this week that new proposals for EU data protection laws would be announced within the next six months.

The Commission is expected to announce a European cloud computing strategy next year and aims to “clarify the legal conditions for the take-up of cloud computing in Europe, stimulate the development of a competitive European cloud industry and market, and facilitate the roll-out of innovative cloud computing services for citizens and businesses,” it said in a statement in May.

Cloud computing providers often detail the jurisdiction in which data is held in contract terms, but a judge in the High Court last year ruled that a company is responsible for “making available” internet-hosted material in the country where its host server is based, not in the country where the material is read or used.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/26/lib_dems_say_gov_should_investigate_security_of_public_data_in_cloud/

Facebook: ‘We don’t track logged-out users’

Facebook has attempted to shoot down claims that it leaves cookies on users’ machines even after they log out of the social network. The response came after an Australian blogger alleged the site can still snoop on your web surfing after you’ve signed out.

Nik Cubrilovic, concerned about Facebook’s approach to privacy, said that logging out doesn’t make a blind bit of difference, adding that Facebook still has ways to potentially track your behavior.

Cubrilovic’s conclusion after examining the behavior of Facebook’s cookies is simple: “Even if you are logged out, Facebook still knows and can track every page you visit.”

This is because instead of telling browsers to remove cookies when users log out, Facebook merely “alters” the state of those little parcels of data – including the cookie that stores your account number.

As a result, if you happen to pass by a page with a Facebook “like” button, “share” button, “or any other widget”, your information – including your account number – will be sent back to Facebook. And if you log into Facebook from a public terminal, those cookies could be left behind.

However, Facebook doesn’t agree. Whether or not Cubrilovic’s claim that he notified Facebook without response during 2010 is accurate, he certainly got a hair-trigger response from Facebook this time.

In a comment on Cubrilovic’s blog, a Facebook engineer – identifying himself as staffer Gregg Stefancik – said that “our cookies aren’t used for tracking”, and that “most of the cookies you highlight have benign names and values”.

“Generally, unlike other major internet companies, we have no interest in tracking people,” the insider added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/26/facebook_sees_logged_out_users/

MPs label police IT ‘not fit for purpose’

The Home Affairs select committee has branded police service IT as “not fit for purpose” and claimed it is damaging the police force’s ability to prevent crime and disorder.

In a report titled New Landscape of Policing, the committee calls on the Home Office to revolutionise police IT as a top priority. It says IT is the one area of policing where direction from the centre is vital to effect change.

The document says: “The history of government and Whitehall over the last 20 years or so has demonstrated that this is about not just having the right policies, but also having a good understanding of the strategic direction, achieving the right partnerships, and mutual challenge between policy-makers and delivery organisations.”

Information considered by the committee reveals some of the IT issues the police forces face. This includes an admission by Sir Hugh Orde, the president of the Association of Chief Police Officers (Acpo), that police IT is “a bit of a mess”.

The committee concludes that the main reason for this is that the 43 forces in England and Wales use a multiplicity of different IT systems and IT contracts.

According to the report, Home Secretary Theresa May has revealed that there are about 5,000 staff working on 2,000 different ICT systems across the police service. May has also said that the police currently spend £1.2bn on IT each year, and this did not represent good value for money.

Despite these problems, the committee found that the National Policing Improvement Agency has been successful in making savings on IT procurement. In February the agency reported that it would exceed the £25m target set by the Home Office and deliver savings of nearly £30m.

The agency – which is also responsible for major police IT projects such as the Information Systems Improvement Strategy (Isis) and Project Athena to improve IT convergence – is being phased out, however.

The committee says that a successor must be found to take over the agency’s many IT functions. It asks the Home Office to clarify which police forces will be responsible for IT systems provided directly by the agency, and which will be taken over by the new police IT company, promised by the home secretary.

It says it expects Airwave to become the responsibility of the new police IT company, but would like this confirmed.

In addition, the report points out that there is so little detail available about the police IT company that it finds it difficult to reach a conclusion about its viability.

There are advantages in creating a single body to oversee police IT, provided it has the right expertise, says the committee. But it adds that the Home Office’s main reason for setting up a company is to avoid EU procurement rules.

It calls on the home secretary to update Parliament about the proposed company by December at the latest.

Keith Vaz, chair of the committee, said: “The police perform a difficult and dangerous task on behalf of the public and the continuing uncertainty about the future of many of the bodies involved in policing has the potential to be very damaging.”

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/26/mps_label_police_it_not_fit_for_purpose/

HideMyAss defends role in LulzSec hack arrest

HideMyAss has defended its role in handing over evidence that resulted in the arrest of a suspected LulzSec member last week.

UK-based HideMyAss, which offers freebie web proxy and paid-for VPN services, said it handed over potentially incriminating data to the feds only in response to a court order. It had been aware that its service was being used by Anonymous/LulzSec members for some time before this without taking any action, as a blog post headed LulzSec fiasco by the firm explains.

Cody Andrew Kretsinger, 23, of Phoenix, Arizona allegedly used HideMyAss.com’s web proxy service to hack into the systems of Sony Pictures Entertainment as part of a hack that exposed the personal details of thousands of gamers. According to the court order, Kretsinger used SQL injection techniques that were run via HideMyAss’s anonymising web proxy service to launch the high-profile attack.

HideMyAss explains:

It first came to our attention when leaked IRC chat logs were released; in these logs participants discussed various VPN services they use, and it became apparent that some members were using our service. No action was taken, after all there was no evidence to suggest wrongdoing and nothing to identify which accounts with us they were using.

At a later date it came as no surprise to have received a court order asking for information relating to an account associated with some or all of the above cases. As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US).

HideMyAss, which bills itself as a leading online privacy website, adds that it does not condone illegal activity, saying that similar services that do not co-operate with law enforcement are “more likely to have their entire VPN network monitored and tapped by law enforcement, thus affecting all legitimate customers”. The service said it carries out session-logging, recording the time a customer logs onto and disconnects from the service as well as the IP addresses he or she connects to. It said it does not record the actual content of web traffic.

Twitter accounts affiliated with Anonymous were unsurprisingly vociferous in their criticism of HideMyAss’s business practices and assistance of a federal investigation, dubbing the service SellMyAss, and arguing that HideMyAss users are less likely to trust it and more likely to look for alternatives.

“Question @HideMyAssCom: Was it worth to rat out one guy who allegedly hacked #PSN in exchange for all your business? You will find out soon,” AnonymousIRC said.

HideMyAss, which was established in 1995, was set up as a way to bypass censorship on the web before moving on to offer commercial VPN services. It boasts of its recent role in allowing Arab Spring protesters to gain access to websites such as Twitter, which were blocked by the former Egyptian government of Hosni Mubarak. Privacy activists have accused HideMyAss of double standards over its handling of the Kretsinger case.

“The Hide My Ass VPN service is run by a bunch of hypocrites,” said Jacob Appelbaum, a core member of the Tor project, in a Twitter update. “They support revolution and circumvention when it suits their business image.”

In updates to its original blog posts, HideMyAss defended its stance on this point, arguing that it simply complies with UK law. It denied acting as a pawn at the behest of the Feds.

“We are not intimidated by the US government as some are claiming, we are simply complying with our country’s legal system to avoid being potentially shut down and prosecuted ourselves.

“Regarding censorship bypassing, some have stated it is hypocritical for us to claim we do not allow illegal activity, and then claim our service is used in some countries to bypass censorship illegally. Again we follow UK law, there isn’t a law that prohibits the use of Egyptians gaining access to blocked websites such as Twitter, even if there is one in Egypt … though there are certainly laws regarding the hacking of government and corporate systems,” it concludes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/26/hidemyass_lulzsec_controversy/