STE WILLIAMS

Double-barrel net infrastructure hack threatens ecommerce

Analysis Security watchers warn that hackers might be able to develop potent attacks that would be extremely hard to foil by combining DNS hacks of the kind that affected The Register and other high-profile websites over the weekend with DigiNotar-style forged digital certificates.

An attack on Domain Name System (DNS) service provider NetNames on Sunday affected scores of prominent websites, including those run by the Daily Telegraph, UPS, Acer, National Geographic, BetFair and Vodafone as well as El Reg. Surfers visiting the affected sites were redirected to a hacker holding page set up by Turkish hacker group Turkguvenligi.

Turkguvenligi pulled off the hack not by attacking the affected sites directly but by a SQL injection attack aimed at gaining access to NetNames systems. Once they had achieved access, the hackers placed counterfeit registry re-delegation orders through NetNames’ provisioning system. This meant that DNS records of affected sites were changed so that they pointed towards Turkguvenligi’s page rather than at the legitimate sites.
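As an added defensive illustration (not NetNames’ code; the audit-log format, account ids and zone names are constructed), this Python script shows the kind of check a DNS or registrar provider could run over its own provisioning audit trail to catch the pattern described above: re-delegation orders that point zones at nameservers outside the registrant’s known-good set, and one account re-delegating many zones within a few minutes.

```python
"""Detect suspicious DNS re-delegations in a provider's provisioning audit log.

Added example: the log format, accounts and zones below are constructed, and
the checks are generic heuristics rather than any provider's real tooling.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Known-good delegation per zone (constructed; a provider would take this from
# the registrant's records on file). Zones without a baseline are not compared.
BASELINE_NS = {
    "telegraph.example": {"ns1.telegraph.example", "ns2.telegraph.example"},
    "ups.example": {"ns1.ups.example", "ns2.ups.example"},
    "acer.example": {"ns1.acer.example", "ns2.acer.example"},
}

# Constructed provisioning audit log. The first line is a routine change; the
# last four mimic one hijacked account issuing counterfeit re-delegation orders.
AUDIT_LOG = """\
2011-09-04T09:12:40 account=acct-1001 zone=acer.example op=redelegate ns=ns1.acer.example,ns2.acer.example
2011-09-04T18:01:12 account=acct-7781 zone=telegraph.example op=redelegate ns=ns1.park.example,ns2.park.example
2011-09-04T18:01:30 account=acct-7781 zone=ups.example op=redelegate ns=ns1.park.example,ns2.park.example
2011-09-04T18:02:05 account=acct-7781 zone=acer.example op=redelegate ns=ns1.park.example,ns2.park.example
2011-09-04T18:02:44 account=acct-7781 zone=vodafone.example op=redelegate ns=ns1.park.example,ns2.park.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) zone=(?P<zone>\S+) "
    r"op=(?P<op>\S+) ns=(?P<ns>\S+)$"
)


def parse_log(text):
    """Turn audit lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "account": m["account"],
            "zone": m["zone"],
            "op": m["op"],
            "ns": set(m["ns"].split(",")),
        })
    return events


def unexpected_nameservers(event, baseline=BASELINE_NS):
    """Nameservers in a re-delegation that are not in the zone's known-good set."""
    known = baseline.get(event["zone"])
    if known is None:
        return set()  # no baseline for this zone, nothing to compare against
    return event["ns"] - known


def burst_accounts(events, window=timedelta(minutes=5), threshold=3):
    """Accounts that re-delegated at least `threshold` distinct zones within `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["op"] == "redelegate":
            by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            zones = {e["zone"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(zones) >= threshold:
                flagged[account] = sorted(zones)
                break
    return flagged


def analyse(text):
    """Run both checks over a log and return human-readable alerts."""
    events = parse_log(text)
    alerts = []
    for e in events:
        bad = unexpected_nameservers(e)
        if bad:
            alerts.append(f"{e['zone']}: re-delegated by {e['account']} "
                          f"to unknown nameserver(s) {sorted(bad)}")
    for account, zones in burst_accounts(events).items():
        alerts.append(f"{account}: re-delegated {len(zones)} zones "
                      f"within minutes: {zones}")
    return alerts


if __name__ == "__main__":
    for alert in analyse(AUDIT_LOG):
        print(alert)
```

The baseline check catches each bad order on its own; the burst check is what would have caught the weekend incident early even for zones with no baseline on file.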

The unauthorised changes were reversed and normality was restored over a matter of a few hours. NetNames disabled compromised accounts and bolstered the security of its systems to guard against future attacks.

Turkguvenligi launched a similar set of DNS redirection attacks against Korean websites and a Gary McKinnon support website back in August, as well as attacking vulnerability mitigation firm Secunia last year.

Ash Patel, country manager, UK & Ireland, at security appliance firm Stonesoft, said that the DNS hack showed that organisations need to pay close attention to the security policies of their suppliers. “It’s not just the ‘corporate’ that needs to be concerned but all other businesses that serve such organisations,” he said.

Mark James, technical manager at Eset, warned that although Turkguvenligi had only run the attacks to claim bragging rights, others might apply the same techniques to run cybercrime scams, such as particularly convincing phishing attacks.

“Whilst the attack seems to be ‘harmless’, the possible outcome could have been massively damaging if they had chosen to point to a ‘look-a-like’ site that requests user information,” James said.

“SQL injection has been used for a long time and, in all honesty, shouldn’t be possible these days. The ability to direct unsuspecting users to fake websites could pave the way for massive amounts of abuse.

“These days, we expect to see phishing emails that ‘look’ like the real thing, but have masked addresses; however, if the end user types an address they know is correct, then they should be safe in the knowledge they are going to end up in the right place.”

Rik Ferguson, a security consultant at Trend Micro, warned that DNS redirection hacks might be combined with a DigiNotar-style certificate breach to create especially sneaky attacks.

“Imagine a scenario where someone is able to modify DNS records for, say, yourbank.com to a destination of their choice and at the same time has got hold of fraudulent certificates to certify its identity,” he explained. “Those two combined could spell real trouble and obviate the annoying need to get a ‘man’ in the middle.”

The high-profile DNS attack last weekend coincides with the ongoing fallout from the DigiNotar breach. The two incidents collectively illustrate a worrying fragility in key systems that underpin the foundations of ecommerce transactions.

“Putting security solutions as add-ons to the infrastructure is not working,” a security researcher at the Internet Storm Centre commented. “We need a fundamental rebuild of the security architecture we are using and we need it now.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/08/dns_redirection_hack_analysis/

Google: SSL alternative won’t be added to Chrome

Still smarting from a counterfeit secure sockets layer certificate that threatened at least 300,000 of its users in Iran, Google has no plans to fortify its Chrome browser with an experimental technology that bypasses the current system for validating websites.

In a blog post published Wednesday, Google security researcher Adam Langley said he didn’t think the technology known as Convergence “is something we would add in Chrome.” Moxie Marlinspike, a researcher who has made a career out of exposing huge architectural cracks in the net’s foundation of trust, designed the system to address security vulnerabilities and privacy weaknesses in the current SSL system.

In a nutshell, Convergence is a crowd-sourcing technology that allows end users to query people or organizations they trust to vouch for the validity of certificates used to authenticate Gmail, eBay, or any other website that uses an https prefix. In its current incarnation, the system relies on a handful of “notaries,” including Marlinspike’s organization and the Electronic Frontier Foundation. It’s capable of accommodating an unlimited number of notaries and would allow end users to query as many or as few as they want.

Convergence prevents certificate authorities from logging what trusted websites a given user accesses, and it also allows users to choose who they trust. For an in-depth description, see this video of Marlinspike’s presentation at the Black Hat Security conference in August.

Google’s Langley lauded the idea of “trust agility” behind Convergence, but said he didn’t think the practical considerations made it a suitable addition to Chrome. Among other problems cited, he said “99.99% of Chrome users” would never change default Convergence settings designating which notaries should be queried. He continued:

Given that essentially the whole population of Chrome users would use the default notary settings, those notaries will get a large amount of traffic. Also, we have a very strong interest for the notaries to function, otherwise Chrome stops working. Combined, that means that Google would end up running the notaries. So the design boils down to Chrome phoning home for certificate validation. That has both unacceptable privacy implications and very high uptime requirements on the notary service.

Langley also said Convergence would do nothing to fix certain problems Marlinspike and others have identified in the current SSL system. They include the use of “captive portals” at Wi-Fi hotspots and elsewhere that require users to enter credit card numbers into a portal page before getting an internet connection. The lack of a link to the outside world makes it impossible for users to know they’re giving their card number to a valid site, but they can’t get an outside connection until they do, creating a Catch-22.

Langley also cited the problem of firewalled “internal servers,” in corporate networks that prevent notaries from seeing the sites an end user wants validated.
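As an added illustration (not Convergence’s own code, and a simplification of its protocol), the following Python models the notary check being discussed: the client fingerprints the certificate it received and asks several notaries what they see, then applies a trust policy. The notaries and certificates are constructed in-process so it runs offline, and it shows the two failure modes just mentioned: no reachable notary behind a captive portal, and an internal host that no notary can see.

```python
"""Convergence-style multi-notary certificate check (simplified, added example).

Not Convergence's code: notaries are simulated dicts and "certificates" are
constructed byte strings standing in for DER-encoded certificates.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    CONSENSUS = "consensus"  # every notary that answered must agree
    MAJORITY = "majority"    # more than half of those that answered agree
    MINORITY = "minority"    # at least one of those that answered agrees


@dataclass
class Verdict:
    trusted: bool
    reason: str
    agreeing: int   # notaries whose view matches the client's certificate
    answered: int   # notaries that returned any fingerprint at all


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for certificates a client might receive.
GENUINE_CERT = b"constructed-der:mail.example.test:genuine"
ROGUE_CERT = b"constructed-der:mail.example.test:issued-by-rogue-ca"

# Simulated notaries: host -> fingerprint each notary observes from its own
# vantage point. A host missing from a notary's map means that notary cannot
# reach it (e.g. a firewalled internal server). notary-d is deliberately
# wrong, standing in for a compromised or stale notary.
NOTARIES = {
    "notary-a": {"mail.example.test": fingerprint(GENUINE_CERT)},
    "notary-b": {"mail.example.test": fingerprint(GENUINE_CERT)},
    "notary-c": {"mail.example.test": fingerprint(GENUINE_CERT)},
    "notary-d": {"mail.example.test": fingerprint(ROGUE_CERT)},
}
DEFAULT_NOTARIES = ["notary-a", "notary-b", "notary-c"]


def query_notary(name, host, reachable):
    """Fingerprint notary `name` reports for `host`, or None if no answer.

    None covers both an unreachable notary (captive portal, no outbound
    connectivity) and a reachable notary that cannot see the host itself.
    """
    if name not in reachable:
        return None
    return NOTARIES.get(name, {}).get(host)


def check_certificate(host, cert_der, notary_names, policy, reachable):
    """Apply `policy` to the notaries' views of `host` versus the client's cert."""
    observed = fingerprint(cert_der)
    answers = [query_notary(n, host, reachable) for n in notary_names]
    reports = [a for a in answers if a is not None]
    agreeing = sum(1 for a in reports if a == observed)
    if not reports:
        # Fail closed: with no independent view there is nothing to vouch for it.
        return Verdict(False, "no notary answered; cannot validate", 0, 0)
    if policy is Policy.CONSENSUS:
        ok = agreeing == len(reports)
    elif policy is Policy.MAJORITY:
        ok = agreeing * 2 > len(reports)
    else:
        ok = agreeing >= 1
    reason = f"{agreeing}/{len(reports)} answering notaries saw this certificate"
    return Verdict(ok, reason, agreeing, len(reports))


if __name__ == "__main__":
    everyone = set(NOTARIES)
    for cert in (GENUINE_CERT, ROGUE_CERT):
        v = check_certificate("mail.example.test", cert, DEFAULT_NOTARIES,
                              Policy.CONSENSUS, everyone)
        print(v.trusted, v.reason)
```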

Langley’s post comes nine days after the discovery of a fraudulent Google.com certificate that was issued in early July by DigiNotar, a Netherlands-based certificate authority whose trusted imprimatur was used to validate official websites of the Dutch government. More than 300,000 people, mostly located in Iran, were exposed to the certificate while trying to access Gmail.

A recent security audit documented weak passwords and other security lapses and the issuance of at least 531 bogus certificates at DigiNotar, which is a wholly owned subsidiary of Vasco Data Security, an Illinois-based provider of two-factor authentication services.

The incident highlighted one of the chief weaknesses of the SSL system, which is its reliance on far too many single points of trust. Users of the Convergence Firefox add-on would have received warnings immediately after accessing any of the fraudulent certificates.

To be fair, a homegrown technology Google added to Chrome detected the fraudulent Google certificate, but it wouldn’t have caught counterfeits for sites that aren’t owned by the web giant.

For his part, Marlinspike said that Convergence is a beta that he’s developed in his spare time, and that with additional work it has the potential to overcome whatever flaws it has now.

“I believe that all of the problems are very solvable, and that it is currently the best path we have out of this mess,” he wrote in an email. “I can only do so much as a lone developer without any commercial backing, however, and if the browser vendors are serious about driving innovation in this area, they’re going to have to help.”

Here’s hoping the developers at Google, Microsoft, Mozilla, and Opera get the memo. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/08/google_chrome_rejects_convergence/

Cybercrooks aiming to cash in on 9/11 anniversary

Cybercrooks are preparing to commemorate the 10th anniversary of the 9/11 attacks with a range of malware traps and hacking attempts both on social networks and the wider internet, net security firm BitDefender warns.

The first wave of these attacks comes in the form of newly established websites offering supposed content such as “Bin Laden alive”, “in depth details about the terrorist attack”, “police investigation results” and “towers going down” to attract the curious. The sites are filled with links to scareware and phishing sites. Others have created fraudulent charity donation sites that serve only to line their greedy pockets at the expense of genuine gift-giving sites. In addition, fraudsters are running fake auctions and sales of items supposedly linked to the devastating attacks, such as shards of metal from the twin towers or even “commemorative coins” supposedly minted from silver collected at the attack site.

More scams, perhaps involving malware, can be expected to follow over the coming days.

“Because of the advancement of hacking and spamming technology over the past decade, plus the significance of the anniversary and increased media coverage, Sept 11 this year may prove hectic on the malware front,” said Catalin Cosoi, head of the Online Threats Lab at Bitdefender.

BitDefender says many of the scams likely to be on show are similar to those seen during anniversaries of the London bombings of July 2005. Cybercrooks marked remembrances of the 7/7 attacks with fake donation requests, spamming of viruses disguised as supposed videos of the assaults and advanced fee fraud email scams. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/08/9_11_anniversary_scams/

Lost memory stick had 87 NHS patients’ info unencrypted

A medical student who copied the private data of 87 patients onto a memory stick – and then lost it – has landed the University Hospital of South Manchester in trouble with the Information Commissioner’s Office (ICO).

The ICO ruled today (7 September) that the South Manchester hospital breached the Data Protection Act by letting the student copy the names, ages, occupations and operation details of 87 patients at the Burns and Plastics unit in Manchester onto an unsecured personal memory stick. The data specifically related to hand operation patients.

The student initially copied the info onto an NHS-approved encrypted memory stick but then copied the information again onto a personal, non-encrypted memory stick in order to continue auditing work after their placement at the hospital had ended. The memory stick then went AWOL.

The ICO information committee blasted the NHS for not briefing the student correctly. The University-affiliated hospital explained that they believed the student had been taught about data protection by the university, but have promised now to brief all staff, temporary and permanent on data protection laws.

Sally Anne Poole, Acting Head of Enforcement at the ICO said:

“This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature. Medics handle some of the most sensitive personal information possible and it is vital that they understand the need to keep it secure at all times, especially when they are completing placements at several health organisations. NHS bodies have a duty to make sure their staff – both permanent and temporary – understand their responsibilities on day one in the job.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/08/manchester_hospital_med_student_loses_data_stick_hosp_fined_by_ico/

Three in ten Americans urge feds to read their email

A survey into attitudes ten years after the 9/11 attacks has found that three out of ten Americans are happy to let the government read their emails without a warrant. And this rose to 47 per cent for emails addressed to foreigners.

Over a thousand Americans were polled by NORC at the University of Chicago into their attitudes a decade on from the attacks, and the results make depressing reading. Almost half of respondents thought the government should be able to review someone’s search history without court permission, and 55 per cent thought financial records were fair game for unwarranted scrutiny.

Nearly a quarter are happy for the government to listen in on their phone calls, rising to 49 per cent if the calls are overseas. Over 70 per cent approved of video surveillance in public places, and this rose to over 80 per cent if the respondents had children.

On the much-debated topic of torture, over half of those surveyed thought that torture of suspected terrorists was OK, and a similar number favoured “harsh interrogation techniques.” That said, 46 per cent of people felt torture wasn’t justified, something that might reassure visitors to this country.

Overall Americans are distinctly gloomy about the prospects for their country. Just one in five people thought that the US was on the right track now, compared to 70 per cent just after 9/11. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/08/americans_favour_wiretapping/

AMD Steam-game offer suspended after keys pilfered

Data security problems have led to the suspension of a free-videogame-with-every-Radeon-graphics-card offer from AMD and Codemasters.

Three million activation codes that allowed gamers to play a free copy of DiRT 3 on Steam have leaked. AMD’s redemption site, AMD4u, was left vulnerable to a .htaccess exploit. This website security flaw allowed the activation codes for the rally driving game to be extracted from a database on the site.

In a statement, AMD said that valid game vouchers would still be honoured while admitting this process is likely to be delayed, Eurogamer reports.

“Activation keys associated with free DiRT 3 game vouchers shipping with select AMD products were compromised,” the statement explained. “These activation keys were hosted on a third party fulfillment agency website, www.AMD4u.com, and did not reside on AMD’s website. Neither the AMD nor Codemasters servers were involved.

“We are working closely with Steam, Codemasters, and our fulfillment agency to address the situation. AMD will continue to honour all valid game vouchers, however the current situation may result in a short delay before the vouchers can be redeemed.”

Steam is likely to block the codes leading to fears that anyone who innocently uses the codes as part of the promo will end up with a blocked account as a result. Chris Boyd (AKA Paperghost), a keen gamer who works as a security researcher for GFI Software, said Steam is trying to prevent such collateral damage.

“The biggest concern on the mind of a gamer would be if their PC gaming accounts – such as those utilising the Steam platform, which may be tied to hundreds of pounds worth of gaming titles – could be suspended due to using one of the stolen keys to activate DiRT 3 on their account,” Boyd told El Reg. “The official Steam Support Twitter account has addressed this issue, so hopefully that will set their minds at ease for the time being.”

The DiRT 3 incident caps a miserable summer for information security at games developer Codemasters. In an apparently unrelated recent incident, Codemasters was forced to pull its website offline and get users to change their passwords following a hack attack back in June. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/08/amd_gaming_offer_security_snafu/

McAfee: Cyber thugs will turn your car into Christine

Poorly secured embedded systems in next-generation cars create a way in for hackers, according to a new study by McAfee.

Hackers may be able to gain access to everything from the locks to car engines and more, according to a report titled Caution: Malware Ahead that looks at the emerging risks in car system security.

McAfee, which partnered with Wind River and ESCRYPT on the report, paints a scenario where hackers might be able to create the hacker-compromised equivalent of the demonically-possessed Plymouth Fury from the Stephen King story Christine or something from The Transformers, perhaps.

Embedded computing devices are increasingly used in cars in areas including airbags; radios; anti-lock braking systems; electronic stability controls; autonomous cruise controls; communication systems; and in-vehicle communication. Researchers have demonstrated that critical safety components of an automobile can be hacked, giving hackers physical access to the vehicle’s electronic components. Other studies have shown how vehicles or their occupants can be tracked.

The car industry is continually adding features and technologies that deliver new applications such as internet access and the ability to further personalise the driving experience. In addition, there’s a push to integrate cars with consumer devices such as smartphones and tablets. McAfee’s concern is that in the rush to add all these new features security will be treated as an afterthought.

The McAfee study examines risks associated with cybercriminal activity including the possibility of:

  • remotely unlocking and starting a car via mobile phone;
  • remotely disabling a car;
  • tracking a driver’s location, activities and routines;
  • stealing personal data from a Bluetooth system;
  • disrupting navigation systems; and
  • disabling emergency assistance.

Examples of such attacks actually happening in real life are absent from McAfee’s study. An interesting exercise by F-Secure a few years back singularly failed to infect a car via Bluetooth and we’ve not seen anything since to suggest that this has changed, even with advances in the sophistication of technology that might make such a scenario more feasible.

McAfee is nonetheless adamant that the potential for car-based hacker mischief is all too real.

“As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases,” said Stuart McClure, senior vice president and general manager, McAfee. “Many examples of research-based hacks show the potential threats and depth of compromise that expose the consumer. It’s one thing to have your email or laptop compromised but having your car hacked could translate to dire risks to your personal safety.”

Depending on your point of view, the study is either aimed at raising awareness or is an attempt to talk up a threat that McAfee and its associates can then sell into.

“The report highlights very real security concerns, and many in the auto industry are already actively designing solutions to address them,” said Georg Doll, senior director for automotive solutions at Wind River. “Given the development time for automobiles, the industry is finding it essential to start work now by teaming up with those possessing the right mix of software expertise.”

McAfee banged on for many years about the looming threat of malware on mobile devices that has only recently become a real-world problem for some smartphone users. At least the car security report omits the automobile risk equivalent of the financial cost of mobile malware guesstimates that were a regular feature of its late ’90s mobile threat reports.

Some of the more tin-foil-hat-wearing sections of the Reg readership may see the report as evidence why we should all move back to wholly mechanical cars, preferably models that rely on double de-clutching to change gear. Many would regard that as a step too far.

The McAfee study naturally concentrates on hacker-based threats without tackling the more immediate problem of what happens when those embedded devices go wrong without external interference. In such cases cars can subject occupants to white-knuckle high-speed rollercoaster rides that leave drivers powerless to brake or decelerate, as chilling tales from our occasional RoTM columns graphically illustrate (here, here and here).

There’s also no mention of the perils of slavishly following SatNav instructions or near-death blunders involving GPS-based location kit, a serious omission we hope will be addressed in future editions of the report. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/08/car_hack_risk_study/

DigiNotar hacker says he stole huge GlobalSign cache

An internet user with proven ties to the DigiNotar hack claims he stole email, customer data and other sensitive data from two competing web authentication authorities, and says the data will be released publicly soon.

In a statement posted Thursday, an individual calling himself Comodohacker expanded on previous claims that he breached the security of Israel-based certificate authority StartCom and its competitor GlobalSign, which is headquartered in the US. “I have ALL emails, database backups, customer data” for StartCom, he wrote, and went on to say he had access to “the entire server,” database backups and system configuration of GlobalSign. GlobalSign has already stopped issuing certificates while it investigates.

Thursday’s claims came shortly after Comodohacker offered the first conclusive proof he had insider knowledge of the security breach of Netherlands-based DigiNotar that minted more than 500 counterfeit certificates for Google.com and dozens of other websites. The unknown individual, who claims to be a 21-year-old Iranian who is sympathetic to his country’s government, posted a file that was signed with the private key of the fraudulent Google certificate, proving he had close contact with the people who perpetrated the hack.

Comodohacker previously confirmed his involvement in a hack on a reseller of the Comodo certificate authority that also forged counterfeit credentials for sensitive websites.

In Thursday’s post, he went on to provide details into the breach on DigiNotar, claiming its HSM, or hardware security module, ran on the OpenBSD operating system and had only a single port open that was protected with RSA SecurID and SafeSign Token management systems. It’s unclear if that description matches the systems used by DigiNotar.

In June StartSSL suffered a security breach in which attackers attempted to mint fraudulent certificates for several sensitive websites but were ultimately unsuccessful. It was at least the fifth time an entity that issues SSL, or secure sockets layer, certificates had been targeted. In all, four of Comodo’s resellers have suffered security breaches in the past six months.

There’s no proof Comodohacker was behind the June attack on StartSSL, but in a post published Tuesday and a second post that followed the next day, he claimed he managed to gain control of the hardware security module StartSSL uses to issue certificates but was thwarted at the last minute because the company relied on manual verification.

In the same post, Comodohacker disputed claims Microsoft made Monday that fraudulently issued certificates for domains including *.microsoft.com and *.windowsupdate.com could be used to hijack Microsoft’s security update system.

“I’m able to issue windows update,” he wrote. “Microsoft’s statement about Windows Update and that I can’t issue such update is totally false!”

Microsoft declined to comment.

Given the track record of Comodohacker, and the previous attacks on the PK, or public key, infrastructure, which some observers believe is sponsored by the Iranian government, the claims should be thoroughly investigated, said Comodo CEO Melih Abdulhayoglu.

“This is totally a state-sponsored attack on the PK infrastructure so you have to take it seriously,” he told The Register. “You have to immediately turn everything into emergency mode, whatever that is in your company.”

In addition to temporarily ceasing certificate issuance during its investigation, GlobalSign has hired Dutch security firm Fox IT to assist in the probe. It’s unclear what steps StartCom has taken in response to the claims. Representatives from both companies didn’t respond to emails seeking comment for this post. ®

This article was updated to add details about a previous attack on StartCom, and fraudulent certificates issued for Microsoft domains.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/07/diginotar_hacker_proof/

Ex-Microsoft accountant jailed for $1.1m Redmond theft

A former Microsoft accountant has been sentenced to two years in prison and ordered to repay over a million dollars after pleading guilty to theft and money laundering.

Randal Ray Seal stole the money from Microsoft after working in the company’s accounting department for nearly a decade. He said the thefts were initially carried out to highlight a flaw in the company’s accounting systems, but his bosses ignored the problem when he informed them, the Seattle P-I reports.

However, after Seal was laid off in 2004, he took the money, and it was only in 2009 that the authorities caught up with him. In addition to two years in prison, Seal will have to pay back around $1.1m to Redmond’s coffers.

“I made the poor decision of revealing the defects by exploiting the flaws in the department’s system,” Seal told the court.

“When I was terminated I had not thoroughly thought out how I would divulge my actions. In the end, instead of doing what was right and returning the money, I succumbed to my behavior was totally inappropriate.”

Seal originally offered to pay back half the money, but US District Court Judge James Robart ruled that the full amount had to be returned. His defense attorney said that Seal had pleaded guilty and felt remorse that he would never be able to work at Microsoft again.

“Randy has agonized over his actions and been unable to see any kind of future for himself,” he said in court documents.

“In fact he was almost relieved that he was finally able to tell the truth about what he had done, especially to his wife.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/07/microsoft_accountant_jailed_theft/