STE WILLIAMS

Bitcoin millionaire throws $7.5m virtual currency in the bin

When it comes to electronic devices, bad things do happen. Components fail, power outages do occur, and files can be accidentally deleted.

For that reason it is always advisable to have a backup strategy so that you never lose your home made videos, holiday snaps or business accounts.

Any IT professional would tell you that… unless his name is James Howells.

Howells, who works as an IT consultant, may have committed two cardinal sins.

The first was throwing away a hard drive in an insecure manner. When his laptop broke he cannibalised it, taking parts he could re-use elsewhere. He tossed the hard drive into a drawer where it remained until he decided it was no longer needed.

Without physically breaking the drive or removing the data stored on it he threw it out, presumably forgetting the value that data may hold to anyone who went searching through his refuse bin.

The second big mistake Howells made was tossing out a drive that he hadn’t backed up. After gathering dust in his desk drawer for three years it seems he didn’t even have any idea what data was stored on the disk.

Now, however, it looks like he’ll be paying the price for his foolishness as the drive he threw out may well be one of the most valuable in history – around 7.5 million dollars.

Back in 2009 Howells used the now dead laptop to mine Bitcoins, just after the service was launched. Up until the time his girlfriend complained that his laptop was getting too hot and noisy he says he managed to accumulate a total of 7,500 Bitcoins.

At the time the currency had little value but, with the value of each Bitcoin now in excess of $1,000, Howells’ hoard is worth $7.5m (around £4.6m).

The problem, of course, is that Howells threw out the hard drive which contains the cryptographic private key that is required in order to access and spend the virtual currency.

Speaking to The Guardian, Howells said:

You know when you put something in the bin, and in your head, say to yourself ‘that’s a bad idea’? I really did have that.

Howells checked all of his USB sticks and other hard drives in the hope that he had backed up the key he required but realised he had nothing.

Believing he had thrown the hard drive out between June 20 and August 10 he went to his local landfill site in Newport in the hope of discovering it (image courtesy of James Howells’ Twitter account).

Landfill. Image courtesy of James Howells

I had a word with one of the guys down there, explained the situation. And he actually took me out in his truck to where the landfill site is, the current ditch they’re working on. It’s about the size of a football field, and he said something from three or four months ago would be about three or four feet down.

Howells thought about searching the tip for the drive himself but was put off when he was told that a police search of the area would likely involve mechanical diggers and a team of 15 people equipped with protective clothing. Pretty costly, considering the drive may not be found in an operational state, so he opted out.

Howells is now asking for donations towards the cost of recovering the hard drive.

Whilst I have little sympathy for James Howells, who I think probably should have known better, this story does serve as a very real reminder of the importance of backing up important data on a regular basis, as well as disposing of hard drives properly.

Note: budding treasure hunters thinking of heading to Wales in a quest to find the hard drive should think again as a spokeswoman told The Guardian that they “wouldn’t be allowed in.”


Image of Bitcoins courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zFVTHfmEpQs/

‘Neverquest’ bank-robber ‘ware throws the whole Trick Book at victims


A new banking trojan that its creators brag can attack “any bank in any country” has already been blamed for several thousand attempts to infect computers.

The Neverquest banking trojan supports almost every trick used to bypass online banking security systems, including web injection, remote system access and social engineering, Kaspersky Lab warns. Neverquest surfaced on hacker forums during July in an advert looking for a partner to work with the trojan on servers run by a group of cybercriminals.


Months later, variants of the malware matching the design specs started surfacing in active attacks. By mid-November Kaspersky Lab had recorded several thousand attempted Neverquest infections all around the world. Things can only get worse as the fraudsters behind the malware are only just spinning up their malware machine, which might take months to reach its full potential.

Neverquest uses the same self-replication mechanisms as Bredolab, a digital pathogen used as a platform for spam distribution and scareware scams that caused all sorts of problems when it began spreading back in 2009. At its pre-decapitation peak, Bredolab infected an estimated 30m Windows PCs, so Neverquest’s similarity to it is bad news for internet hygiene.

Routines built into Neverquest harvest contact information from a victim’s email client. This information is used by cybercriminals to send out mass spam mailings with attachments containing trojan downloaders, designed to install Neverquest. Booby-trapped emails contain malicious zip attachments and are typically designed to look like official notifications from a variety of online services.

Another routine steals FTP passwords associated with websites. This compromised access is then used to plant malicious code (exploit packs) on websites. This creates drive-by download attacks so that surfers visiting the otherwise legitimate site are sprayed with malicious code ultimately designed to plant Neverquest malware on vulnerable PCs using browser exploits and similar attacks.

The crooks behind the malware are aiming to steal a march against their more established rivals who push other banking trojan toolkits such as ZeuS and Carberp, according to security researchers.

Sergey Golovanov, principal security researcher at Kaspersky Lab, commented:

“After wrapping up several criminal cases associated with the creation and proliferation of malware used to steal bank website data, a few ‘holes’ appeared on the black market. New malicious users are trying to fill these with new technologies and ideas. Neverquest is just one of the threats aiming to take over the leading positions previously held by programs like ZeuS and Carberp.”

Neverquest steals usernames and passwords to online bank accounts as well as all the data entered by the user into the modified pages of a banking website. Special scripts for Internet Explorer and Firefox are used to enable these thefts, giving the malware control of the browser connection and routing it to the cybercrooks’ command server.

Scripts to enable fraud against German, Italian, Turkish and Indian banks, as well as payment systems, come bundled with the hacker tool. Neverquest also comes with utilities to enable fraudsters to extend the target list.

Kaspersky Lab analysts reckon investment funds from fidelity.com are the top target for the fraudsters behind the malware. Malicious users have the chance not only to transfer funds to their own accounts but also to play the stock market using the accounts and the money of Neverquest victims.

One unusual feature of the malware means fraudsters can conduct transactions and wire money from one compromised account to the accounts of other victims. Normally funds are fraudulently siphoned off from compromised accounts to accounts maintained by money mules in the same country, junior partners in banking fraud scams. These money mules withdraw the money, keeping a small percentage, before using money transfer services such as Western Union to send it to the masterminds behind the scams, who are often based in eastern Europe.

Neverquest is also designed to harvest data to access the accounts of numerous social networking services, including Twitter and Facebook. The malware has yet to use social media to spread, however, according to security researchers at the Russian security firm.

A full write-up on the threat, including screenshot, can be found on a post at Kaspersky Lab’s Threatpost blog here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/29/_meet_the_new_swiss_army_knife_of_cybercrime/

Fancy knocking off early? Just run our fake computer crash ‘virus’, say admen


A jokey US ad agency recruitment campaign encouraged users to stage fake computer crashes so that they might be able to ditch work early.

The Happy Hour virus from Colorado admen TDA_Boulder came with a series of screensavers that allowed users to claim they were unable to work because their machines had gone wrong, creating a convincing excuse for them to ditch work early in the process.


A choice of three static images, including a representation of the infamous Windows Blue Screen of Death, is offered. Other choices include “Kernel Panic” and “Broken Monitor”.

The idea of the tongue-in-cheek recruitment campaign was to promote the idea that it’s possible to have a healthy work-life balance even in the hectic advertising biz, AdWeek reports.

The HappyHourVirus.com site explains TDA’s workplace philosophy and how self-inflicted computer problems might play a role in this, presumably when all else fails: “We are all better employees if we achieve something called work-life balance. However, pursuing that goal is not always an easy task in today’s corporate culture. Please use the Happy Hour Virus to leave work early and enjoy the company of friends, family or co-workers.”

“We are aware that this might jeopardise your productivity the following day,” continued the site, “but we are willing to take that risk on your behalf. And if this sounds like a philosophy you could live with, learn more about us here,” it adds, complete with a link to an employment application.

The whole set-up takes the diametrically opposite line to a job ad from games and comics site Penny Arcade looking for a “Web / Software Developer Sys Admin” which outlines unashamedly wretched working conditions. “We are quite literally looking for a person that can do four jobs… if you’d like to be at the technical epicenter of it all and don’t mind having a really bad sense of work-life balance, this is the job for you,” the unappealing pitch concludes.

Visitors to the Happy Hour virus site can download fake crash motifs and install them onto their PCs without going through any kind of registration process. The site remains live and open to all, not just those looking for a job with TDA. Removing the fake screensaver involves simply pressing the escape key.

Screw YOU guys. I’m going home.

Net security firm Sophos makes the obvious point that the downloads available from the Happy Hour virus site might easily be abused by the workshy. Trivialising computer security is no good thing, Naked Security writer Paul Ducklin adds in a light-hearted piece on the campaign, full of tech-themed jokes.

Ducklin’s article includes an obvious fake quote from Boulder Online Regulators of Interactive Network Games (geddit) as well as a suggestion to update the Blue Screen of Death theme for Windows 8 and the sarcastic observation that Mac users wouldn’t be able to use the ruse because “Macs don’t get viruses and thus cannot actually crash”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/29/happy_hour_workshy_virus_fakery/

Blighty’s top moneymen: Hackers are SLURPING CASH direct from banks


Several UK banks have suffered actual financial losses as a result of cyber-attacks in the last six months, according to a Bank of England study.

The Bank of England’s latest Financial Stability Report, published on Thursday, reiterates warnings about the risk posed by hacking attacks made six months ago when Andrew Haldane, the BofE’s director of financial stability, testified before parliament’s Treasury Select Committee.


Haldane was passing on the view from representatives of Britain’s top banks that computer security was their biggest operational risk.

The latest report (PDF) from the central bank contains a small section, titled “Operational risks, including from cyber attack, remain a concern” that riffs further on this theme.

The June Report also highlighted potential operational risks related to financial institutions’ information technology (IT) systems. A quarter of respondents to the Bank of England’s 2013 H2 Systemic Risk Survey highlighted operational risk as one of the main risks to UK financial stability.

Over half of these responses cited risks from cyber attack — where an individual or group seeks to exploit vulnerabilities in IT systems for financial gain or to disrupt services. Cyber attack has continued to threaten to disrupt the financial system. In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services.

While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities. If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions.

Concerns that high-volume DDoS attacks of the type that interrupted the operations of US banks last year might easily be deployed against British banks to similar effect have fortunately proved groundless. Reported operational problems in UK banks (such as recent incidents at Barclays and HSBC) have come as a result of system failure, rather than hostile attacks.

An April attack that led to arrests in September after crooks allegedly planted remote-control hardware in a computer at a Barclays bank branch, which was linked with the alleged theft of £1.3m, is a cause for concern – but no great worry on the grander scheme of things.

A far more tangible existential risk comes from something like an ATM cash-out scam, which cost two Middle Eastern banks $45m last year after hackers broke into a database of prepaid debit cards.

Many operational problems would, of course, be known to the Bank of England without reaching the press. And banks are stepping up their readiness to deal with attacks. For example, financial firms and banks across London took part in a cyber-war game earlier this month, code-named Waking Shark II.

Banks have focused on credit, market and liquidity risk over the past five years because of financial sector upheavals, caused first by the sub-prime mortgage crisis and banking bailouts of 2008, followed by the ongoing eurozone crisis and a general recession across the EU. The vast majority of the Bank of England’s report focuses on these types of risks rather than anything posed by computing attacks, which, nonetheless, still pose a risk that cannot be ignored. Security vendors, unsurprisingly, focused on cybersecurity in commenting on the report.

Peter Armstrong, director of cyber security at Thales UK, said banks need to move towards more integrated cyber defences.

“The combination of high interconnectedness, reliance on centralised market infrastructure and complex legacy IT systems are leaving our banks vulnerable to cyber attacks,” Armstrong said. “A holistic approach that is designed to tightly integrate cyber-defences with processes, people and physical measures is crucial to ensure financial organisations are protected against the latest evolution of threat and attack vectors.”

Armstrong placed a particular emphasis on re-training staff and sharing threat intelligence among financial institutions as important tactics in the never-ending fight against cyber attacks.

“Banks must make more effort to retrain or re-skill their employees,” he said. “Much more emphasis should be placed on retention of soft skills, IP, organisational culture, the evolution of internal security policies and knowledge of legacy systems.”

“Greater collaboration on cyber issues should also lead to an improvement in cyber awareness and continuous policy evaluation and adaptation, particularly as external attacks multiply faster than legacy IT security solutions can currently keep up with,” he added.

Chris McIntosh, chief exec at security and communications company ViaSat UK, said the cyber threat warning from the central bank comes as little surprise because the financial sector is routinely targeted by state-sponsored and organised crime elements.

“Rather than waiting for the next data breach to occur, the UK’s banks need to realise that they have likely already been compromised and need to work back on this basis… The financial sector is the custodian of millions of customer details and the gateway to billions of pounds. Unless this sector takes the right action, we will see attacks become more refined and sophisticated with massive repercussions for this sector and the wider economy,” he concluded.

An extensive catalogue of the documents released as part of the central bank’s Financial Stability Report, November 2013 can be found on the BofE website here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/29/uk_banks_cyber_threat_warning/

A Mercenary Approach to Botnets

For a period of two years, it often felt that not a week went by without some security company or product vendor announcing the takedown of a multi-million node botnet. I don’t know if it was the waning enthusiasm of the media to cover “yet another botnet takedown”, the public’s exhaustion over a threat they could do little to prevent, or the fact that the majority of botnet “takedowns” were merely temporary setbacks for their criminal overlords, but as we reach the end of 2013 the frequency of such boastings has declined noticeably.

While the public broadcasts of botnet takedowns are now more likely to be associated with a golden age in the battle against the bots, the war continues on a less visible plane. Irrespective of whether this war can in fact be won, a question I’m increasingly being asked is whether certain organizations and government entities want in fact to win it.

Why wouldn’t the good guys want to win the botnet battle? Many salty dogs of the security industry have experienced how shutting down one attack vector forces the threat to evolve in another direction; a direction that will likely be even more difficult to combat or, minimally, require substantial research effort to investigate. Eighty-percent efficacy against a threat you understand is considerably better than zero-percent of a threat you have no technology in your back-pocket for.

But that’s not the only reason why a growing pool of security professionals would sooner hold-back from shutting down the botnets that plague the Internet. Botnets harvest a lot of data from their victims. Access to that data is increasingly lucrative and, if you package the data just right, can be sold on as a subscription feed to a growing pool of organizations.

The security analyst community used to be quite open in the way they shared information about botnets – in particular, information about the command and control (C&C) servers, the domain names and IP addresses being used, samples of the bot malware, and copies of the C&C software. Now, because this information has a demonstrable value, those that have it are much less likely to “give back to the community”. If anything, they’re more likely to create new subscription services and provide it as a paid-for stream of data.

But what is this data, and who is it useful to?

When people first hear that botnet data is up for sale, I think most jump to the conclusion that the data is a stream of all the personal and confidential information being stolen from the botnet victims. In some cases it may be, but most often it’s not. More often than not, it may simply be a list of IP addresses of the victims under the control of a single piece of malware.

Depending upon who you’re selling to and what their missions are, even data as “uninteresting” as the IP addresses of the victims holds a unique and complementary value to some folks. For example, government agencies like the CIA or NSA can use it to map which botnets are successfully penetrating computers within countries or institutions they’re tracking. By knowing what the original malware was, the agency is going to know the operating system and major application version numbers of the infected devices. This adds to the pool of knowledge about an adversary which could be leveraged in a time of need.

If an organization is smart, they’ll also be sinkholing the C&C domains – probably not all of them, just enough to provide visibility of the victims, but not crossing a threshold which forces the criminal who built the botnet to change tactics and stop growing their botnet.

If the botnet C&C software isn’t particularly well written (which is often the case), or if someone has reverse engineered the C&C portal software and found interesting vulnerabilities, then simply knowing the domain names used by the botnet malware may allow an agency to access all the information being harvested by the bot on the victim’s computer (e.g. UIDs, passwords, applications installed, browser history, banking credentials, etc.), or even issue new commands.

It used to be that the worlds of bug hunters and malware analysts were separate and seldom overlapped. In the last couple of years the ability to analyze malware samples and identify exploitable vulnerabilities in them has become very important. Given that some botnets have a bigger pool of victims than many commercial software vendors have licensed customers, the value of an exploit that grants reliable remote control of a popular malware agent is rising. I’d hazard a guess that a remotely exploitable vulnerability in Zeus, SpyEye, or any of the other top-10 botnet malware families is likely worth tens of thousands of dollars to most government agencies around the world.

In many ways, botnets have become a golden goose to those charged with gathering intelligence on the populations of foreign entities. The bulk of the victims’ data is useful for mapping populations, communication profiles, and as egress points for counter-intelligence exercises. Then, given how many botnet victims there are, the probability that a few “interesting” computers will have succumbed along the way is similarly high – providing direct insight into a pool of high value targets.

The incentives are high for many businesses and government agencies to not be too heavy handed in combating the global botnet pandemic. There’s money to be had and, with each passing day, more interesting ways are being uncovered in how to package the data, and how to employ it.

— Gunter Ollmann, CTO, IOActive Inc.

Article source: http://www.darkreading.com/attacks-breaches/a-mercenary-approach-to-botnets/240164329

Microsoft, HURTING after NSA backdooring, vows to now harden its pipe


Microsoft is scrambling to encrypt its data centers’ interlinks – after a fresh Snowden leak suggested the NSA and GCHQ tapped into the cables and intercepted sensitive network traffic.

Documents obtained by the Washington Post from the whistleblower show that Microsoft’s Hotmail, Windows Live Messenger services and Passport communications were scanned by software called Monkey Puzzle, which was developed at the British snooping nerve-center GCHQ.


Reaching into the private unencrypted interlinks allows both intelligence agencies to effectively spy on Microsoft customers, and copy their messages and address books, it is claimed.

“These allegations are very disturbing. If they are true these actions amount to hacking and seizure of private data and in our view are a breach of the protection guaranteed by the Fourth Amendment to the Constitution,” Brad Smith, Microsoft’s general counsel, said in an email to The Register.

Smith, given his role as a legal eagle, also pointed out that the documents don’t constitute proof per se that the NSA is tapping into its traffic surreptitiously. But he said the company’s engineering teams will be beefing up security, “including strengthening security against snooping by governments.”

Sources familiar with the matter say Microsoft will get to work on shielding its network traffic in the coming days, and senior executives are meeting to discuss the issue and plan a response. The Windows giant is already smarting from the commercial and reputation hit it has taken from the PRISM scandal and the latest situation just adds salt to the wound.

One email in Edward Snowden’s leaked dossier, dated November 2009, comes from a developer at GCHQ. It explains how the Monkey Puzzle software can scoop data from Google, Yahoo! and Microsoft Passport, saying “the NSA can send us whatever realms they like right now.”

Snowden also revealed PowerPoint decks rated top secret showing that “metadata-rich” address books were downloaded and stored on multiple databases. One showed the interception of a message on the now-defunct Windows Live Messenger system.

The news comes a month after another leak from the globetrotting whistleblower showing that the NSA was doing the same thing with Google and Yahoo!’s interlinks. One Google engineer was moved to obscenity when shown the tapping plans, dubbed Project MUSCULAR by the NSA, and El Reg wonders if Redmond CEO Ballmer is turning the air blue this morning.

Following the October leak, Yahoo! announced it will begin encrypting its interlinks between data centers, and Google has been doing so for some time. But Microsoft said it was holding off on such a move as little as two weeks ago.

Based on the documents released so far, tapping data-center interlinks appears to occur mostly overseas – where the NSA can operate on presidential say-so alone rather than having to get permission from the courts. The spooks are also reportedly going through third-party companies to slurp the data.

“NSA’s focus is on targeting the communications of valid foreign intelligence targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to the US government,” the agency told WaPo in a statement. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/27/microsoft_encryption_nsa_spying/

Google admits that forcing G+ on YouTube users has increased spam

Google’s recent decision to revamp YouTube’s comment system by integrating Google+ in order to reduce spam has proven to be extremely unpopular with users. Ironically, however, it has proven to be quite a hit with the spammers themselves.

The problem has not gone unnoticed by the YouTube comments team who, on Monday, acknowledged the issue via a blog post:

YouTube comments update

Since we launched the new comments experience on YouTube two weeks ago, we’ve received a lot of feedback from creators on the increase in comment spam. While the new system dealt with many spam issues that had plagued YouTube comments in the past, it also introduced new opportunities for abuse and shortly after the launch, we saw some users taking advantage of them.

In response to the plague of spam hitting the video-sharing site, YouTube has now implemented some updates which it believes will stem the tide.

The main changes involve better detection of bad links, improved recognition of impersonation attempts, and a change in the length of time that comments are displayed for.

There will also be improved detection of ASCII art – images dropped into comments by constructing a picture from text characters – which should hopefully lead to far fewer tanks, bananas and penises being seen beneath YouTube videos in the future (though I suspect there will always be a few bananas leaving stupid comments).

YouTube also disclosed that it will be adding further features to the commenting system which it hopes will be of benefit to video creators:

So what’s next? We’re moving forward with more improvements to help you manage comments on your videos better. Bulk moderation has been a long standing creator request and we’ll be releasing tools for that soon. At the same time, we’re also working on improving comment ranking and moderation of old-style comments.

Whether the changes will appease all of YouTube’s user base remains to be seen as many seem to favour a return to the pre-Google+ days.

A petition was recently launched on change.org asking for a return to the old comment system:

Google is forcing us to make google+ accounts and invading our social life to comment on a youtube video and trying to take away our anonymous profile. They are also trying to censor us unless we share the same world view as they do.

Such sentiment seems to be quite widespread, with over 200,000 people adding their digital signatures to the petition in the last two weeks.

Google, however, seems unperturbed in continuing the integration and one could speculate that there are a couple of reasons why it would wish to persevere.

From Google’s point of view, forcing YouTube users onto its social networking site has the potential to lift its profile at a time when it is arguably playing third (or more) fiddle to both Facebook and Twitter.

Secondly, integration of the two sites will provide Google with even more information about the users of both services and, as all Naked Security readers should know by now, that data has value to those who wish to use it in order to deliver targeted advertisements.

How do you feel about Google forcing people to have a Google+ account in order to comment on YouTube? Do you think it’s all a storm in a teacup and great if it means the changes eventually will reduce the amount of spam on the site, or are you just plain annoyed that you need to sign up to Google+ in order to leave a comment in the first place?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jPiF3-wjtNk/

Microsoft warns of zero-day XP kernel bug being exploited in the wild

Microsoft has gone public to warn about a zero-day vulnerability in the Windows XP kernel.

Apparently, the bug, dubbed CVE-2013-5065, is being exploited in the wild, though details of exactly how, where, by whom and to what effect are not known.

That makes it rather hard to decide exactly how to respond, but here’s what we know so far:

  • The bug is in the NDPROXY.SYS driver, which co-ordinates the operation of Microsoft’s Telephony API (TAPI).
  • The exploit doesn’t allow remote code execution on its own, only an elevation of privilege (EoP).
  • The vulnerability exists in Windows XP and Server 2003 only.
  • No formal patch or Fixit has been published yet.
  • A simple registry tweak can immunise an XP computer against the vulnerability.
  • The registry tweak has some side-effects you need to know about.

Even though EoP holes aren’t directly exploitable by remote attackers, cybercriminals can combine an EoP with a conventional exploit, such as a drive-by malware attack against your browser or other content-rendering software.

Learn about the various types of vulnerability, including Remote Code Execution and Elevation of Privilege, in the embedded audio podcast.

Adding an EoP to a drive-by means that the attack is no longer limited to the privileges of the user whose browser (or PDF reader, Flash player or Java runtime) gets attacked.

According to network security company FireEye, that has happened with this exploit, which the company says it has seen as part of a PDF-based attack against unpatched versions of Adobe Reader.

And this is the worst sort of EoP: it doesn’t just boost you from a regular user to an administrator, but beyond.

In Microsoft’s words, “an attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.”

Running in kernel mode is like being an administrator’s administrator.

What to do?

The best solution of all is to get off XP onto any later version of Windows.

We all know we probably ought to have done that already, and that we definitely ought to do so by April 2014, but we also know that not everyone is going to be able to make it by 2014, let alone right now as a response to fix this issue.

If you’re stuck with XP, you may be able to use Microsoft’s interim workaround: prevent the buggy NDPROXY.SYS driver from loading at all.

Simply deleting the file won’t do, as the Windows driver cache will helpfully restore it for you. (Anyway, deleting the file is permanent and thus a hassle to reverse if it doesn’t work out.)

Microsoft’s cunning plan is to tweak the registry to configure the NDProxy driver to load NULL.SYS (a special functionless driver) instead of the faulty NDPROXY.SYS executable.

You need to change (or create, if it doesn’t exist) the following registry entry:

Key:          HKLM\SYSTEM\CurrentControlSet\Services\NDProxy
Value name:   ImagePath
Type:         REG_EXPAND_SZ
Set data to:  system32\DRIVERS\null.sys

When you reboot, you will be immune to this EoP exploit.

Of course, this sort of hack comes with a cost: the NDProxy service will no longer work, and therefore anything relying on TAPI won’t work either.

That includes Dial Up Networking (remember that?) and RAS, which you might expect; and also Microsoft’s Virtual Private Network (VPN) software, which you might not expect.

→ If you are connecting to Microsoft servers using a non-Microsoft VPN, such as the SSL or IPSEC based options offered by the Sophos UTM product, you should be able to neutralise the NDProxy service without locking yourself out of the VPN. But be sure to test things first: if you have problems, you can easily revert the change by altering the above ImagePath registry value back so it points at system32\DRIVERS\ndproxy.sys.
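The apply-check-revert cycle described above, as an added example written for this page (it is not code from the original article or from Microsoft's advisory): it sets the ImagePath value, reads it back, and confirms the value type really is REG_EXPAND_SZ before you reboot. It assumes a local administrator session on XP or Server 2003 with PowerShell 2.0 installed, and the script file name (Disable-NDProxy.ps1) and switch names are my own choices.

```powershell
# Added example: apply, check or revert the NDProxy -> null.sys workaround.
# Assumes: run as local administrator on Windows XP / Server 2003 with
# PowerShell 2.0; key and value names are those given in the article.
param(
    [switch]$Revert,    # put ImagePath back to ndproxy.sys
    [switch]$CheckOnly  # report the current state, change nothing
)

$Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'
$ValueName = 'ImagePath'
$Mitigated = 'system32\DRIVERS\null.sys'
$Original  = 'system32\DRIVERS\ndproxy.sys'

function Get-NDProxyImagePath {
    # Returns the raw (unexpanded) string, or $null if the key/value is absent.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-Item $Key
    if ($item.GetValueNames() -notcontains $ValueName) { return $null }
    # DoNotExpandEnvironmentNames keeps a %SystemRoot% reference intact if present
    return $item.GetValue($ValueName, $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

function Set-NDProxyImagePath([string]$Target) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $item = Get-Item $Key
    if ($item.GetValueNames() -contains $ValueName) {
        # Delete and recreate so the type is guaranteed to be REG_EXPAND_SZ,
        # rather than inheriting whatever type the existing value had.
        Remove-ItemProperty -Path $Key -Name $ValueName
    }
    New-ItemProperty -Path $Key -Name $ValueName -Value $Target `
        -PropertyType ExpandString | Out-Null
}

$current = Get-NDProxyImagePath
if ($current) { Write-Host "Current ${ValueName}: $current" }
else          { Write-Host "Current ${ValueName}: <absent>" }

if ($CheckOnly) {
    if ($current -and ($current -ieq $Mitigated)) {
        Write-Host 'State: mitigated (NDProxy will load null.sys)'
    } else {
        Write-Host 'State: NOT mitigated (ndproxy.sys will load)'
    }
    return
}

if ($Revert) { $target = $Original } else { $target = $Mitigated }
Set-NDProxyImagePath $target

# Read back and verify both the data and the value type before trusting it.
$after = Get-NDProxyImagePath
$kind  = (Get-Item $Key).GetValueKind($ValueName)
if (($after -ieq $target) -and
    ($kind -eq [Microsoft.Win32.RegistryValueKind]::ExpandString)) {
    Write-Host "OK: $ValueName is now '$after' ($kind). Reboot for it to take effect."
} else {
    Write-Warning "Unexpected result: data='$after' type=$kind"
    exit 1
}
```

Run `.\Disable-NDProxy.ps1` to apply the workaround, `.\Disable-NDProxy.ps1 -CheckOnly` to audit a machine without touching it, and `.\Disable-NDProxy.ps1 -Revert` if TAPI-dependent services such as RAS or the Microsoft VPN client turn out to be needed after all. The read-back matters: a value written as REG_SZ instead of REG_EXPAND_SZ, or a typo in the path, leaves the machine looking "done" while ndproxy.sys still loads.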

Don’t forget to patch your non-Microsoft applications, too.

Obviously, patching other software won’t fix the XP kernel hole, but we’ve so far only heard of one real-world attack using this EoP, and it relies on a bug in Adobe Reader.

That Reader vulnerability, as far as we know, is not a zero-day, so if you have been prompt about patching, you should be protected against it already.

Lastly, take care about opening files like PDFs that don’t come from a known-good source.

FireEye isn’t saying whether the attack it investigated was delivered by email or via the web, but either way, a little caution goes a long way!

NB. Sophos products detect currently-known samples of files exploiting CVE-2013-5065 as Troj/20135065-A.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rJJdeCvAD9A/

Microsoft, HURTING after NSA backdooring, vows to harden its own pipe

Microsoft is scrambling to encrypt its data centers’ interlinks – after a fresh Snowden leak suggested the NSA and GCHQ tapped into the cables and intercepted sensitive network traffic.

Documents obtained by the Washington Post from the whistleblower show that Microsoft’s Hotmail, Windows Live Messenger services and Passport communications were scanned by software called Monkey Puzzle, which was developed at the British snooping nerve-center GCHQ.


Reaching into the private unencrypted interlinks allows both intelligence agencies to effectively spy on Microsoft customers, and copy their messages and address books, it is claimed.

“These allegations are very disturbing. If they are true these actions amount to hacking and seizure of private data and in our view are a breach of the protection guaranteed by the Fourth Amendment to the Constitution.” Brad Smith, Microsoft’s general counsel, said in an email to The Register.

Smith, given his role as a legal eagle, also pointed out that the documents don’t constitute proof per se that the NSA is tapping into its traffic surreptitiously. But he said the company’s engineering teams will be beefing up security, “including strengthening security against snooping by governments.”

Sources familiar with the matter say Microsoft will get to work on shielding its network traffic in the coming days, and senior executives are meeting to discuss the issue and plan a response. The Windows giant is already smarting from the commercial and reputational hit it has taken from the PRISM scandal, and the latest situation just rubs salt into the wound.

One email in Edward Snowden’s leaked dossier, dated November 2009, comes from a developer at GCHQ. It explains how the Monkey Puzzle software can scoop data from Google, Yahoo! and Microsoft Passport, saying “the NSA can send us whatever realms they like right now.”

Snowden also revealed PowerPoint decks rated top secret showing that “metadata-rich” address books were downloaded and stored on multiple databases. One showed the interception of a message on the now-defunct Windows Live Messenger system.

The news comes a month after another leak from the globetrotting whistleblower showing that the NSA was doing the same thing with Google and Yahoo!’s interlinks. One Google engineer was moved to obscenity when shown the tapping plans, dubbed Project MUSCULAR by the NSA, and El Reg wonders if Redmond CEO Ballmer is turning the air blue this morning.

Following the October leak, Yahoo! announced it will begin encrypting its interlinks between data centers, and Google has been doing so for some time. But Microsoft said it was holding off on such a move as little as two weeks ago.

Based on the documents released so far, tapping of data-center interlinks appears to occur mostly overseas, where the NSA can operate on presidential say-so alone rather than having to get permission from the courts. The spooks are also reportedly going through third-party companies to slurp the data.

“NSA’s focus is on targeting the communications of valid foreign intelligence targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to the US government,” the agency told WaPo in a statement. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/27/microsoft_encryption_nsa_spying/

87% of SMBs suffered a cyberattack last year, only 44% see security as a priority

Earlier this year, the Department for Business, Innovation and Skills (BIS) reported that 93% of large businesses fell prey to a cyberattack in 2012.

Similarly, small and medium-size businesses (SMBs) also suffered, with 87% being targeted – up 10% from the previous year.

Now, the reasons why SMBs are at risk have been examined in detail in a recent Sophos-sponsored report by the Ponemon Institute.

The report – The Risk of an Uncertain Security Strategy – surveyed over 2,000 IT security managers within organisations employing up to 5,000 people.

Given the job roles of the respondents, some of the findings are quite staggering with 44% of those surveyed saying that a strong security policy is not a priority and 58% claiming that management do not see cyber attacks as a significant threat.

Other barriers to implementing an effective IT security strategy were also identified with 42%, unsurprisingly perhaps, citing a lack of budget as a large factor. Another major issue identified by the survey was a lack of skilled personnel.

Other findings in the Ponemon report are even more concerning.

Considering the fact that respondents in the survey are all responsible for managing the security function, I find it quite alarming that 1 in 3 admitted that they did not know whether their organisation had been subjected to a cyber attack in the last twelve months. Such a lack of knowledge would seem to suggest a deficiency either in the monitoring and reporting of incidents or with the IT management itself.

Also, the Ponemon Institute discovered that those in more senior positions seemed to have the least knowledge of the threats posed to their business, which is again a concern as they are likely to be the decision makers who would deem whether a particular threat should be a priority or not.

Interestingly, 31% of the individuals surveyed said that there was no particular person within their company with responsibility for making security decisions.

Another discovery was that SMBs struggle to assign a monetary value to information assets. If an organisation does not apply a cost to its assets then how can it determine their value and, hence, the appropriate level of security protection to apply to it?

The topic of mobile devices was of concern to the individuals surveyed, especially given the widespread adoption of BYOD which they reported. Many respondents said that their organisations are planning to invest in technologies to reduce BYOD risks as a result.

I was pleased to see that 51% of respondents did not equate regulatory compliance with a strong security position, given that remaining compliant shouldn’t be the goal and rather should be a by-product of good security.

So what can SMBs do to improve their knowledge of cyber threats?

Sophos recommends the following:

  • Proactive monitoring, detection and reporting on threats to enable quick and incisive decision making
  • The establishment of mobile and BYOD policies
  • Where in-house security resources are limited, better planning and adoption of cloud technologies, consultants and easily managed resources can help to free up the organisation’s information security professionals
  • Costing of information assets and downtime so that senior management can invest in cost effective solutions to protect them
  • Working with the higher echelons of management within the business in such a way that they place a higher priority on cyber security

You can read the full Ponemon Institute report here.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/R2RHZWLRxjw/