STE WILLIAMS

Windows, Office zero-day vuln must wait for next Patch Tuesday, says MS


Microsoft is lining up eight bulletins for the November edition of Patch Tuesday (12 November), including three critical fixes, but there’s no relief in sight for a zero-day vulnerability in how Office handles .TIFF graphics files.

Hackers are exploiting a zero-day vulnerability in a graphics library that is used by Microsoft Office and older versions of Windows in a targeted attack, as revealed by The Register this week. There is no patch available for this, and nothing is scheduled to arrive next Tuesday.


However, Redmond’s security gnomes have at least issued a workaround to defend against possible attacks that works by disabling TIFF rendering in the affected graphics library. TIFF is a format used frequently when scanning documents and in the publishing industry.

A comprehensive patch against the vulnerability, which only surfaced last week, will probably have to wait until December.

In the meantime there’s November’s eight-strong bulletin to consider, which covers flaws in both Windows and Microsoft Office software. The three “critical” bulletins affect IE and Windows, with the remaining five “important” bulletins affecting Office and Windows.

“All of the critical bulletins and one of the important bulletins result in a remote code execution and should be prioritised higher,” explains Wolfgang Kandek, CTO of cloud security firm Qualys, in a blog post. “The rest of the important bulletins result in the elevation of privileges or a denial of service condition.”

Microsoft’s pre-release advisory – which leaves out details of the vulnerabilities to be addressed pending their release next Tuesday – is here.

Ross Barrett, senior manager of security engineering at Rapid7, said November’s medium-to-lightweight Patch Tuesday is likely to provoke mixed feelings among sysadmins.

“The November Patch Tuesday Advance Bulletin is out and I think everyone is breathing a sigh of both relief and frustration,” Barrett commented. “Relief because for the first time in a few months, this is a relatively straightforward Patch Tuesday, with fixes for most Windows versions, the ever-present IE roll up patch, and some Office components, but nothing esoteric or difficult to patch. No SharePoint plugins, no complicated .NET patching, no esoteric office extensions.”

“There is frustration because according to the MSRC blog, this round of patches does not include a fix for the recently published, exploited in the wild Office vulnerability described in Microsoft Security Advisory 2896666.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/08/ms_nov_patch_tuesday_prealert/


Apple publishes new transparency report. Is there a ‘warrant canary’ nesting inside?

If Ars Technica’s reading of subtle legal language (or lack thereof) proves correct, Apple on Tuesday might well have slipped a ‘warrant canary’ into its latest transparency report.

From page 5:

Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.

With that simple statement, Ars Technica’s Cyrus Farivar explains, Apple has become one of the few big tech companies to use a warrant canary – a method that companies can use to inform their customers when they have not been served with a secret government subpoena.

Such secret subpoenas, including those covered under the Patriot Act, come with gag orders that prevent companies from telling customers they’ve been served.

When a company publishes the dates that it hasn’t received a subpoena, customers can then infer – from the missing information – the dates that the company must have been served with the subpoena.

In the same vein, Apple might have also managed to inform customers that it’s been served with a subpoena for customer data, with attendant gag order, under Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act, all without breaking the law, moving its lips or saying a word about FISA.

The fact that it didn’t mention FISA could mean that it has been served, given that it did mention the subpoenas it hasn’t received.

FISA is a US law that compels companies to share data on foreigners (or “foreign powers”, which may include US citizens and permanent residents suspected of espionage or terrorism) and provides the legal basis for the National Security Agency’s (NSA’s) surveillance program.

This way of passively informing customers about subpoenas doesn’t violate laws, though it hasn’t been tested in court.

Nate Cardozo, a staff attorney for the Electronic Frontier Foundation, said in his comments on the Ars Technica story that there are two nice things about Apple’s use of the warrant canary: the fact that Apple’s a big name, and the fact that Apple’s transparency report is only published once every six months:

I don’t mean to say that Apple is magic, but that Apple is a name every federal judge will know. This relates to my second point…

…This canary is designed to chirp only twice a year, and only after a several month delay (transparency report published every six months, with a several month lag between the last data and the report). Why is this a good thing? Federal judges are inherently risk averse. They don’t like to rule in a hurry, and when forced to rule in a hurry, they tend to err on the side of maintaining the status quo. In the warrant canary context, I fear that a judge forced to rule quickly would attempt to maintain the status quo by forcing the service provider to “feed the canary,” that is to lie.

Apple is fully aware of that risk, Cardozo said, and that’s why the company has opted for “an every-six-months-with-a-several-month-delay-canary.”

That way, if Apple is faced with a Patriot Act request, it will be able to litigate without being in a mad rush.

“Think Lavabit, but worse,” Cardozo said.

He continued:

…In the cool light of morning … they’ll be able to tee up the issue on full briefing to a federal judge who’s NOT feeling rushed and who knows that he or she is dealing, not with some fringe security freak of a company (again, think Lavabit), but with a titan of industry.

Cardozo said it all in his summation: “Should be interesting!”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HGSlqQowIks/

AT&T turns spying on customers for CIA into cash waterfall – report


The Central Intelligence Agency is reportedly paying AT&T the princely sum of $10m a year in exchange for a detailed list of international calls made on its networks.

Several government officials familiar with the program told The New York Times that the system is a voluntary one by the company, and was set up in 2010. It apparently allows the CIA to provide a list of numbers used by suspects to the US telco, which then identifies other numbers contacted and who they called afterwards.


The CIA’s remit begins “at the water’s edge,” meaning it can only act on suspects outside US soil. To keep the program legal, if a number comes up that belongs to a US citizen, AT&T blanks out the details, although the CIA can then ask the FBI to investigate.

Mark Siegel, an AT&T spokesman, told the NYT: “We value our customers’ privacy and work hard to protect it by ensuring compliance with the law in all respects. We do not comment on questions concerning national security.”

AT&T has had problems with spying on its customers in the past. In the wake of the September 11 attacks, the company allowed the NSA to install monitoring stations in its San Francisco headquarters. After Mark Klein, one of AT&T’s engineers, blew the whistle on the practice, the telco was sued by the EFF before the government granted it retroactive immunity.

While apparently legal, the CIA’s deal with the company does show some serious initiative by the company in turning surveillance into a revenue source. That said, the NSA does also fund companies taking part in the PRISM surveillance scheme to cover expenses, according to documents leaked by ex-intelligence agency contractor Edward Snowden.

“The CIA protects the nation and upholds privacy rights of Americans by ensuring that its intelligence collection activities are focused on acquiring foreign intelligence and counterintelligence in accordance with U.S. laws,” said CIA spokesman Dean Boyd.

“The CIA is expressly forbidden from undertaking intelligence collection activities inside the United States ‘for the purpose of acquiring information concerning the domestic activities of US persons,’ and the CIA does not do so.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/08/at_and_t_cia_claim/

Watch out spooks: STANDARDS GROUPS are COMING AFTER YOU


The Internet Engineering Task Force (IETF) has vowed that the NSA won’t be allowed to get away with its nefarious surveillance of the internet any more … as soon as 1,100 boffins can agree on a PRISM-proofing plan.

The IETF met this week in Canada and the communiqué issued makes it plain that the standards body is mad as hell about online surveillance and doesn’t want to take it any more.


“Discussions over the past few months, including many in the more than 100 working group sessions this week, are carefully and systematically reviewing Internet security and exploring ways to improve privacy and other aspects of security for different applications,” IETF chair Jari Arkko says in the communiqué.

Stephen Farrell, an IETF security area director, conceded “there are challenges isolating the specific areas of attack that IETF protocols can mitigate” but added that “all of the working groups that considered the topic have started planning to address the threat using IETF tools that can mitigate aspects of the problem.”

Notes from the Vancouver meeting suggest meetings considered a few ways to harden the internet, including transport layer security (TLS) and “possibilities to get the TLS-secured versions more widely and consistently deployed.”

“Plans for upgrading the handling of mail, instant messaging and voice-over-IP protocols, in each case with a view to improving the resistance of the deployed base to pervasive monitoring,” also received some consideration, as did opportunistic encryption of multipath TCP.

Just what will emerge, and when, isn’t known. But the NSA and spooks everywhere can consider themselves warned: standards committees have decided to make their lives hell. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/08/watch_out_spooks_standards_groups_are_fighting_back/

Bitcoin burglar bags a million bucks


An Australian developer who goes by the name of “Trade Fortress” alleges a million dollars worth of Bitcoin has been stolen from his virtual wallet.

Trade Fortress made the allegation to ABC Radio, which reports he’s “over 18 but not much over” and doesn’t know where about 4100 Bitcoin have gone. With Bitcoin exchanges currently offering $US290 or more per coin, that’s $US1,189,000 ($AUD1.25m or £738,000).


Trade Fortress has since told Fairfax Media the server at inputs.io, a Bitcoin depository, was breached. That site now offers only a “sorry” notice advising depositors their Bitcoin are gone.

Beyond greed, Bitcoin forums offer other motives for the heist. Posters to this thread and this thread too accuse an entity called Trade Fortress of failing to deliver agreed-upon development work to their satisfaction and failing to provide refunds. The same forums’ profile for Trade Fortress offers coinlenders.com as the user’s website. The site offers to loan Bitcoins but charges one per cent of the loan per day for overdue payments. The site’s WHOIS information has been anonymised.

The Reg has no idea if the Trade Fortress complained about in the threads we’ve linked to and the person who spoke to ABC Radio and Fairfax are one and the same, and does not suggest they are. But if the same person is behind the name, it’s not hard to see why they may have been targeted: usurious money-lenders who don’t perform well on contracting jobs or offer refunds aren’t the most popular people on the planet!

Trade Fortress denies he pinched the coins himself and says he doesn’t see the point in telling Australia’s authorities about the heist as he feels Bitcoin’s anonymity provisions mean it will be impossible to track the culprit. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/08/bitcoin_burglar_bags_a_million_bucks/

GIMP flees SourceForge over dodgy ads and installer


The GNU Image Manipulation Program, a popular and free Photoshop alternative that glories in the name “The GIMP”, has decided it can no longer permit itself to be downloaded from SourceForge.

The application’s developers announced their decision here, arguing that SourceForge provides a user experience it can no longer support.


“In the past few months, we have received some complaints about the site where the GIMP installers for the Microsoft Windows platforms are hosted,” the developers write.

“SourceForge, once a useful and trustworthy place to develop and host FLOSS applications, has faced a problem with the ads they allow on their sites – the green ‘Download here’ buttons that appear on many, many ads leading to all kinds of unwanted utilities have been spotted there as well.”

A quick visit to SourceForge sustains the claim. Vulture South dropped in to download the useful FileZilla FTP tool and found the ad below.

That ad won’t fool hardened and cynical Reg readers, who, if they chose to follow the link to the site offering the chance to “READ NOW YOUR FAVORITE BOOKS, MAGAZINES COMICS FOR FREE”, would back away quickly. Less experienced surfers? We shudder to think.

[Image: a scary-looking ad on SourceForge. Caption: A free, full version? Sign me up!]

The ads weren’t The GIMP devs’ only beef, as they were willing to tolerate them until SourceForge’s new Windows installer came along. As the devs note, that tool “… bundles third-party offers with Free Software packages. We do not want to support this kind of behavior, and have thus decided to abandon SourceForge.”

The outfit now hosts its own mirrors, with downloads available here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/08/gimp_dumps_sourceforge_over_dodgy_ads_and_installer/

Survey Exposes The Dirty Little Secret Of Undisclosed Breaches

Nearly 60 percent of malware investigations in U.S. enterprises involve data breaches that were not disclosed, according to new research.

Some 66 percent of security professionals at U.S. companies with more than 500 employees say they have investigated or worked on a breach that was not disclosed by their organization, while 57 percent said they had worked on a data breach that went unreported, according to a survey of 200 security professionals by OpinionMatters, which was commissioned by ThreatTrack.

“While it is discouraging that so many malware analysts are aware of data breaches that enterprises have not disclosed, it is no surprise that the breaches are occurring,” says Julian Waits, CEO at ThreatTrack. “Every day, malware becomes more sophisticated, and U.S. enterprises are constantly targeted for cyber espionage campaigns from overseas competitors and foreign governments. This study reveals that malware analysts are acutely aware of the threats they face, and while many of them report progress in their ability to combat cyber attacks, they also point out deficiencies in resources and tools.”

Senior executives’ devices become infected 56 percent of the time due to their opening a malicious URL in a phishing email; 45 percent of the time after letting a family member use a company-owned device; 40 percent of the time due to visiting a pornographic website; and 33 percent for installing a malicious mobile app.

Around 40 percent of the IT pros say one of their biggest challenges is they don’t have the security staff resources they need. Some 67 percent say malware complexity is the hardest part of protecting their networks; 67 percent say the volume of malware attacks; and 58 percent, ineffective anti-malware products.

It takes more than two hours for more than half of security pros to analyze a new malware sample, and 4 percent say it takes them less than an hour.

A white paper on the report is available here for download.


Article source: http://www.darkreading.com/attacks-breaches/survey-exposes-the-dirty-little-secret-o/240163717

Companies To Evolve From Event Gatherers To Network Hunters

When David Bianco examined the company’s Web browsing logs, it did not take long for a pattern to appear.

At regular periods, nearly a dozen systems across the network would all request data from the same Web page. Because the company, which Bianco declined to name, captured network data, additional analysis revealed that all the suspicious systems downloaded small binaries. By running those executables in a virtual machine, Bianco, a network hunter, was able to identify the cause of the problem – an attacker using specialized malware.

Bianco, whose official title is Hunt Team Manager at incident-response firm Mandiant, does not like to wait for automated systems to flag suspicious behavior. As a network hunter, he goes looking for it. It’s a role that more companies should develop, because it allows them to run down attackers in their network before they do damage, he says.

“The goal of hunting is not only to find the evil in your organization,” he says. “The goal of hunting is to explore methods that let you find the evil in your organization, and—when you find those methods—you polish them up so you don’t have to hunt for the same stuff again.”

Companies that only wait for their security information and event monitoring systems to alert them to anomalies are missing a key resource in the fight against online attacks: inquisitive security analysts. By being more aggressive within their own network and hunting down signs of suspicious behavior, network hunters can minimize the time between infection and detection, says Will Gragido, senior manager of advanced threats research and intelligence for security firm RSA.

“A proactive defense is something that organizations should aspire toward,” he says. “I don’t think there is anything wrong with advocating a pro-active defense, because it is not the same as hacking back.”

While only organizations with mature network security groups typically have the capability to hunt for anomalies in their networks, it is a skill that should be developed within any security group, he says.

Network hunters exploit a weakness that hampers all external attackers: the attackers do not know the layout of the target’s network, so they will do things that insiders would never do as they poke around the network and discover its topology, says Dan Kaminsky, chief scientist at White Ops, a firm focused on securing the online advertising business.

“They actually don’t know the network they have broken into, they have to discover it,” he says. “So you want to find these rare signals that reveal the attacker’s actions in real time.”

Companies looking to start developing the needed skills for network hunters should begin at the end of the cyber kill chain, says Mandiant’s Bianco.

Kill chain analysis models the steps that an attacker must take to achieve his or her objective. The cyber kill chain, a concept first introduced by Lockheed Martin, consists of seven steps: reconnaissance of the target, creating an attack, delivering the payload, exploiting the target, installing tools, establishing command and control, and leveraging access to take action. Most companies embarking on their first hunt should look for the most serious activities at the end of the kill chain: signs of data exfiltration and command-and-control activity, Bianco says.

[For the cybercriminal lions out on the Internet, your company is full of zebras. Defenders should not just protect the herd, but pay attention to those who stray, experts argue. See Five Ways To Better Hunt The Zebras In Your Network.]

Data exfiltration may look like large amounts of traffic from a sensitive server or smaller amounts leaving at frequent intervals. Command-and-control traffic generally is HTTP requests with suspicious or unknown destinations. Where they look depends on what a hunter wants to find, he says.

“It’s like saying, if I’m going to hunt birds, I look in the trees, and if I’m hunting deer, I look at the ground,” Bianco says.

Once a network hunter finds the attacker or malware in the network, they can turn their knowledge of how to pinpoint the attack into rules for the company’s network and security equipment. By fusing the internal information with external threat data, a company can take an internal investigation and turn it into a rule set that can automatically detect such attacks in the future.
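The hunt described above (periodic requests to one page from many hosts, bulk traffic leaving a host, and turning a confirmed finding into a reusable rule) can be expressed as a small script over web-proxy logs. The following is an added example, not code from the article or from Mandiant, CrowdStrike or RSA; the log format, the sample lines, the thresholds and the rule syntax it emits are all constructed for illustration.

```python
"""Hunting for C2 beaconing and bulk uploads in web-proxy logs.

Added example; the six-column log format below is an assumption:
  timestamp  client_ip  method  url  request_bytes  response_bytes
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log. Three clients fetch the same path every ~600 s
# (a beacon), one client browses normally, and one client pushes a large POST.
SAMPLE_LOG = """\
2013-11-08T09:00:00 10.0.1.15 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:00:02 10.0.1.22 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:00:05 10.0.1.37 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:03:11 10.0.1.40 GET http://news.example/index.html 0 48211
2013-11-08T09:10:01 10.0.1.15 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:10:03 10.0.1.22 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:10:04 10.0.1.37 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:14:50 10.0.1.40 GET http://news.example/story/42 0 22010
2013-11-08T09:19:58 10.0.1.15 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:20:02 10.0.1.22 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:20:07 10.0.1.37 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:30:01 10.0.1.15 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:30:04 10.0.1.22 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:30:06 10.0.1.37 GET http://cdn-update.example/u/check.php 0 512
2013-11-08T09:31:20 10.0.1.40 GET http://news.example/index.html 0 48211
2013-11-08T09:40:00 10.0.1.15 POST http://cdn-update.example/u/up.php 2100000 64
"""


def parse_log(text):
    """Return (timestamp, client, method, url, req_bytes, resp_bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, req, resp = line.split()
        events.append((datetime.fromisoformat(ts), client, method, url, int(req), int(resp)))
    return events


def find_beacons(events, min_clients=3, min_hits=3, max_jitter=0.05):
    """Map (host, path) -> {client: period_seconds} for beacon-like destinations.

    A destination qualifies when at least `min_clients` distinct clients each
    request it `min_hits` or more times with near-constant spacing: the
    coefficient of variation (stdev / mean) of the inter-request gaps is at
    most `max_jitter`. Human browsing produces irregular gaps and fails this.
    """
    per_dest = defaultdict(lambda: defaultdict(list))
    for ts, client, _method, url, _req, _resp in events:
        parts = urlsplit(url)
        per_dest[(parts.hostname, parts.path)][client].append(ts)

    findings = {}
    for dest, clients in per_dest.items():
        periodic = {}
        for client, stamps in clients.items():
            if len(stamps) < min_hits:
                continue
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                periodic[client] = round(avg)
        if len(periodic) >= min_clients:
            findings[dest] = periodic
    return findings


def find_bulk_uploads(events, min_bytes=1_000_000):
    """Map (client, host) -> total POST request bytes where the total is large.

    Catches the "large amount leaving one host" form of exfiltration; the
    "small amounts at frequent intervals" form shows up in find_beacons when
    the uploads ride on a fixed-period path.
    """
    totals = defaultdict(int)
    for _ts, client, method, url, req, _resp in events:
        if method == "POST":
            totals[(client, urlsplit(url).hostname)] += req
    return {key: total for key, total in totals.items() if total >= min_bytes}


def to_rules(beacons, uploads):
    """Turn hunt findings into block-list lines (a made-up rule syntax)."""
    rules = []
    for (host, path), clients in sorted(beacons.items()):
        period = round(mean(clients.values()))
        rules.append(f'alert http any -> {host} path={path} '
                     f'msg="beacon every ~{period}s seen on {len(clients)} hosts"')
    for (client, host), nbytes in sorted(uploads.items()):
        rules.append(f'alert http {client} -> {host} method=POST '
                     f'msg="bulk upload {nbytes} bytes"')
    return rules


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for rule in to_rules(find_beacons(evts), find_bulk_uploads(evts)):
        print(rule)
```

The jitter threshold is the knob that matters: real beacons often add random sleep on purpose, so a hunter widens `max_jitter` and lowers `min_clients` on a second pass, then confirms candidates by pulling the downloaded bodies, exactly as the article's analyst did, before promoting anything to a rule.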

It’s that ability to improve security in the future that makes network hunting so valuable, says Adam Meyers, director of intelligence at security services firm CrowdStrike.

“The big challenge is how do you operationalize intelligence information,” he says. “When they are hunting for things on their network, that is where they are getting into the operationalization of the data.”


Article source: http://www.darkreading.com/threat-intelligence/companies-to-evolve-from-event-gatherers/240163721

Brit spymasters: Cheers, Snowden. Terrorists are overhauling their comms


Terrorists in Afghanistan and the Middle East are discussing changing their communication systems as a result of Edward Snowden’s revelations, the boss of GCHQ said on Thursday.

Sir Iain Lobban, director of the UK’s eavesdropping nerve center, made the claims during a meeting in London with MPs and lords on Parliament’s Intelligence and Security Committee [transcript PDF].


He said militants have chatted about Snowden’s bombshell leaks, which have blown the lid on the NSA and GCHQ’s latest global surveillance operations, and mulled whether they should move to other “communications packages” that could be less vulnerable to interception.

“We have seen chat among terrorist groups discussing how to avoid what they now perceive to be vulnerable,” said Sir Iain.

The spy chief said he would only go into the specifics if the committee held a session closed to journalists and the public, claiming that revealing the details in the open would compound any damage done by Snowden’s whistleblowing.

“The cumulative effect of press revelations will make our jobs harder for years to come,” Sir Iain told the panel of politicians. Efforts to “uncover terrorist cells” and “battle sexual exploitation of children” have been undermined by the publication of documents leaked by ex-NSA contractor Snowden, the spy boss claimed.

Sir Iain appeared before the intelligence committee alongside Andrew Parker, director general of the Security Service (MI5), and Sir John Sawers, chief of the Secret Intelligence Service (MI6). The session marked the first time the agencies’ spymasters had appeared together in public and spoken at an open parliamentary meeting – the chiefs normally give evidence in private.

The GCHQ director rarely, if ever, speaks in public, just like his staff, but he added: “I don’t think secret means sinister.”

Sir Iain’s remarks are in line with those of MI5’s new boss, who earlier claimed Snowden’s leaks aided terrorists. MI6 chief Sir John added yesterday that the whistleblower has “put operations at risk”, but did not elaborate further.

Spook masters enjoy a cosy chat

The questioning by politicians was friendly, and difficult topics weren’t pressed or even raised. For example, Sir Iain was not asked about reports that GCHQ is working with the NSA to crack or nobble popular encryption systems, an effort heavily criticized by web grandfather Sir Tim Berners-Lee earlier in the day.

The thorny topic of whether America and Britain’s worldwide dragnet surveillance of internet traffic, the tapping of trans-Atlantic fibre-optic cables and other tactics alleged by Snowden, may be damaging to the UK’s higher ambitions of becoming the best place in the world for e-commerce wasn’t even raised.

The lack of probing questions came as no great surprise. Details of intelligence techniques and inquiries into ongoing operations were declared off limits before the event.

Sir Iain denied that his agency listened into the telephone calls or read emails of the public as a whole. “That would not be proportionate and that would not be legal,” he said. All three spy chiefs said their operatives worked within the law. The committee previously cleared GCHQ of any wrongdoing in its cooperation with the NSA on PRISM.

MI5 chief Andrew Parker claimed that 34 terrorist plots had been thwarted in the UK since the London Underground bombings in 2005, but there were no follow-up questions, so it’s unclear what role, if any, electronic spying played in those counter-terrorism operations. One or two of the foiled attacks would have caused mass casualties if successful, we’re told.

During the hearing, Parker said that the £2bn annual budget for the intelligence services accounted for six per cent of the UK’s yearly defense spending, adding that government ministers felt this level of expenditure was proportionate.

The spy chiefs were asked why their spooks had failed to predict the end of the Cold War, the 9/11 attacks in New York, and the Arab Spring uprising. MI6 chief Sir John responded: “We are not crystal ball gazers; we are intelligence agencies. We could all see the fault lines in Arab societies but no one predicted when the earthquake would hit.” ®

Comment

For 007 fans out there, Sir John dismissed comparisons between him and MI6 boss M in the James Bond universe. Blighty’s real spook chief said his spies don’t go out into the field and report back two months later with a new blonde (or blond) on their arm. Field agents are in constant communication, he said.

But, to me, that’s pretty much how Bond has been portrayed for decades, stretching back to the Roger Moore era, at least. Moore’s Bond was the last one to regularly go off grid, though admittedly Daniel Craig’s Bond did disappear for months after he’d been shot and left for dead at the beginning of Skyfall.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/07/terrorists_switching_ccmms_techniques_because_of_sncwden_leaks_claims_gchq_chief/