STE WILLIAMS

Chinese hacker bust drove crims underground says report


The public exposure of Chinese hacking group APT1 and its alleged affiliation to the People’s Liberation Army has done nothing but drive its members deeper underground, according to a US congressional report.

The US-China Economic and Security Commission, which advises Congress on China, said in a draft report seen by Reuters that the allegations made by security firm Mandiant in February only led to a brief cessation of activities.


“There are no indications the public exposure of Chinese cyber espionage in technical detail throughout 2013 has led China to change its attitude toward the use of cyber espionage to steal proprietary economic and trade information,” the report apparently argues.

Mandiant’s report raised a great many eyebrows in the international community earlier this year when it became the first to link extensive APT-style campaigns by the infamous APT1 or Comment Crew with PLA unit 61398, which it said worked out of the same nondescript tower blocks in Shanghai’s Pudong district.

The 60-page report, although not 100 per cent conclusive, makes a pretty compelling argument and is the closest anyone’s come to establishing the link between Beijing and extensive online attacks on targets outside the Great Firewall.

It was hoped by some that the naming and shaming done in the report would cause Beijing to rethink and dial back its cyber espionage efforts, but that now seems to have been something of a pipe dream.

The US draft report apparently claims that Mandiant’s revelations “merely led Unit 61398 to make changes to its cyber ‘tools and infrastructure’ [to make] future intrusions harder to detect and attribute”.

In fact, as early as May this year, Mandiant reported that APT1 was “active and rebuilding”. It added the following:

APT1 maintained an extensive infrastructure of computer systems around the world, and it is highly likely that APT1 still maintains access to those systems or has utilised those systems to establish new attack infrastructure in the last three months.

The 20+ other APT groups Mandiant is tracking, which are suspected to operate from China, didn’t significantly change their operations after the February report, it said.

For its part, Beijing continues to claim it has no part in any kind of offensive online espionage activity and that it is a victim, not a perpetrator, when it comes to cyber crime – a claim which has gained more credence since the NSA spying revelations came to light. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/07/mandiant_exposure_drove_apt1_underground/

EiQ Networks Offers To Help Organizations Assess Cyber Defense Readiness

Acton, Mass., November 6, 2013 – EiQ Networks, a pioneer in simplified security, risk and compliance solutions, today announced the availability of a new offering to help organizations assess their cyber defense readiness. The Cyber Defense Readiness offering was developed to provide organizations a preliminary assessment report of whether security gaps exist in their network and systems.

Increasingly, organizations of all sizes are becoming victims of cyber attacks on a daily basis. A majority of breaches go undetected due to the complexities involved in analyzing all security data across IT assets, inadequate security controls, and a lack of actionable and timely security intelligence. According to a recent Ponemon study, it takes an average of 80 days for a company to discover a malicious breach and another four months to resolve it. According to the Ernst & Young 2013 Global Information Security Survey, organizations throughout the world continue to struggle to hire enough qualified staff to help ensure adequate cybersecurity. Given this lack of trained cyber security staff, coupled with antiquated, compliance-dominated security programs and technologies, and the fact that it is becoming increasingly easier for hackers to attack corporate networks with new and sophisticated tools, it is no wonder that organizations of all sizes are exposed to cyber criminals and attacks. The 2013 Verizon DBIR illustrates that large and SMB companies are equally prone to a cyber attack.

EiQ’s Cyber Defense Readiness offering is based on the three critical pillars of a sound security program. Namely:

• Process: A set of processes and best practices developed and implemented based on industry standards such as SANS 20 Critical Security Controls

• Technology: A set of tools that provide immediate and comprehensive visibility into the “Threat” by utilizing Unified Situational Awareness, which removes data silos and connects all the dots

• People: Trained, experienced Information Security professionals who monitor and assess an IT infrastructure 24x7

By combining all three pillars, EiQ is able to deliver an independent assessment of an organization’s cyber defense readiness in an easy-to-view report.

“Companies require a holistic view of their security posture, but oftentimes do not have enough qualified security professionals on staff or a well-defined, best-practices-based security program in place to help with cyber defenses,” said Rob Aragao, vice president, services at EiQ Networks. “This offering provides an independent audit of their cyber defense readiness, and it can be accomplished relatively quickly.”

You can register for your EiQ Networks Cyber Defense Readiness assessment today at: http://offers.eiqnetworks.com/eiq-networks-cyber-defense-readiness-assessment

This new complimentary offering is part of EiQ Networks’ commitment to resolving the industry-wide challenges around traditional SIEM and log management acquisition, operational complexities and the shortage of trained cyber security professionals. As such, further announcements will be forthcoming that address the complexity and management burdens associated with SIEM products.

About EiQ Networks:

EiQ Networks, a pioneer in simplified security and compliance solutions, is transforming how organizations identify threats, mitigate risks and enable compliance. Our solution, SecureVue, is a unified situational awareness platform that proactively detects incidents, minimizes “false positives” and delivers timely and actionable intelligence by simplifying often-complex interactions between security, risk and compliance. Through a single console, SecureVue provides a unified view of your entire IT infrastructure for proactive security and risk analysis, continuous monitoring, configuration auditing, compliance automation and context relevant search. For more information, visit: http://www.eiqnetworks.com.

Article source: http://www.darkreading.com/management/eiq-networks-offers-to-help-organization/240163664

Secure Windowing KVM Delivers Simultaneous Interaction With Multiple Computers

PLAYA VISTA, CA – November 5, 2013 – Belkin, a trusted leader of technology solutions for office, classroom, IT infrastructure, and mobile environments, today announced the expansion of its award-winning secure KVM product line with the first-to-market Belkin Secure Windowing KVM Switch. The new switch delivers superior peripheral security for government and high-security agencies by providing true data path isolation between systems and networks, the hallmark of Belkin’s Advanced Secure KVM product family.

Unlike conventional KVMs, the Belkin Secure Windowing KVM Switch requires no manual push-button switching between channels. The new switch enables simultaneous user interaction with multiple computers connected to networks with different security levels, using one mouse, one keyboard and one or two display monitors.

Traditional secure KVM switches allow users to work on only one channel or computer at a time. The new switch is the only product designed for environments in which the user needs to constantly work at and monitor multiple computers, with different security levels, simultaneously, without quality loss, latency, reduced colors, or dropped frames. Using state-of-the-art video technology, the Belkin Secure Windowing KVM allows users to fit up to four full HD sources on a single HD display.

The Windowing KVM is fully compatible with legacy (using Belkin Smart Cables) and new government systems, and is Common Criteria validated to EAL 4+ to assure the highest level of protection.

Additional security features of Belkin’s Secure Windowing KVM Switch include:

• Advanced scaling function, allowing users to scale the video source to 1/2 and 1/4 size

• Two additional working modes: tile and scaling

• Dual-display model, the ideal setup for high-end users

• Easy customization of channels, colors, cursors, task bar, background, and more

“The new Secure Windowing KVM Switch brings the era of manual push-button switching between channels to an end, and makes simultaneous interaction with multiple computers a reality,” said Luis Artiz, director of product management, Business Division, Belkin International. “Like all products in Belkin’s award-winning Secure KVM portfolio, the Windowing KVM exemplifies our continued focus on improving workstation security, which pivots on true data path isolation between systems and networks. We will continue to advance our technology to meet the security requirements of government agencies, financial institutions, and other organizations that handle sensitive or confidential data on separate networks with different levels of security.”

Belkin’s Secure Windowing KVM Switch is now available through the company’s network of authorized channel partners.

Belkin delivers the necessary components for workstation security, as well as every essential accessory and peripheral device to provide a complete, efficient, productive workstation that meets the demands of government use. For more information visit: Belkin Government.

About Belkin Business

Belkin Business, a division of Belkin International, offers technology solutions for office, classroom, IT infrastructure, and mobile environments. A proven technology leader for more than 30 years, Belkin is trusted by organizations worldwide for its unwavering commitment to product quality and its expertise in creating solutions designed to address customer requirements in business, government and education. With a global supply chain and broad provider network, Belkin commands a purchasing power that delivers greater value and unparalleled execution advantages to customers. The company’s line of commercial products is available through Belkin’s global network of distributors and resellers. Headquartered in Playa Vista, California, the company is represented in more than 25 countries and can be found on the Web at http://www.belkinbusiness.com.

Article source: http://www.darkreading.com/end-user/secure-windowing-kvm-delivers-simultaneo/240163665

GFT Mobile Banking Study: Mobiles Cannot Replace Local Bank Branches

London, November 5, 2013 – Is a cashless society the shape of things to come? Many predict a world without physical money, where people are prepared to carry out all their banking transactions through mobile devices. But few are willing to completely do without personal interaction with advisors. These were findings of a recent study conducted by GFT Technologies. As part of its survey, the international IT solutions provider asked some 900 people – in Brazil, Germany, the UK, Spain and the United States.

According to forecasts, by 2017 one billion people will be carrying out online financial transactions or engaging in mobile banking. “The bank that customers opt for will be largely dictated by the mobile banking options offered,” states Marika Lulay, Chief Operating Officer at GFT. “The traditional banks will really feel the pressure placed on them by the direct banks and the providers of digital wallets, or in-app billing options.” One clear finding of the study: the key to success will be omni-channel banking. This is because customers use different banking channels in parallel – from smartphones to tablets and personal computers. As a result, the key challenge for the banks will be to match and integrate all the different processes involved.

The GFT study also clearly highlights the huge gaps between habits in different countries. In Spain and Brazil, over 60% of respondents said they already use mobile banking solutions, whereas German customers were much more cautious about adopting new methods: only 26% use their smartphone for banking purposes. The UK currently sits between these two extremes, with nearly 40% of respondents adopting the mobile banking platform. “If the customers’ fears of fraud or security breaches can be overcome, this number is certain to rise,” states Lulay. Additionally, over half of the respondents were unwilling to completely do without their local branch office: customers need personal contact, especially when it comes to larger transactions or credit arrangements. The picture is different for money transfers, cash withdrawals or bank statements – areas where, according to the study, traditional branches will soon no longer be required.

“This is a time of transition for us,” states Marika Lulay, recommending that the banks combine different sales channels into integrated offerings. “It’s important to understand which branches should be kept on and make these future-ready by ensuring they provide a rich selection of interactive tools and entertainment options.” The study points to a variety of pioneering bricks-and-mortar concepts. Just some examples: Q110, the Deutsche Bank of the future, or San Francisco’s first banking café, which is run by ING Direct and allows customers to open a new account while enjoying a cappuccino.

GFT offers banks specialist support to gear themselves up for future requirements. One area in which GFT can help is security, a topic highlighted by the study as fraught with difficulty – not just in terms of protecting smartphones but also when it comes to managing passwords. One way to enhance security comes in the form of NFC-TAN, a near field communication (NFC) based mobile authentication process developed by GFT in collaboration with the University of Tübingen in Germany. Another key area highlighted by the study as a future trend will be voice recognition, a field in which GFT has already developed a proof of concept for a biometric voice authorisation system.


Notes to Editors

About the study

The aim of the study, which was titled ‘Will smartphones replace bank branches?’, was to probe the usage and attitude of respondents when it comes to mobile banking and to identify future trends in different countries. In May 2013, 894 people were surveyed in five countries: Brazil, the United States, Germany, the UK and Spain. As part of the study, the researchers also gained an overview of the current status of the market by reviewing existing studies and examining pioneering branch concepts. A free copy of the study can be obtained here – http://www.gft.com/uk/en/index/services/perspectives/bluepaper_will_smartphones_replace_bank_branches.html

About the GFT Group:

The GFT Group is a global technology partner for future digital issues – covering everything from discovering innovation to developing and implementing sustainable business models.

Within the GFT Group, GFT stands for competent consulting and reliable development, implementation and maintenance of customized IT solutions. The company is one of the world’s leading IT solutions providers in the banking sector.

emagine offers companies the opportunity to staff their strategic technology projects both quickly and flexibly with capable experts. To achieve this, emagine has an international network of highly qualified IT and engineering specialists at its disposal.

CODE_n, the GFT Group’s innovation platform, offers international startups, technology pioneers and established companies access to a global network. It’s where ideas become business.

Headquartered in Germany, the GFT Group has stood for technological expertise, innovative strength and outstanding quality for over 25 years. Founded in 1987, the GFT Group is expected to achieve revenues of around €260 million in 2013. With a global team spanning 2,000 employees, the company is represented in eight countries by its 32 local offices. The GFT Group is listed on the Frankfurt Stock Exchange (Prime Standard).

Article source: http://www.darkreading.com/government-vertical/gft-mobile-banking-study-mobiles-cannot/240163666

Making Wide Scale Surveillance Too Expensive

As custodians of the Internet mull over the lessons that revelations about National Security Agency (NSA) surveillance offer about the insecurity of the Internet’s infrastructure, architects must find ways to make wholesale spying more expensive. So said noted cryptographer and security evangelist Bruce Schneier in a talk today about Internet hardening at the Internet Engineering Task Force (IETF) plenary session.

“There are a lot of technical things we can do. The goal is to make eavesdropping expensive,” Schneier said. “That’s the way to think about this, is to force the NSA to abandon wholesale collection in favor of targeted collection of information.”

As things stand now, the NSA’s surveillance efforts are aided and abetted by today’s information economy, he explained. With data being collected about consumers at every step of their movement online, and very little of it being purged from corporate systems, it is only a matter of time before someone puts that data to use.

“This is not a question of malice in anybody’s heart, this is the way computers work. So what you’re ending up with is basically a public-private surveillance partnership,” he says. “NSA surveillance largely piggybacks on corporate capabilities—through cooperation, through bribery, through threats and through compulsion. Fundamentally, surveillance is the business model of the Internet. The NSA didn’t wake up and say let’s just spy on everybody. They looked up and said, ‘Wow, corporations are spying on everybody. Let’s get ourselves a cut.’”


According to Schneier, groups like IETF need to find a way to get everyone to understand that a secure Internet is in everybody’s best interest. And beyond the political and legal solutions to the problems, technologists must find ways to make it more onerous for wide scale surveillance to be carried out.

This starts with ubiquitous encryption on the Internet backbone, Schneier said, along with usable application-layer encryption. Additionally, thought needs to be put into target dispersal.

“We were safer when our email was at 10,000 ISPs than it was at 10,” he said. “It makes it easier for the NSA and others to collect. So anything to disperse targets makes sense.”

Additionally, increasing use of endpoint security products and better-integrated anonymity tools can help thwart widespread spying. Finally, security and technology assurance needs to be fixed, so that back doors aren’t left behind for any one person or group to take advantage of.

“This is a hard one but it’s an important one,” he said. “We need some way to guarantee, to determine, and to have some confidence that the software we have does what it’s supposed to do and nothing else.”

Additionally, people need to understand that while the NSA is in the limelight at the moment, it is a symptom of a much bigger disease. The NSA is not the only government agency in the world to engage in these behaviors, and private organizations do so too, to some extent.

“This is a fundamental problem of data sharing and of surveillance as a business model. This is about the benefits of big data versus the individual risks of big data,” he said. “When you look at behavioral data of advertising, of health data, of education data, of movement data, the question becomes how do we design systems that benefit society as a whole while protecting people individually. I believe this is the fundamental issue of the information age.”


Article source: http://www.darkreading.com/vulnerability/making-wide-scale-surveillance-too-expen/240163668

1,000 alleged paedophiles identified via 10-year-old Filipina CGI girl ‘Sweetie’

The alleged paedophile wanted 15 minutes of what he thought would be a 10-year-old naked Filipina girl giving him a sex performance in front of a webcam.

He didn’t want to pay too much, though.

The “girl” – a CGI character named “Sweetie” created by researchers from the Netherlands charity Terre des Hommes – asked for $15 (£9), but the alleged predator talked her down to $10 (£6).

Making Sweetie

A sample of the conversation was reproduced in the charity’s PDF writeup of a mass paedophile sting undertaken to battle webcam sex tourism.

It took place on 26 April between a researcher, who posed as Sweetie using an application – “Sweetie1000” – that relies on cutting-edge, Hollywood-style animation, and the predator, identified as a 35-year-old father of two from Atlanta, Georgia, in the US.

The predator was only one of 1,000 identified by Terre des Hommes researchers after the alleged child abusers were caught in the act of soliciting webcam sex performances from Filipino children.

The number of alleged predators who have been identified is, in turn, only a small percentage of the 20,172 predators from 71 countries who responded to the researchers’ lure, asking for webcam sex performances.

The researchers identified the suspects using information available in public online databases and data provided by predators, they said:

No computer hacking or illegal methods were applied. Instead, we just asked predators to provide identifying information under the fictional pretext – a technique known as “social hacking.”

Four researchers spent a combined total of 1,600 hours over the course of 10 weeks posing as prepubescent Filipina girls in 19 public online chat rooms.

Details of the suspects’ identities and activities have been submitted to Interpol.

The researchers gave these details in an FAQ to depict how the extremely convincing character of Sweetie came to life:

First, her face and body were modeled to resemble a 10-year-old Filipina girl. In that model, specific points were marked at which her joins [sic] and muscles move. Then we used motion sensors to record the exact sequence of motions that a person performs while chatting with people online – typing, smiling, frowning, looking up, down, and side to side. Those motions were captured and recorded from a human model wearing motion sensors and the motion sequences were programed into an application that controls the way Sweetie moves on command. We used a control board that had pre-programmed motions and facial expressions, so while the researchers chatted with predators, predators would see Sweetie typing while the researchers typed to ensure precise timing.

Terre des Hommes’s research suggests that predators will pay between $10 and $100 per show, depending on whether transactions are made through a pimp or a middleman, how long the show lasts, and the nature of the performance.

The suspected predators will only be prosecuted if police manage to gather their own evidence.

The biggest problem in battling this type of child abuse is that police don’t investigate predation until a crime is reported, the charity says.

But in the case of webcam sex tourism, victims don’t usually report the crimes for a number of reasons, whether it’s financial dependency or that they’re trafficked slaves held captive in “dens” where they may also endure physical abuse and neglect, the charity says.

Often … children are intimidated and fearful of consequences or they and their families depend on the income generated through webcam sex performances.

How is this not entrapment?

Terre des Hommes explains:

[Avoiding entrapment] is done by using as little overt “influence” as possible and luring individuals rather than targeting them based on suspicion. Luring individuals with an opportunity to commit a specific crime is a passive method of identifying people who are already inclined to commit that crime.

For example, researchers lured individuals via chat names that suggested that they were prepubescent girls, the charity said:

The opportunity to commit a crime was presented when adults in chat rooms were faced with a supposed minor whom they had the option to respect or abuse. Individuals who contacted the supposed minor were presumed innocent until they actually committed a crime on their own volition.

Terre des Hommes regards individuals who initiate contact and request a sexual webcam show from someone claiming to be a child as predators actively attempting to abuse children.

Such individuals are, in fact, considered to be inclined or predisposed to committing the crime, the charity says.

I agree with Terre des Hommes.

Do you? Let us know in the comments section below.

Terre des Hommes is offering law enforcement agencies a toolkit that explains its method of finding and identifying online predators. It’s also offering operational Sweetie1000 software and training in its use.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Uxq28zKIjUM/

Anatomy of a file format problem

Four months ago, the Android platform was stirred, though fortunately not too badly shaken in the end, by a pair of code verification holes.

Simply put, you could add malware to a legitimate app – one from the Play Store, if you liked, complete with icons, branding and reputation – in such a way that Android’s digital signature verification would consider it unaltered.

From the helpless user’s point of view, Google wouldn’t just fail to warn about the app possibly being dodgy, it would actively assert that it was a validated and unaltered item from the original, legitimate vendor.

Google, developers, users: everyone lost out except the crooks.

Sloppy coding

Both of those earlier holes came about as a consequence of sloppy coding to do with Android Package (APK) files, the format used for delivering apps.

It turns out that there was a third bug of a similar sort, found at around the same time as the others, but only publicly patched this month, when the open source code from Android 4.4, better known as Kit Kat, was released.

→ Android and iOS low level code maestro Jay Freeman (better known as @saurik), amongst others, found this bug mid-2013 but forbore from writing it up until the patch was officially out.

It’s the sort of mistake that a company with the self-professed security smarts of Google really ought not to have made, not least in one of Android’s much-vaunted security linchpins, namely the compulsory validation of digital signatures when installing new software.

So this is a story worth telling, because it is a powerful reminder of how backward compatibility, multi-language programming, and the re-use of code libraries not designed with security in mind can get in the way of correctness.

Here’s what went wrong.

The how and why of APK files

For reasons I don’t know, but presumably because the format was well-established, Google settled on ZIP files as the storage containers for Android Packages (APKs).

APKs are just ZIPs containing a special subdirectory, called META-INF, that holds signed checksums for all the other files in the package.

Unfortunately, the ZIP file format came out in the late 1980s, aimed at convenience and efficiency, not security.

→ The reason that APKs need a special META-INF directory for cryptographic metadata is that ZIP files were designed to support only the most basic non-cryptographic validation, such as checking that a shareware download wasn’t corrupted by your 0.0012 Mbit/sec modem. Verifying the identity of the original creator was not a consideration.

A ZIP file, also known as an archive, is effectively a special-purpose filing system.

ZIPs can store multiple files in a directory structure, with each file and directory individually named, timestamped, compressed and, optionally (albeit insecurely) encrypted.

Today, of course, despite the giant size of many software distributions, removable storage devices are usually larger than the files you’re downloading – OS X Mavericks, at a whopping 5.3GB, for example, fits easily onto all but the very cheapest and smallest USB sticks on the market.

But that wasn’t true in the 1980s and 1990s, when downloads often ran to several megabytes, while a regular floppy diskette could store just 720KB.

ZIP files, therefore, were not only compressed to save space, but also laid out so that they could easily be split across multiple diskettes.

Better yet, they could be restored – file by file, if necessary – without requiring you to insert every diskette one-by-one to work out the directory structure before starting.

As a result, the ZIP format is deliberately redundant, and its internal directory structure is recorded twice.

The file and directory names are stored first as a series of individual local headers interleaved with the data for each file, and then stored again in the curiously-named central directory tacked on the end.

By keeping the central directory to the end, the ZIP program never needs to ask you to reinsert an earlier floppy disk to rewrite it when building the archive.

And by interleaving file headers throughout, ZIP files can still be recovered, at least in part, even if the last floppy in the set is lost or damaged.

The downside of redundancy

This sort of redundancy is handy in an emergency, but can be dangerously distracting during routine operations.

There’s a famous nautical adage (or if there isn’t, there should be) that says, “When you set to sea, take three chronometers. If one of them breaks, throw one of the remaining two overboard.”

I made that up, but the reasoning is sound: with three clocks, you still have a majority vote if one goes wrong.

But if you have two, and they read differently, what are you going to do to resolve the dilemma?

You face a similar problem with ZIP file metadata.

What Google really ought to do – or ought to have done when the first two APK holes surfaced – is to break this dilemma permanently by treating APK files in one or both of these ways:

  • Pick one of the two file metadata systems in the ZIP format, and use it exclusively when decompressing APKs, deliberately removing or avoiding any library code that might read and rely on the alternative metadata and thus harm security.
  • As part of validation, before trusting any file objects inside an APK, check that the two directory structures are identical, giving the same filenames, timestamps, sizes, and so forth. If not, assume corruption or malevolence.

The latest flaw

The ZIP file ambiguity exploit patched in Android 4.4 abuses the filename length field in a ZIP file’s metadata.

This tells you how many bytes to skip forward in the local file header to get past the filename in the header itself to the actual file data, and how many bytes to skip forward in the central directory to get past the filename to the next directory entry. (There is no file data in the central directory, only file metadata.)

You can probably guess what’s coming next.

The Java code in Android 4.3 and earlier that extracts the file data to verify it uses the filename length from the central directory.

But the C code that extracts the file to install and execute it uses the filename length in the local header.

So you can deliberately craft a file that is laid out as shown in the diagram above, with the local header filename length deliberately set so large that it points past both the filename and the original file data.

This presents one file to the verifier, and a different file to the operating system loader.

Very simply put: the loader can be fed malware but the verifier will never see it.

How can that work?

At this point you may be wondering how this subterfuge can possibly work, unless the dodgy file is the last in the archive and Android doesn’t check for a neat conclusion to its file-by-file processing of the APK.

After all, in the above diagram, surely the C code will see an absurd and deeply suspicious filename?

The filename length is so big that the C code will see the real filename with the raw binary content of the original file (shaded green) tacked on the end, and that won’t match anything in the META-INF security database.

And surely the Java code that does the verification will get lost when moving forward in the APK?

The data that follows the original file data is supposed to be the next local file header, recognisable by its PK\x03\x04 “magic” string, but in our example, the file data is followed by yet more data – the imposter file (shaded pink).

Saurik explains this very simply in his coverage of the bug: the C code ignores the filename from the local header; and the Java code uses file offsets from the central directory to navigate through the archive.

So neither of the giveaway “something’s gone wrong” conditions described above arises.

→ The central directory includes a file offset for each local header, so that once the Java code has finished verifying a file, it can jump directly to the next one, thus avoiding the local header data that would cause it to skip forward incorrectly. The imposter data, squeezed between the legitimate file and the next local header, is simply ignored.
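To make the two views concrete, here is an added example in Python (it is not code from the original article, nor from Android’s own source). It hand-builds a one-entry, stored ZIP with struct, once well formed and once crafted as described above, then reads it back three ways: the way the pre-4.4 verifier did (filename length and size from the central directory), the way the native loader does (every length from the local header, which is also the path the Android 4.4 verifier now follows), and with the “compare both directory structures” check proposed in the fix list earlier. The record layouts follow the ZIP specification; the function names and the sample payloads are made up for this illustration.

```python
"""Constructed demo of the APK filename-length ambiguity and two defences.

Assumptions for this illustration: one stored (uncompressed) entry, no archive
comment, and payloads/function names that are invented, not taken from Android.
"""
import struct
import zlib
from collections import namedtuple

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4s5H3I2H"       # 30-byte local file header
CENTRAL_FMT = "<4s6H3I5H2I"   # 46-byte central directory header
EOCD_FMT = "<4s4H2IH"         # 22-byte end-of-central-directory record

Entry = namedtuple("Entry", "name crc size offset")


def build_zip(name, data, imposter=None):
    """Build the archive.  With imposter=None it is well formed.  Otherwise the local
    header is crafted as in the bug: its filename length covers the real filename AND
    the legitimate data, and its size/CRC describe the imposter spliced in behind them.
    The central directory still describes the legitimate file."""
    crc = zlib.crc32(data)
    if imposter is None:
        name_len, body, size, body_crc = len(name), data, len(data), crc
    else:
        name_len = len(name) + len(data)              # "filename" swallows the real data
        body, size, body_crc = data + imposter, len(imposter), zlib.crc32(imposter)
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0, body_crc, size, size, name_len, 0)
    local_record = local + name + body
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0,
                          crc, len(data), len(data), len(name), 0, 0, 0, 0, 0, 0)
    central_record = central + name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central_record), len(local_record), 0)
    return local_record + central_record + eocd


def central_directory(blob):
    """Locate the central directory via the EOCD record and yield one Entry per file."""
    _, _, _, _, count, _, pos, _ = struct.unpack(EOCD_FMT, blob[-22:])
    for _ in range(count):
        f = struct.unpack(CENTRAL_FMT, blob[pos:pos + 46])
        crc, csize, nlen, xlen, clen, offset = f[7], f[8], f[10], f[11], f[12], f[16]
        yield Entry(blob[pos + 46:pos + 46 + nlen], crc, csize, offset)
        pos += 46 + nlen + xlen + clen


def local_header(blob, offset):
    """Return (crc, compressed size, filename length, extra length) from a local header."""
    f = struct.unpack(LOCAL_FMT, blob[offset:offset + 30])
    return f[6], f[7], f[9], f[10]


def verifier_view(blob):
    """Android <= 4.3 verifier: filename length and size come from the central
    directory; only the extra-field length is read from the local header."""
    out = {}
    for e in central_directory(blob):
        _, _, _, extra_len = local_header(blob, e.offset)
        start = e.offset + 30 + len(e.name) + extra_len
        out[e.name] = blob[start:start + e.size]
    return out


def loader_view(blob):
    """Native loader (and the 4.4 verifier): every length comes from the local header;
    the central directory is used only to locate and name the entry."""
    out = {}
    for e in central_directory(blob):
        crc, size, name_len, extra_len = local_header(blob, e.offset)
        start = e.offset + 30 + name_len + extra_len
        data = blob[start:start + size]
        if zlib.crc32(data) != crc:              # attacker controls this CRC, so it passes
            raise ValueError("CRC mismatch in %r" % e.name)
        out[e.name] = data
    return out


def metadata_consistent(blob):
    """The holistic check: reject the archive unless each local header agrees with its
    central directory record on filename, CRC and size."""
    for e in central_directory(blob):
        crc, size, name_len, _ = local_header(blob, e.offset)
        local_name = blob[e.offset + 30:e.offset + 30 + name_len]
        if (local_name, crc, size) != (e.name, e.crc, e.size):
            return False
    return True


if __name__ == "__main__":
    legit, mal = b"dex\n035\x00 legitimate bytecode", b"dex\n035\x00 MALWARE"
    for label, blob in (("well-formed", build_zip(b"classes.dex", legit)),
                        ("crafted", build_zip(b"classes.dex", legit, imposter=mal))):
        print(label, verifier_view(blob), loader_view(blob), metadata_consistent(blob))
```

Running it shows the verifier and the loader agreeing on the well-formed archive, disagreeing on the crafted one (the verifier sees the legitimate bytes, the loader gets the imposter), and the consistency check rejecting only the crafted file; because the imposter also carries a matching CRC in the local header, the loader’s own integrity check is no help.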

What to do

Google doesn’t seem to have gone for a holistic fix, such as either or both of those listed above.

But the Android maintainers have made a small but apparently effective adjustment by altering the Java-based validation code so that it follows a similar path through the data to that used by the loader.

By forcing the Java code to rely on the local header data to find its way to the file data, the verifier will check what the loader is going to run, not merely what an attacker wants it to see.

I still think that disallowing APK files altogether if they contain discrepancies between the two streams of file metadata would be a more solid and satisfying approach, but we shall have to take what Google has given us.

And given the comment in the old code noting that the “extra field” data could vary from the central directory (the cause of the previous verification hole), you’d have thought that the programmer might have thought ahead and applied the same logic proactively to the filename length.

But the laconic variable name localExtraLenOrWhatever in the old code suggests that the programmer didn’t have security on his mind when he wrote that snippet, so the proactive fix didn’t happen, thus retaining the filename length vulnerability.

So, until your device gets upgraded to Android 4.4, you’re at risk.

We offer these three tips:

  • Stick to the Google Play Store, where we hope that Google has taken a holistic approach and is rejecting submissions with fishy-looking metadata in their APK files.
  • Use an Android anti-virus (yes, Sophos just happens to have a good one, and it’s free from the Play Store) that can scan newly-installed packages automatically before you run them.
  • If you’re a programmer, don’t follow Google’s lead here – code with security on your mind all the time.

Neither the Play Store nor your favourite anti-virus can guarantee to keep all unwanted apps off your device, but together they will come close.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bFdd2LEOLWQ/

Europol and Canadian cops round up POS terminal tampering gang

Pan-European law enforcement agency Europol has announced the take-down of a global gang of cybercrooks thought to be responsible for compromising point-of-sale (POS) terminals in Europe and North America, netting 30,000 sets of card details.

The investigation, referred to as “Operation Spyglass” (or “Project Lorgnette” to its French-speaking participants) was initiated last summer in Canada, and later drew in participation from French and German police forces as well as Canadian banking groups. Europol’s European Cybercrime Centre (EC3) provided support and coordination.

The gang members are thought to have tampered with POS terminals in European and North American shopping centres, harvesting card data and disseminating it to teams in several towns across Québec.

These teams then processed the data and passed it on to overseas carders, who used it to create counterfeit cards. The 30,000 sets of card details gathered yielded an average €300 each, for a total “potential loss” of €9 million ($12 million, £7.7 million).

Initial arrests were made in March this year – seven in France and six in Germany – and the Canadian end of the operation was mopped up on October 29th, with 16 people arrested in various parts of Québec. These include the man believed to be the gang’s leader in the city of Boucherville, a suburb of Montréal.

In the past, POS risk has been dominated by malware targeting the computers running in shops and hotels, particularly in North America, where slow adoption of chip-and-PIN technology has left card data lifted from these systems easier to monetise.

More recently though we’ve seen rigged card readers available on the cybercrime underground market, making it easy to harvest both card and accompanying PIN data once a trojanised device has been inserted into a business.

Though few details were made available by Europol, the tampering is described as “sophisticated manipulation”, and carders’ method of acquiring the money as “withdrawal”.

The wording implies that they were using the same sort of techniques and had acquired the matching PIN info to go with the card data, allowing them to simply walk up to an ATM with their cloned cards and take out the cash.

Connecting rogue hardware to sensitive networks seems to be an increasingly common technique for cybercrooks of late, with similar methods used in foiled attempts to rob banks in the UK earlier this year, and also as part of the long-term compromise of Antwerp port facilities by drug smugglers.

It really shouldn’t be so easy to inveigle unknown devices onto networks though; device control systems should be able to spot and reject connection attempts from hardware that is not trusted.

Much effort has gone into the hardening of the chip-and-PIN standard to prevent access to complete data in transit or on infectable PC control systems, but it sounds like more work may need to be done on ensuring the physical devices are harder to tamper with, or to simply swap out for trojanised versions.

On the plus side, it’s always good to see effective worldwide collaboration between police forces resulting in the successful rounding up of global cybercrime gangs.

So well done to Europol, the various forces and agencies involved and the “hundreds of police officers in the EU and Canada” who took part in the operation.


Image of POS terminal and chip and pin card courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lUrl-KNucSk/

Facebook to put Report Abuse button at fingertips of bullying victims

Facebook on Wednesday announced it’s adding a button to all content that will enable bullying victims and their allies to anonymously report abuse, be it comments, photos, videos or other Facebook content, the social network said in a blog posting.

The Report links will appear next to the content.

To report an abusive Page, for example, users will be able to:

  1. Go to the Page they want to report
  2. Click the dropdown menu under the Page’s cover
  3. Select Report Page

The Report button is only one tool in Facebook’s new Bullying Prevention Hub, created by Facebook engineers and its partners at the Yale Center for Emotional Intelligence.

Other tools will include recommendations for adults who want to help, Facebook said:

Today on Facebook, we encourage anyone who sees harassment or bullying to report it, and we even offer teens the ability to connect with a trusted adult to get help as part of our social reporting tool.

With the new Bullying Prevention Hub, we’ll be arming bullying victims with information on what they can do when they see harassing content, recommendations to adults who want to help, and even guidance to the person accused of bullying on what he or she has done and how he or she can do better.

Facebook said that in putting such a tool at people’s fingertips at the moment they need it most, it’s the first time an internet company has integrated bullying prevention tools directly into a product.


I sincerely hope that this tool does help bullying victims.

We should bear in mind that the Report button is bound to be abused, as well.

Critics of Nova Scotia’s new Cyber-Safety Act – passed in the wake of the tragic death of bullied, allegedly gang-raped Rehtaeh Parsons – have pointed out that tools meant to help victims can also threaten the rights of free expression.

Hopefully, Facebook administrators will be able to effectively sift through abuse reports and weed out those that boil down to little more than censorship of content that a given user finds offensive for reasons other than it being actually abusive.

Instagram, Facebook’s popular photo-sharing app and many young people’s preferred place to hang out online, wasn’t mentioned in the company’s posting.

But that site – no stranger to abuse – already has its own instructions on reporting abusive content and spam.

For more tips on helping children and teens who might be cyber-bullied, check out Sophos’ Top 10 tips to keep kids and teens safe online.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/T9cNkj5i9ag/

Microsoft warns Windows users of zero-day danger from booby trapped image files

Microsoft is warning about a brand new security hole in Windows that could let criminals get control of your computer through booby-trapped image files.

The flaw, dubbed CVE-2013-3906, is described by Redmond’s security experts as a “remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images.”

In short: just opening a maliciously-tweaked TIFF image could lead to what’s known as a drive-by download, or drive-by install, where malware is silently installed onto your computer without any warning message or “are you sure” dialog.

Zero-day

The CVE-2013-3906 hole is a zero-day – security jargon that means “the crooks got there first,” with the vulnerability coming to Microsoft’s attention as the result of successful in-the-wild attacks, not through responsible disclosure.

In other words, attacks are not merely likely or imminent, but actually already happening, before a patch is available.

So far, the attacks we’re aware of have relied on embedding booby trapped TIFF images inside DOCX files (documents from Office 2007 and later).

Someone sends you a specially constructed document, for example by email; you open it to see if it’s really worth opening; and that’s that – you’re infected.

But Microsoft has also warned that CVE-2013-3906 might be exploitable through a range of different activities, such as:

  • Previewing or opening a specially-crafted email.
  • Opening a specially crafted file such as an attachment or download.
  • Browsing to a poisoned web page.

Fix it

Fortunately, even though there isn’t a full and formal patch ready yet, Microsoft has published a Fix it tool that will quickly render your computer immune to this particular attack.

The Fix it works by telling Windows not to process TIFF files, thus neatly sidestepping the issue of booby-trapped images.

You can achieve the same result by hand (or with a scripting tool, or a group policy object) by setting the following entry (make it a DWORD) in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1

Of course, if your workflow requires you to be able to open and view TIFF files, you can’t use the DisableTIFFCodec option.

However, if you try the fix and it gets in the way, it can easily be reversed simply by deleting the abovementioned registry entry: no permanent system changes are made when the Fix it is run.

Our advice

We advise the following:

  • Don’t run as administrator all the time. That way, if you do get attacked, you limit the extent of your exposure.
  • Be cautious of unsolicited attachments.
  • Make sure your anti-virus is updating frequently and correctly to maximise your protection.
  • Try out the Fix it unless you are certain in advance that it will get in the way.

As fellow writer Lee Munson pointed out, November’s monthly Patch Tuesday update is due out next week, so it is possible that a permanent patch will not be available until December.

Be on your guard – and apply the Fix it if you can.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YGrPAgHlfPw/