STE WILLIAMS

Adobe customer data breached – login and credit card data probably stolen, all passwords reset

Today, it’s Adobe’s turn to attend confession.

The multimedia giant has owned up to getting pwned, admitting that “attackers illegally entered our network”:

We recently discovered that attackers illegally entered our network. The attackers may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account. If you have placed an order with us, information such as your name, encrypted payment card number, and card expiration date also may have been accessed. We do not believe any decrypted card numbers were removed from our systems.

To prevent unauthorized access to your account, we have reset your password… We recommend that you also change your password on any website where you use the same user ID or password. As always, please be cautious when responding to any email seeking your personal information.

Not a happy time for Adobe – one of the problems you face after you realise you’ve suffered a breach is working out what the crooks did while they were at large in your network.

If you are the victim of a break-and-enter at home, it’s often fairly obvious what happened: the TV-shaped hole in your entertainment centre cabinet, for example, is a glaring clue.

Even if you don’t know immediately what’s missing, it’s often possible to make a reasonably accurate inventory afterwards – passport? wallet? watch? – and react accordingly.

Network breaches aren’t like that, not least because when data is stolen, you still have your own copy.

→ Pedants may point out that “to steal” means “to take someone else’s property unlawfully without intending to return it”, but here I use the word unapologetically. You know what I mean.

Worse still, since the crooks bypassed your security to get in, they may have bypassed your security while they were in, so you can’t even be sure whether you can trust your logs.

So I feel Adobe’s pain, as they’ve had to make a very general admission, and reset everyone’s password, even though it may turn out that not much in the way of unencrypted Personally Identifiable Information (PII) was taken during the intrusion.

But that’s cold comfort for people who have bought from Adobe recently.

Some notes about the disclosure

Just a couple of points of things I suggest that Adobe could and should have done differently in the disclosure.

• “The attackers may have gained access to your… encrypted password.”

The devil’s in the details. Technically, the passwords probably weren’t encrypted, which would imply that Adobe could decrypt them and thus learn what password you had chosen.

Today’s norms for password storage use a one-way mathematical function called a hash that pretty much uniquely depends on the password, so that you can calculate the hash from the password, but not the other way around.

This means that you never actually store the password at all, encrypted or not: the user reveals the password on login, but you only ever need to process it in memory to verify the hash, so it need never be saved to disk.

Of course, that means that crooks could produce a giant table of hashes for popular passwords, thus speeding up their attacks, so you also usually add some salt: a random string that you store with the user’s ID and mix into the password when you compute the hash.

Even if two users choose the same password, their salts will be different, so they’ll end up with different hashes, which makes things much harder for an attacker.

And, lastly, you don’t usually just apply the hash function once to the salt-and-password combination.

You use some sort of key derivation function (KDF) that does a lot more than just a single hash calculation, so you slow down any attempt by someone who has stolen your database to try a long list of passwords one-by-one. (This is sometimes called key stretching, for obvious metaphorical reasons.)

Common KDFs used with salting-and-hashing are PBKDF2, bcrypt and scrypt. They are typically used so it takes 10,000 times longer, or more, to check each password than a plain hash function would. This hinders attempts to crack passwords against a dictionary list without noticeably slowing down each legitimate login.
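The salting and stretching described above, as an added illustration that is not part of the original post and does not reflect whatever scheme Adobe actually used (the post notes Adobe did not disclose it). The example uses PBKDF2 from Python's standard library; the iteration count, salt length and record format are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters assumed for this example, not taken from any real deployment.
HASH_NAME = "sha256"
ITERATIONS = 100_000   # key stretching: every guess costs this many HMAC calls
SALT_BYTES = 16        # 128 bits of random salt per user


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_<hash>$<iterations>$<salt hex>$<hash hex>'.

    The password itself is never stored; only the salt and the stretched hash are.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)       # fresh random salt for each user
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and iteration count stored in the record.

    The comparison is constant-time so a wrong guess does not leak how many
    leading bytes matched.
    """
    _algo, iters, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_hash(password: str) -> str:
    """The weak scheme the post warns against: one plain hash, identical for every
    user who picked the same password, so a precomputed table recovers it at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(popular_passwords) -> Dict[str, str]:
    """Map plain hash -> password for a list of popular passwords (the 'giant table')."""
    return {unsalted_hash(p): p for p in popular_passwords}


def table_lookup(stored_hash_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Return the password if the stored hash appears in the precomputed table."""
    return table.get(stored_hash_hex)


def stored_hash_part(record: str) -> str:
    """Extract just the hash hex from a salted record, for the table comparison."""
    return record.split("$")[-1]


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    rec_alice = hash_password("123456")
    rec_bob = hash_password("123456")
    print("different records for the same password:", rec_alice != rec_bob)
    print("verify correct:", verify_password("123456", rec_alice))
    print("verify wrong:  ", verify_password("1234567", rec_alice))

    table = build_precomputed_table(["password", "123456", "qwerty"])
    print("unsalted hash found in table:", table_lookup(unsalted_hash("123456"), table))
    print("salted hash found in table:  ", table_lookup(stored_hash_part(rec_alice), table))
```

Raising ITERATIONS is how the cost per guess is tuned: a legitimate login pays it once, while someone who has stolen the table pays it for every candidate password of every user.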

With all this in mind, it would have been nice to see Adobe state explicitly what salting, hashing and stretching algorithms were in use, even if only as an appendix to the breach notification.

That means that users could take their own advice about how likely it is that their stolen “encrypted password” could be worked out by an attacker.

• “Encrypted payment card number, and card expiration date.”

Maybe I am reading too much into this, but I interpret this sentence (and note carefully the comma before “and”) to mean that your card number was encrypted, but your expiry date was not.

My suspicion is reinforced by the later explicit remark that “decrypted card numbers” were probably not stolen.

Why not be perfectly clear?

If card numbers and expiry dates were both encrypted, say so explicitly.

If not, make it clear that the crooks now probably do have your expiry date, even though they may not have your full card number.

• “Change your password on any website where you use the same … password.”

How about making this advice much stronger?

If you are using the same password on other sites, don’t just go and change it.

Go and change it to something that is not the same as any other site, so that crooks who work out your password for one account don’t automatically get access to other parts of your online life, too.

That’s what we’re advising as one of our three “Do These 3” tips for Cybersecurity Awareness Month, because we think it’s important.

It would be nice to see Adobe treating it as important advice, too.

Listen to our “Do These 3” tips now in this short, special-issue podcast

(03 October 2013, duration 8’58”, size 5.4MB)

Before we go

By the way, one final reminder if you hold personal information about other people.

Encrypting credit card data and salting-hashing-and-stretching passwords are vital security protections.

But they are not a replacement for keeping the data safe in the first place – they’re a second layer, in case your first line of defence should fail.

Just saying.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Eesde6Qz1F0/

Cheeky Lavabit *did* hand over crypto keys to US government after all – printed in a 4-point font

Just under two months ago, we wrote about the closure of secure email service Lavabit.

Lavabit’s founder, Ladar Levison, explained that he was in a spot of legal bother that made it impossible for him to continue to operate with a clear conscience, so he would suspend the service.

He also noted that, much as he wanted to, he couldn’t give details about said legal bother.

All he could do was to point out that he had lodged an appeal and hoped to open up the service again one day.

Of course, the smart money was that law enforcement wanted access to data belonging to a certain Mr Edward Snowden, the National Security Agency (NSA) whistleblower, who was known to be a Lavabit user.

We hedged our bets about the reasons here on Naked Security, since the only thing we knew was that we didn’t know whether the kerfuffle involved Snowden at all.

But recently unsealed court documents [PDF, 162 pages, 16MB] now tell a bit more of the story.

The name Snowden is still mentioned only in passing (various redactions have suppressed names throughout the unsealed documents).

So we still don’t have official confirmation that Snowden, amongst others, was the target of the investigation.

That, however, hardly matters any more.

What matters is the intriguing tale of the court requiring Lavabit to hand over its SSL private keys, and Lavabit arguing that it ought not to comply, since that would give access to all messages to and from all customers, which would be unfair and unreasonable.

Very greatly simplified (and I hope I have not oversimplified to the point of misunderstanding), the court wanted Lavabit to enable law enforcement to intercept so-called email metadata for a particular user.

But due to the use of SSL/TLS at all times, with data kept encrypted in transit and at rest, even accessing mail headers was no simple matter – unless law enforcement were given Lavabit’s private keys.

(A MiTM, or man-in-the-middle, attack on encrypted traffic is trivial if you have all the encryption keys and certificates to use “in the middle.”)

Eventually, Lavabit had little choice but to comply, turning over five SSL private keys.

It still wasn’t game over for Lavabit users’ privacy, however, because Levison gamely supplied the cryptographic material in printed form, stretched over 11 pages in a four-point font.

To say that the law enforcement officers were underwhelmed is the understatement of the year, and matters were soon back in court, with “handing over the keys” quickly redefined to mean, “handing over the keys as computer-readable PEM files suitable for immediate use, and no more mucking around.”

Indeed, to guard against further stalling tactics, the government petitioned the court to fine Levison $5000 for every day he continued to dither.

At this point, Levison folded and complied, but pulled the plug on Lavabit at the same time, and that was that for the men-in-the-middle.

The New York Times reports that a prosecutor referred to the abrupt shutdown of Lavabit as “just short of a criminal act,” but, then, nearly-a-crime isn’t actually a crime.

What can we learn from this?

To me, one of the most interesting aspects of this story is the recognition by a non-tech-savvy court that at least part of the problem was the regrettable fact that Lavabit would need to put the privacy of 400,000 users at risk to secure the lawful surveillance of just one person.

As the court pointed out (this is a transcript, not a written judgement):

[Y]ou’re blaming the government for something that’s overbroad [the requirement to hand over the all-revealing SSL keys], but it seems to me that your client is the one that set up the system that’s designed not to protect that information, because you know that there needs to be access to calls that go back and forth to one person or another. And to say you can’t do that just because you’ve set up a system that everybody has to — has to be unencrypted, [read: in which all users are encrypted in the same way] if there’s such a word, that doesn’t seem to me to be a very persuasive argument.

In short, the court is as good as saying, “If you wanted to come up with this ‘but what about the privacy of all the 399,999 other users’ argument, why didn’t you implement the system so their individual privacy was better protected?”

After all, Lavabit could have taken an approach more like the one used by Kiwi internet showman Kim Dotcom’s Mega service, so that each user’s encrypted traffic and content could stand (or fall) alone.

Of course, that wouldn’t have stopped Levison shuttering the entire service, effectively DDoSing all his users to protect the privacy of one of them.

But from a cryptographic point of view, it would have made a lot more sense to me.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dY5BS-b8-_w/

Silk Road bust, Adobe breach and Lavabit chutzpah – 60 Sec Security [VIDEO]

Hang in there, Internet Explorer peeps: Gaping zero-day fix coming Tues


Microsoft is preparing to close a wide-open security hole in Internet Explorer – a vulnerability state-backed spies are exploiting to mine organisations across Asia.

An update to fix the flaw is among four critical patches Redmond has lined up for the October edition of Patch Tuesday, due next week. Versions 6 through to 11 of the web browser are known to be vulnerable.


The use-after-free bug in Internet Explorer [CVE-2013-3893] allows attackers to execute arbitrary code on a victim’s computer; a mark simply has to surf to a web page booby-trapped with JavaScript that triggers the flaw.

In fact, the bug itself is quite an interesting case study: modern Windows kernels attempt to randomise the layout of software in memory and mark the areas containing just data as non-executable, which in theory is supposed to make life extremely difficult for hackers.

But the web page, in this case, can coax IE into loading a Microsoft Office library that snubs address space layout randomisation (ASLR). This sits in a known region of memory, allowing the attack code to initially hop around the library and use instructions within it to grant itself permission to execute its payload of code.

The attack code is packed into JavaScript strings, which sit in memory that Internet Explorer’s MSHTML component accidentally uses when it really shouldn’t: it tries to call a function pointer, but by that fatal moment, this pointer instead refers to an attacker-controlled part of memory rather than the expected friendly function.

Exploited since August

The vulnerability first came to public attention late last month when targets in Japan were attacked by miscreants exploiting this programming gaffe. Security biz FireEye published an alert about the infiltration attempts on 23 September, and claimed that assaults using the same bug in Microsoft’s browser software started around 23 August.

Redmond had realised there was a problem, though not its seriousness, days before FireEye sounded the alarm. Microsoft published technical details and workarounds to defend against the flaw on 17 September.

Security researchers have since linked the same CVE-2013-3893 bug to multiple attacks by various state-sponsored hacking crews against targets in Taiwan and elsewhere in the Far East. In this context the patch for Internet Explorer versions 6 to 11, due to arrive next Tuesday, can’t come a day too soon.

October 2013 marks the tenth anniversary of Microsoft’s regular security patch rollouts, Patch Tuesday. Alongside the critical IE update, the world’ll get three similarly critical security fixes for Windows that affect the vast majority of deployed platforms except Windows Server 2012 R2 and Windows RT 8.1. Everything from Windows XP up to and including Windows 8 and Windows RT will need patching.

Redmond’s security gnomes are also fuelling up four lower severity security bulletins, all rated as “important”. Microsoft Office, Microsoft Silverlight 5 and Redmond’s Sharepoint portal server software will all need patching as a result of security fixes due to arrive on 8 October.

More details will be released once the updates are deployed next week. In the meantime, Microsoft’s pre-release notice provides more details of the affected software packages.

Wolfgang Kandek, CTO of Qualys, commented: “The recent [Internet Explorer] 0-day … is certainly the top-priority patch for next week and it affects all versions of Internet Explorer from 6 to 11. Fortunately, attack volume using this vulnerability has continued to be low and this has given Microsoft the opportunity to do a full test cycle on all possible combinations of operating systems and target sites.”

Adobe – fresh from warning about a compromise on its website that might have exposed the IDs, password hashes, and encrypted credit card information of nearly three million customers – separately announced plans to deliver a solitary patch for Acrobat 11.0.4 and PDF Reader 11.0.4 on Windows. More details can be found in Adobe’s advisory here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/04/oct_patch_tuesday_ie_0day_fix_due/

NSA using Firefox flaw to snoop on Tor users


An NSA presentation released by Edward Snowden contains mixed news for Tor users. The anonymizing service itself appears to have foxed US and UK government snoops, but instead they are using a zero-day flaw in the Firefox browser bundled with Tor to track users.

“These documents give Tor a huge pat on the back,” security guru Bruce Schneier told The Register. “If I was a Tor developer, I’d be really smiling after reading this stuff.”


The PowerPoint slide deck, prepared in June last year and entitled “Tor stinks”, details how the NSA and the UK’s Government Communications Headquarters (GCHQ) have been stymied by trying to track Tor users, thanks to the strength of the open source system.

“We will never be able to de-anonymize all Tor users all the time,” the presentation states. “With manual analysis we can de-anonymize a very small fraction of Tor users, however, no success de-anonymizing a user.”

The presentation says that both the NSA and GCHQ run Tor nodes themselves (the Brits use Amazon Web Services for this under a project entitled Newton’s Cradle), but these are only a very small number in comparison to the whole system. This makes tracking users using traditional signals-intelligence methods impossible.

There’s also a case of diminishing returns as Tor becomes more popular. With each user acting as a transport node, the sheer scale of the system means it becomes steadily more difficult for the intelligence community to run enough nodes to be useful for tracking.

The agencies have also tried to use “quantum” cookies to track targets who are using Tor. Some cookies appear to persist after Tor sessions, the presentation notes, and the agencies are investigating if this can be developed into a working tracking system.

A separate leaked document from GCHQ, published in the Washington Post, gives an indication of how this could be done. Operation Mullenize is a technique for “staining” individual user’s computers with trackable code, and is now being rolled out after a year of development. Over 200 stains were injected onto systems in two months last year, the report notes.

There are also indications that the NSA had been trying to influence the design of Tor to make it more crackable, a somewhat Kafkaesque approach given that Tor is primarily funded by the US government itself to provide anonymity to internet users operating under repressive governments.

The NSA has been accused of this before, having been said to be deliberately weakening NIST encryption standards. But Schneier said in the case of Tor, the agency appears to have had little luck.

“It’s harder than you think to sneak stuff in,” Schneier said. “If you show up and say ‘Here, I’ve got some Tor code!’ I don’t think you’re going to get it in. As far as we know, they’ve had no success doing that.”

But documents shown to The Guardian by Snowden indicate that the intelligence organizations have also been trying sneakier methods in a delightfully named attack dubbed EgotisticalGiraffe. This targets the software that is bundled with Tor, specifically version 17 of the Firefox browser, which was vulnerable to a zero-day attack.

It’s an attack vector that was adopted by the hacking community after operating system vendors started getting smarter about security, and which spawned a rash of attacks against third-party software such as Java and Adobe Reader. Now the NSA is using the same methods to track and crack Tor users.

“It should hardly be surprising that our intelligence agencies seek ways to counteract targets’ use of technologies to hide their communications,” the NSA told the paper in a statement.

“Throughout history, nations have used various methods to protect their secrets, and today terrorists, cybercriminals, human traffickers and others use technology to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that.”

Mozilla has now fixed the Firefox flaw used in EgotisticalGiraffe, but it seems likely that a fair few Tor users won’t have updated their software as often as they should and may still be vulnerable. But Cindy Cohn, legal director of the Electronic Frontier Foundation, told The Register that the methods used by the NSA and GCHQ were immensely worrying.

“They are using the kind of techniques that federal prosecutors send people to jail for decades for using,” she said. “These are tools that are criminal, and I’m still wondering what’s the authority? What kind of authority are they claiming that they can do this?”

Cohn said the courts need to know how data is being collected before warrants are issued. She pointed out that the NSA has already been fingered for passing information to the Drug Enforcement Agency and the Internal Revenue Service, which then covered up where they got their data from.

“You really have to question if there is a rule of law anymore?” Cohn said.

“If the government gets to essentially burn down your house because it thinks you’re engaging in illegal activity and then hide the fact by pretending there was an arsonist around at some point, it’s not a lawful situation,” she said. “There’s a fundamental thing that’s being lost here for an allegedly self-governing country.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/04/nsa_using_firefox_flaw_to_snoop_on_tor_users/

NSA justifies hacking world’s digital communications


The NSA has published a statement explaining why US spies have been studying, infiltrating, and subverting so many of the digital technologies upon which people depend.

The statement, “Why the Intelligence Community Seeks to Understand Online Communication Tools Technologies”, was published by the US Office of the Director of National Intelligence on Friday, shortly after news broke that the NSA has spent years trying to crack the anonymous Tor communications network.


“The articles fail to make clear that the Intelligence Community’s interest in online anonymity services and other online communication and networking tools is based on the undeniable fact that these are the tools our adversaries use to communicate and coordinate attacks against the United States and our allies,” the NSA wrote.

Though Tor is undoubtedly used by many people for many different purposes, we would note that Osama Bin Laden, the architect of the September 11 2001 World Trade Center and Pentagon attacks, lived his final years in a compound with no internet connection whatsoever and studiously avoided all internet and carrier-based communications, depending instead on people.

The statement goes on to note that “the Intelligence Community is only interested in communication related to valid foreign intelligence and counterintelligence purposes and that we operate within a strict legal framework that prohibits accessing information related to the innocent online activities of US citizens.”

Recent revelations around the NSA’s spying systems have shown that the agency spent two years indulging in the bulk collection of mobile phone locations at home and abroad without oversight. Another leak described how its “Project Marina” scheme indiscriminately slurped metadata on internet users – both European and American – and stores that data for a year allowing it to be looked at “regardless whether or not it was tasked for collection.”

“In the modern telecommunications era,” the NSA writes, “our adversaries have the ability to hide their messages and discussions among those of innocent people around the world. They use the very same social networking sites, encryption tools and other security features that protect our daily online activities.”

This appears to be a subtle justification for the NSA graphing connections between people both at home and abroad, such as its scheme to analyse people through the traces they leave on social networks.

“Americans depend on the Intelligence Community to know who and what the threats are, and where they come from,” the notoriously press-shy agency said.

“Many of the recent articles based on leaked classified documents have painted an inaccurate and misleading picture of the Intelligence Community,” the mercurial surveillance agency noted. “The reality is that the men and women at the National Security Agency and across the Intelligence Community are abiding by the law, respecting the rights of citizens and doing everything they can to help keep our nation safe.”

Documents declassified by the NSA in September show that between May 24, 2006, and February 17, 2009, the organization was monitoring 17,835 phone accounts, barely 2,000 of which had “reasonable articulable suspicion” of wrongdoing.

A recent statement from NSA inspector general Dr. George Ellard disclosed that some spies “intentionally misused” the NSA’s signals intelligence techniques to spy on their lovers and partners without oversight. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/04/nsa_spying_statement/

Firms, Researchers Seek Better Ways To Detect Evasive Threats

When companies relied on the static analysis of binaries to determine whether a program is malicious, attackers came up with a simple way to bypass defenses: obfuscating the code with packers and other techniques.

Many security firms then moved onto dynamic analysis, allowing a program to run in a sandboxed or virtual environment and looking for signs that it was doing something malicious. The strategy is a significant departure from the past, when authors created code that would noisily attempt to exploit a number of vulnerabilities, says Michael Sutton, vice president of research for Zscaler, a cloud security provider.

“A few years ago, we would see them throw everything at the machine, and hoped that one of them worked,” he says. “The downside is that it creates more noise and is more likely to be picked up by host-based AV. Now, we see them being more surgical in their attacks and only delivering the payload that will work on the compromised platform.”

Attackers are increasingly using evasion techniques to foil automated analysis, the latest moves in an ongoing cat-and-mouse game between malware authors and security analysts. While evasion is far from a standard feature of malware, it is frequently used in exploit packs–the attack toolkits developed and sold by rogue developers–an attempt by the authors to delay the reverse engineering of their latest attacks. Recent malware–such as DarkLeech and the latest variants of Capshaw and Kelihos–are examples of the possibilities of evasions.

[Following a program’s evolution back to the author may not yet be a reality, but computer scientists are searching for more accurate measures of the relationships between software versions. See Researchers Seek Better Ways To Track Malware’s Family Tree.]

Always checking for vulnerable components, and only attempting to compromise the system if those components are present, is one of the three ways in which attackers attempt to sabotage defenders’ analysis. Attackers can also attempt to detect whether their code is running in a virtual machine or an analysis environment. In many cases, the attackers know the environments used by defenders to analyze malware, so they can create effective methods of evading detection, says Giovanni Vigna, director of the Center for CyberSecurity at the University of California at Santa Barbara.

“Evasion is the reaction to dynamic analysis, to the sandbox, and it’s very difficult to catch,” says Vigna. “Most of the analysis right now is done manually after observing that there is bad stuff that has not been detected–that is, a false negative–which is then analyzed manually to find the evasion.”

If the attacker is unfamiliar with the analysis environment, they can still use techniques to fool typical analysis setups, such as sleeping for a long period or waiting for human input. Finally, some attackers are starting to gather intelligence to see if the system which they are trying to infect could be a honeypot or even a known compromised system. A recent version of Kelihos, for example, checks Internet blacklists to see if the about-to-be-compromised system will likely be blocked.

“They have multiple evasions that target each environment,” says Alexandros Kapravelos, a PhD student in computer science at UCSB and the co-creator of the Revolver system for detecting evasive malware. “While some of these evasions hit our system, the other ones are designed to hit somebody else.”

At the USENIX Security Conference in August, Kapravelos, Vigna, and three other researchers from UCSB and the University of Birmingham presented a method for detecting evasive Web malware. The Revolver system creates abstract representations of a program’s function and then uses clustering and other machine learning techniques to match the code with known good and bad software. Malicious software that uses evasions becomes more visible when looked at from a run-time point of view.

Since September 2012, the researchers have collected almost 6.5 million Web pages, of which about 266,000 were malicious. From those pages, the researchers culled more than 700,000 benign scripts and 5,700 malicious scripts, which also included 150 different evasion techniques. Some of the evasions took advantage of differences between Internet Explorer and the browser implemented by the analysis system, known as Wepawet. Other evasions used differences in the rendering of PDF objects to detect the analysis environment.

When the researchers found the attackers using an evasion technique, they would patch their analysis system. Generally, within a few days, attackers would return with a new evasion, the researchers stated in their paper.

This makes “a tool like Revolver necessary to automatically keep track of this behavior and keep false negative detections as low as possible,” the researchers stated.

Keeping up with the attackers requires automation, an approach that is used in some form by many security firms in their own fights with attackers, says Zscaler’s Sutton.

“That overall approach is fairly accepted in the AV community,” he says. “Otherwise you just can’t keep up, because there are millions of pieces of malware every day.”


Article source: http://www.darkreading.com/monitoring/firms-researchers-seek-better-ways-to-de/240162297

A-D’OH!-BE: Adobe hit by ‘sophisticated’ MEGA HACK RANSACK


Adobe’s systems have been hit by numerous “sophisticated attacks” that have compromised the information of 2.9 million customers, and accessed the source code of Adobe products.

The company said on Thursday that it has been the victim of a major cyberattack and said hackers had accessed those millions of customer IDs and encrypted passwords.


“We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders,” the company said.

It does not believe decrypted credit or debit card numbers were accessed.

“As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password,” the company wrote.

The company says people should change their passwords on any other website where they have used the same user ID and password. But you’d do that anyway, wouldn’t you?

It is “in the process” of notifying customers whose credit or debit data may have been stolen, and is offering them condolence in the form of a “one-year complimentary credit monitoring membership where available.”

Where we come from, that’s called offering free stable doors after the horses have bolted.

The company has also contacted federal law enforcement officials and notified banks that process customer payments for Adobe.

Hackers have also accessed the source code for the company’s Adobe Acrobat, ColdFusion, ColdFusion Builder, and other unnamed products, the company said in a separate blog post.

Security firm Hold Security claims to have found 40 gigabytes in encrypted archives on a hacker’s server, apparently containing source code on some of Adobe’s biggest products.

“This breach poses a serious concern to countless businesses and individuals,” Hold Security wrote. “Effectively, this breach may have opened a gateway for new generation of viruses, malware, and exploits.”

Adobe is seeking to reassure users. “We are not aware of any zero-day exploits targeting any Adobe products. However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide,” it wrote. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/03/adobe_major_hack/

GitHub wipes hand across bloodied face, stumbles from brutal DDoS beating


Popular source-code warehouse GitHub was back online today after weathering a huge denial-of-service attack throughout the week.

The status page of the San Francisco-based outfit charts the progress of the assault and the attempts to end it. Problems with the web service first cropped up on Tuesday, 1 October, before the team realised they were facing a denial-of-service storm. This first wave was dealt with late on Wednesday only for a second phase of the attack to flare up again on Thursday.


Barry Shteiman, senior security strategist at database and web app security firm Imperva, said a titsup GitHub would have had a knock-on effect on programmers at many organisations.

“GitHub’s business is to act as a code repository for companies big and small. This is unfortunately a brutal case of the impact of third party services on business security and availability,” he said.

Ashley Stephenson, chief exec of security appliance firm Corero Network Security, added that the multi-phase pattern of the attack against GitHub is typical of other denial-of-service attacks.

“From what GitHub have disclosed it looks like the DDoS [distributed denial of service] attacks targeted at their networks followed a very typical progression,” Stephenson said. “It is not unusual for attackers to probe a site with different attack vectors to figure out what type of vulnerabilities exist. It is likely that as the attacker(s) saw that GitHub were able to stop one type of DDoS attack they modified the characteristics of the attack until the website and services were again impacted.”

“A second wave of attacks, just a day later, is also a common sequence, more than likely coming from the same source, having already analysed how GitHub would likely react in trying to mitigate the attack, the second wave of DDoS attacks do appear to have been successful in taking down the site,” he added.

Stephenson concluded: “We are seeing more often that DDoS attacks against web servers evolve over a period of 24-48 hours until they take down a site or their perpetrators give up and move on. GitHub have done the right thing in keeping their users informed of the status of the attacks.”

GitHub is a frequent target of DDoS attacks. It suffered two major attacks in August and the same number in July alone. The possible motives, much less the perpetrators, behind the latest assault remain unclear.

DDoS attacks, in general, are often used by hackers to probe for vulnerabilities in a website or as a smokescreen to deflect attention from the main motives of an attack – which in the case of GitHub may involve tampering with projects’ source code or similar malfeasance.

Sysadmins on the receiving end of DDoS attacks often need to tweak the settings of firewall equipment, intrusion prevention systems and other security defences to compensate for the assaults. These changes can sometimes unwittingly open up further vulnerabilities. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/04/github_ddos/

Thirteen alleged Anons named and charged by FBI in antipiracy web war


Thirteen further alleged members of web rabble-rousers Anonymous have been charged with masterminding online attacks against corporations and others who oppose internet piracy.

Anonymous’ “Operation: Payback is a bitch” campaign involved a series of denial-of-service assaults apparently against government and company websites between September 2010 and January 2011 – and, it is claimed, mainly targeting organisations hostile towards the illegal exchange of copyrighted stuff on file-sharing networks.


Targets included the US Copyright Office; major credit card companies such as Visa and MasterCard; trade groups including the Recording Industry Association of America and the Motion Picture Association of America; the Bank of America; and a law firm. Each was subjected to floods of network traffic that overloaded servers and knocked websites offline, it is alleged.

UK targets including the British Phonographic Institute; the Ministry of Sound nightclub; and the now defunct law firm ACS:Law were also hit by the alleged activists, US prosecutors claim.

It is further believed that other international targets include the administrators of Hadopi, a French system that punishes people who infringe intellectual-property rights; the Spanish General Society of Authors and Publishers; the Italian branch of the International Federation of Phonographic Industry; and the Australian Communications and Media Authority. Websites associated with individual artists, such as former KISS bassist Gene Simmons, were also hit, it is claimed.

Anonymous’ Low Orbit Ion Cannon (LOIC) was used to flood targeted web servers with junk traffic, say prosecutors: with enough users gathered to point the software at a server, it is possible to overwhelm the target.

But LOIC makes no attempt to hide the internet network addresses of those who participated in attacks, a boon for investigators.

The defendants, whose ages range from 21 to 65, are all charged with conspiracy to intentionally cause damage to protected computers. Not all the suspects participated in all the attacks.

According to a 28-page indictment [PDF] (PACER summary here, dated 3 October), it’s alleged the 13 suspects decided which websites to target and when before circulating instructions on the net, inviting others to take part in the assaults. Information was passed around web bulletin boards, social networks and dedicated IRC channels, it is claimed.

The alleged offences also extended to incitement to harassment. For example, defendant Wade Carl Williams (AKA TheMiNd) allegedly posted a link to a flier that had the home address and phone number of the Bank of America’s chief exec and his wife in December 2010. Almost all the offences listed on the indictment cover distributed denial-of-service (DDoS) attacks, however.

One of the suspects, Dennis Owen Collins (AKA iowa, owen or anon5), was charged in 2011 with similar DDoS offences involving attacks by Anonymous against PayPal [indictment PDF here]. Collins, along with 13 other suspects, is expected to answer charges in a Californian court over the alleged attacks on PayPal later this month, RT reports. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/04/op_payback_anon_indictment/