STE WILLIAMS

Boffins: Internet transit a vulnerability

Free ESG report : Seamless data management with Avere FXT

If you think of an Internet exchange, you probably think of infrastructure that’s well-protected, well-managed, and hard to compromise. The reality, however, might be different. According to research by Stanford University’s Daniel Kharitonov, working with TraceVector’s Oscar Ibatullin, there are enough vulnerabilities in routers and the like that the Internet exchange makes a target that’s both attractive and exploitable.

The attack they demonstrate in this paper on arXiv can be mounted against common routers and switches, and “does not require extraordinary knowledge of networks or specialized programming skills.”


As they say in the abstract, “modern network platforms are capable of targeted traffic replication and redirection for online and offline analysis and modification, which can be a threat far greater than loss of service or other risks frequently associated with such exploits.”

So how did Kharitonov and Ibatullin work their black magic?

They start by assuming that an attacker is aware of a remote code execution vulnerability on a switch or router in an Internet exchange. This isn’t such a stretch of the imagination, since patches roll around on a regular basis. The second, more arcane challenge is to exploit remote access to the kit to perform analysis or modification of traffic passing through the (say) router.

As they write, “the main challenge is to deliver the “interesting” traffic to them in a manner that does not disrupt data flow and allows the eavesdropped connection to continue”.

Which is easy enough if you have command access to the network devices. Switches and routers can be configured to redirect incoming traffic briefly with the following steps:

  • Capture “interesting” traffic at the ingress interface into a captive filter;
  • Flick that traffic (using filter-based forwarding or policy-based routing) to the attacker’s analysis engine (referred to in the paper as the “aid host”);
  • Return the traffic with source and destination addresses unmodified.

Note that, apart from the aid host, this merely uses features the routers already have; the only prerequisite is a remote code execution flaw that gives the attacker command access to the device. However, there’s a drawback:

“For one thing, if the remote aid host resides in (or behind) a network that supports source checking via filter or a reverse path forwarding (RPF) feature, this renders direct flow from IP2 to IP1 using IP0 as source impossible. If this happens, an attacker will have to establish an aid host in the same network where the source or destination of traffic resides.”

More effective, the researchers suggest, is to use traffic replication features that already exist in devices. The people who designed port mirrors envisaged that they should be protected against malicious exploitation, so they generally constrain where mirrored traffic should be sent – but with control of enough vulnerable routers, this can be defeated.

“If an attacker controls routers R1, R2, and R3, an FBF [filter-based forwarding – The Register] entry for incoming packets from IP0 to IP1 can be matched to a next hop toward S1 with hardcoded multicast media access control (MAC) as a destination address. This will force S1 to replicate the packet on all ports (a normal behavior for unknown multicast groups). Routers R2 and R3 will both receive the packet; R2 will forward it as usual; and R3 will send it into a tunnel towards IP2 [a machine controlled by the attacker – El Reg] via FBF entry.”

This involves more kit, the researchers note, but also has a greater chance of success.

Other roadblocks in the way of the attacker exist, but aren’t insurmountable: a potential attacker would need to gain access to vendors’ SDKs, or would have to reverse engineer communication pipes, and would have to work out how to program the kit with “ephemeral” state changes that won’t show up in its configuration logs. “This task is much less complex than it sounds, because the initial analysis is easy to do on a test system by simply tracking the logs and messages of processes handling a routine PBR or FBF configuration change.” ®
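A check that follows from the last two passages: because the attacker’s changes are deliberately ephemeral and never reach the configuration, a defender can reconcile the declared config against the installed forwarding and mirroring state and treat any entry that exists only in state as suspect, with the multicast-MAC next hop and the tunnel mirror destination from the attack above as the two patterns worth calling out specifically. The following is an added example, not code from the paper; the config and state formats are constructed for illustration and do not match any particular vendor’s CLI.

```python
"""Reconcile a router's declared configuration against its installed
forwarding and mirroring state, and flag entries that exist only in state.

Added example, not code from the paper. The two text formats below are a
constructed, vendor-neutral stand-in for a config dump and an
operational-state dump.
"""
import re

# Constructed: policy and mirror entries the operator has actually declared.
DECLARED_CONFIG = """\
pbr-policy ingress-ge-0/0/1 match src 203.0.113.0/24 dst 198.51.100.10/32 next-hop 10.0.0.2
pbr-policy ingress-ge-0/0/1 match src 0.0.0.0/0 dst 0.0.0.0/0 next-hop 10.0.0.1
mirror-session span1 source ge-0/0/1 destination ge-0/0/7
"""

# Constructed: what the forwarding plane is doing right now. Two entries were
# pushed at runtime and never written to the configuration.
INSTALLED_STATE = """\
pbr-policy ingress-ge-0/0/1 match src 203.0.113.0/24 dst 198.51.100.10/32 next-hop 10.0.0.2
pbr-policy ingress-ge-0/0/1 match src 0.0.0.0/0 dst 0.0.0.0/0 next-hop 10.0.0.1
pbr-policy ingress-ge-0/0/1 match src 203.0.113.7/32 dst 198.51.100.10/32 next-hop 01:00:5e:7f:00:01
mirror-session span1 source ge-0/0/1 destination ge-0/0/7
mirror-session span9 source ge-0/0/1 destination gre-tunnel 192.0.2.99
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


def is_multicast_mac(value: str) -> bool:
    """A MAC is a group (multicast) address when the least significant bit
    of its first octet is set."""
    if not MAC_RE.match(value):
        return False
    return int(value.split(":")[0], 16) & 1 == 1


def parse_entries(dump: str) -> set:
    """One normalised entry per non-empty line; whitespace differences are ignored."""
    return {" ".join(line.split()) for line in dump.splitlines() if line.strip()}


def classify(entry: str) -> str:
    """Explain why an undeclared entry matters to an investigator."""
    tokens = entry.split()
    if tokens[0] == "pbr-policy" and "next-hop" in tokens:
        next_hop = tokens[tokens.index("next-hop") + 1]
        if is_multicast_mac(next_hop):
            return "next-hop is a multicast MAC; a downstream switch floods it to every port"
        return "policy-based forwarding entry absent from declared config"
    if tokens[0] == "mirror-session":
        if "gre-tunnel" in tokens:
            return "mirror destination is a tunnel endpoint, not a local port"
        return "mirror session absent from declared config"
    return "entry absent from declared config"


def undeclared_entries(declared: str, installed: str) -> list:
    """Return (entry, reason) pairs for state that no declared config line accounts for."""
    extra = parse_entries(installed) - parse_entries(declared)
    return sorted((entry, classify(entry)) for entry in extra)


if __name__ == "__main__":
    for entry, reason in undeclared_entries(DECLARED_CONFIG, INSTALLED_STATE):
        print(f"UNDECLARED: {entry}\n            {reason}")
```

The state side has to come from the forwarding plane itself (the line-card or ASIC tables, or whatever the platform exposes as installed rather than configured state), since the attacker described here programs the kit below the configuration layer; a diff of two saved configs would show nothing.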

Email delivery: 4 steps to get more email to the inbox

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/26/boffins_internet_transit_a_vulnerability/

IETF floats plan to PRISM-proof the Internet


The Internet Engineering Task Force (IETF) has posted “PRISM-Proof Security Considerations” aimed at making it much harder for governments to implement programs like the PRISM effort whistleblower Edward Snowden exposed as one of the tools in the NSA’s spookery toolbag.

The proposal has just one author – Phillip Hallam-Baker of the Comodo Group – which makes it a little unusual, as most IETF proposals are the work of several folks in pursuit of a common goal. The document is only a draft that its author hopes will one day reach the standards track of the IETF’s various efforts, so it has little weight at present.


The proposal suggests the internet be re-engineered with “a communications architecture that is designed to resist or prevent all forms of covert intercept capability. The concerns to be addressed are not restricted to the specific capabilities known or suspected of being supported by PRISM or the NSA or even the US government and its allies.”

Sadly the paper is a little light on actual ideas about how the internet can be PRISM-proofed, offering “a security policy infrastructure and the audit and transparency capabilities to support it” as one item that should be on any hardening effort’s to-do list. More use of cryptography is also proposed, with “two layers of public key exchange using the credentials of the parties to negotiate a temporary key which is in turn used to derive the symmetric session key used for communications”. That regime should, Hallam-Baker suggests, make it harder to snoop on everyday traffic. ®
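One concrete reading of that sentence, added here as an illustration rather than the draft’s own protocol: each party holds a long-lived Diffie-Hellman key pair as its credential, generates a fresh ephemeral pair per session, and derives the symmetric session key from both shared secrets with an HKDF. The group is RFC 3526 group 14; the salt string, the transcript layout and the class names are choices made for this example, and the certificate or signature that would bind a credential to an identity is left out.

```python
"""Two-layer Diffie-Hellman key agreement: a static (credential) DH plus an
ephemeral DH, both fed into an HKDF to derive the symmetric session key.

Added illustration, not the draft's protocol. Group: RFC 3526 group 14.
"""
import hashlib
import hmac
import secrets

# RFC 3526, group 14 (2048-bit MODP), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_BYTES = 256  # 2048 bits


def keypair():
    """Private exponent in [2, P-2], public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared(priv, peer_pub):
    """DH shared secret; rejects 0, 1 and p-1 so a peer cannot force a tiny subgroup."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P).to_bytes(KEY_BYTES, "big")


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class Party:
    def __init__(self, name):
        self.name = name
        self.static_priv, self.static_pub = keypair()  # long-lived credential

    def start_session(self):
        self.eph_priv, self.eph_pub = keypair()  # fresh per session
        return self.eph_pub

    def session_key(self, peer_static_pub, peer_eph_pub):
        layer1 = shared(self.static_priv, peer_static_pub)  # credential layer
        layer2 = shared(self.eph_priv, peer_eph_pub)  # temporary layer
        # Both sides hold the same four public values; sort so the transcript
        # is byte-identical regardless of who is "self".
        pubs = sorted([self.static_pub, peer_static_pub, self.eph_pub, peer_eph_pub])
        transcript = b"".join(v.to_bytes(KEY_BYTES, "big") for v in pubs)
        return hkdf_sha256(layer1 + layer2, salt=b"prism-proof-demo", info=transcript)


def run_handshake(a, b):
    """Exchange ephemerals and return the key each side derives."""
    a_eph, b_eph = a.start_session(), b.start_session()
    return a.session_key(b.static_pub, b_eph), b.session_key(a.static_pub, a_eph)


if __name__ == "__main__":
    alice, bob = Party("alice"), Party("bob")
    ka, kb = run_handshake(alice, bob)
    print("keys match:", ka == kb, ka.hex())
```

The credential layer is the same for every session between the same two parties, so on its own it would give a passive collector who later obtains one long-term key every past session; the ephemeral layer is what denies that, because those private values are discarded once the session key is derived.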


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/12/ietf_floats_prismproof_plan_for_harder_internet/

‘NSA PRISM spies’ shake down victims with bogus child-abuse vids claims


Crooks are using the NSA’s notorious global web surveillance scandal in new ransomware: punters visiting booby-trapped websites are falsely accused of downloading illegal material, told their PCs are now locked from use, and ordered to hand over a cash “fine” to unlock their computers.

Cloud security firm Zscaler has spotted 20 hijacked domains hosting malicious web pages that attempt to trick naive web surfers into installing fake antivirus software (on the pretext that their computer is riddled with malware) or handing over money to unlock PCs that have supposedly been used to download images of child abuse.


Marks are either confronted with a warning that malware has supposedly been detected on their computer, or a bogus NSA PRISM-themed alert. In both cases, the goal is to scare the target into paying the attacker to “fix” their computer.

The campaign started off by pushing fake antivirus software (aka scareware) on the pretext that viruses had supposedly been detected on a mark’s computer and money had to be paid out to have the nasties removed.

Now it’s pushing a ransomware scam, which claims that child porn has been detected on a PC. The user is told he or she can “avoid prosecution” by handing over $300. Meanwhile the ransomware claims to lock victims out of their machines.

These shenanigans have been common on the web for years, and it’s only the PRISM angle that adds a new spin. Scammers are obviously hoping that their marks pay up to resolve the problem without giving it any further thought. The opt-in system proposed in UK law, under which adults would have to ask to see legitimate porn sites, may inadvertently make the preposterous con appear a tad more plausible, according to Zscaler.

Accused … how the ransomware appears in the web browser

“The attacker uses the recent news about PRISM to claim that the victim’s computer has been blocked because it accessed illegal pornographic content,” a blog post by Zscaler ThreatLabZ researcher Julien Sobrier explains.

“The victim has to pay $300 through MoneyPak, a prepaid card service.”

“The ThreatLabZ team expect attackers to take advantages of the upcoming UK laws on accessing adult content online to send new types of fake warnings to UK victims.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/12/prism_themed_ransomware/

Hacker cracks Vodafone Germany, steals data of 2 million customers


A hack on a Vodafone Germany server has exposed the personal details – including banking information – of two million of its customers.

Hackers accessed names, addresses, bank account numbers and dates of birth. Phone numbers, credit card details and passwords are thought to be safe, but the leaked information is still pretty extensive and ample fodder for follow-up phishing attacks.


It’s unclear when the breach took place, but it appears to have involved a successful compromise of an internal server on Vodafone’s network. The German arm of the British mobile giant went public with the problem and began notifying customers on Thursday after first reporting the incident to German police.

In a statement (in German) expressing regret over the incident and promising to inform customers, Vodafone.de said that police have identified an unnamed suspect and carried out a search.

Vodafone’s German subsidiary promised to beef up the security of its systems to help guard against future attacks. “This case concerns only Vodafone Germany, other countries are not affected,” it said, according to a Google translation of the mobile operator’s statement on the security flap. “It is virtually impossible to use the data to get direct access to the bank accounts of those affected,” Vodafone told Reuters. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/12/vodafone_germany_breach/

Push mail outfit Good Tech wins CC cert


Good Technology is trumpeting a newly-inked EAL4+ Common Criteria certification awarded to its Good For Enterprise MDM and data protection platform.

The company’s local VP and GM Gavin Jones told Vulture South the certification removes the need to work through certifications country by country, at least for those countries that have signed up to the Common Criteria recognition arrangement.


He noted, for example, that while achieving Defence Signals Directorate (now Australian Signals Directorate) certification is significant, the CC certification is more so, covering the 26 current CC countries.

He added that the company considers certification at EAL4+ (assurance levels run from EAL1 to EAL7, and EAL4 is the highest level commercial software products typically reach) gives Good Technology an edge over its competitors, since achieving the certification is expensive and burdensome.

Jones attributed the certification to the containerisation in the company’s mobile security products. This, he said, adds protection of data to the device-level protection that’s the basis of the MDM (mobile device management) sector.

The containerisation encrypts application data separately from the communications channel, and creates app-to-app tunnels to secure individual workflows. Cut-and-paste controls provide data loss prevention capabilities, and the platform allows apps to be locked or corporate data wiped in the event of a breach of policy. The platform also provides secure email, calendar information, contact details, document data and browser access.

The company says Good For Enterprise is the only mobile collaboration suite to achieve EAL4+ for both iOS and Android. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/good_tech_wins_cc_cert/

Flying in the US? Remember to leave your hand grenades at home


It will not come as explosive news to most sensible travellers, but US airline passengers have been warned to leave their grenades at home when getting on a flight.

The US Transportation Security Administration (TSA) has issued a stern warning to anyone thinking of bringing their favourite handheld bomb on holiday.


In a blog post, the TSA said it busted 43 people with grenades in carry-on baggage and 40 people who carried them in their checked luggage. The majority of these grenades were inert, replica, or novelty items, but others were actual live smoke, flare and riot grenades – hardly the sort of thing you’d want to go off during a bumpy flight.

The TSA said: “After reading the title of this post, your first thought probably was, ‘That’s obvious’. Not always so.”

Inert or fake grenades won’t actually go bang, the TSA continued, but will cause a security alert which could hold up flights. They would also cause a few interesting scenes on board a plane if someone was to show off their souvenir.

“So remember, real or not, if it looks like a grenade or any other type of explosive device, it cannot be packed in your carry-on or checked baggage,” the TSA added. “Grenade-shaped belt buckles, lighters, soap, candles, MP3 players, paperweights, inert training grenades, and other items can all look like the real item on the X-ray monitor. Please leave these items at home, or find another way of getting them to your destination.”

TSA officers at Dallas Fort Worth actually found a proper 40mm High Explosive Dual Purpose Projectile grenade in a carry-on bag last year, but because the passenger was a soldier who “made a mistake”, he was let off with a slap on the wrist.

Most recently, the TSA was in these hallowed pages because of a furore over its pervy scanners, which have since been upgraded so that they highlight only “potentially dangerous objects” rather than bodily features. Nevertheless, one angry techie still found their general security screening far too invasive, and stripped naked in protest. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/12/flying_to_america_remember_to_leave_your_grenades_at_home/

French ministers told to use only secure comms post-PRISM


French newspaper L’Express has published a memo it says comes from Christophe Chantepy, chief of staff to French prime minister Jean-Marc Ayrault, and which recommends French cabinet ministers stop using smartphones for phone calls because they are not secure.

The paper’s report includes three images of the memo, one for each of its pages.


Native French speaker Elodie Quievre, who works in the office where Vulture South camps, was kind enough to translate all three and we rammed L’Express’ report through Google and Bing to help out.

Dated August 19th, the memo opens by referring obliquely to recent Snowden-related events and suggesting they make now an ideal time to “remind elementary rules which must be applied within the administration.”

Those rules state the following:

  • BYOD is forbidden
  • Mobile phones are a bad idea: landline phones secured by Thales’ TEOREM technology for voice calls are a far better idea
  • Smartphones should be secured by French spook house ANSSI before being used for anything
  • ANSSI will make sure you encrypt everything
  • TXT? Fuggedaboutit!
  • Intranet-based secure email is mandatory for even low-level secrets
  • Computers and phones should be in the same room as ministers when overseas, and beware snooping when abroad
  • Twelve-character passwords please, using letters and numbers, changed every six months and use different passwords for personal and work devices please!
  • Are you sure that attachment is safe to click on? Don’t unless you are.

Cabinet ministers are busy folks who may not encounter basic infosec advice often, so the suggestions in the document don’t look like evidence France has been caught with its pants down. The mere fact the memo was issued, and the fact it says it will be backed up by an official ANSSI edict, does however show that Edward Snowden’s revelations have made at least one nation feel it is time to get the basics right among a user population that represents an obvious target. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/french_ministers_told_to_use_only_secure_comms_postprism/

Outlook.com adds IMAP, OAuth


Microsoft has added support for Internet message access protocol (IMAP) to Outlook.com, its web-based email service.

Announced first on Reddit and later in a blog post, there’s little practical impact in the change, other than possibly encouraging more developers and users to point their email clients at Outlook.com.


As Microsoft puts it, “While we believe that Exchange ActiveSync is the most robust protocol for connecting to your email … IMAP is widely supported on feature phones and other email clients such as those on a Mac.” Switching on IMAP therefore makes it more likely those not utterly committed to Microsoft might consider Outlook.com.

That IMAP is venerable and leaving it out of Outlook.com has not gone unnoticed, as the Tweet below shows.

Adding OAuth means Redmond can let all manner of web app providers hook into Outlook inboxes, the better to siphon out email and mash it up. Examples offered include the travel site TripIt, which thanks to OAuth “can now detect emails with travel confirmations in any Outlook.com inbox, and automatically import them into a TripIt itinerary.”

With many users less-than-entirely comfortable with even text ads appearing alongside their email, what could possibly go wrong with an app like that? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/outlookcom_adds_imap_oauth/

‘Who knew in 1984 that Steve Jobs would be Big Brother?’


Quotw This was the week when Linus Torvalds, chief Penguin of LinuxLand, unleashed not one, but two mighty rants on the interwebs. First, Torvalds said he resented recent attacks on the integrity of the kernel’s security.

This followed a petition calling for the kernel to stop using Intel’s RdRand processor instruction to generate random numbers, reportedly started by a lad from Yorkshire who reckoned the instruction could have been influenced by US spooks to produce cryptographically weak values.


He branded a petition asking for it to be pulled “ignorant”. In a comparatively restrained rant, he said:

Where do I start a petition to raise the IQ and kernel knowledge of people? Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that you were wrong.

Short answer: we actually know what we are doing. You don’t.

Clearly, that little episode was enough to ramp his irritation up to its max, because the next time he lost it, he really lost it. Replying to a debate about ARM systems-on-a-chip (SoC) and how they need to be handled under Linux 3.12, he said:

I still really despise the absolute incredible sh*t that is non-discoverable buses, and I hope that ARM SoC hardware designers all die in some incredibly painful accident.

So if you see any, send them my love, and possibly puncture the brake-lines on their car and put a little surprise in their coffee, ok?

Speaking of US spooks, the NSA apparently can’t believe how easy we all make it for them to spy on us, according to the latest revelations. New documents detailed by Spiegel Online refer to the ease of getting data through iPhones, BlackBerrys and Android mobes with one analyst presentation talking about how extensive surveillance methods against fanbois already are:

Who knew in 1984 that [Steve Jobs] would be Big Brother and the zombies would be paying customers?

In other iPhone news this week, Apple had a typical song-and-dance introduction to its latest iMobes, the 5S and 5C, though they don’t seem to have blown anyone’s socks off. In fact, some folks are actively against them, including the Free Software Foundation, which reckons that the new fingerprint recognition feature is an absolutely terrible idea. Executive director John Sullivan said:

We can’t imagine a more hostile reaction to the wave of privacy concerns sweeping the world right now than debuting a proprietary, network-accessible fingerprint scanner as your new ‘feature’.

Apple has given us new hardware with the same old restrictions, allowing only Apple-approved software, putting users – along with their data, their privacy, and their freedom of expression – at the mercy of programs whose operations are secret and demonstrably untrustworthy.

But others, like Rik Ferguson, veep of security research at Trend Micro, thought the privacy concerns were a bit overegged:

Why is a fingerprint sensor on an iPhone such a violation of privacy when laptops have featured them for years and no one even blinked? Giving our fingerprints to Wintel PCs and various border control for years but Apple = NSA? This is crazy.

This was also the week when Intel came to tell us that Moore’s Law is not dead after all, because it’s got the first 14-nanometre PC. CEO Brian Krzanich said at the Intel Developer Forum:

This is it, folks. Fourteen nanometres is here, it’s working, and will be shipping by the end of this year.

While Intel president Renée James added:

Moore’s Law has been declared dead at least once a decade since I’ve been at Intel and as you know – you heard from Brian – we have 14 nanometre working and we can see beyond that. I assure you it’s alive and well.

And finally, Britain’s favourite guy-with-animals-off-the-telly David Attenborough has claimed that humans have managed to stop the process of natural selection:

I think that we’ve stopped evolving. Because if natural selection, as proposed by Darwin, is the main mechanism of evolution – there may be other things, but it does look as though that’s the case – then we’ve stopped natural selection.

We stopped natural selection as soon as we started being able to rear 95-99 per cent of our babies that are born. We are the only species to have put a halt to natural selection – of its own free will, as it were.

But fear not. While we might not be getting telepathic powers or doing some other cool thing with that unused bit of brain we cart around, it’s not time to despair yet:

Stopping natural selection is not as important, or as depressing, as it might sound – because our evolutionary process is now cultural.

Humans have a great cultural inheritance as well as a physical, genetic inheritance – we can inherit a knowledge of computers or television, electronics, aeroplanes and so on. Each generation has got all these books that tell them these things, so our cultural evolution is proceeding with extraordinary swiftness. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/quotw_ending_november_13/

Krebs: Lexis-Nexis, D&B and Kroll hacked


Major data aggregators have been compromised “for months”, according to prominent security blogger Brian Krebs, including Lexis-Nexis and Dun & Bradstreet.

Writing at Krebsonsecurity, Krebs says the ID theft invasion of the brokers’ servers dated back at least as far as April this year, and that “the miscreants behind this ID theft service controlled at least five infected systems at different U.S.-based consumer and business data aggregators.”


His work started with an attempt to investigate the data sources of a service called ssndob.ms (which has since gone offline), which provided lookups for Americans’ social security and other background-check data. An attack on Ssndob put a copy of its database in front of Krebs, which while not revealing its data sources, indicated that multiple sources existed for its data.

However, Krebs writes, “late last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicate that these individuals also were responsible for operating a small but very potent botnet” – a botnet with access to the aggregators Lexis-Nexis, Dun & Bradstreet, and Kroll Background America.

While admitting that its servers were compromised, Lexis-Nexis told Krebs there was no evidence that customer or consumer data were compromised. D&B and Kroll’s owner Altegrity declined to comment on the potential compromise of customer data, reverting to canned “security is our priority” statements and promising investigations. The companies are also in touch with federal authorities, Krebs said.

Whether or not Krebs has discovered a new breach at Lexis-Nexis, The Register notes that the broker has fallen prey to data thieves before. Back in 2005, its systems were rooted, and while it initially stated that 32,000 records were copied, the final count ended up at 310,000 individuals affected.

Back then, Lexis-Nexis ultimately admitted to Senate Judiciary Committee hearings that data breaches were routinely covered up since no law required disclosure. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/25/krebs_lexisnexis_db_and_kroll_hacked/