STE WILLIAMS

American Fantasy Football app lets hackers change team rosters


Security researchers have discovered a vulnerability in mobile versions of the Yahoo! Fantasy [American] Football app that created a means for hackers to change team lineups and post imposter comments on message boards.

Yahoo! has plugged the security hole, but users who fail to update their mobile app to the most recent version are at risk of having their lineups manipulated by other league managers or troublemaking hackers, warns NT OBJECTives, the application security testing firm that uncovered the snafu.


NT OBJECTives discovered the fantasy football app to be vulnerable to session hijacking, in which an attacker takes over the token that authenticates a genuine user, during a vulnerability-testing exercise. The security hole created a means for pranksters to manipulate other players’ lineups, putting injured or poor-performing players in the weekly lineup while benching top-rated players on that individual’s team. The issue arose from a catalog of related security shortcomings.

The API used by Yahoo!’s American Football mobile app failed to use SSL, so even a simple rogue WiFi hotspot could see the traffic between the mobile app and the Yahoo! Fantasy Football API. In addition, session cookies lasted for over a month, meaning that once snaffled, stolen session cookies could be abused to make changes in team lineups and more for an extended period, likely covering an entire season of the gridiron game. The app relied on simple session cookies rather than anything signed by a private token to authenticate requests.

Lastly, requests from the mobile web application included full-blown SQL statements revealing the tables and columns, opening the door to SQL injection vulnerabilities. “An attacker simply needed to look at the SQL statement, and see that the value to the ‘mbody’ column is an XML document of the full lineup,” NT OBJECTives explains. “By simply extracting that XML, the hacker could make any desired changes and then toss it back into the SQL statement and send it on.”

“Imagine a scenario where the hacker provides WiFi access on draft day and steals everyone’s session tokens. During the season, he can then change the lineup of his opponents whenever he wants to ensure a win for the week,” explained Dan Kuykendall, CTO of NT OBJECTives.

“Mobile web applications store information about the client, like a secret encoder ring, and the server stores all the secret decoder rings. If the server recognises the secret, it knows the request is valid,” he said. “When using shared secrets, developers must be sure both the client and server know the value, and that once the secret token is given to the client, it is never again transmitted.”

The security firm is careful not to overstate the impact of this particular vulnerability, which it says doesn’t amount to a major risk. However, similar classes of vulnerabilities (weak or nonexistent session management) in more sensitive mobile applications can cause all sorts of problems. Insecure mobile applications are often developed and delivered too quickly without proper security testing, it warns.
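An added example, not code from Yahoo! or NT OBJECTives, of the shared-secret scheme Kuykendall describes above, combined with fixes for the other two shortcomings in the story: the client keeps its secret and only ever sends an HMAC over each request, the session expires in minutes rather than a month, and the server checks that the session owns the team and binds the lineup XML as a query parameter instead of running SQL supplied by the client. The table name, column names and the lineup XML are constructed for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed sample data for this example (not Yahoo!'s real schema or payload).
LINEUP_XML = "<lineup note=\"it's week 1\"><qb>12</qb><rb>7</rb><wr>33</wr></lineup>"
SESSION_TTL_SECONDS = 15 * 60   # short-lived, unlike the month-long cookie in the story
REPLAY_WINDOW_SECONDS = 60      # how old a signed request may be before it is refused


def make_db():
    """Assumed schema: one row per team, 'mbody' holds the lineup XML as data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE teams (team_id INTEGER PRIMARY KEY, owner TEXT, mbody TEXT)")
    conn.execute("INSERT INTO teams VALUES (1, 'alice', ''), (2, 'bob', '')")
    return conn


class SessionStore:
    """Server side: one shared secret per session, handed to the client exactly once."""

    def __init__(self):
        self._sessions = {}  # session_id -> (user, secret, expires_at)

    def issue(self, user, now):
        session_id = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self._sessions[session_id] = (user, secret, now + SESSION_TTL_SECONDS)
        return session_id, secret  # the secret travels to the client once, over TLS, and never again

    def lookup(self, session_id, now):
        entry = self._sessions.get(session_id)
        if entry is None or now > entry[2]:
            return None  # unknown or expired session
        return entry[0], entry[1]


def canonical(session_id, team_id, timestamp, body):
    # Everything the server will act on is covered by the signature.
    return f"{session_id}\n{team_id}\n{timestamp}\n{body}".encode()


def sign_request(session_id, secret, team_id, timestamp, body):
    """Client side: prove possession of the secret without transmitting it."""
    return hmac.new(secret, canonical(session_id, team_id, timestamp, body), hashlib.sha256).hexdigest()


def update_lineup(conn, store, now, session_id, team_id, timestamp, body, signature):
    """Server side: verify signature and freshness, authorize ownership, then a parameterized write."""
    found = store.lookup(session_id, now)
    if found is None:
        return "unauthenticated"
    user, secret = found
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return "stale"  # a captured request cannot be replayed later in the season
    expected = sign_request(session_id, secret, team_id, timestamp, body)
    if not hmac.compare_digest(expected, signature):
        return "bad_signature"  # body or team_id was altered in transit
    row = conn.execute("SELECT owner FROM teams WHERE team_id = ?", (team_id,)).fetchone()
    if row is None or row[0] != user:
        return "forbidden"  # a valid session may only change its own lineup
    # The XML is bound as a parameter; it never becomes part of the SQL text.
    conn.execute("UPDATE teams SET mbody = ? WHERE team_id = ?", (body, team_id))
    conn.commit()
    return "ok"


def read_lineup(conn, team_id):
    return conn.execute("SELECT mbody FROM teams WHERE team_id = ?", (team_id,)).fetchone()[0]


def demo():
    """Walk through the legitimate update and each failure mode the checks are meant to catch."""
    conn = make_db()
    store = SessionStore()
    now = int(time.time())
    sid, secret = store.issue("alice", now)
    results = {}
    sig = sign_request(sid, secret, 1, now, LINEUP_XML)
    results["own_team"] = update_lineup(conn, store, now, sid, 1, now, LINEUP_XML, sig)
    results["stored"] = read_lineup(conn, 1)  # quotes in the XML are stored literally
    # Alice's session, correctly signed, still cannot touch Bob's team.
    sig_other = sign_request(sid, secret, 2, now, LINEUP_XML)
    results["other_team"] = update_lineup(conn, store, now, sid, 2, now, LINEUP_XML, sig_other)
    # A body modified after signing fails verification.
    tampered = LINEUP_XML.replace("<qb>12</qb>", "<qb>99</qb>")
    results["tampered"] = update_lineup(conn, store, now, sid, 1, now, tampered, sig)
    # The same valid request replayed five minutes later is outside the replay window.
    results["replayed"] = update_lineup(conn, store, now + 300, sid, 1, now, LINEUP_XML, sig)
    # A day later the session itself has expired, even with a freshly signed request.
    late = now + 86400
    sig_late = sign_request(sid, secret, 1, late, LINEUP_XML)
    results["expired_session"] = update_lineup(conn, store, late, sid, 1, late, LINEUP_XML, sig_late)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```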

Yahoo! was notified of the vulnerability and the newest version now requires SSL.

A demonstration of how the mobile hack works can be found in a whiteboard-style video featuring NT OBJECTives’ Kuykendall. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/06/yahoo_gridiron_game_uncryption/

Android malware spotted hitching a ride on mobile botnet


Kaspersky Lab has reported the first sighting of mobile malware (Android, of course) that piggybacks on the back of a separate mobile botnet and uses the resources of other malware once it’s installed.

“For the first time malware is being distributed using botnets that were created using completely different mobile malware,” said Kaspersky Lab expert Roman Unuchek in a report.


The culprit is a trojan called Obad.a, which the company has already branded the most sophisticated piece of mobile malware it has spotted. It comes in 12 flavors so far, and usually spreads via SMS, hacked app websites, or the dodgier end of the Android market scene.

Now it appears the Obad boys have teamed up with the makers of malware called Opfake.a, which uses a separate method of propagation by exploiting a flaw in Google Cloud Messaging. GCM was designed to ping out updates and fix phone settings remotely, and allows the sending of 4KB messages to anyone using a specific application.

Kaspersky have found more than a million installers of Opfake in circulation so far. The code sets up a backdoor communications channel to C&C servers, then starts pinging out premium text messages, stealing contacts, and spamming itself outwards – but now some copies are carrying Obad as an extra payload.

Once Opfake is installed, it uses GCM to send out a message of an update (in one case 600 of the things in five hours) and loads Obad.a under the names of mms.apk or mmska.apk. Once installed, the pernicious malware gains Device Administrator privileges and hides itself from file searches, before contacting its C&C servers and spamming itself out in a splurge of activity.

[Chart: spam rate for an Obad Android malware infection – “Obad gets busy”]

“These peaks are the result of using third-party botnet resources – mobile devices infected with other malware,” said Unuchek. “That means that the owners of Backdoor.AndroidOS.Obad.a not only command their own software to spread itself, they also take advantage of Trojans operated by other cybercriminals.”

The Obad payload isn’t carried on all Opfake samples, and Unuchek concludes that the malware team “rented part of a mobile botnet to spread their brainchild.” So far, 83 per cent of Obad infections have come from Russia, with outbreaks reported in Kazakhstan, Uzbekistan, Belarus, and Ukraine.

After consultations with the Chocolate Factory, Kaspersky reports that the flaw that allows Obad to embed itself has been patched, but only in the Android 4.3 build – meaning that unless you have one of a very few Nexus devices, you’re wide open. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/06/android_malware_spotting_hitching_a_ride_on_mobile_botnet/

Security Experts: Expect U.S. Cyberoffensive Efforts To Grow

That the U.S. is stocking its cyberarsenal should come as little surprise, but recent revelations from documents leaked by fugitive Edward Snowden revealed just how much.

Today, reports by The New York Times and The Guardian revealed that the National Security Agency (NSA) and its U.K. equivalent, Government Communications Headquarters (GCHQ), have engaged in a long-running and wide-ranging effort to defeat the encryption widely used on the Web, including SSL, VPN technologies, and new protections used on 4G smartphones.

The disclosure follows the release of a mountain of information contained in documents leaked recently to The Washington Post that provide a peek at just how much the United States has embraced offensive cyberactivity — something security experts say is likely to continue as other countries build cyberarsenals of their own.

“The best way I can explain why is to paraphrase a maxim echoed throughout history, which is: ‘The best defense is a good offense,’” says Leo Versola, vice president of technology at security solution provider AhnLab. “Defense has always been much harder to successfully implement than offense for obvious reasons. However, I don’t think this will necessarily change the way [the U.S. approaches] other countries suspected of conducting similar operations.”

“Warfare,” says Versola, “is shifting from a physical to a virtual battlefield and the rules of engagement are evolving.”

According to documents obtained by The Washington Post, U.S. intelligence services carried out 231 offensive cyberoperations in 2011. In addition, under a $652 million project code-named GENIE, U.S. specialists broke into foreign computer networks and placed malware dubbed “implants” on tens of thousands of machines every year.

By the end of 2013, GENIE is expected to control at least 85,000 implants in machines across the globe — roughly four times the number available in 2008, according to the U.S. intelligence budget. Many of the NSA implants are designed by the agency, but $25.1 million was set aside this year to make covert purchase of software vulnerabilities as well.

“Offensive cyberoperations will continue to play a key part of the government’s strategy in the future; it only makes sense from a tactical and strategic perspective,” says Rob Kraus, director of research with Solutionary’s Security Engineering Research Team (SERT), adding that “disarming a country through the use of cyberwarfare can be very powerful and can be very effective without ever requiring boots on the ground.”

Perhaps the most famous reputed example of America’s offensive capabilities is the Stuxnet malware designed to target Iran as part of an intelligence effort code-named “Olympic Games.” The operation has still not been officially acknowledged by the government despite The New York Times unmasking it in 2012. Snowden has also credited the United States and Israel with creating Stuxnet.

The expansion of these activities is tricky given the lack of precedent and clear public lines of responsibility for the execution of direct cyberwarfare, says Philip Lieberman, president of Lieberman Software.

“Many existing branches of the military have undertaken an expansion of their missions into cyberwarfare, but details of actual operations are sparse,” he adds. “The USA vs. China intelligence and cyberwarfare scenarios have been complex and opaque, with both sides accusing the other with both having difficulty in attribution of actions to either side. Welcome to the world of the other side being a friend and enemy simultaneously.”

The use of cyberweapons by the U.S., however, comes with a major drawback: the prospect of another country returning the favor, says Kraus.

“One thing to consider is that we are one of the best-connected countries in the world, which also provides our adversaries with a larger base of targets to choose from and cause harm to the U.S.,” he says. “So it is not all about offense, but defense must be considered. This is why it is important for the U.S. to continue spending on protecting critical infrastructure.”


Article source: http://www.darkreading.com/privacy/security-experts-expect-us-cyberoffensiv/240160914

Trend Micro Releases Titanium Security 2014

CUPERTINO, Calif., Sept. 5, 2013 – The social media privacy management tool is featured in today’s release of Trend Micro’s Titanium™ 2014 family of consumer security products. Titanium Security 2014 is a customizable security solution built on Trend Micro’s 25 years of leadership in Internet security.

Titanium Security 2014 solutions provide industry-leading anti-virus and Web-threat protection that identifies and blocks dangerous links in websites, social networks, emails and instant messaging. It also detects spam emails containing phishing scams that can trick users into revealing private personal information. According to the August 2013 AV Comparatives report, Trend Micro Titanium offers the broadest combination of privacy and Web threat protections for Facebook, Google+, and Twitter across PCs and Macs among 31 security products reviewed (Social Network Protection Review, August 2013, AV Comparatives).

Trend Micro has expanded its unique social network privacy technology, which identifies privacy settings that may leave personal or inappropriate information publicly available or vulnerable to identity theft. Trend Micro also gives users control over which apps can access biographical data, and who can tag and see photos. These features are critical today, considering only 24% of Facebook users change their privacy settings each month or more often, according to the same survey of social media users. The same poll showed that 27% of Twitter users and 30% of Google+ users have never checked their privacy settings and 34% of Twitter users and 39% of Google+ users have never updated their privacy settings. Trend Micro’s robust personal privacy management tool now dramatically simplifies privacy settings on Twitter, Google+ and Facebook – for both Mac and PC. Facebook settings can also now be managed on-the-go via an Android app.

To help fight identity theft, Trend Micro’s password management feature in Titanium Security 2014 includes a secure browser to conduct safe online commerce that is specifically designed to support secure online banking. Based on users from the same poll, respondents have an average of 12 accounts requiring passwords, but are using only eight passwords among those dozen accounts. An identity thief can do more damage to a victim who uses the same password in multiple accounts.

Additionally included in Trend Micro’s customized solutions are robust parental controls to help families protect children from the dangers inherent to Internet use. Titanium Security 2014 empowers parents to restrict and filter their children’s online access, protecting them from inappropriate or harmful websites. In addition, the security solution includes a way to monitor kids’ behavior online – to help parents protect their kids from cyber bullying and encounters with online predators.

For Android smartphone and tablet users, Titanium Security 2014 includes the Facebook privacy management app within Trend Micro™ Mobile Security. Mobile Security is designed to find a lost or stolen device, identify data-stealing mobile apps, back up and restore data stored on a device, and remotely lock and wipe out data.

“Life is difficult enough without having to worry whether or not your reputation, your data or your identity is protected,” says Omikawa. “Trend Micro tackles this enormous challenge with Titanium Security 2014. This comprehensive solution provides users with all-in-one protection on PCs, Macs and mobile devices for practically everything you do online, so you can enjoy your digital life safely.”

For more information on Trend Micro Titanium Security 2014, go to: http://www.trendmicro.com/us/index.html

About Trend Micro

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our solutions for consumers, businesses and governments provide layered data security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™ infrastructure, and are supported by over 1,200 threat experts around the globe. For more information, visit TrendMicro.com.

Article source: http://www.darkreading.com/privacy/trend-micro-releases-titanium-security-2/240160974

LaunchKey Introduces Anonymous User Authentication As Part Of Technology Platform

LAS VEGAS, NV – September 5, 2013 – LaunchKey, a company that provides a secure approach to allow individuals to sign in or authenticate on websites, applications or networked systems through smartphones and tablets without passwords, today introduced anonymous user authentication capabilities as part of its technology platform that kills passwords.

The new multi-factor authentication technology architected by LaunchKey, which is also celebrating its first year in business, decentralizes credentials from personal identification information, further strengthening the privacy and security of enterprise organizations, developers and individuals alike. The company launched its private beta in May and its public beta in July.

“LaunchKey’s technology will shift the way personal and corporate data are protected and secured and how proprietary information is accessed,” said Zach Ware, CEO of Project 100 and VegasTechFund partner. “As logins and passwords quickly become obsolete, tools like LaunchKey will become the secure de facto solution for user authentication.”

LaunchKey was discovered at Startup Weekend Las Vegas in July 2012, and investors and advisors have taken note. LaunchKey earned its first round of funding in December 2012. Co-founders Geoff Sanders, Yo Sub Kwon and Devin Egan are successful entrepreneurs who collectively have extensive experience in systems security, architecture and design and were recently named to Inc. Magazine’s prestigious “30 Under 30” list of entrepreneurs for 2013.

“Passwords have become increasingly ineffective as their inherent weaknesses are exacerbated by a continual rise of computing power and diligence of hackers,” said Sanders. “By moving away from this flawed authentication process, we provide users a safe and secure way to sign in and remove the burden and exposure presented when users have to remember a multitude of passwords — many of which are tied to personal data.”

LaunchKey Vision: Business Authentication Tool of Choice

According to market research, the multi-factor authentication market is expected to reach $5.45 billion by 2017. When a security breach or cyber attack occurs, it can cost companies upwards of hundreds of millions of dollars and jeopardizes personal and confidential information. Major enterprises and Fortune 500 companies are looking to LaunchKey to become their authentication tool of choice to access and protect company files, applications, websites and network infrastructure. LaunchKey’s vision is to become a part of the daily lives of individuals, connecting them to critical information while providing enhanced security and ease of access.

“LaunchKey is the perfect example of what the Switch SUPERNAP sees as the integration of infrastructure, innovation and community pushing the envelope of what is possible to bring about change that shifts paradigms,” said Rob Roy, CEO and founder of Switch SUPERNAP. “I couldn’t be prouder of LaunchKey and the change they will make in my own world when passwords are eliminated. The world-class nature of their solutions speaks volumes about the startups in Las Vegas.”

The Benefits of Anonymous Architecture

Passwords are inherently insecure, so LaunchKey authenticates users to websites, applications and other networked systems by pushing authentication requests to a user’s paired smartphone or tablet for physical authorization without requiring passwords. This system allows users to securely and privately authenticate without relinquishing personally identifiable information in the process.

The password-less authentication process combines the benefits of strong out-of-band authentication with the security of multiple authentication factors. LaunchKey’s multi-factor authentication involves all three factors: possession (device factor), inherence (geofencing) and knowledge (combo and pin lock). When activated, all three must be used correctly together for authorization to be granted.

Personal identification remains anonymous and is not used in the authentication process — a major advancement in the world of online security. LaunchKey ensures security while improving the ease and overall experience of authentication. Users can remotely manage their sessions from any of their smartphones and tablets, and simply log out with a swipe of a finger.

The LaunchKey application is available in Google Play and the App Store. The company’s RESTful API is now in public beta with customized software development kits in the most common languages for both websites and native apps, plugins for popular content management systems including WordPress and Drupal, and support for popular protocols including OAuth and OpenID. LaunchKey is currently in the process of negotiating partnerships with leading technology providers.

For more information, visit www.launchkey.com.

About LaunchKey

LaunchKey is evolving user authentication and eliminating passwords with anonymous multi-factor authentication through smartphones and tablets. LaunchKey’s free app enables users on websites, applications and other networked systems to securely and privately authenticate without passwords. For developers, LaunchKey provides a trustworthy alternative to password-based user authentication while reducing the liability passwords create. The founders were recently named to Inc. Magazine’s prestigious “30 Under 30” list of entrepreneurs for 2013.

Article source: http://www.darkreading.com/intrusion-prevention/launchkey-introduces-anonymous-user-auth/240160955

TRUSTe Study Shows Many Consumers More Concerned About Mobile Privacy Than A Phone’s Brand Or Screen Size

LONDON, September 5, 2013 /PRNewswire/ —

TRUSTe Unveils Latest Consumer Mobile Privacy Research, Kicks Off Global ‘Powering Trust’ Roadshow

TRUSTe [http://www.truste.com ], the leading global data privacy management (DPM) company, today released findings from its 2013 UK Consumer Data Privacy Study: Mobile Edition [http://www.truste.com/uk-mobile-privacy-index-2013 ], conducted online by Harris Interactive on behalf of TRUSTe among more than 900 UK smartphone users between 12 June – 19 June 2013. The study provides a valuable barometer on current consumer perceptions and mobile privacy trends by examining issues such as data collection, geo-location tracking, mobile advertising and privacy management responsibility. TRUSTe will share the full research results in a series of “Powering Trust [http://www.truste.com/events/roadshow ]” roadshow events to provide brands and publishers with information and tools to manage the privacy challenges in today’s data economy.

Among the top findings: many smartphone users are more concerned about mobile privacy than a phone’s brand, screen size, camera resolution or weight; more than three-quarters of smartphone users won’t download an app they don’t trust; and although the majority of those surveyed don’t like the concept of tracking, nearly half (46%) of smartphone users are still unaware it even happens.

“With mobile privacy concerns running higher than ever, the business implications simply can’t be ignored,” said Chris Babel, CEO for TRUSTe. “If a user won’t download an app or share location data, mobile commerce – and technology innovation – takes a hit. To secure their future growth, companies must address mobile privacy concerns now – giving users what they’re asking for with more transparency and control over their privacy choices.”

Coinciding with the release of its UK mobile survey, TRUSTe also announced findings from its “2013 US Consumer Data Privacy Study: Mobile Edition.” See study here [http://www.truste.com/us-mobile-privacy-index-2013 ]

2013 UK Consumer Data Privacy Study: Mobile Edition – Detailed Findings

Mobile privacy concerns increasing

– 76% of smartphone users surveyed won’t download an app they don’t trust (up from 68% in 2012)

– Privacy is the primary concern for 20% of smartphone users when using mobile apps, second only to battery life at 45% – but more than other phone attributes, like brand (13%), screen size (11%), camera resolution (3%) and weight (2%)

– 54% of smartphone users are frequently or always concerned about privacy when banking online, the online activity causing mobile users the greatest concern, followed by shopping online (50%)

Awareness of mobile tracking is low

Awareness of mobile behavioural advertising is relatively low, and, regardless of awareness, the majority of those surveyed do not like tracking. Specifically:

– 46% of smartphone users are not aware that tracking takes place on mobile (compared with 24% being unaware on the desktop)

– 70% of smartphone users surveyed do not like the idea of being tracked on their mobile phones (compared with 47% on the desktop)

Mobile users are less willing to share personal data than a year ago

47% of smartphone users surveyed will not share any personal information in exchange for free or lower cost mobile apps. The study found that smartphone users are less willing to share personal data in general compared with TRUSTe’s 2012 research [http://www.truste.com/window.php?url=http://download.truste.com/TVarsTf=7EDO6P8Z-187 ]. The vast majority of users will NOT share: contact information (98%), precise location data (92%) or web surfing behaviour (91%).

While offering apps for free or at a reduced cost will entice 35% of smartphone users to share some information, this is down from 40% in 2012 – and 47% still refuse to share any information.

Mobile users still hold themselves most responsible for protecting privacy

– 69% of those surveyed responded that they are ultimately responsible for protecting their own privacy

Mobile users checking for privacy policies and trust marks

37% of smartphone users surveyed said they check to make sure whether a mobile app has a privacy policy, and nearly 17% check to see if the app has a privacy trust mark or seal. Additionally, 32% research apps online and 22% check with friends before sharing personal information.

Full details of TRUSTe’s findings can be found here [http://www.truste.com/uk-mobile-privacy-report-2013 ]

Article source: http://www.darkreading.com/mobile/truste-study-shows-many-consumers-more-c/240160977

15 years jail time for Romanian card heist ringleader, 5 for light-fingered company president

Adrian-Tiberiu Oprea, the Romanian ringleader of a gang which heisted payment card data from hundreds of Subway branches in the US, has been sentenced to a hefty 15 years in jail for his crimes.

Oprea pleaded guilty in May to his part in the scheme, in which the crew compromised vulnerable point-of-sale systems, planted malware on them and harvested details of payment cards fed in or swiped.

Several hundred businesses were hit, including 250 Subway franchises. Details were gathered for over 100,000 cards, with money stolen and clean-up costs coming to over $17.5 million.

The sentence was announced this week by a New Hampshire court. Oprea’s sidekick Iulian Dolan got a comparatively light seven-year sentence after pleading guilty a year ago, while another co-conspirator, Cezar Butu, got 21 months back in January.

Several of the gang were apparently tricked and lured to the US by federal agents offering free casino visits or posing as amorous waitresses. It sounds like their visits will be rather longer than they expected, not to mention considerably less pleasant.

In other sentencing news, a former president of logistics firm Exel has been given 63 months (or five-and-a-bit years) in jail by a Texas federal judge for his part in “hacking” his former employer’s computer systems to access customer data.

Michael Musacchio is alleged to have used the data to start up his own rival business, stealing files from Exel with the help of two fellow employees who went on to join him in his new venture.

Given the description, it sounds likely that the hacking involved little more than using an account, which should have been shut down, and moving data out of the company network, which should really have been prevented by stricter policies and better protections.

Prosecutors wanted Musacchio to face 15 years, and have argued he should pay $10 million in restitution against a loss of business for Exel, which some estimates put at up to $166 million.

Musacchio’s legal team suggest the losses could be much lower, at between $71k and $200k. The final charge will be decided in the next few months.

Also in Texas, a Dallas judge has imposed a gagging order on Barrett Brown, who’s up on federal charges for alleged involvement in the Anonymous heist of data from government contractor firm Stratfor back in 2011.

The order means Brown and his legal team cannot publicly discuss anything involving the case – even what the charges brought against him are.

The reasoning behind the order is to avoid biasing a potential jury in a case which apparently carries a rather aggressive potential penalty of up to 100 years in jail. The trial itself is not due to start until next April, although Brown has been in custody since last year.

Meanwhile, over in South Africa police have rounded up a gang of 54 believed to be involved in a phishing scam in the country, thought to have netted 15 million Rand (US$1.5 million).

Most have since been released on bail, but the 9 main suspects have been remanded in custody.

All in all, a busy week for the cybercrime cops; hopefully some of these sentences will deter a few would-be digital crooks and put them back on the straight and narrow.


Image of point-of-sale machine and man in jail courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/y7Zg9Y2u4eY/

Putting the security jigsaw together


Reg reader research: Effective IT security is both important and hard to implement, and it isn’t getting any easier. Central systems are becoming more complex, and keeping up with the ever-changing threat landscape is an ongoing challenge.

Then there’s the fact that end users are more mobile than ever and increasingly reckon they should be able to use any device they like to access corporate systems and data.


Relate to any of this? Need some guidance? Well we might be able to help.

Based on feedback from 977 Reg readers who took part in a recent survey, Freeform Dynamics has written a report looking at how to work through the complexity and piece together the security jigsaw.

We identify six key components that make it possible to secure IT systems and data without blowing your entire budget or stressing the IT team beyond breaking point.

Want to find out more? Take a look here. This independent research is sponsored by McAfee and registration is required. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/06/putting_the_security_jigsaw_together/

Clear next Tues: Incoming Outlook, IE, Windows critical security patches


Microsoft will squash 14 sets of security vulnerabilities – four of which are deemed critical – in the next edition of its monthly batch of Patch Tuesday updates, due next week.

Those four critical patches will address flaws in the SharePoint server software, the Outlook component of Microsoft Office 2007 and 2010, Internet Explorer (versions 6, 7 and 8) and older versions of Windows (XP and Server 2003). All four critical bugs, plus four “important” ones, allow attackers to remotely execute code on a vulnerable system.


In fact, besides those four critical holes, all the remaining 10 so-called bulletins are rated “important”. Redmond is holding off details on the vulnerabilities pending the delivery of fixes this coming Tuesday, so for now we only know which software packages are due to be fixed without knowing why they need updating.

Ziv Mador, director of security research at infosec firm Trustwave, said: “This month Microsoft continues the recent tradition of large Patch Tuesday with fourteen bulletins this month. No less than eight of them are categorised as remote code execution but only four of them are rated as critical.”

In the first three quarters of 2013, Microsoft has issued 80 security patches, well ahead of the 63 released in the nine months to September 2012. “The increased numbers come from the important [bugs], not the critical [vulnerabilities],” notes Paul Henry, a security and forensics analyst at Lumension. “Microsoft told us this would be the case this year.”

The vulnerability in Microsoft Office 2007 and 2010, which “can be triggered simply by previewing an email in Outlook, even without explicitly opening the email”, obviously needs to be patched as soon as possible. The Internet Explorer fixes also need to be rushed through.

Microsoft’s prerelease announcement can be found here. Additional comment from Wolfgang Kandek, CTO at cloud security firm Qualys, is here.

Tuesday will also mark the delivery of a critical update for Adobe’s Reader and Acrobat PDF software packages. Adobe Reader/Acrobat XI (11.0.03) and earlier versions for Windows and Mac OS X as well as Adobe Reader/Acrobat X (10.1.7) and earlier 10.x for Windows and OS X will all need updating, as explained in an advisory by Adobe here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/06/ms_patch_tuesday_prealert/

Now we know why UK spooks simply shrugged at SSL encryption


Analysis: In July 2012, Britain’s top spook Charles Farr made a rare public appearance: sat across a table from MPs in Parliament, he was quizzed by backbenchers scrutinising Home Secretary Theresa May’s widely criticised plan to snoop on Brits’ internet connections.

At the time, the government was trying to get politicos to agree that there was a solid case for massively increasing the surveillance of our online activities by granting the police and intelligence agencies in Blighty greater spying powers.

It was the latest Home Office push to hand more control to the likes of the UK’s eavesdropping nerve-centre – the Government Communications Headquarters (GCHQ). And readers of these pages will be only too familiar with the regular attempts by successive administrations over more than a decade to write legislation that allows British spies to have deep access to our online communications, much like they already do with our telephone system.

All the while, technology companies have insisted that systems that protect sensitive information – such as credit card details and passwords – while in transit over the net are largely secure. Websites, VPN gear and similar online services that ordinary punters use to buy goods, send emails and share pictures rely on the TLS/SSL encryption protocol to keep data beyond the reach of eavesdroppers.

In the last two years, some of the biggest internet players including Google, Yahoo!, Microsoft and Facebook have all enabled SSL, switching their web communications to HTTPS.

The tech titans hoped the move would reassure their users that their in-transit data is safe. Now we’ve learnt that America’s NSA has poured hundreds of millions of dollars into mathematically cracking, or otherwise ruthlessly undermining, the protocol family and related crypto technologies. If the agency can’t use maths to decrypt data, it can turn to backdoors in equipment and flaws in algorithms it helped plant, in order to snaffle the information.

Quite recently, Wikipedia founder Jimmy Wales – who has increased his lobbying against various aspects of UK government policy in the past year – reasserted that his online encyclopaedia will encrypt its connections in the wake of revelations from one-time NSA sysadmin Edward Snowden, who blew the whistle on spooks’ activities on both sides of the Atlantic.

Jimbo said in August that Wikipedia would start using HTTPS by default on its site once it overcomes some problems with how its “current architecture” fails to handle the secure protocol.

Logged-in users should now be redirected to HTTPS. But there is no timescale set for when the website will be encrypted for all its visitors. Jimbo insisted at the time that it was “highly unlikely” that US spooks could decrypt HTTPS.

But last night the New York Times and allied publications reported that Brit spooks and their American counterparts at the National Security Agency had in fact been doing what was expected of them: breaking encryption.

And included on that list was the trusted SSL protocol – which is used throughout the world to “secure” websites where personal data is carried across the net.

But should we really be that surprised that the NSA claims it can bypass that security? The clues were arguably there to show that such everyday access was already largely in play.

Hidden in plain sight

One need only sift through the evidence from the joint select committee hearings in 2012 that looked painstakingly over May’s now shelved Communications Data bill, dubbed colloquially as the Snoopers’ Charter, to recognise the level of complacency on display around matters such as SSL.

Just as Facebook and chums were switching to HTTPS by default, Britain’s security services were showing little signs of discomfort with the move.

Politically, at least, it was an opportunity for May to argue the case for beefing up spooks’ communications access powers. But Farr and other top-ranking Home Office officials did not complain about how their online surveillance work might be deeply disrupted by sites shifting to SSL. The g-men shrugged off Brits encrypting their network traffic, a move that should have hampered or halted the analysis of said communications.

Here’s one such exchange from 10 July 2012 [PDF] between Tory MP Stephen Mosley and Director of Communications Capability Directorate Richard Alcock:

Stephen Mosley: When it comes to cryptic communication, for instance, SSL or something, the encrypted communications data might be in the content of that communication. How is that classified?

Richard Alcock: Through the Bill, we will only be able to store communications data. The means by which we access communications data, our preferred route, will be working in partnership with the communications service providers, who will hold unencrypted data on their own services, i.e. the services that they are providing for their customers. We will be working with them to retain, in some cases, some aspects of communications data and, in that case, it is very easy to separate content from CD [communications data]. Though I must stress, through the Bill it is illegal for us to collect content. We will only be able to retrieve and store communications data. We will not be applying any systems that cannot reliably extract CD from content through whatever data streams. So, in essence, by working with communications service providers, we can ensure a very reliable means by which we can ensure that we only collect communications data and store that appropriately.

Tellingly, Farr then added this response to whether internet security protocols such as SSL were actually “an issue at all.” He told the MPs:

We have already, of course, relations with many, but by no means all, overseas providers, including those who are household names and are the big suppliers into this country. We have that relationship, for all sorts of reasons, under existing legislation. Those relationships are co-operative and collaborative and, as some of those providers have made clear, they provide data, to the extent that they can — I would emphasise that — in accordance with existing legislation.

It is our hope and expectation that that collaborative relationship would continue and it would be part of the purpose of this legislation to facilitate that wherever we can. You are right, however, that the obligations do apply to overseas providers and in the event, which I regard as unlikely, that co-operation was not possible, an enforcement route would be open to Ministers, if they chose to exercise it, through civil action. This would apply as much to overseas providers as to domestic providers. I emphasise that is not the purpose of this legislation. The purpose is to facilitate a collaborative, co-operative relationship, building on the relationships that we have already.

Indeed, one of the key points raised in the latest revelations from the NYT and others is that spooks, without naming names, were “collaborating with technology companies in the United States and abroad to build entry points into their products”.

As our American cousins might put it: you do the math.

BT refuses to attack its security guru for working with Snowden

Bruce Schneier, who is one of the world’s most respected security experts, has been working directly with journalists on the latest revelations from Snowden. As part of that collaboration, the Guardian published an essay by Schneier in which he called for people who helped the NSA build backdoors into internet technologies to come forward and blow the whistle.

Meanwhile, the crypto boffin said on his blog: “Basically, the NSA is able to decrypt most of the internet. They’re doing it primarily by cheating, not by mathematics.”

One of Schneier’s day jobs is a critical one for telecoms in the UK: he is BT’s security futurologist.

The Register asked BT if his direct involvement with Snowden in any way compromised the one-time national telco’s position. BT told us: “These are Bruce’s personal views.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/06/how_uk_spooks_revealed_they_did_not_fear_ssl_encryption/