STE WILLIAMS

Domain Security Needs More Than Registry Locks

Today’s networking infrastructure relies on the domain name system–not only a company’s public-facing Web servers and Internet appliances but much of its private infrastructure as well.

But enterprises need to better protect their DNS environments, as last week’s attack on a reseller of domain registrar MelbourneIT and the subsequent redirection of the New York Times, the Huffington Post, and two subsidiary Twitter domains, demonstrated. While the attacks should not have come as a surprise, the vast majority of companies are unprepared for such malicious attention.

Only a small fraction of companies are taking the security measures necessary to protect their domains from attack, says Danny McPherson, vice president and chief security officer for VeriSign. Even companies and individuals that are conscious of security issues tend to give their domain name registrations short shrift, he says.

“People invest tens or even hundreds of millions of dollars on content distribution infrastructure, data centers and other things, and they use a fixed password with their registrar and a $10 domain name,” he says.

Following last week’s compromise, companies jumped to protect their domains from changes using a registry security feature known as a registry lock. Yet, McPherson and others point out that a registry lock, while an essential step to protecting a business’s domain, is not sufficient. Companies need to take an in-depth look at how they handle their domains, access to those domains, and the vetting of their registrars, he says.

Two documents produced by the Internet Corporation for Assigned Names and Numbers (ICANN) are a good starting point for companies. Produced by ICANN’s Security and Stability Advisory Committee, the documents–SAC040 and SAC044–inform companies about the measures their registrar uses to protect registration services against misuse and advise businesses about how to protect their own domain names.

As described, a registry lock protects domains against changes, deletion and transfers using registrar status codes. But security experts and the documents recommend other steps as well:

1. Check out your registrar
By all accounts, MelbourneIT is a responsible, security-conscious registrar. Despite that good reputation, hacktivists circumvented the company’s business processes to gain control of its domain administration system for a short time.

Like any third party, registrars should be quizzed on their security measures, says Jaime Blasco, director of research for unified-security provider AlienVault. While smaller firms may not have the clout of larger firms, they can still shop around and ask for additional security measures for their domain, he says.

“If you are a big company, ask the registrar what security mechanisms do they have in place as part of your risk-assessment process,” Blasco says. “Taking into account how secure the registrar is should be one of the priorities for companies right now.”

2. Passwords are not good enough
Securing the foundation of business infrastructure with a simple password, no matter how complex, is dangerous. Any business that does not take more stringent security measures is a single phishing attack away from losing their domains, says Rodney Joffe, senior vice president and technologist at domain-registry Neustar.

Companies should have at least two-factor authentication in place, so that any change to the domain records requires a passcode sent or generated through another channel. Because e-mail accounts tend to be a first target of attackers, using two-factor authentication that relies on e-mail is not good enough, Joffe says.

“Obviously if a domain holder’s email account has been compromised, the hijacker can still get the second factor and make changes, so the better systems typically utilize text messages to cell phone numbers,” he says.

3. Track access to DNS records
While two-factor authentication can shrink the attack surface area that leads to a company’s domain records, businesses also need to minimize the number of employees with the ability to change domain records. At the same time, having multiple points of contact can add redundancy that is important in an emergency.

Overall, companies should make sure that each step of the domain name system has adequate points of contact and verify that only the people who need to access the systems have authorization, says VeriSign’s McPherson.

“It’s important for people to consider the ecosystem, all the way from the registrant, all the way forward to something like DNSSEC to even validating recursive name servers in the infrastructure,” he says. “It helps you to minimize your attack surface in the active infrastructure.”

[A report has sparked a new round of discussions about policing the Internet ecosystem and whether the Internet Corporation for Assigned Names and Numbers (ICANN) is doing enough to combat the problem. See Rogue Domain Registrars Pose Challenges.]

4. Monitor your DNS records for changes
Registry locks, DNS Security and other technologies are not infallible protections against attackers, but they do raise the bar. Just as important, attackers who circumvent those protections will essentially set off alarms.

For that reason, companies need to be monitoring their DNS records for any unauthorized changes, says AlienVault’s Blasco.

“Implementing monitoring and health checks of the infrastructure is one of the key things that companies can do,” he says.
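As an added example (not code from the article or from any of the vendors quoted in it), two offline checks that follow the advice above: reading the EPP status codes from WHOIS-style output to see whether a registry lock (the server-side prohibitions) is actually in place, and diffing a DNS snapshot against a known-good baseline so that an unexpected record change raises an alert. The domain, the WHOIS text and the DNS snapshots are constructed samples.

```python
"""Added example, not from the article. Two offline checks:
  1. Parse EPP status codes from WHOIS-style text and report whether
     registry-level locks (server*Prohibited) are present, as opposed to
     the registrar-level client*Prohibited codes most domains already carry.
  2. Compare a DNS snapshot against a baseline and list every rrset that
     differs, ignoring case, trailing dots and record order.
The WHOIS text, domain name and DNS snapshots are constructed samples.
"""
from __future__ import annotations

import re

# A registry lock adds the server-side prohibitions; the client-side ones are
# set by the registrar and go away with a compromised registrar account.
REGISTRY_LOCK_STATUSES = {
    "serverdeleteprohibited",
    "servertransferprohibited",
    "serverupdateprohibited",
}
REGISTRAR_LOCK_STATUSES = {
    "clientdeleteprohibited",
    "clienttransferprohibited",
    "clientupdateprohibited",
}

# Constructed WHOIS-style output for a hypothetical domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-NEWSPAPER.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-NEWSPAPER.COM
Name Server: NS2.EXAMPLE-NEWSPAPER.COM
"""

STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def parse_status_codes(whois_text: str) -> set[str]:
    """Return the EPP status codes found in WHOIS/RDAP text, lower-cased."""
    return {m.group(1).lower() for m in STATUS_RE.finditer(whois_text)}


def lock_report(statuses: set[str]) -> dict:
    """Classify the locks present; 'registry_locked' is True only when all
    three server-side prohibitions are set."""
    return {
        "registrar_locks": sorted(statuses & REGISTRAR_LOCK_STATUSES),
        "registry_locks": sorted(statuses & REGISTRY_LOCK_STATUSES),
        "registry_locked": REGISTRY_LOCK_STATUSES <= statuses,
        "missing_registry_locks": sorted(REGISTRY_LOCK_STATUSES - statuses),
    }


# Constructed snapshots: {owner name: {record type: [values]}}.
BASELINE = {
    "example-newspaper.com.": {
        "NS": ["ns1.example-newspaper.com.", "ns2.example-newspaper.com."],
        "A": ["203.0.113.10"],
    },
    "www.example-newspaper.com.": {"A": ["203.0.113.10"]},
}
OBSERVED = {
    # Same NS set in a different order and case: not a change.
    "example-newspaper.com": {
        "NS": ["NS2.example-newspaper.com", "ns1.example-newspaper.com"],
        "A": ["203.0.113.10"],
    },
    # The web host now resolves somewhere else: this should alert.
    "www.example-newspaper.com": {"A": ["198.51.100.7"]},
}


def normalize(records: dict) -> dict:
    """Lower-case names and values, strip trailing dots and sort values."""
    out: dict = {}
    for name, rrsets in records.items():
        out[name.lower().rstrip(".")] = {
            rtype.upper(): sorted(v.lower().rstrip(".") for v in values)
            for rtype, values in rrsets.items()
        }
    return out


def diff_dns(baseline: dict, observed: dict) -> list[str]:
    """Return one alert line per rrset that differs from the baseline."""
    base, obs = normalize(baseline), normalize(observed)
    alerts = []
    for owner in sorted(set(base) | set(obs)):
        types = set(base.get(owner, {})) | set(obs.get(owner, {}))
        for rtype in sorted(types):
            before = base.get(owner, {}).get(rtype, [])
            after = obs.get(owner, {}).get(rtype, [])
            if before != after:
                alerts.append(f"{owner} {rtype}: expected {before}, saw {after}")
    return alerts


if __name__ == "__main__":
    print(lock_report(parse_status_codes(SAMPLE_WHOIS)))
    for line in diff_dns(BASELINE, OBSERVED):
        print("ALERT:", line)
```

In practice the snapshot would be filled from queries against several resolvers, and the WHOIS text from the registrar's or registry's RDAP service, on a schedule.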


Article source: http://www.darkreading.com/vulnerability/domain-security-needs-more-than-registry/240160797

Faces, gestures, heartbeats

Researchers regularly come up with revolutionary ideas to replace the clunky, fiddly and mostly rather insecure passwords we use for almost all of our authentication needs.

The latest schemes to hit the headlines involve using features of our bodies, internal or external, to reassure our devices that we are who we claim to be.

Will any of them ever become the new standard for authentication? Are we going to be stuck with passwords forever, or is there a brighter future out there somewhere?

Security folk talk a lot about passwords. How long or complex they need to be, how bad people tend to be at choosing them and not reusing them, how they should be recorded and stored, how easily they can be cracked.

Occasionally a shiny new idea pops up – most recently we saw biostamps and swallowable dongles – but they generally disappear again just as quickly, leaving us stuck with the status quo.

In your face

In the news this week, Australian researchers have been promoting their work on facial recognition as a means of authentication.

As an idea this seems obvious – faces are the main means we use to identify each other in the real world, and if we want to avoid being identified, a mask is a standard first step. So it makes sense to have computers recognise our faces, or at least bits of our faces, too.

It’s an approach that has become fairly common of late, with PC login systems and mobile apps trying to use our faces to authenticate us to various things. Only a few weeks ago we heard about a Finnish company’s plans to use faces in place of credit cards.

In general these schemes have proven less than perfect, either easily fooled by photos, similar-looking people or technical tricks, or failing to authenticate real users thanks to bad hair days or bad moods affecting how we look.

Similar issues have blighted fingerprint-based authentication, which remains too unstable and unreliable for general use.

It’s not yet entirely clear what will separate the work being done by the University of Queensland researchers from the crowd, other than vague mentions of improved accuracy and security, and being able to work from a single initial still image and recognise the face from different angles and in different lighting conditions, which sounds like a must for any decent recognition system.

Either way, they don’t expect to have a working prototype for at least another year.

The way you move

The good thing about the face recognition approach is that it’s relatively low-tech, using a component (the rear-facing camera) that has become a standard component of most of the devices we use.

Another potential password replacement emerging from the world of smartphones and tablets is gesture-based authentication. Hand movements repeated often enough can lead to muscle-memory, so quite complex patterns can become quite easy to reproduce reliably and accurately.

This is the basis of a very venerable form of authentication, the signature. It should be harder to compromise though, as, unlike signatures, swipes leave few visible traces to be copied, other than a few greasy smears perhaps.

Android phones have long had swipe-pattern unlock features, and Windows 8 includes a system based on a few swipes around a picture. Some research presented at the recent Usenix conference has poked some serious holes in this approach though, showing that people are just as bad at picking hard-to-guess shapes as they are at choosing passwords.

A combination of face recognition and gestures, recognising patterns of unusual facial expressions, has also been proposed but is widely seen as no more than a gimmick, provoking humorous images of people gurning and grimacing into their webcams.

In a heartbeat

All of these use physical features, aspects of how our bodies look or move, in contrast to the purely cerebral requirements of passwords, which reside only in our minds (in theory at least – they may also reside on post-it notes attached to our monitors).

The biostamp idea proposed a hybrid of body and technology.

Another spin on this hybrid approach uses a bracelet device which measures heart rhythms to check who we are, and then connects to our devices via Bluetooth to pass on that confirmation.

The “Nymi” bracelet, developed by a Canadian startup, certainly sounds like a promising idea.

The actual authentication takes place only when the bracelet is first put on, requiring a quick touch of some sensors, and from then on will continue to confirm you’re you until it’s removed.

It includes motion sensors, so the basic authentication can also be combined with movements and gestures to create multi-factor passwords, using both the body and the mind of the attached user. Gestures could be used to unlock cars, for example.

I’m no expert on heart rhythm patterns, but according to the developers they’re as unique as fingerprints. Just how resilient the authentication will be to stress, fitness, aging and so on may well be a major factor in the success of the idea.

There are also security concerns of course. The connection to the authenticating devices will have to be very secure, and the bracelet will have to ensure it remains connected to a live wrist; as with biostamps, if it can simply be slid (or hacked) off and still work, it’ll be no good.

Also like biostamps, there’s a potential issue with proximity; if it’s simply broadcasting a “yes” to any request for ID, it would seem trivial to sneak up behind someone and steal their login.

The gesture system might help here, to ensure the user actually wants to be identified, and it should also be fairly simple (and unintrusive) to require re-authentication for major transactions – a simple touch of the wristband checks the heart pattern.

It’s also a relatively hi-tech solution, requiring dedicated hardware. The cost is not prohibitively high though; pre-orders are already available at under $80, although it’s not clear how much of that would be subsidised by the device and service providers the makers hope to attract.

With mass adoption and the cost reductions that would bring, it wouldn’t be unreasonable to expect governments to hand one out to every citizen to cover all their ID needs, although here we stray into civil rights territory – not a huge leap from there to barcodes on our foreheads, some will say.

In the future

Over the years the password systems we use have seen various improvements, both in usability (ranging from simple but nowadays indispensable systems for replacing forgotten passwords to the latest secure password management utilities) and security, for example two-factor authentication schemes using dongles or smartphones combined with our computers.

All have helped in some ways, but have also introduced further opportunities for insecurity – recovery systems can be tricked, management tools can have vulnerabilities or simply be insecurely designed, and two-factor approaches can be defeated by man-in-the-mobile techniques.

Despite all the problems, the insecurities on one side and the impeded workflows on the other, passwords remain the simplest solution to the authentication problem. Finding a universal panacea to replace them is going to be difficult.

What it really comes down to is how we define who we are, whether we are the contents of our brains, the shapes, textures and rhythms of our bodies, or the tools and devices we create and use. Perhaps an approach which uses aspects of all of these will best cover all our needs.

A lot depends on popular uptake of course, perhaps more than actual technical innovation, but it could just be that one of these new techniques will become the passwords of the future.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/eQIdJrcdoNo/

5 more tips to help keep you safe on Facebook

Last month we gave you 5 tips to make your Facebook account safer. Following on from that, here’s another five…

1. Stop search engines from indexing your profile

Facebook’s great for keeping in touch with friends and family but you might not want just anyone finding your profile via Google or other search engines. Here’s how to fix that:

Click on the cog icon at the top right of your screen and then click Privacy Settings.

[Screenshot: Privacy Settings]

Now that you are in the Privacy Settings and Tools area of Facebook, find ‘Who can look me up?’ and the setting that says ‘Do you want other search engines to link to your timeline?’

[Screenshot: Who can look me up?]

This is likely on by default, so click Edit and then remove the tick from the box which says ‘Let other search engines link to your timeline’.

[Screenshot: Search engines off]

Note: It may take a bit of time for search engines to stop showing the link to your timeline in their results so don’t expect it to disappear immediately from search results.

2. Block someone on Facebook

Just as in real life, some people on the web can prove challenging for a number of reasons. If you don’t want someone to see your profile or things you write on Facebook, you can block them – and here’s how to do just that.

Click on the padlock icon that you see in the top right hand corner of the screen. Now click on How do I stop someone from bothering me?

[Screenshot: How do I stop someone from bothering me?]

Now either enter a name or email address and click Block.

[Screenshot: Block someone]

The person you block won’t get any notification that they’ve been blocked and they will now no longer be able to initiate conversations with you or see anything that you post on your timeline either.

3. Public computer? Use a one-time password

If you would like to use Facebook from a public location, such as a computer in an internet cafe or library, you can use a one-time password to access your Facebook account, keeping your actual password safe. This password is sent to you by text message and will expire after 20 minutes.

Note: you do have to link your mobile number with your Facebook account in order to use this function.

All you need to do is send “otp” as a text message to the number listed next to your country and mobile carrier on the one-time password list on Facebook. If you’re in the US, you can send the same message to 32665. Unfortunately, it isn’t available everywhere, and the number of countries and carriers is fairly limited at the moment.

After you’ve sent the message, you will receive a reply from Facebook with your one-time, 8-character password (or with instructions on how to link your mobile to your Facebook account).

You can now log in to Facebook in the normal way, substituting this temporary password for your regular one.

*Always* remember to sign out of Facebook once you are finished, especially if you are signed in on a public machine. If you do leave your account signed in the next person to use the computer will have access to it, even without your password.

4. Block an app from accessing your information

If you already have an app installed on Facebook but you now want to prevent it from accessing your personal information then blocking it is quite simple.

Click on the cog icon found at the top right of the screen and then click on Account Settings.

[Screenshot: Account Settings]

Look to the left pane and click on the fifth option from the top: Blocking.

[Screenshot: Blocking]

Then look for the last option – Block apps.

[Screenshot: Block apps]

All you need to do is put in the name of the app you want to block and then press enter.

5. Remove something from your timeline

If you or someone else has put something on your timeline which you want to remove, it’s pretty easy to do.

Firstly, navigate to your timeline and find the story you wish to block from appearing. Next, move your mouse to the top right corner of the story and you will see what looks like an arrow head appear. Click on that and you’ll be shown a box.

You now have two options here. You can either choose to Hide from timeline which will stop the post from showing on your page (but it will still appear in newsfeeds and search).

[Screenshot: Hide from timeline]

Or you can remove it completely by clicking on Delete.

[Screenshot: Delete post]

This is just a small selection of tips to help you safeguard your Facebook profile. If you have any others please do add them in the comments below.

And if you would like to stay up to date on the latest Facebook scams and other internet threats then please do consider liking the Naked Security page on Facebook if you haven’t done so already.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UaoyK6vEorU/

Citadel botnet resurges to storm Japanese PCs


Citadel, the aggressive botnet at the heart of a widely criticised takedown by Microsoft back in June, is back and stealing banking credentials from Japanese users, according to Trend Micro.

The security vendor claimed to have found “at least 9 IP addresses”, mostly located in Europe and the US, functioning as the botnet’s command and control servers.


Some 96 per cent of connections to these C&C servers come from Japan, proving that most of the banking Trojan infections are from that country alone, it said.

Trend Micro added the following in a blog post:

During a six-day period, we detected no less than 20,000 unique IP addresses connecting to these servers, with only a very minimal decrease from beginning to end. This means that there is still a large number of infected systems still stealing online banking credentials and sending them to the cybercriminals responsible.

The banks and financial institutions targeted in this campaign have already released warnings and advisories to their customers and loyalists regarding the attack itself. Users are reminded to read these warnings properly before logging into their online banking accounts.

As well as Japanese financial and banking organisations, the botnet has been targeting popular webmail services such as Gmail, Hotmail and Yahoo Mail, Trend Micro said.

Citadel was the subject of Operation b54, what Microsoft described back in June as its “most aggressive botnet operation to date”. Working with the FBI, financial institutions and other technology firms, Redmond said it disrupted some 1,400 botnets associated with the Trojan, which had nabbed more than $500m from bank accounts around the world.

However, the initiative was slammed by the security community after Microsoft allegedly seized hundreds of domains as part of its swoop which were already being sinkholed by researchers to find out more about the botnet.

What’s more, UK security vendor Sophos claimed at the time that the takedown wasn’t nearly as successful as was initially made out.

Threat researcher James Wyke said in a blog post that only half of the 72 Citadel C&C servers Sophos was tracking appeared on Microsoft’s list.

Even worse, one in five of those on Redmond’s list failed to point to a sinkhole, implying “either that the sinkholing was unsuccessful or that the domains have already been re-appropriated by the Citadel botnet owners”, he added.

“Takedown efforts such as this can provide immediate benefit to the public by effectively disabling the control channels used to administer a very dangerous piece of malware,” said Wyke.

“However, the long-term effect of this particular takedown on Citadel is unlikely to be significant: it looks as though many of the botnets weren’t knocked out, and rebuilding those that were taken down will not take long.”

It appears that those concerns were well founded. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/04/citadel_wreaks_havoc_in_japan/

Database of illegal downloaders – are British ISPs to become the “music NSA”?

The major UK broadband providers are being asked to create a database of customers who illegally download films, music and other protected content from the internet.

This latest move is likely borne out of frustration with the Digital Economy Act 2010 which was designed to give more power in fighting piracy but has seen delays push its full implementation date back to 2014 at the earliest.

If Virgin Media, BT, BSkyB and TalkTalk sign off on the proposal, it’s anticipated that the data they collate could then be used to serve warning letters, apply for disconnections or prosecute repeat offenders.

Curbing digital piracy will be one of the topics discussed when record labels and their trade association, the BPI, meet with Prime Minister David Cameron at a Downing Street breakfast on September 12.

Film and music companies will ask broadband providers to sign up to a voluntary code which will, arguably, see them tasked with policing the internet on the behalf of the content creation industry. The Guardian reports that negotiations have already been happening for months with the BPI and the British Video Association, of which the BBC and Hollywood studios are members.

The voluntary code, should it be adopted, will see internet service providers (ISPs) tasked with creating a database of repeat offenders. These offenders would be sent warning letters stating that their internet address had been used for illegal downloads.

The letters would warn of further consequences for continued copyright infringement and would point users towards legal services for their film and musical needs.

Should the offenders ignore the letters then sanctions would be imposed, such as having access to certain sites blocked, slowing of internet connections or even prosecution.

There are some potential issues for ISPs should they adopt these measures though. Firstly, if they were to create and maintain such a database then who would pay for it? Would they pick up the tab or would it be funded by the content creators themselves?

Personally I suspect it would be option three – the consumer – who would see an increase in their broadband costs, irrespective of whether they themselves had downloaded anything illegally or not.

Secondly, keeping a database of warning notices could put the broadband providers on the wrong side of the Data Protection Act which states that companies can only store information about individuals for commercial reasons.

A spokesperson for TalkTalk told the Guardian that while they would, “like to reach a voluntary agreement” their “customers’ rights always come first” and they would “never agree to anything that would compromise them.”

A spokeswoman for Virgin Media also had similar concerns, commenting that the current proposal is “unworkable.”

When I contacted the BPI and asked them for their views on both of these issues I was told the planned meeting at No.10 was solely in response to an invitation from David Cameron after he attended a BPI 40th anniversary event in June. The only comment a spokesperson would give me was:

Record labels are key investors in British music, and, contrary to some media reports, we expect the forthcoming meeting with the Prime Minister to focus on a range of positive measures that will enable further investment in British talent, promote exports and support the continuing growth of the UK’s digital music market.

I’ll leave you to ponder what this tells us along with a quote from Loz Kaye, leader of Pirate Party UK, who said:

The content industry seems intent on turning Internet Service Providers in to the music NSA.

Harsh words indeed, but ones that may well resonate with people who already have concerns about the government’s digital policies, especially in the wake of surveillance claims and attempts to censor certain types of content on the internet.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Y07EW0q5bRA/

An Unrestricted Syria

As the world waits to see what the United States and its allies will do in response to Syria’s purported chemical weapons attacks, and much of the media mulls the repercussions of action versus doing nothing at all, the usual talking heads have started their inevitable riff on the usual cyber conflict hype playlist (attacks against the power grid and so on). In contrast to the relatively well informed dialogue on most news channels regarding Syrian weapons systems and trade agreements with allies such as Russia, dialogue around how cyber may play a role seems to lack any sophistication or depth whatsoever. Since mainstream media is missing a trick here, it seemed like a good opportunity for a little more dialogue on the subject.

In 1999, a pair of Chinese PLA colonels published a book entitled Unrestricted Warfare. The publication documents ways in which a technologically inferior nation state (such as China) may overcome its disadvantage through the use of unconventional warfare. In many ways, Unrestricted Warfare is a modern adaptation of the more subtle philosophies discussed in The Art of War. Methods discussed include economic warfare, terrorism, “lawfare” (a term for political activism aimed at causing legislative change) and electronic warfare. Strategically speaking, in lieu of an ability to mount a conventional military response to action by the US, such an approach puts cyber front and center as a viable response for Syria. Further to this, if we consider the political turmoil faced in both the US and Britain over how the world might respond to a chemical attack, consider the challenges and political collateral associated with similarly conceiving a proportionate response to a cyber counter-offensive by Syria. I can’t imagine that UN weapons inspectors have a great deal of experience attributing exploit payloads.

Thus far, most of what we know (in the public domain) about Syria’s cyber capability is limited to the Syrian Electronic Army (or SEA), who have been responsible for a handful of DDoS attacks, website defacements and, perhaps most notably, the compromise of an Associated Press Twitter account, which was used to post misinformation regarding an act of terrorism, leading to a $200 billion dip in the stock market. Although many of the capabilities demonstrated by the SEA are far from those that we might expect from a state-level information operations program, there is currently very little evidence that the SEA is in any way representative of the cyber muscle that Syria may be able to bring to bear if sufficiently provoked. Further to this, it is almost impossible to fully account for the cyber technology transfers that may occur if Syrian sympathizers such as Iran elect to come to Syria’s aid in the event of a US or allied military strike.

Although a successful offensive against the US media’s favorite cyber warfare target (the power grid) is extremely unlikely, the SEA was, if nothing else, able to undeniably prove the viability and potential effectiveness of coupling two of the key principles discussed in the Chinese colonels’ publication, electronic and economic warfare, and its own ability to do so. While I find it unlikely that Syria is sufficiently prepared to effect a cyber counter-offensive of any significance by itself, unlike arms transfers in the kinetic warfare domain, allies and groups sympathizing with the Syrians could likely prove a significant force multiplier without drawing the attention that conventional military assistance may result in, possibly making such a strategy an even more attractive option for the Syrian regime.

Should a cyber offensive occur, Syria may very well attempt to cast the same uncertainty and doubt on who is behind the attack that it has rather successfully applied to the reported chemical weapons attacks. The media response, public outrage and political circus that would likely follow would be unlikely to put an end to their troubles, but may throw a curve ball that few are prepared to fully address.

Tom Parker is CTO at FusionX

Article source: http://www.darkreading.com/advanced-threats/an-unrestricted-syria/240160753

INTERPOL Head Says Partnerships Key To Protecting Cyberspace

LYON, France – With the physical and virtual worlds becoming increasingly interconnected, INTERPOL Secretary General Ronald K. Noble told the Underground Economy 2013 conference at the world police body’s headquarters that the only way to protect cyberspace against criminal abuse is through a global network of partners.

Speaking on Tuesday at the five-day (2-6 September) conference, organized jointly by INTERPOL and Team Cymru Inc. and attended by some 300 participants, Mr Noble said the biggest challenge to cybersecurity is the increasing intersection between cyberspace and the daily lives of the world’s citizens, as advances in technology are blurring the distinction between the real world and the online one.

“Welcome to the World, version 3.0. A world providing unbelievable opportunities to mankind, but also formidable challenges to those entrusted with making it a safer place,” said the INTERPOL Chief.

Noting that the number of Internet users increased by 76% in the past five years to nearly 2.8 billion individuals – the number of households in Africa with access to the Internet has tripled during the same period – Secretary General Noble said the spread of Internet accessibility was just one element of the evolving challenge for law enforcement.

“It’s not just about how many people are online, it’s also a matter of how big a role the Internet plays in their daily lives, and how those lives can be directly impacted by what goes on online. Only by considering both dimensions, will we get a full picture of what is at stake,” said Mr Noble.

As an example of how criminals can exploit the porous boundaries between the real and virtual worlds, the audience heard how a computer file containing the blueprint for a gun was used to print a plastic weapon using a 3D printer, thus creating an untraceable weapon which could be replicated by anyone with the right technology.

To stay ahead of the criminals seeking to exploit the interconnected cyberworld, in 2010 INTERPOL’s member countries unanimously approved the creation of the INTERPOL Global Complex for Innovation (IGCI) in Singapore, a state-of-the-art facility dedicated to becoming a global centre in the fight against cybercrime when it opens in 2014.

A key objective of the IGCI is to bring together digital security experts from law enforcement, academia and the private sector to work in partnership towards the common goal of protecting cyberspace from abuse.

“Team Cymru is honoured to continue our five years of partnership with INTERPOL. This event breaks down barriers between law enforcement and the IT security community and builds capacity with the training and case studies presented,” said Team Cymru Manager of Outreach, Steve Santorelli.

“The relationships built this week will undoubtedly result in successful joint investigations for years to come,” he concluded.

INTERPOL is working with its partners in law enforcement and the cybersecurity industry to address the growing cyberthreat. Last month, two operations against the production and sharing of child sexual abuse material via online forums in Latin America and Europe led to some 100 arrests and the seizure of thousands of devices containing abuse images.

Article source: http://www.darkreading.com/end-user/interpol-head-says-partnerships-key-to-p/240160752

Researcher bags $12,500 after showing how to hack Zuck’s pics


Indian security researcher Arul Kumar has netted himself $12,500 after spotting a critical flaw in Facebook’s image handling code that allowed anyone to delete pictures from the site at will.

As he describes in a blog post, the crack requires two legitimate Facebook accounts to work, and it exploits the way the Facebook Support Dashboard handles requests for photo deletion. If a user wants a photo taken down, they can opt to mail the request directly, and doing so generates a URL for the image.

Kumar found that some of the parameters in the URL can be altered; specifically the “Photo_id” value identifying the image and the “Profile_id” that identifies the recipient of the takedown request. A Photo_id is easy to find, since it has a “fbid” identifier assigned by Facebook based on its URL, and Photo_ids can be discovered using Facebook’s Graph tool.

By redirecting takedown requests between the two accounts, manned by Kumar and an unidentified “Hindusthanii hacker,” any posted or shared photo could be deleted, along with pictures on Facebook Pages or Groups, and advertisers’ Suggested Post images – all without any notification to the victim.
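The bug class described above is a takedown workflow that trusts a client-supplied recipient. The following is an added, hypothetical model (not Facebook's code) that shows the flaw pattern beside a hardened version in which the recipient is derived from the photo's recorded owner on the server side:

```python
# Hypothetical model of a photo-takedown workflow (added example, not Facebook's code).
# Account ids, photo ids and the request flow are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class TakedownService:
    photos: dict = field(default_factory=dict)   # photo_id -> owner account id
    pending: dict = field(default_factory=dict)  # request_id -> (photo_id, recipient)
    deleted: list = field(default_factory=list)
    next_id: int = 1

    def _enqueue(self, photo_id, recipient):
        request_id, self.next_id = self.next_id, self.next_id + 1
        self.pending[request_id] = (photo_id, recipient)
        return request_id

    def request_vulnerable(self, photo_id, profile_id):
        """Flaw pattern: whoever the client names in profile_id gets to decide."""
        if photo_id not in self.photos:
            raise KeyError("no such photo")
        return self._enqueue(photo_id, profile_id)

    def request_fixed(self, photo_id, profile_id):
        """Hardened: the recipient is looked up server-side from the photo record;
        the client-supplied profile_id is never used for authorization."""
        owner = self.photos.get(photo_id)
        if owner is None:
            raise KeyError("no such photo")
        return self._enqueue(photo_id, owner)

    def approve(self, request_id, approver):
        """Only the recorded recipient of a pending request may approve deletion."""
        entry = self.pending.get(request_id)
        if entry is None or approver != entry[1] or entry[0] not in self.photos:
            return False
        del self.pending[request_id]
        del self.photos[entry[0]]
        self.deleted.append(entry[0])
        return True


def scenario(fixed):
    """Account 1 owns photo 100; accounts 2 and 3 belong to the same requester.
    Returns True if the photo survives a request redirected to account 3."""
    svc = TakedownService(photos={100: 1})
    request = svc.request_fixed if fixed else svc.request_vulnerable
    rid = request(100, 3)   # Profile_id tampered to point at account 3
    svc.approve(rid, 3)     # account 3 approves the request it now "received"
    return 100 in svc.photos
```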

As behooves his white-hat status, Kumar contacted Facebook’s security team with details about the flaw. However, it gave him the cold shoulder. A team member said that he had “messed around with this for the last 40 minutes” and the issue wasn’t serious enough to fix.

Kumar then sent the team a video showing exactly how the hack could be used to delete the photos of Facebook’s glorious leader without anyone knowing. Kumar said that he didn’t delete any images, but proved it could be done, and after seeing the behoodied one pwned, the security team were much more amenable.

“OK, found the bug, fixing the bug. The fix should be live some time early tomorrow,” emailed security team member Emrakul. “I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, wish all bug reports had such a video :)”.

It does seem that if you want to get the Facebook’s security team member’s attention, a video is the way to go. Last month Palestinian IT student Khalil Shreateh recounted how he’d alerted the team to a critical flaw that could allow images to be posted on anyone’s Facebook page. He was rebuffed, and only taken seriously after he sent Facebook a video of him posting an image on Zuckerberg’s profile page.

Facebook fixed the flaw, but denied Shreateh any payment of a bug bounty for finding it and booted him off the social network for breaking its terms and conditions. Facebook’s chief security officer Joe Sullivan apologized to the student and pledged a revamp of the team’s handling of flaw reports, and annoyed security researchers started a contributions campaign for Shreateh which raised $13,125 for his discovery.

Facebook is paying out in this case, as Kumar didn’t actually crack anyone’s account, and the Indian researcher got $12,500 for the flaw, along with $1,500 for other bugs. It seems showing vulnerabilities in Facebook’s Supreme Leader is the way to go if you want to get the security team’s attention. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/03/researcher_bags_12500_after_showing_how_to_hack_zucks_pics/

‘Hand Of Thief’ Linux Trojan Not Ready For Prime Time

What was touted as the first banking Trojan to attack all major Linux distributions so far isn’t as lethal as was predicted. The so-called Hand of Thief, or HoT, malware kit that recently hit the underground currently has little or no “grabbing” capabilities, according to new research.

The HoT malware kit came on the underground Russian cybercrime market in late July, selling for $2,000 including free updates. The first iteration was touted to include form grabbers and backdoors, and claims to run on 15 different Linux distributions, including Ubuntu, Fedora, and Debian. But researchers at RSA’s FraudAction team recently obtained and tested HoT binaries and its builder and found its features aren’t so hot after all.

“Our research and analysis shows that, in reality, HoT’s grabbing abilities are very limited if not absent, which would make the malware a prototype that needs a lot more work before it can be considered a commercially viable banking Trojan,” says Yotam Gottesman, senior security researcher for RSA FraudAction Research Labs.

The Trojan—which has not yet been detected in any attacks—includes a builder, a Windows executable that allows a botmaster to generate new variants of the malware on demand.

“In his sales adverts, Hand of Thief’s developer explained that he is in the final stages of implementing the web-injection mechanism for the malware. Researching the Trojan proved that no injections are currently in place, but the preparation for such a mechanism is,” Gottesman says in a blog post today about the research.

RSA tested the Trojan and found it could indeed inject itself into a browser process, but in most cases, froze or crashed the browser. “When using Firefox on the infected machine, HoT captured only empty requests with no information being delivered to the drop server. When browsing with Google Chrome HoT did manage to capture some requests and relay them to its server,” Gottesman says.

But the Trojan had no way to filter information, so it would capture all requests from the browser in a generic manner, which would clog the drop server with “useless data,” according to RSA.

RSA says HoT’s developer doesn’t offer a recommended method of infection besides email or social engineering tactics. But it does come with some anti-virtual machine functions to deter researchers, RSA found. It also employs packing to avoid detection. “Beyond using a packer and string obfuscation, it appears that HoT’s developer invested in additional anti-research functions, one of which is Anti-Virtual Machines,” Gottesman says.

The bottom line is HoT is more of a work-in-progress than a commercial tool as yet. “Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true commercially viable malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data,” Gottesman says.

It’s also easy to eradicate. “Furthermore, HoT can also be easily removed from the machine by deleting the files dropped during the HoT installation process,” he says.

The full blog post, including screen shots, is available here.


Article source: http://www.darkreading.com/vulnerability/hand-of-thief-linux-trojan-not-ready-for/240160760

Do You Know Where Your Databases Are?

One of the most important first steps to any database security strategy is also coincidentally one of the most likely to be forgotten: enumerating the databases an organization manages. After all, unless an enterprise knows how many databases it has and which ones contain sensitive information, it is pretty difficult to prioritize them based on risk and implement appropriate controls. And yet, many organizations are operating in the dark with regard to database discovery.

“Many companies struggle to locate and accurately maintain an inventory of all their data across databases,” says Anu Yamunan, senior product manager at Imperva.

It’s true, says Paul Borchardt of Vigilant by Deloitte, who sees many organizations fail to maintain any kind of centralized inventory of databases or applications across the enterprise.

“This sounds so simple and logical, but an accurate asset inventory is frequently nonexistent or, if it exists, is fragmented and managed by disparate asset managers such as DBAs and developers,” says Borchardt, senior manager for Vigilant. “Failing to identify the one database containing the PII of your clients because you didn’t know about it will not please the regulators or the court of public opinion.”

Part of the issue is one of scale. Many organizations operate hundreds of databases across their IT infrastructure, some more visible than others. According to the recent IOUG Enterprise Data Security Survey, 38 percent of organizations have over 100 databases, with 18 percent managing over 1000 databases. Add to that the dynamic nature of databases and the applications they feed with data and it becomes clearer why such a seemingly simple task remains on the IT to-do list.


“The main issue with databases is the complexity and constant change makes it virtually impossible for manual processes to keep up (with discovery),” says Kevin O’Malley, vice president of marketing and product strategy for MENTIS Software.

Additionally, other business and technology trends are amplifying the problem of finding and tracking databases across the board, says Yamunan.

“Virtualization is one of these,” Yamunan says. “For example, an administrator can easily create a new virtual image of a database with sensitive information. This virtual image now contains a ‘rogue’ database that is not under IT security controls.”

Similarly, backing up data stores to the cloud has created potential issues for discovering and adequately protecting databases. Not only could snapshot features create copies of the database that could be difficult to track down, but they often don’t feature encryption capabilities. For example, Amazon AWS has a relational database service (RDS) which has no option to encrypt database snapshots.

“Additionally, Amazon has a redundant failover option that keeps an up-to-date hot replica of your database in case the primary fails,” says Fred Thiele of Laconic Security. “Again, if you have unencrypted data in your DB, the unencrypted data is replicated to a different part of Amazon-land in plaintext.”

Regardless of the complications, organizations should be finding ways to scan infrastructure automatically to accomplish discovery and to institute data classification to centrally keep track of databases and the information contained within. O’Malley suggests full scans on a monthly or quarterly basis at minimum to ensure organizations are turning over all the rocks necessary to find sensitive data. Doing this regularly is important, as the contents of a database could shift over time and a seemingly innocuous set of data could become sensitive as time goes on.

“Organizations should layer on top of that the ability to identify and remediate infrastructure vulnerabilities and misconfigurations, and assess who has access to sensitive data on an ongoing basis,” says Yamunan, explaining that this makes it easier to identify and remediate sensitive databases that are vulnerable or overly accessible. “In essence, these steps help organizations generate risk scores for the various data sets in the enterprise. For example, a database that is not kept up to date with the latest patches, containing credit card information and accessed by external users and applications is a high-risk asset.”
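The discovery and risk-scoring steps described in this article, as an added example that is not from any vendor's product: a scan result is reconciled against the central asset inventory to surface “rogue” copies, and each database is scored using the criteria the article names (sensitive data, missing patches, external access, unencrypted snapshots or replicas). The inventory records and the weights are constructed assumptions.

```python
# Added example: reconcile a discovery scan with the asset inventory and score risk.
# All records and weights below are constructed for illustration.
SENSITIVE = {"pci": 3, "pii": 2, "phi": 3}   # assumed weight per data class

# Constructed results of an automated discovery scan (host:port -> attributes).
DISCOVERED = {
    "db-prod-01:5432": {"patched": True, "data": {"pci", "pii"},
                        "external_access": True, "snapshots_encrypted": True},
    "db-prod-02:5432": {"patched": False, "data": {"pci"},
                        "external_access": True, "snapshots_encrypted": False},
    "db-vm-clone-7:3306": {"patched": False, "data": {"pii"},
                           "external_access": False, "snapshots_encrypted": False},
    "db-analytics:5432": {"patched": True, "data": set(),
                          "external_access": False, "snapshots_encrypted": True},
}
# Constructed central inventory maintained by IT; the VM clone was never recorded.
REGISTERED = {"db-prod-01:5432", "db-prod-02:5432", "db-analytics:5432"}


def rogue_databases(discovered, registered):
    """Databases seen on the network that nobody has recorded: the 'rogue' copies."""
    return sorted(set(discovered) - set(registered))


def risk_score(attrs):
    """Return (score, reasons) for one database; higher means act first."""
    score, reasons = 0, []
    for cls in sorted(attrs["data"]):
        score += SENSITIVE.get(cls, 1)
        reasons.append(f"holds {cls}")
    if attrs["data"] and not attrs["patched"]:
        score += 3; reasons.append("missing patches")
    if attrs["data"] and attrs["external_access"]:
        score += 2; reasons.append("reachable by external users/apps")
    if attrs["data"] and not attrs["snapshots_encrypted"]:
        score += 2; reasons.append("unencrypted snapshots/replicas")
    return score, reasons


def prioritized(discovered, registered):
    """Score every discovered database, penalising unrecorded ones, highest first."""
    rogue = set(rogue_databases(discovered, registered))
    rows = []
    for name, attrs in discovered.items():
        score, reasons = risk_score(attrs)
        if name in rogue:
            score += 2; reasons.append("not in asset inventory")
        rows.append((score, name, reasons))
    return sorted(rows, key=lambda r: (-r[0], r[1]))
```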


Article source: http://www.darkreading.com/database/do-you-know-where-your-databases-are/240160750