
Oz bank closes Bitcoin business’ bank accounts


The Commonwealth Bank, Australia’s largest bank, has closed accounts belonging to Australian Bitcoin payment processor CoinJar.

CoinJar, which offers tools to buy or sell Bitcoins, and accept them as payment, has blogged about its experiences. The post says it has experienced some dodgy transactions, but no more than most e-commerce outfits.


Founder Asher Tan told The Reg the company handles around 100 transactions a day and that fraudulent transactions have reached single figures over weeks. Tan added that CoinJar wears the cost of dodgy transactions.

He’s therefore at a loss to explain why the bank stopped processing automatic payments for the business, then shut the business’ accounts and those of Tan and his co-founder.

“It’s frustrating because we can’t escalate: our Bank manager doesn’t know how to handle this,” he said. Other bank staffers have told him special notes have been made on his account.

Tan said he’s always been up-front about the nature of CoinJar’s business: that it offers Bitcoin-related services should come as no surprise to The Commonwealth Bank. He’s therefore unsure if the bank has closed the accounts because of the small number of fraudulent transactions or because it fears Bitcoin.

Happily, CoinJar has found a new and willing banker in the form of rival National Australia Bank, which knows it deals in Bitcoin and doesn’t mind. CoinJar’s blog post recommends any other Australian startup make the same choice.

The Reg has asked The Commonwealth Bank to comment on the situation, but at the time of writing has received no reply. ®

Bootnote: The Commonwealth Bank yesterday announced a record profit of $AUD7.8bn. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/15/oz_bank_closes_bitcoin_business_bank_accounts/

Possessed baby monitor shouts obscenities at Texas tot


A Texas father ripped out the baby video monitor he’d installed to watch over his two-year-old daughter after he heard a British or European man using the device to address the child by name.

Father of two Marc Gilbert told ABC News that he heard a male voice coming from inside his daughter’s bedroom, calling out her name and making lewd comments to the child, calling her a “little slut.”


When Marc and his wife entered the room the voice began cussing them out, calling him a moron and his wife a “bitch,” before Gilbert forcibly disconnected the device. The couple’s other child was not disturbed by the incident.

“[I] Couldn’t see the guy. All you could do was hear his voice and [that] he was controlling the camera,” Gilbert said, adding that his daughter wasn’t woken by the hacker because she’s deaf. “It’s somewhat of a blessing,” he added. “If she had heard it it would have been a big problem.”

He said that both the camera and the family’s wireless network are firewalled and password protected, but that this hadn’t stopped the European miscreant from gaining control of the device.

“It’s quite possible that this had been going on more than one day,” he said. “Security vulnerabilities exist.”

Gilbert didn’t contact the police but did call his internet service provider, who recommended changing the passwords on the device as a way of locking it down. But Gilbert says it’s a case of once bitten twice shy and he won’t be turning the monitor back on.

“I don’t think it ever will be connected again,” he said. “I think we are going to go without the baby monitor now.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/14/eurohacker_shouts_obscenities_at_texas_tot_via_hijacked_baby_monitor/

Hackers not responsible for New York Times website wipeout


The website of The New York Times was unavailable for at least an hour on Wednesday morning, but the newspaper says the outage wasn’t due to malicious attacks, as some had feared.

The NYT website first went dark around 11:30am Eastern Time and continued to display nothing but a terse “Service Unavailable” error for several hours.


When the outage first struck, staffers used the paper’s Twitter account to let readers know that the problem was being addressed, but said only that the site was “experiencing technical difficulties” and that it would be back up shortly. The NYT email server was reportedly also affected.

The paper’s edit staff posted details of breaking stories to the official Times Facebook feed during the downtime, an unusual move that was criticized by the anti-Zuck set.

What’s more, the timing of the outage led some to speculate that it may have been the result of a deliberate attack. It coincided with several important events, most notably Egypt’s bloody crackdown on protests by supporters of ousted president Mohamed Morsi.

The NYT has been the victim of hacking attacks in the past. In January it reported that its staffers’ email accounts had been compromised by hackers linked to the Chinese military. On Wednesday, security research firm FireEye said the same group responsible for those attacks could be ready for more mischief.

Once the Times’s website was restored late Wednesday afternoon, however, the paper’s IT bods said that no outside forces were to blame for the morning’s service interruption. In a message titled “To Our Customers,” an anonymous staffer wrote:

As you may know, our Web site was unavailable for a period of time earlier today. The outage occurred within seconds of a scheduled maintenance update, which we believe was the cause. We are working on fully restoring service and apologize for any inconvenience.

Just which portions of the site’s infrastructure still need repairs isn’t clear. According to reports from around the web, the newspaper’s full contents were available to readers in most regions by the time it posted the apology.

In all, it was a much shorter and less damaging outage than the Outlook and SkyDrive debacle that Microsoft suffered on Wednesday, which began in the early morning and which – as this Reg hack goes to press the big, red “Post” button – has yet to be resolved. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/15/new_york_times_outage/

Your encrypted files are ‘exponentially easier’ to crack, warn MIT boffins


Encryption systems may be a lot less secure than we thought, according to new research into the maths underpinning today’s cryptography.

Boffins in the US and Ireland have managed to poke holes in modern information theory, an area of mathematics used to prove the strength of cryptographic systems before they are trusted and widely deployed.


As a result, the scientists claim it’s easier to take encrypted files and deduce their original unencrypted contents than one would expect.

In other words, computers can find correlations between encrypted data and its unencrypted form far faster than previously thought, and eventually crack the lot. Code-breaking software needs to find just one reliable correlation before it can hit the jackpot.

Cracking an encrypted file will still be a hard slog, we’re reassured, but just not quite as tough: an attacker could unlock a file far sooner than the many months or years of processing time previously estimated.

That’s because information theory, built on work by Claude Shannon in 1948, assumes certain things about the entropy of digital information – simply put, how disordered the data is in a message. Analyses of modern cryptographic algorithms assume perfectly uniform sources of information, in which the mix of binary 1s and 0s is perfectly random and hopelessly unpredictable.

In reality, data is never that perfect: parts of files can be guessed and those bytes used as a foothold in cracking open the data by brute force.

“It’s still exponentially hard, but it’s exponentially easier than we thought,” said Ken Duffy, of the National University of Ireland (NUI), who co-wrote this latest research.

“Attackers often use graphics processors to distribute the problem. You’d be surprised at how quickly you can guess stuff.”

Duffy and three other scientists from the Massachusetts Institute of Technology (MIT) and the NUI presented their work, Brute force searching, the typical set and guesswork, at the International Symposium on Information Theory [PDF]. A follow-up paper, due to be unveiled this autumn at the Asilomar Conference on Signals and Systems, will take the research one step further: it will demonstrate that keyless door locks that work with wireless keycards may not be as secure as previously thought.

Matthieu Bloch, an assistant professor of electrical and computer engineering at the Georgia Institute of Technology, said the above research does not mean cryptographic systems in wide use today are fundamentally insecure, rather that they are less secure than we’ve all been led to believe.

“My guess is that it will show that some of them are slightly less secure than we had hoped, but usually in the process, we’ll also figure out a way of patching them,” he said. “It’s essentially saying, ‘Hey, we have to be careful.’ But it also provides a methodology to go back and reanalyse all these things.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/14/research_shakes_crypto_foundations/

Beware the ad-punting crapware-laden Firefox, warn infosec bods


Internet users looking for a US Green Card are at risk of being conned by a fake advert into installing an adware-laden version of Firefox, security researchers have warned.

The ruse was spotted over the weekend after it began appearing in online ads peddling supposed US Green Card lotteries. Regardless of what make or version of browser surfers are using, punters served content from websites co-opted into the scam will be greeted with a warning that their browser is out-of-date, before they are encouraged into downloading and installing a version of Firefox.


“The browser build appears to be genuine, however it has been compromised with a multitude of add-ons, adware, toolbars and other malicious and irritating accompaniments that will find their way onto the user’s PC as part of the install,” Christopher Boyd, a senior threat researcher at ThreatTrack Security, explains.

Boyd added that users would have to click on the rogue ad to get exposed to the attack, rather than getting hit simply by visiting a website featuring a dodgy ad stream.

“It looks like users would have to physically click the Green Card ad to be taken to the page – even if the ad in question redirected automatically, there is no “exploit install” with hidden additions,” Boyd told El Reg. “The user would still have to download the executable and click through the installer prompts.”

The Green Card entitles the bearer to permanent residency in the United States, and is highly prized by would-be immigrants to the US and by migrants already in America who do not have permanent resident status.

Digital detritus pushed through the ruse includes Delta Toolbar, Webcake, Optimizer Pro, QuickShare and an ad for “unlimited cloud storage”, according to a write-up of the scam featuring numerous screenshots on ThreatTrack’s website. Any and all of these components have the effect of slowing down computers, littering desktops and generally making the online experience on infected PCs pretty wretched.

“If you attempt to install while offline, it won’t work as the install needs to download various components. However, should the install break it will abort but send you to a webpage promoting other offers and installs instead,” Boyd explains.

The scam was first detected by security researchers at StopMalvertising, who have tied the scam back to malicious scripts hosted at c0n3.info.

StopMalvertising adds that the malicious installer downgrades a user’s Firefox browser to version 13 as well as installing several PUAs (Potentially Unwanted Applications, otherwise known as crapware). The current version of Firefox is version 23.

Version 13 came out more than a year ago in June 2012, since when numerous security updates have been applied to Mozilla’s web browser software. Surfing the web with an obsolete browser opens the way for drive-by download attacks from compromised websites, so surfers who are hit by the adware are wide open to secondary infection from far more potent nasties such as banking trojans. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/13/fake_firefox_update_adware_scam/

Philips’ smart lights left in the dark by dumb security


The Philips Hue “smart lighting” system uses a dumb-as-a-sack-of-hammers device authentication scheme that allows anyone with the iPhone control app to issue instructions to the controller via HTTP.

According to researcher Nitesh Dhanjani, who has form looking at iPhone security, the “perpetual blackout” (PDF) vulnerability arises from how the Hue system authenticates devices. It uses a simple and irrevocable hash of a device’s MAC address to create the authentication token.


“The secret whitelist token was not random but the MD5 hash of the MAC address of the desktop or laptop or the iPhone or iPad. This leaves open a vulnerability whereby malware on the internal network can capture the MAC address active on the wire (using the ARP cache of the infected machine)”, he notes.

An attacker within wireless reach of the local network the Hue bridge is connected to (on the local network itself or, The Register supposes, in a neighbouring apartment that can receive the WiFi signal) could, Dhanjani writes, easily cycle through those addresses to find the Hue bridge and issue it instructions.

For his demonstration, captured on video, Dhanjani uses the attack to issue sustained “lights off” commands to the test system.


And, in the kind of brain explosion that will probably characterise the emerging Internet of Things, Philips has made the whitelist tokens irrevocable to the ordinary user: “there is no administrative functionality to unauthorise the device,” Dhanjani writes. “Since the authorisation is performed using the MAC address, an authorised device will continue to enjoy access to the bridge (unless the user is technically savvy enough to use the http://bridge ip address/debug/clip.html debugger).”
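The two design flaws described above, a token that is a function of a public identifier and a whitelist with no revocation, are easiest to see side by side. The block below is an added illustration, not Philips’ or Dhanjani’s code: `mac_derived_token` models the scheme as the article describes it (MD5 over the MAC; the exact byte formatting Philips hashed is not given, so lower-case colon-separated text is an assumption made here), and `RevocableWhitelist` is a hypothetical alternative in which each device receives a random token that can be withdrawn. The sample MAC is constructed.

```python
import hashlib
import secrets


def mac_derived_token(mac: str) -> str:
    """Whitelist token as the article describes it: MD5 of the client's MAC.

    Assumption for this example: the MAC is hashed as lower-case,
    colon-separated ASCII. Whatever the real formatting, the property that
    matters is unchanged: the token is a pure function of a value that every
    host on the same LAN can read from its ARP cache, so it is not a secret.
    """
    normalised = mac.strip().lower()
    return hashlib.md5(normalised.encode("ascii")).hexdigest()


class MacWhitelist:
    """Model of the MAC-derived scheme. There is nothing to store and nothing
    to revoke: a token is valid whenever it matches the hash of the MAC that
    presented it, so anyone who knows the MAC holds the token forever."""

    def is_authorised(self, token: str, mac_on_wire: str) -> bool:
        return token == mac_derived_token(mac_on_wire)


class RevocableWhitelist:
    """Hypothetical alternative: random tokens, issued once, revocable."""

    def __init__(self) -> None:
        self._tokens = {}  # token -> human-readable device label

    def issue(self, device_label: str) -> str:
        # 128 bits from the OS CSPRNG. Nothing about the device is recoverable
        # from the token, and the token cannot be derived from the device.
        token = secrets.token_hex(16)
        self._tokens[token] = device_label
        return token

    def is_authorised(self, token: str) -> bool:
        return token in self._tokens

    def revoke(self, token: str) -> bool:
        """Return True if the token was present and has now been withdrawn."""
        return self._tokens.pop(token, None) is not None


def demo() -> dict:
    """Exercise both schemes and report the properties that differ."""
    mac = "00:17:88:0a:1b:2c"  # constructed sample MAC, not from the article

    # Scheme 1: the legitimate client and any other LAN host that has seen the
    # MAC compute an identical token, and the bridge has no way to forget it.
    legit_token = mac_derived_token(mac)
    observer_token = mac_derived_token(mac.upper())  # same MAC, different case
    mac_scheme = MacWhitelist()
    mac_still_valid = mac_scheme.is_authorised(observer_token, mac)

    # Scheme 2: a random token, checked before and after revocation.
    wl = RevocableWhitelist()
    tok = wl.issue("living-room iPad")
    before = wl.is_authorised(tok)
    wl.revoke(tok)
    after = wl.is_authorised(tok)

    return {
        "mac_token_reproducible": legit_token == observer_token,
        "mac_token_valid_with_no_way_to_revoke": mac_still_valid,
        "random_token_authorised_before_revoke": before,
        "random_token_authorised_after_revoke": after,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```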

Other attacks against Hue that Dhanjani documents are the weak passwords Philips permits for the Internet application that provides remote control over Hue; and “recipe poisoning”.

The Internet app will accept a six-character password, and as we all know, users have a distressing habit of re-using passwords for lots of different sites – meaning that if a password leaks, an attacker can remotely control the system.

And Hue also has a “feature” that probably had the marketing team in a spasm of hypegasm when it was devised: users can set up “recipes” that let the lights respond to the state of other apps. For example, the hue of the Hue can be made to respond to the user’s Facebook activity via a service called “If This Then That” (IFTTT).

If the lights’ colour was set to respond to a tagged photo on Facebook, for example, then simply sending a black photo would activate the recipe and turn the lights off. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/14/switch_off_your_neighbours_lights_with_an_app/

Breaking news, literally: Syrians joyride New York Post tweets, Facebook


The Syrian Electronic Army hijacked the Twitter and Facebook feeds of lively tabloid the New York Post – after compromising social networking outfit SocialFlow.

The hackers, who back Syria’s President Bashar al-Assad, claimed on their website that they had managed to seize control of the Post’s major news and business news tweets, its Facebook page and the Twitter profiles of three of the newspaper’s journalists. The Syrian Electronic Army (SEA) also claimed that it had hacked SocialFlow’s website.


SocialFlow said an employee’s email account had been compromised in a phishing attack, leading to its Twitter and Facebook accounts being hacked. But the firm didn’t confirm the attack on its website.

“No customer access or data was compromised in this attack. As part of our security controls, we immediately took our service offline,” the company added.

The SEA tweeted back:

Previous victims of the SEA have included the BBC and Reuters. In the latter attack, the hacktivist group posted pro-Assad propaganda on the account.

The group only appears to have posted messages that “Syrian Electronic Army Was Here” on Twitter accounts taken over in the SocialFlow hack. The New York Post – a Reg favourite for its sensationalist headlines – hasn’t commented on the security breach as of yet. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/14/syrian_electronic_army_new_york_post_hack/

Zombie PCs are for crimelord chumps: Fear clusters, says infosec ace


It may be possible for a “single dedicated attacker” to run an internet “carpet-bombing” attack by applying Big Data and distributed computing technologies, security researcher Alejandro Caceres warns.

The traditional botnet, or network of hijacked computers, has been used for distributed computing problems, such as Bitcoin mining or DDoS attacks, for years.


But now attacking hundreds of thousands or even millions of targets at once – such as IP addresses or web applications – can be done using cheap hardware, open-source tools and a standard internet connection.

An attacker could potentially run an attack using a distributed Hadoop cluster using either cloud services (such as Amazon’s Elastic MapReduce) or commodity hardware, Caceres explained during a presentation at Def Con earlier this month.

The platform for the attack would be a cluster of machines or a cloud-based system rather than a botnet of compromised machines, said Caceres.

Botnets have been the main vector of cybercrime for more than a decade, so the possibility that a different approach might be brought into play is possibly as significant as when spammers switched from using open mail relays to malware-infected PCs.

“This is not using a botnet. Botnets are generally ‘dumb’ systems used for DDoS or other similar attacks using compromised systems,” Caceres, owner of software development firm Hyperion Gray and founder of the PunkSPIDER project told El Reg.

“What I’m talking about here is building your own distributed cluster of machines at home or in the cloud and using them for highly coordinated, complex attacks,” he added.

Potential attacks could be geared towards hacking websites, stealing data or spreading malware, among other possibilities.

‘Extremely effective’ in tests

During a presentation of his research at Def Con, Caceres explained how an automated, distributed SQL injection tool might be run over an Apache Hadoop cluster. Tests showed this approach to be “extremely effective” against a large test bed of websites. “We were able to inject 61 targets in just 45 seconds (typically a SQL injection attack on a single target would take at least 1 minute if done in a non-distributed way),” Caceres explained.

Caceres also demonstrated two other open-source custom-written distributed computing attack tools during the same talk.

One of them is a new version of PunkSCAN (the scanner that powers PunkSPIDER) for distributed vulnerability location and reconnaissance. The second is PunkCRACK, a distributed password-cracker that can be used over a Hadoop cluster, and would be suitable for applications such as distributed post-exploitation analysis.

Leveraging “Big Data” technology allows us to greatly reduce the time required to conduct a well-coordinated attack on a large number of targets in general, according to Caceres.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/14/big_data_hack_tool_peril/

UK.gov intros shiny CREST badge for cyber crime-scene cleanup squad


The UK has launched two cyber incident response schemes geared towards helping businesses cope better with the aftermath of malware outbreaks and other hacking attacks.

The schemes were launched on Tuesday by the Communications Electronics Security Group (known as CESG), the information security arm of GCHQ, and the Centre for the Protection of National Infrastructure (CPNI), in partnership with the Council of Registered Ethical Security Testers (CREST), the professional body representing security consultants who specialise in penetration testing.


Cyber-incident response services are necessary because, even with a well-thought-out corporate security policy, malware outbreaks and hacker attacks are more or less inevitable. The trick becomes to detect attacks early and thwart them before any real damage is done, which is where firms with computer forensics and cyber response skills come into play.

CESG ran a pilot scheme last November involving four hand-picked firms – BAE Systems Detica, Cassidian (the defence and security unit of EADS), Context Information Security and US-based Mandiant – providing cyber-incident response services to critical national infrastructure organisations such as banks, utilities and transport firms.

The aim was always to roll out similar services to a wider range of public sector firms. The results from the pilot led to the decision that a wider rollout was best accomplished using a twin track approach for certified Cyber Incident Response services.

At the top end comes a small and focused government-run Cyber Incident Response scheme, certified by GCHQ and CPNI, and designed to respond to “sophisticated, targeted attacks against networks of national significance”.

Such a scheme would be overkill, not to mention too expensive, for mainstream business and e-commerce firms; hence a decision to also offer a second (more mainstream) scheme led by CREST and endorsed by GCHQ that focuses on appropriate standards for incident response for industry, the wider public sector and academia.

Both schemes will offer a list of government-assured and certified providers of security response and clean-up services. Think Mr Wolf from Pulp Fiction, but take away the gory body part expertise and add computer forensics and malware eradication skills.

CREST will audit the service providers against standards for cyber incident response and ensure compliance through codes of conduct, which will be combined with professional qualifications for individuals. In the same way that SMEs look for a CORGI-certified gas fitter when they are seeking to install a gas boiler, the idea is that the CREST certifications will keep the cowboys out and help to ensure good standards in the tricky world of computer security incident response.

The government-endorsed twin track approach to offering certified cyber incident response services is designed to dovetail with wider government goals of making the UK more resilient to hacking attacks and cyber-espionage.

Chloë Smith, minister for cyber security, said: “The best defence for organisations is to have processes and measures in place to prevent attacks getting through, but we also have to recognise that there will be times when attacks do penetrate our systems and organisations want to know who they can reliably turn to for help.”

“This scheme and others like it, together with the “10 Steps to Cyber Security” guidance for business launched last year, are an important part of our effort to provide assistance to industry and government in order to protect UK interests in cyberspace,” she added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/14/uk_cyber_incident_response_schemes/
