STE WILLIAMS

NYT crackers get busy again, claims vendor

Win Spectre Laptop with HP and The Register

Security vendor FireEye believes it’s spotted signs that the attackers who breached the New York Times’ network last year are busy again – and that they’ve improved the malware they’re using.

The vendor says the group, dubbed APT 12, has revised the Aumlib and Ixeshe malware between January and now. January was when the NYT first went public about the attacks. FireEye says its researchers found the new versions while analysing a client attack.


“The previous versions of Aumlib had not changed since at least May 2011, and Ixeshe had not evolved since at least December 2011,” FireEye claims.

Aumlib, the post says, has had its attack – a POST command – altered to change the URI and to encode the POST body, in an attempt to evade signature-based IDS.

The Backdoor.APT.Ixeshe, used in attacks since 2009, has also been altered in an attempt to change its signature. But it’s gained another characteristic in line with the increasing sophistication of attacks: a “campaign” marker so the “threat actors”* can keep track of the success and failure of different attacks. ®

Bootnote: *“Threat actor”: the kind of language that’s invading IT security discussions, now that military intelligence is trying to claim IT security as its own. And we all know how well that’s working out. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/14/nyt_crackers_get_busy_again_claims_vendor/

Bacon ‘n’ egg on his face: Hollywood heartthrob pwned by Twitter phishers

Miscreants broke into the Twitter profile of prominent advertising bloke Footloose star Kevin Bacon to scam his fans.

The 300,000-plus followers of the actor – who these days is just as well known for the “six degrees of Kevin Bacon” trivia game as his starring roles in films such as Apollo 13 – were spammed with web links titled: “Did anyone else see this? She is way too young for that [redacted]”. Victims who followed the URLs were taken to a bogus Twitter login page that would gobble up usernames and passwords.


“If you did find yourself clicking on the link, whose true destination had been hidden by use of the bit.do (not to be confused with bit.ly) URL shortening service, you would find your browser had taken you to what appeared to be a Twitter login page,” explains veteran security watcher Graham Cluley.

Cluley has put together a blog post featuring screenshots of the hacked account and the fake Twitter login page it promoted here.

@kevinbacon is a verified account but that doesn’t mean it can’t be hacked, using phishing or some other ruse. Thankfully Bacon managed to quickly regain his account, warned his fans and even managed to crack a funny about changing his password without trivialising the incident.

Bacon is yet to delete the phishing posts from his tweet feed at the time of writing on Tuesday afternoon.

Previous celebrity victims of Twitter profile hijacking include such diverse figures as former Doctor Who star Karen Gillan, Barack Obama and (repeatedly) Britney “Hit Hack Me One More Time” Spears. Hacking techniques applied to take over these accounts are a matter of guesswork, but are thought to include phishing, passwords shared with sites that become the victim of hacking attacks and in some cases keystroke-logging malware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/13/kevin_bacon_twitter_hack/

Beware the ad-punting crapware-laden Firefox, warns infosec bods

Internet users looking for a US Green Card are at risk of being conned by a fake advert into installing an adware-laden version of Firefox, security researchers have warned.

The ruse was spotted over the weekend after it began appearing in online ads peddling supposed US Green Card lotteries. Regardless of what make or version of browser surfers are using, punters served content from websites co-opted into the scam will be greeted with a warning that their browser is out-of-date, before they are encouraged into downloading and installing a version of Firefox.


“The browser build appears to be genuine, however it has been compromised with a multitude of add-ons, adware, toolbars and other malicious and irritating accompaniments that will find their way onto the user’s PC as part of the install,” Christopher Boyd, a senior threat researcher at ThreatTrack Security, explains.

Boyd added that users would have to click on the rogue ad to get exposed to the attack, rather than getting hit simply by visiting a website featuring a dodgy ad stream.

“It looks like users would have to physically click the Green Card ad to be taken to the page – even if the ad in question redirected automatically, there is no “exploit install” with hidden additions,” Boyd told El Reg. “The user would still have to download the executable and click through the installer prompts.”

The Green Card entitles the bearer to permanent residency in the United States, and is highly prized by emigrants to the US and migrants already in America who do not have permanent resident status.

Digital detritus pushed through the ruse includes Delta Toolbar, Webcake, Optimizer Pro, QuickShare and an ad for “unlimited cloud storage”, according to a write-up of the scam featuring numerous screenshots on ThreatTrack’s website. Any and all of these components have the effect of slowing down computers, littering desktops and generally making the online experience on infected PCs pretty wretched.

“If you attempt to install while offline, it won’t work as the install needs to download various components. However, should the install break it will abort but send you to a webpage promoting other offers and installs instead,” Boyd explains.

The scam was first detected by security researchers at StopMalvertising, who have tied the scam back to malicious scripts hosted at c0n3.info.

StopMalvertising adds that the malicious installer downgrades a user’s Firefox browser to version 13 as well as installing several PUAs (Potentially Unwanted Applications, otherwise known as crapware). The current version of Firefox is version 23.

Version 13 came out more than a year ago in June 2012, since when numerous security updates have been applied to Mozilla’s web browser software. Surfing the web with an obsolete browser opens the way for drive-by download attacks from compromised websites, so surfers who are hit by the adware are wide open to secondary infection from far more potent nasties such as banking trojans. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/13/fake_firefox_update_adware_scam/

DARPA calls Big Data boffins: Help us lock up everyone’s privates

The American military is looking for number-crunching wizards able to tackle the national security threat posed by, erm… publicly available data.

The Defense Advanced Research Projects Agency (DARPA) is searching for boffins to “measure the national security impact of public data and to defend against the malicious use of public data against national interests”.


DARPA is apparently worried that enemy agents could use publicly available data to build up a map of their targets, using the information to prepare an attack aimed right at the unprotected soft bits of a public – or private – organisation.

So, DARPA wants data scientists to get in touch and propose new methods of protecting data from the bad guys.

The secret squirrel design agency wants to work out the best methods for “anonymization and de-anonymization of data sources”, while developing tools and frameworks to “measure the national security impact of public data and to defend against the malicious use of public data against national interests”.

DARPA said: “Could a modestly funded group deliver nation-state type effects using only public data? The threat of active data spills and breaches of corporate and government information systems are being addressed by many private, commercial, and government organizations. The purpose of this research is to investigate data sources that are readily available for any individual to purchase, mine, and exploit.”

It continued: “Does the availability of data for purchase or for free… provide a determined adversary with the tools necessary to inflict nation-state level damage?”

It has long been known that the pen is mightier than the sword, but DARPA seems to be saying that numbers in spreadsheets could be as damaging as nukes.

DARPA cited the 2009 Netflix scandal as an example of how vulnerable targets are once their data is released into the wild. Netflix published supposedly anonymous information relating to the viewing habits of 480,000 customers as part of a $1m competition to improve its recommendation system.

But by joining a few digital dots, the supposedly anonymous information could be used to identify customers by name, leading to a lawsuit from a closeted lesbian who claimed the world might guess her sexual orientation from her rental choice of Brokeback Mountain and that this might negatively affect her professional life.

“An unintended consequence of the Netflix Challenge was the discovery that it was possible to de-anonymize the entire contest data set with very little additional data,” DARPA added. “This de-anonymization led to a federal lawsuit and the cancellation of the sequel challenge. The purpose of this topic is to understand the national level vulnerabilities that may be exploited through the use of public data available in the open or for purchase.”

Boffins whose application is successful will first be asked to investigate what data is currently available and which sets are the most vulnerable. They will then be asked to design a proof-of-concept device for sampling data from multiple sources and then providing automated feedback on how risky these numbers are.

Finally, DARPA wants to design a real-world tool that can monitor open source data sets in real time, measure vulnerabilities and then provide defensive countermeasures. This will then be used as the template for “a series of capabilities relevant to both government and commercial organizations to defend against threats due to the proliferation of purchasable or public data sets”.

Of course, some of us might say the NSA already has a handle on how to use big data, seeing as the PRISM surveillance programme managed to collect the details of millions of people every day.

Still, if you’re not bothered by the apparent lack of joined-up thinking among the world’s most secretive government agencies, you can join in the race to become the world’s first spreadsheet superhero by getting your application in to DARPA by 25 September. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/13/big_data_is_a_big_threat_to_national_security/

Mobe-slurping Wi-Fi SPY BINS banned from London’s streets

Electronic BINS in the heart of London must stop tracking hundreds of thousands of passing smartphones, officials have demanded.

A dozen or so high-tech rubbish cans – which display adverts and information on built-in flat-screens and are dotted around the capital’s financial district’s pavements – were set up to collect data from nearby phones.


The recycling bins, operated by Renew London, used Wi-Fi networking to identify devices using their individual MAC addresses, effectively handing over the “proximity, speed … and manufacturer” of the gizmos. MAC addys are unique to each network interface out there, although they can be easily altered by software if one is in the know; the addresses also reveal the maker of the networking chipset.

The company said it used these so-called bin-based ORBs to silently detect 4,009,676 devices in one week, although that really amounts to 530,000 unique phones.

Renew, which said the collected data was “anonymised” before it was analysed, hoped to use this technology to track footfall in shopping areas and perhaps even show tailored adverts to people as they walked by the bins.

But the first pilot testing the Orb system has now been cancelled after The City of London Corporation, which oversees the centre of the Big Smoke, pulled the plug. The authority only found out about the trial when journalists got hold of the study, a source told The Register. A report has also been made to Blighty’s privacy watchdog, the Information Commissioner.

A spokesman for the corporation said: “We have already asked the firm concerned to stop this data collection immediately and we have also taken the issue to the Information Commissioner’s Office. Irrespective of what’s technically possible, anything that happens like this on the streets needs to be done carefully, with the backing of an informed public.

“This latest development was precipitate and clearly needs much more thought. In the meantime data collection – even if it is anonymised – needs to stop.”

(Don’t forget that modern smartphone makers already track your movements by default: both Apple and Google already track people through their location services features, although these can be disabled. Unlike the tracking in the bins.)

In a statement, Renew boss Kaveh Memari claimed the reaction to his firm’s technology was blown out of proportion.

He said: “I’m afraid that in the interest of a good headline and story there has been an emphasis on style over substance that makes our technology trial slightly more interesting than it is.

“During our initial trials, which we are no longer conducting, a limited number of pods had been testing and collecting anonymised and aggregated MAC addresses from the street and sending one report every three minutes concerning total footfall data from the sites. A lot of what had been extrapolated is capabilities that could be developed and none of which are workable right now.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/12/spy_bins_scrapped_from_london_streets/

REVEALED: Simple ‘open sesame’ to unlock your HOME by radiowave

Black Hat 2013 A pair of security researchers probing the Z-Wave home-automation standard managed to unlock doors and disable sensors controlled by the technology.

Behrang Fouladi and Sahand Ghanoun took a long hard look at Z-Wave for their presentation at last week’s Black Hat hacking conference in Las Vegas. The wireless standard dominates home-automation in the US, but the pair discovered some worrying flaws.


Not only were they able to switch off a motion sensor with a relatively simple replay attack, but they also managed to take control of a wireless door lock by supplanting the proper control centre, potentially allowing a burglar to walk right in and make himself comfortable.

The Z-Wave specifications are only available to paying customers after they’ve signed a non-disclosure agreement, which makes analysis of the standard difficult by preventing open discussion of potential flaws. It also makes manufacturers lazy in their implementations, which proved crucial to the success of the hack.

Before Fouladi and Ghanoun could find any vulnerabilities, the researchers had to work out how the security was supposed to work, a challenge in itself. There’s very little open-source code available for the unpublished standard, but by extending the OpenZ-Wave toolkit the pair were able to analyse over-the-air communications with a motion sensor and discovered it was vulnerable to a simple replay attack.

Even without understanding the protocol, the pair simply captured the legitimate signal sent to deactivate the sensor, perhaps by lurking near a target’s house, then played back the recorded series of wireless packets to switch off the sensor.

That shouldn’t be possible – replay attacks are the most basic of penetrative techniques and any modern system should be immune to them, but for some reason the tested Z-Wave sensor wasn’t.

More formidable was a Z-Wave door lock, as it should be. Commands sent to the lock from the network controller are encrypted using AES128, well beyond the reach of all but the best-funded government agencies, but as is so often the case it’s the implementation, not the encryption, that proved to be flawed.

Raise your hand when you spot the non-deliberate mistake

An automated home will have a single Z-Wave network, operating in the low-frequency industrial, scientific and medical (ISM) band (868MHz in Europe and 908MHz in the US), and each network is secured with a unique network key.

That network key is created by the device that appoints itself as network controller (normally a home hub of some sort) and distributed to other devices when they join the network, encrypted using a global key hard coded onto every Z-Wave device.

Cryptographers should be blanching at that statement, fully aware that any shared secret is a vulnerability that won’t stay secret for long. The Z-Wave global key is only used during network setup – meaning it is of no value to anyone attacking an established network even if it remains a concern in some circumstances. But it turns out the global key isn’t necessary to hijack at least one model of lock.

When the lock is first set up, and receives the network key from the controller, the user is required to press a physical button on the bottom of the keypad to acknowledge the new device. But once installed the lock can reconnect to a controller (say, after a battery failure) without user interaction, and it turns out that it isn’t very picky about the network controller to which it connects.

Our attacker just identifies a lock on the network and sends it a new network key from his own network controller; the fickle door lock happily forgets its previous attachment and stands ready to respond to new commands, suitably encrypted using the new key, such as “open the door, please”.

Speaking to El Reg, the hacker team declined to name the manufacturers of the lock and the sensor, but said they’d both been informed and both had claimed the flaws were rare implementation errors and that they would shortly be fixed. Fouladi and Ghanoun aren’t convinced.

More testing is needed, but the pair’s hypothesis is that both companies are using example code provided in the Z-Wave software development kit, and that the example code is intended to be just that – an example not intended for use in actual products. Without seeing the kit it’s hard to be certain, and the Z-Wave Alliance (which maintains and sells the SDK) is apparently working on a new revision, but didn’t respond to our inquiries on the matter.

Fouladi and Ghanoun will demonstrate all this again in London at 44Con in September. And, lest we forget, security through obscurity has, yet again, arguably proved to be worse than no security at all. ®
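Both defects from the talk in one simulated device, as an added example that is not the researchers’ code or the Z-Wave SDK: a lax mode that executes any correctly tagged frame (so a captured “disarm” replays) and re-keys on any key blob wrapped with the shared global key (so a second controller can take the lock over), beside a hardened mode that requires a fresh counter and, once joined, either a physical button press or proof of the current key before accepting a new one. The global key value, the HMAC tag and the XOR key-wrapping are constructed stand-ins for Z-Wave’s AES-based mechanisms, not the real protocol.

```python
import hashlib
import hmac
import os

# Stand-in for the global key the article says is hard-coded into every Z-Wave device
# (constructed value; the real key is not on the page).
GLOBAL_KEY = b"constructed-global-key-shared-by-all-devices"


def tag(key, payload):
    """Frame authentication stand-in for the devices' AES-based protection (truncated HMAC)."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]


def wrap_key(new_key):
    """'Encrypt' a network key under GLOBAL_KEY for distribution (XOR keystream stand-in)."""
    stream = hashlib.sha256(GLOBAL_KEY).digest()
    return bytes(a ^ b for a, b in zip(new_key, stream))


unwrap_key = wrap_key  # XOR with the same keystream is its own inverse


class Frame:
    """Authenticated command: counter || command, tagged under the network key."""
    def __init__(self, key, counter, command):
        self.counter, self.command = counter, command
        self.tag = tag(key, counter.to_bytes(4, "big") + command.encode())


class Device:
    """Simulated lock/sensor. hardened=False reproduces the two failures from the talk."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.network_key = None
        self.button_pressed = False  # the physical inclusion button on the lock
        self.last_counter = -1       # highest counter executed; freshness stand-in
        self.log = []

    def press_button(self):
        self.button_pressed = True

    def receive_key(self, blob, proof=b""):
        """Key distribution. Lax device: any blob decryptable under GLOBAL_KEY re-keys it,
        so a foreign controller can take it over after installation."""
        if self.hardened:
            knows_current = self.network_key is not None and hmac.compare_digest(
                proof, tag(self.network_key, blob))
            if not (self.button_pressed or knows_current):
                self.log.append("rekey rejected: no button press and no proof of current key")
                return False
        self.network_key = unwrap_key(blob)
        self.last_counter = -1
        self.button_pressed = False
        self.log.append("rekeyed")
        return True

    def receive(self, frame):
        """Command handling. Lax device: any frame with a valid tag runs, even a replayed one."""
        if self.network_key is None:
            return False
        payload = frame.counter.to_bytes(4, "big") + frame.command.encode()
        if not hmac.compare_digest(tag(self.network_key, payload), frame.tag):
            self.log.append("bad tag")
            return False
        if self.hardened and frame.counter <= self.last_counter:
            self.log.append("replay rejected")
            return False
        self.last_counter = max(self.last_counter, frame.counter)
        self.log.append("executed " + frame.command)
        return True


def scenario(hardened):
    """Install a device with the home hub, replay a captured frame, then present a second
    controller's key with no proof. Returns which of the two attempts the device accepted."""
    dev = Device(hardened)
    home_key = os.urandom(16)
    dev.press_button()                       # user acknowledges the device at installation
    dev.receive_key(wrap_key(home_key))
    disarm = Frame(home_key, 1, "disarm")
    dev.receive(disarm)                      # legitimate command, visible over the air
    replayed = dev.receive(disarm)           # the identical frame played back later
    rekeyed = dev.receive_key(wrap_key(os.urandom(16)))  # foreign controller, no proof
    return {"replay_accepted": replayed, "foreign_rekey_accepted": rekeyed, "log": dev.log}


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "as shipped", scenario(mode))
```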

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/13/wave_goodbye_to_security_with_zwave/

Violent Hamlet ‘bard’ by British Library Wi-Fi filters

British author HM Forsyth was working on a book in the British Library last week when he needed to read Shakespeare’s Hamlet, so he did what anyone would do these days: he Googled it, safe in the knowledge that MIT has put the Bard’s entire output online.

And that’s when something nasty happened: The Library’s WiFi denied him access to the play because it was deemed too violent for the gentle folk who use its networks.


Forsyth felt blocking Hamlet was a fine example of how conscience doth make cowards of us all, determined it best not to endure the slings and arrows of outrageous fortune and instead decided to take arms against a sea of troubles by approaching Library staff to ask what was going on. The woman he spoke to had no idea what was going on and doth protest too much.

Feeling something was rotten in the state of Denmark and that madness in great ones must not unwatched go, Forsyth fired off what he’s described as “an angry e-mail”. He also penned the blog post we’ve linked to above and hit Twitter to publicise it.

The Library quickly responded, on Twitter, that it has fixed its filters so The Bard is no longer barred.

Forsyth’s now rather happier that Shakespeare, who has been described in the Twitter stream flowing from his original posts as “an important British author”, is now available over the Library’s WiFi.

Here at The Reg, we think Forsyth’s actions recall another Hamlet quote:

“This above all: to thine own self be true

And it must follow, as the night the day

Thou canst not then be false to any man.”

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/13/hamlet_blocked_by_british_library_for_being_too_violent/

NSA-proof email encryption? Cobblers, sniff German hackers

Analysis German hackers have poured scorn on Deutsche Telekom’s plan to offer “secure email”, describing it as little more than a marketing gimmick.

Deutsche Telekom and partner United Internet are rolling out SSL-encrypted connections between users’ computers and the companies’ mail servers as part of the “Email made in Germany” offer.


Deutsche Telekom’s email service T-Online or United Internet’s GMX and Web.de services will also avoid routing customers’ email traffic through US-hosted infrastructure – and thus avoid surveillance by Uncle Sam’s spooks.

René Obermann, chief exec of Deutsche Telekom, described the offer as a response to the NSA PRISM and XKEYSCORE global internet dragnet controversy: “Germans are deeply unsettled by the latest reports on the potential interception of communication data. Our initiative is designed to counteract this concern and make email communication throughout Germany more secure in general.”

The two firms said in a statement that the scheme would offer secure communication for two-thirds of all email users in Germany.

Ralph Dommermuth, chief exec of United Internet AG, added: “Alongside email encryption and the designation of secure e-mail addresses, a third key element relates to data processing and archiving, which is carried out in Germany. This ensures that Germany’s stringent data privacy laws are complied with.”

Der Spiegel reported that Germany is a focus of the NSA’s surveillance operation, which hoovers metadata on up to half a billion communications per month – including emails, text messages and phone calls.

Messages sent to mail servers outside Germany will not be encrypted in transit, at least initially, which means the data can be intercepted by network taps, installed in the internet’s arteries worldwide, that are run by the NSA and the UK’s eavesdropping centre, GCHQ.

Any service offered within Germany will be subject to EU data retention laws and rules allowing cops and g-men to lawfully intercept or seize data (see El Reg‘s recent analysis of the Lavabit and Silent Mail shutdowns for details). Metadata collection is unavoidable in the EU and US, so all the “Email Made in Germany” scheme offers is some protection against crooks snooping on email exchanges, rather than anything genuinely spy-proof.

“Email Made in Germany” only promises that email will be protected in transit with no guarantees that it will be stored in an encrypted format. Lavabit offered encrypted storage before it shut up shop last week, perhaps permanently, as a result of pressure from the US authorities to hand over those messages.

German hackers at the Chaos Computer Club dismissed Deutsche Telekom and United Internet’s offer as a shrewdly timed marketing stunt. Like security experts, they repeat the advice that end-to-end encryption using packages such as PGP is the only way to ensure email privacy:

Advertising these changes under the label “E-Mail Made in Germany” seems like a desperate effort to bring the already failed project “De-Mail” back into the spotlight. Indeed, these providers are claiming that De-Mail would even improve upon the new practice “in features”.

The supposed improvement is in effect only a shameless game with the users’ increasing problem awareness precipitated by the NSA scandal. It is comical at best if providers are now selling a well-aged technology as a groundbreaking innovation.

What users of these mail services are not being told is that encrypting traffic between mail providers does not mean that the e-mails themselves will also be stored encrypted. Rather, the NSA scandal has shown that centralised services cannot be regarded as trustworthy with regard to access from intelligence agencies.

Ultimately, the technologies employed are not capable of preventing the installation of wiretapping infrastructure within the system. The provider and intelligence agencies still have complete access to the contents of e-mails and, consequently, will be able to fully analyze them.

The CCC stands by its recommendation of end-to-end encryption using GnuPG/PGP or S/MIME as a sensible instrument to prevent unauthorised access to e-mail.

Chaos Computer Club’s statement refers to De-Mail, a German encrypted email service that links users’ addresses with verified identities, confirmed during the sign-up process using state-issued identification cards. De-Mail can be used to complete official documents, such as tax returns, online.

Andre Meister, writing in German on the Netzpolitik.org blog, adds: “The basic problem with email is that it’s a postcard readable by all — [and this] changes nothing. The contents of the mail aren’t encrypted, even if the e-mails are stored on encrypted hard drives.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/13/deutsche_mail_scorned_by_hackers/

Android detective explains Bitcoin borkage breadcrumbs

Over the weekend, it emerged that a flaw in Android’s Java-derived pseudo-random number generator (PRNG) created a vulnerability that allowed the theft of Bitcoins.

The individual responsible for identifying the nasty bug, Jean-Pierre Rupp, has now contacted The Register by e-mail to confirm how he was able to track down the problem.


Rupp says his investigations began as the result of a complaint from a friend, who suspected that his Android phone had been hacked. However, Rupp says, he considered a successful remote Bitcoin-theft hack unlikely. This, Rupp told Vulture South, led him instead to speculate that “somebody found his private key through cryptanalysis on the Bitcoin blockchain (the public ledger where all transactions are kept).”

Rupp’s investigations then led him to a similar complaint in July (here). His reply to that post (as user Xeno-Genesis) reported his friend’s experience and noted that he was investigating the problem.

“The common factor seemed to be Android, and I immediately thought about the possibility of a flaw in its pseudo-random number generator (PRNG),” Rupp told The Register.

Rupp identified this conference paper, also linked in The Register’s earlier story, and brought it to the attention of Google security engineer Mike Hearn. “I also pointed to him that his BitcoinJ code was using that PRNG in the regular non-seeded way, which triggered the flaw,” Rupp told The Register.

“I originally suggested that private key collisions may have been found and exploited. Later on the weekend a reply to the Bitcoin forum post by johoe clarified that the issue with the PRNG was leading to collisions in the random number parameter /k/ that the elliptic curve signature algorithm needs in order to be secure, making it trivial to extract the private key from two transactions that used the same /k/,” Rupp told Vulture South.

Hearn has told The Register that one of the posts referred to in yesterday’s story relates to a different key-collision issue.

“Nils’ [Schneider] blog post isn’t anything to do with this incident. If you read to the end, the bad transaction he found was generated using a prototype hardware wallet not an Android device. His blog post is a nice walkthrough of the maths involved with recovering a private key given two colliding signatures, but it has no relevance beyond that.”

The Register is happy to include this correction. We have also asked Google to comment on why developers were not warned earlier about issues with using SecureRandom, given the March publication date of the RSA conference paper. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/08/13/how_the_bitcoin_android_bug_was_tracked_down/
