STE WILLIAMS

Secret ROYAL BABY birth VIDEO leaked! (And other malware scams)

It’s the moment malware writers worldwide have been waiting ages for: millions of royal-watchers at home and at work will be in front of their computers, hunting for the first pictures of the soon-to-be-born third heir to the throne.

The Duchess of Cambridge’s labour has started, it was confirmed this morning. The baby, whatever its sex, will be third in line to the British throne following recent changes in UK succession law.

And as with many a popular story – be it a natural disaster or celebrity death – malware-flingers have long been gestating plenty of scams and malware which they are more than ready to deliver.

“Malware authors worldwide have been waiting ages for this,” according to anti-malware veteran turned independent security blogger Graham Cluley. “Exclusive first pictures”, “Secret video from inside delivery room” and “Sex revealed” images from the royal birth might become the theme of scams, according to Cluley. “I don’t want to scaremonger, but it’s easy to imagine,” he said.

The story of a royal birth will be so big that it’s inevitable the bad guys will jump on the bandwagon, according to Cluley, who pointed out that malicious actors had previously menaced Wills and Kate.

Cybercriminals were quick to exploit Kate and Wills’ engagement. They were also quick to latch onto a story about a possible pregnant Kate Middleton doll in an attempt to lure users into malware scams.

High-profile news stories are often used to trick surfers into visiting scareware portals or exploit-ridden sites through search engine manipulation, or blackhat SEO. But virus writers are unreliable types at the best of times, so the scams do not always materialise.

Sean Sullivan, a security adviser at F-Secure, joked that scams might be more likely if Kate gives birth to twins.

He said: “So, if it were twins, and a C-section, is it the doctor that decides the line of succession? Are there protocols?” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/22/beware_royal_baby_malware_scams_warns_expert/

Bloke raises hand in vid, claims: I sparked Apple dev site hack panic

A Turkish security bod calling himself Ibrahim Balic claims his bug reports to Apple sparked the shutdown of Cupertino’s Developer Centre website.

The iPhone giant pulled the plug on its online home for app programmers last Thursday, fearing someone was attempting to hack into its databases.

Now Balic has alleged he found 13 security vulnerabilities in the system and exploited them to pull up information on 73 Apple staff. He also claimed he gained access to more than 100,000 developers’ private data. But he insists he did this to demonstrate the apparent flaws – reported via bugreport.apple.com – and uploaded a video to protest his innocence.

In an extended mea culpa written after the initial media storm over the Developer Centre outage, the researcher huffed: “I’m not feeling very happy with what I read and I’m a bit irritated, as I did not do this research [to cause] harm or damage.

“I didn’t attempt to publish or share this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100,000 users’ details and Apple is informed about this. I didn’t attempt to get the data first and report then, instead I have reported first.”

Balic claims the developer website was shut down just four hours after he contacted Apple; he added that the fondleslab titan did not respond to his bug reports. The Reg cannot confirm his allegations, and Apple has not yet commented on Balic’s claims.

He added: “I do not want my name to be on a blacklist. I’m keeping all the evidence, emails and images. Also I have the records of the bugs that I made through Apple’s bug-report [system].”

Security market expert Graham Cluley has predicted that Apple may be tempted to take tough action to dissuade any other researchers from probing too hard.

He wrote: “Balic may not have been motivated by malice if he did, as appears to be the case, exploit a security hole in Apple’s Developer Centre. But he clearly was operating without Apple’s permission.

“As such, the extracting of developers’ personal data from the site could be argued to be unauthorised access, and Apple could – if it wanted – pursue legal action against the researcher.

“Whether Apple will choose to pursue legal action in this case remains to be seen. Although it may be bad for its brand image to pursue a researcher who doesn’t appear to have had cybercrime in mind, Apple is a very strange company. Who can forget when Apple encouraged police to look into the loss of its iPhone prototype in a bar, which resulted in the editor of Gizmodo having his house raided?”

“Apple is under new management now, but the possibility remains that it may want to make an example of him,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/22/im_not_a_hacker_says_apple_bloke/

SIM crypto CRACKED by a SINGLE text, mobes stuffed with spyware

A quarter of mobile phones using single DES rather than the newer triple-DES for their SIM cards are vulnerable to an attack, delivered via SMS, that results in a complete takeover of the phone.

German security researcher Karsten Nohl, founder of Berlin’s Security Research Labs, who previously busted GPRS encryption and cracked transport smartcard encryption keys with a microscope, has told the New York Times and Forbes about the attack, which he will outline to the August Black Hat conference in Las Vegas.


While Nohl is holding back some details of the attack until his Black Hat convention talk, he says he has developed a technique that allows him to obtain the 56-bit DES encryption key of a SIM by sending a text message that spoofs the phone’s operator. With the key in hand, a second text message will install software on the target device that takes over the phone completely – including eavesdropping and impersonation attacks.

“We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account”, Nohl told the NYT.

Forbes’ report suggests Java Card, an Oracle product Big Red says “provides a secure environment for applications that run on smart cards and other devices with very limited memory and processing capabilities”, is the source of the vulnerability.

Of the six billion mobiles currently in service, about half still use DES encryption. In a sample of 1,000 SIMs tested over two years, Nohl said one-quarter were vulnerable – which suggests as many as 750 million vulnerable devices are in the field.

Nohl has disclosed the vulnerability in full to the GSM Association, and the ITU is planning an advisory to all mobile phone operators. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/21/researcher_cracks_sim_crypto_to_own_phones_via_sms/

Titsup Apple Developer Centre mystery: Database interloper fingered

After days of silence over an outage that’s outraged developers, Apple has announced that its Developer Centre was subject to an attempted intrusion.

Since Thursday, 18 July, the Developer Centre website has been offline with this message:

[Image: Apple’s holding message on the Developer Centre site]

Cupertino’s silence has led to increasing speculation that the outage was due to a database breach, and has angered programmers who spent a weekend on the Refresh button wondering when the site would return. As Australian Developer Centre user Josh McKinnon blogged: “Apple is a seriously customer-focused company, and they are treating us developers with contempt because we are not their customers.”

Apple has now decided to come clean, to an extent. Macworld reports an e-mail sent to developers:

“Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

“In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologise for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.”

According to Cnet, some users have complained about receiving password reset e-mails, indicating that although passwords were not compromised in the intrusion, the attacker had obtained a number of Apple developer account IDs.

The company has noted that any developers unable to renew their App Store accounts would have their subscriptions extended until the outage is over. ®

Bootnote

A UK-based chap calling himself Ibrahim Balic claims he reported a dozen or so security vulnerabilities in the Developer Centre to Apple shortly before Cupertino yanked the website offline last week. It’s believed his discovery was treated by staff as a compromise of the system, but yesterday he denied any wrongdoing and insisted: “This is definitely not a hack attack.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/22/apple_pulls_dev_centre_after_intrusion_attempt/

HP closes StoreVirtual backdoor, slings key

Hewlett-Packard has issued a patch for the StoreVirtual vulnerability: an undocumented factory account present in a number of products running versions of its LeftHand (or SAN iQ) software older than 10.5.

The vulnerability was brought to the attention of The Register (and of HP) by blogger Technion, who had earlier pointed out a similar issue in the company’s StoreOnce products.


The latest patch, available here, identifies 21 affected products, including Dell’s PowerEdge 2950 and the IBM System x3650, to which the patch should be applied.

In both the StoreOnce and StoreVirtual products, the factory accounts were intended for support use. However, as Technion pointed out to Vulture South, if the accounts had fixed passwords and those passwords became known, any system visible to the Internet would be vulnerable to unauthorised remote access.

The patch now protects the factory accounts with a challenge-response-based one-time password. ®
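As an added illustration of the kind of fix described above (this is not HP’s code; the per-device secret derivation, the five-minute challenge lifetime, and every serial number and key are assumptions), the following Python contrasts a fixed shared factory password with a per-device challenge-response one-time password, and shows why a captured response cannot be replayed, cannot be used after it expires, and does not carry over to another unit even if one device’s secret is extracted:

```python
"""Factory support account: fixed password vs challenge-response one-time password.

Added example, not HP's implementation. The secret derivation, the challenge
lifetime and all serial numbers / keys are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time

# --- The weak design: one fixed password baked into every shipped unit -----------
FACTORY_PASSWORD = "changeme-factory"  # constructed; once leaked it is a permanent skeleton key


class FixedPasswordAccount:
    def login(self, password: str) -> bool:
        return hmac.compare_digest(password.encode(), FACTORY_PASSWORD.encode())


# --- The fixed design: per-device secret, random challenge, single-use response ----
VENDOR_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; lives only in the vendor's support system


def device_secret(serial: str) -> bytes:
    """Derive a per-device secret from a vendor key and the serial (assumed scheme),
    so compromising one unit does not expose the whole fleet."""
    return hmac.new(VENDOR_KEY, b"support-account:" + serial.encode(), hashlib.sha256).digest()


class ChallengeResponseAccount:
    CHALLENGE_TTL = 300  # seconds a challenge stays valid; assumption

    def __init__(self, serial: str, now=time.time):
        self.serial = serial
        self._secret = device_secret(serial)
        self._now = now              # injectable clock so expiry can be tested
        self._pending = {}           # outstanding nonce -> expiry timestamp

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = self._now() + self.CHALLENGE_TTL
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        expiry = self._pending.pop(nonce, None)  # pop: a nonce is consumed on first use
        if expiry is None or self._now() > expiry:
            return False
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def support_desk_answer(serial: str, nonce: bytes) -> bytes:
    """What the vendor's support system hands a technician; requires VENDOR_KEY."""
    return hmac.new(device_secret(serial), nonce, hashlib.sha256).digest()


def run_scenario() -> dict:
    results = {}
    # 1. Fixed password: the leaked value works on every unit, every time.
    leaked = FACTORY_PASSWORD
    results["fixed_password_replayable"] = (
        FixedPasswordAccount().login(leaked) and FixedPasswordAccount().login(leaked)
    )

    clock = [1_000_000.0]
    dev_a = ChallengeResponseAccount("SN-A-0001", now=lambda: clock[0])

    # 2. Legitimate support session against device A.
    nonce = dev_a.challenge()
    answer = support_desk_answer("SN-A-0001", nonce)
    results["legit_login"] = dev_a.login(nonce, answer)

    # 3. Attacker replays the sniffed (nonce, answer) pair: nonce already consumed.
    results["replay_rejected"] = not dev_a.login(nonce, answer)

    # 4. Attacker dumped device A's secret and answers device B's challenge with it.
    dev_b = ChallengeResponseAccount("SN-B-0002", now=lambda: clock[0])
    nonce_b = dev_b.challenge()
    forged = hmac.new(device_secret("SN-A-0001"), nonce_b, hashlib.sha256).digest()
    results["cross_device_rejected"] = not dev_b.login(nonce_b, forged)

    # 5. Correct answer, but delivered after the challenge has expired.
    nonce_late = dev_a.challenge()
    clock[0] += ChallengeResponseAccount.CHALLENGE_TTL + 1
    results["expired_rejected"] = not dev_a.login(nonce_late, support_desk_answer("SN-A-0001", nonce_late))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point of the design is that the device never holds anything an attacker can reuse: the nonce is random and burnt on first use, the response is bound to that nonce and to this device’s secret, and the shared vendor key never leaves the support system.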

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/22/hp_closes_backdoor_slings_key/

Rotten hackers feast on mouldy Java flaws

Most enterprise networks are riddled with vulnerable Java installations, according to a new study whose release coincides with the discovery of another 0-day Java flaw.

Less than one per cent of organisations are running the latest version of Java, according to a study by security software firm Bit9. The most frequently encountered version of Java running on endpoints is version 6 update 20, found on 9 per cent of systems and subject to 96 high-severity vulnerabilities.


The average enterprise has more than 50 versions of Java installed across its PCs and servers, while five per cent of those enterprises have more than 100 versions of Java installed.

This creates a smorgasbord of mouldy vulnerabilities for hackers to feast upon. At least part of the reason for this sorry state of affairs is that the Java installation and update process often does not remove older versions of the widely used technology.

Most endpoints have multiple versions of Java installed, which means hackers can fairly easily determine what versions of Java an enterprise is running before targeting the oldest, most vulnerable versions. Eighty-two per cent of the endpoints analysed by Bit9 were running version 6 series of Java, which has the most known vulnerabilities of any version of Java.

All these factors make Java a hacker and cyberspy favourite, or the “endpoint technology most targeted by cyber attacks,” as Bit9 puts it.

Bit9’s study, put together in a report entitled Java Vulnerabilities: Write Once, Pwn Anywhere, is based on an analysis of Java deployment statistics on approximately 1 million endpoints at hundreds of enterprises worldwide.

Oracle only recently revamped the Java update process so that older versions are purged. But these changes do nothing by themselves to address legacy or orphaned Java installations already in place, some of them well over a decade old, according to Bit9. In trying to minimise compatibility problems, a legacy of insecurity has been created.

“For the past 15 years or so, IT administrators have been under the misconception that updating Java would address its security issues,” explained Harry Sverdlove, Bit9’s chief technology officer. “They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading.

“Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95,” he added.

Sorting out the mess calls for the cyber-security equivalent of an emergency audit. Enterprises should first establish how many versions of Java are running before deciding whether the older versions are needed for valid business reasons and, in particular, whether Java should be running in browsers at all.

Several security firms routinely advise consumers and businesses to disable Java browser plug-ins, which are seldom needed for ordinary web surfing but are sometimes required by particular web applications. Organisations can then use security technologies from the likes of Bit9 and others to enforce these policy decisions.
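To make that audit concrete, here is an added Python example (not Bit9’s tooling) that triages a constructed endpoint inventory export: it parses legacy Java version strings such as 1.6.0_20 into comparable (family, update) pairs, counts distinct versions, flags hosts running several runtimes side by side, lists installs below an assumed “current” baseline of Java 7 Update 25, and picks out hosts where an outdated runtime still has its browser plug-in enabled. The record layout, the hostnames and the baseline are assumptions:

```python
"""Java sprawl audit over a software-inventory export.

Added example, not Bit9's tooling. The inventory rows are constructed; the
record layout and the "current" baseline (Java 7 Update 25) are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample of an endpoint inventory export: one row per installed
# Java runtime, plus whether that runtime's browser plug-in is enabled.
INVENTORY = [
    {"host": "ws-001", "version": "1.7.0_25", "browser_plugin": False},
    {"host": "ws-001", "version": "1.6.0_20", "browser_plugin": True},
    {"host": "ws-002", "version": "1.6.0_20", "browser_plugin": True},
    {"host": "ws-003", "version": "1.7.0_21", "browser_plugin": False},
    {"host": "ws-003", "version": "1.6.0_45", "browser_plugin": False},
    {"host": "ws-003", "version": "1.5.0_22", "browser_plugin": False},
    {"host": "srv-db1", "version": "1.6.0_20", "browser_plugin": False},
    {"host": "ws-004", "version": "1.7.0_25", "browser_plugin": True},
]

BASELINE = "1.7.0_25"  # assumed current release for this audit


def parse_java_version(version: str) -> tuple:
    """Turn a legacy Java version string such as '1.6.0_20' (Java 6 Update 20)
    into a sortable (family, update) tuple. A bare '7' or '7.0' is tolerated."""
    core, _, update = version.strip().partition("_")
    parts = core.split(".")
    family = int(parts[1]) if len(parts) >= 2 and parts[0] == "1" else int(parts[0])
    return (family, int(update) if update else 0)


def triage(inventory, baseline=BASELINE) -> dict:
    """Summarise Java sprawl and the browser-plug-in exposure per host."""
    base = parse_java_version(baseline)
    by_host = defaultdict(list)
    for rec in inventory:
        by_host[rec["host"]].append(rec)

    prevalence = Counter(rec["version"] for rec in inventory)
    multiple = sorted(h for h, recs in by_host.items() if len(recs) > 1)

    below, plugin_hosts, plugin_outdated = {}, set(), set()
    for host, recs in by_host.items():
        old = [r["version"] for r in recs if parse_java_version(r["version"]) < base]
        if old:
            below[host] = old
        for r in recs:
            if r["browser_plugin"]:
                plugin_hosts.add(host)
                if parse_java_version(r["version"]) < base:
                    plugin_outdated.add(host)  # oldest, plug-in-exposed runtimes: fix first

    return {
        "hosts": len(by_host),
        "distinct_versions": len(prevalence),
        "most_common": prevalence.most_common(1)[0],
        "hosts_with_multiple_installs": multiple,
        "hosts_below_baseline": below,
        "fully_current_hosts": sorted(h for h in by_host if h not in below),
        "browser_plugin_hosts": sorted(plugin_hosts),
        "browser_plugin_on_outdated": sorted(plugin_outdated),
    }


if __name__ == "__main__":
    for key, value in triage(INVENTORY).items():
        print(f"{key}: {value}")
```

On the constructed data only one of five hosts is fully current, the most common runtime is an old Java 6 build, and two hosts expose an outdated runtime through the browser; those two are where a practitioner would start, either by removing the old runtime or disabling its plug-in.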

A video featuring Bit9 CTO Harry Sverdlove discussing the Java problem can be found here.

Groundhog 0-day

Separately, Poland-based security research outfit Security Explorations claims to have unearthed a flaw that bypasses the security sandbox on Java 7, exposing host systems to malicious attacks. Adam Gowdiak, chief exec and founder of Security Explorations, explained the flaw in a post to the Full Disclosure mailing list.

Security Explorations has created proof-of-concept exploit code that works against Java SE 7 Update 25 and earlier. The vulnerability arises from flaws in the Reflection API as implemented in Java SE 7, an area that has been the source of earlier security problems in the latest version of the frequently abused software.

The upshot is that the latest version of Java can be compromised using attack techniques more than 10 years old, according to Gowdiak, who slammed Oracle for leaving open a route to such a well-known attack, which he argues should have been straightforward to defend against.

“If Oracle had any Software Security Assurance procedures adopted for Java SE, most of simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to Java SE 7 release. This didn’t happen, thus it is reasonable to assume that Oracle’s security policies and procedures are either not worth much or their implementation is far from perfect.”

Gowdiak’s find means the Java zero-day counter was reset on Thursday, yet again. Oracle is yet to respond to Gowdiak’s discovery, so it’s unclear if and when a fix might become available. The database giant last released a batch of Java updates in June (details here) and the next scheduled update is not due until October. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/22/java_security_omnishambles/

Ubuntu forums breached, 1.8m passwords pinched

Ubuntuforums.org, the Linux distribution’s online community, has shut down for maintenance after a security breach.

It’s not a pretty one: the site’s operators say “Unfortunately the attackers have gotten every user’s local username, password, and email address from the Ubuntu Forums database.”


The good news is that “The passwords are not stored in plain text, they are stored as salted hashes.”

The second piece of bad news is that a quick trip to the site through the Wayback Machine produces a page stating the site has 1,824,159 members, of whom 19,493 are classified as “active”. That’s a lot of users who may not visit the site often enough to learn of the breach. Little wonder, then, that the announcement on the site recommends: “if you were using the same password as your Ubuntu Forums one on another service (such as email), you are strongly encouraged to change the password on the other service ASAP.”
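The announcement says only that the passwords were stored as “salted hashes”. The added Python below (not Canonical’s code; the two hashing schemes, the users, salts, wordlist and passwords are all constructed) shows what a per-user salt does and does not protect against once the table is in an attacker’s hands. Both a salted-but-fast MD5 and a salted PBKDF2 keep two users with the same password from sharing a hash, so precomputed tables and cross-user reuse of a cracked hash fail; but an offline dictionary attack still recovers weak passwords from both, which is exactly why the advice to change reused passwords matters. The slow KDF only raises the attacker’s cost per guess:

```python
"""What 'salted hashes' buy a breached site, and what they do not.

Added example, not Canonical's code. The forum announcement only says the
passwords were salted hashes; the schemes, users, salts, wordlist and
passwords below are constructed for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the slow scheme


def fast_salted_md5(password: str, salt: bytes) -> bytes:
    """Salted but fast: one MD5 per guess, so offline guessing is cheap."""
    return hashlib.md5(salt + password.encode()).digest()


def slow_pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted and slow: each guess costs PBKDF2_ITERATIONS HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def build_table(users, hash_fn):
    """Simulate the dumped credentials table: (username, salt, hash), fresh random salt per user."""
    table = []
    for username, password in users:
        salt = os.urandom(16)
        table.append((username, salt, hash_fn(password, salt)))
    return table


def offline_dictionary_attack(table, wordlist, hash_fn):
    """Attacker holding the dump tries every word against every user's salt.
    Returns the recovered passwords and how many hash evaluations it took."""
    recovered, evaluations = {}, 0
    for username, salt, digest in table:
        for guess in wordlist:
            evaluations += 1
            if hmac.compare_digest(hash_fn(guess, salt), digest):
                recovered[username] = guess
                break
    return recovered, evaluations


# Constructed users: alice and bob share a weak password that is in the attacker's list.
USERS = [("alice", "ubuntu123"), ("bob", "ubuntu123"), ("carol", "c0rrect-h0rse-battery-st4ple")]
WORDLIST = ["password", "123456", "ubuntu123", "linux"]  # constructed, deliberately tiny


def run_comparison() -> dict:
    fast_table = build_table(USERS, fast_salted_md5)
    slow_table = build_table(USERS, slow_pbkdf2)

    # Salt check: identical passwords, different stored hashes.
    alice_hash = next(h for u, _, h in fast_table if u == "alice")
    bob_hash = next(h for u, _, h in fast_table if u == "bob")

    fast_found, fast_cost = offline_dictionary_attack(fast_table, WORDLIST, fast_salted_md5)
    slow_found, slow_cost = offline_dictionary_attack(slow_table, WORDLIST, slow_pbkdf2)
    return {
        "same_password_different_hashes": alice_hash != bob_hash,
        "fast_recovered": fast_found,
        "slow_recovered": slow_found,
        "fast_hash_ops": fast_cost,                        # one MD5 per guess
        "slow_hash_ops": slow_cost * PBKDF2_ITERATIONS,    # PBKDF2 work per guess
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```

Under both schemes the salt stops alice’s cracked hash from revealing bob’s, and carol’s long password survives the wordlist; but alice and bob are recovered either way. The defence that helps them is not on the server at all: a password that is not reused elsewhere.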

The site was taken down on Saturday evening, UK time, after being defaced earlier in the day. The defacement has been attributed to Twitter user @Sputn1k_, who’s not exactly the Internet’s best friend right now.

The site is still down at the time of writing, which could indicate the attack was severe or that Canonical, the company backing Ubuntu, hasn’t been able to get a lot of engineers back on duty over the weekend.

Other Ubuntu services, namely Ubuntu One and Launchpad, aren’t impacted by the breach. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/21/ubuntu_forums_breached_18_passwords_pinched/

Legal eagles pit Apple v. Samsung in thievery test

Sick of the number of reported phone thefts in their jurisdictions, two US prosecutors have decided to hold a contest to discover how easy it is to crack stolen smartphones for resale.

New York attorney general Eric Schneiderman and San Francisco district attorney George Gascón have hired Northern California Regional Intelligence Center staff to try to crack the activation lock on an iPhone 5 and a Samsung Galaxy S4 running LoJack software, which costs $29.95 per year.

“Finding technical solutions that will remove the economic value of stolen smartphones is critical to ending the national epidemic of violent street crimes commonly known as ‘Apple Picking’,” said the pair.

“While we are appreciative of the efforts made by Apple and Samsung to improve security of the devices they sell, we are not going to take them at their word,” they said. “Today we will assess the solutions they are proposing and see if they stand up to the tactics commonly employed by thieves.”

The testing will involve breaking into the handset and disabling any features that would allow the owner to track the phone. Once these have been broken, the device can usually be wiped, reset, and sold on.

Thieves are getting increasingly savvy about getting around these smartphone tracking features, and police report that taking electronic tracking into account is all part of the criminal business these days.

Certainly smartphone theft is increasingly common, with the FCC reporting that one in three robberies in major cities now involve the theft of such devices. We’re carrying something with the price of a laptop computer in our pockets, and thieves follow the money.

Last month the two prosecutors launched the Secure Our Smartphones Initiative (SOS – predictably) to push mobile phone makers into building a “kill switch” into their software that would allow a device to be rendered useless in the event of loss or theft.

“Together, we are working to ensure that the industry imbeds persistent technology that is effective, ubiquitous and free to consumers in every smartphone introduced to the market by next year,” they said.

Nevertheless, El Reg has to take issue with the math behind some of the prosecutors’ claims. According to their statement, “roughly 113 smartphones” are lost or stolen every minute in the US. That’s 162,720 per day, or about 59.4 million per year.

Smartphone usage rates are high in the US, but not that high. Taking out those too young, poor, or uninterested in owning such a device, then that “roughly” sounds somewhat overstated. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/19/apple_against_samsung_in_theft_test/