STE WILLIAMS

Google study finds users ignore Chrome security warnings


You’re surfing the ‘net when Chrome decides not to bring you the web site of your choice, but instead a page warning that the site you’d hoped to visit might be bogus or contain malware.

Do you:

(a) Click on “Proceed anyway” because you really want to see the cat picture someone Tweeted to you;

(b) Click “Back to safety” because it’s not worth having crims empty your bank account for a peek at one cute kitty.

If you picked the first option and ended up being pwned by something nasty, there’s no need to feel completely stupid: a new study by Google has found that over 70 per cent of people ignore some such warnings.

The study, Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness (PDF), collected “25,405,944 warning impressions in Google Chrome and Mozilla Firefox in May and June 2013” and found that plenty were ignored.

Here’s the basic data.

Data from Google's study into browser warnings

Interestingly, users are less circumspect when using early versions of software, as this block of data reveals.

More data from Google's browser security study

Keen-eyed Reg readers have probably noticed the table above also shows Chrome users ignoring more warnings than most.

The study’s authors, one Googler and Devdatta Akhawe of the University of California, Berkeley, are not sure why Chrome users are so blasé. False positives are one possible reason; differing levels of competence among users are also found to account for another point or two of difference. “Warning fatigue” is advanced as a further reason users ignore warnings, and the study re-learns one of the lessons of Windows Vista by pondering whether fewer warnings may be one way to improve security.

“Our findings motivate more work on browser security warnings, with particular attention paid to demographics,” the paper concludes. “At Google, we have begun experimenting with new warning designs to further improve our warnings.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/15/google_study_finds_chrome_is_leastsecure_browser/

Internet evildoers stitch together vile ransomware-survey scam chimaera


Internet Igors have fused genomes from two of the web’s most noxious scam strains to create a repulsive chimaera.

The new ransomware doing the rounds locks up victims’ PCs before forcing their users to complete a survey in order to receive an unlock code.


Traditional ransomware scams typically involve locking up systems before accusing prospective marks of some fictitious crime, from distributing music or films on file-sharing networks to circulating child-abuse images. Victims are typically coerced into coughing up a “fine” of about £100 using untraceable cash vouchers in order to obtain codes to unlock their computers.

Tying things up in survey scams is a new and arguably less ambitious tactic. Survey scams typically involve attempts by dodgy marketing affiliates to trick consumers into completing a survey that offers the “chance” to win an iPad or similar. In reality the ruse is purely designed to harvest personal information. In more extreme cases victims are tricked into handing over their mobile number and signed up for expensive but lame premium rate services, such as daily horoscopes by SMS.

Packaged scams to get victims (referred to as “slaves”) to complete online surveys using ransomware have begun appearing in underground cybercrime forums. Webroot has a write-up on one such scam, together with screenshots, in a blog post here.

The ransomware strain blocks Task Manager, CMD, Regedit and the Start Menu.

“Despite the fact that the ransomware doesn’t pose any sophisticated features … it [still] provides an example of an efficient business model aiming to utilize cost-per-action (CPA) affiliate networks in an attempt to generate revenue for the market participants,” writes malware researcher Dancho Danchev. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/15/ransomware_survey_scam_hybrid/

Botch Tuesday: Redmond frags video codec


Last week’s Patch Tuesday has reportedly gone sour, with one of the patches released by Redmond causing trouble for video playback.

The 34-bug patches issued on July 9 include a fix for Microsoft’s WMV codec used in wmv9vcm.dll, wmvdmod.dll for WMF Runtime 9 and 9.5, and wmvdecod.dll in WMF runtime 11 and Windows Media Player 11 and 12. The vulnerability in the codecs could be attacked with a crafted media file that gets past input validation features, crashing them and giving remote attackers the ability to execute arbitrary code.

However, InfoWorld is now reporting that the patch is causing problems in video playback, with the most common symptom being that it blacks out the top half of the video content.

Adobe users have found that the blackout applies to high-quality large video files under Premiere Pro CS6, with the symptom also appearing in exported files. Adobe describes the problem here, with the recommendation that if users need WMV files, they need to roll back the relevant patch.

Other reports of the problem listed by InfoWorld include TechSmith’s Camtasia Studio and Serif MoviePlus X6.

The video cutoff, shown in Camtasia Studio

The bug’s also upsetting people in gamer-land: as soon as they installed the update, Steam users started suffering the same symptom in cut scenes for Dust: An Elysian Tail and Ion Assault.

The only workaround right now is to uninstall the patch associated with MS13-057. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/15/botch_tuesday_redmond_frags_video_codec/

Amazon button leaked user traffic


Amazon is the latest company to come under fire for misusing its browser extension bar, with security researcher Krzysztof Kotowicz accusing the company of invading privacy via its 1Button extension for Chrome.

The blogger, in a post entitled Jealous of PRISM? Use “Amazon 1 Button” Chrome extension to sniff all HTTPS websites! says 1Button not only provides a side-channel attack for SSL encrypted data on user machines: it sends some user Web activity information over plain text.

And even worse: as he points out, if you’re a 1Button for Chrome user, you’ve given the extension permission to do all of this stuff.

Kotowicz’s accusations are extensive and specific. He says the Chrome extension:

  • Reports URLs users visit to Amazon (using HTTPS);
  • Attaches an external script (currently harmless) to Websites users visit;
  • Reports the content of some Websites users visit back to Alexa – including Google searches over HTTPS and some search results.

It’s this last that Kotowicz describes as “evil”: URLs and extracted page information travelled to widgets.alexa.com as plain text over HTTP.

Then there’s the configuration files. As Kotowicz writes: “upon installation (and then periodically) [the 1Button extension] requests and processes two config files.

“[The] first file defines what HTTPS sites can be inspected. The second file defines URL patterns to watch for, and XPath expressions to extract content being reported back to Alexa. The files are fetched from these URLs:

  • http://www.amazon.com/gp/bit/toolbar/3.0/toolbar/httpsdatalist.dat
  • http://www.amazon.com/gp/bit/toolbar/3.0/toolbar/search_conf.js

“Yes. The configuration for reporting extremely private data is sent over plaintext HTTP. WTF, Amazon?”

He posted exploit code at GitHub, an action that was sufficient to persuade Amazon to repair one flaw: data is now sent over HTTPS instead of HTTP.
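The two plaintext channels described above (the configuration files fetched over HTTP, and page data reported to widgets.alexa.com over HTTP) are exactly the kind of thing an outbound proxy log can surface. The following is an added example, not code from the article, from Kotowicz or from Amazon: it scans constructed proxy log lines and flags both channels. The log format (timestamp, client, method, URL, status), the report path on widgets.alexa.com and the `url` query parameter carrying the visited page are assumptions made for the example; the two configuration URLs are the ones quoted in the article.

```python
"""Audit proxy logs for the plaintext 1Button channels described in the article.

Added example; assumes a simple 'timestamp client METHOD url status' log format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Configuration URLs quoted in the article. Any fetch of these over http:// is
# a finding: an unauthenticated channel for the rules that decide what to inspect.
CONFIG_URLS = {
    "http://www.amazon.com/gp/bit/toolbar/3.0/toolbar/httpsdatalist.dat",
    "http://www.amazon.com/gp/bit/toolbar/3.0/toolbar/search_conf.js",
}
# Host the article names as the plaintext reporting destination.
REPORTING_HOSTS = {"widgets.alexa.com"}


@dataclass
class Finding:
    client: str
    kind: str              # "config-over-http" or "report-over-http"
    url: str
    leaked: Optional[str]  # page URL carried in a report, when recoverable


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def audit(lines: List[str]) -> List[Finding]:
    """Return a Finding for every plaintext config fetch or plaintext report."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlsplit(rec["url"])
        if parsed.scheme != "http":
            continue  # HTTPS requests are not the issue raised in the write-up
        if rec["url"] in CONFIG_URLS:
            findings.append(Finding(rec["client"], "config-over-http", rec["url"], None))
        elif parsed.hostname in REPORTING_HOSTS:
            # Assumption: the reported page URL travels in a 'url' query parameter.
            leaked = parse_qs(parsed.query).get("url", [None])[0]
            findings.append(Finding(rec["client"], "report-over-http", rec["url"], leaked))
    return findings


def by_client(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Count findings per client and kind, for triage of affected machines."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        summary.setdefault(f.client, {}).setdefault(f.kind, 0)
        summary[f.client][f.kind] += 1
    return summary


# Constructed sample log: one client with the pre-fix extension, one post-fix.
SAMPLE_LOG = """\
2013-07-15T10:00:01Z 10.0.0.7 GET http://www.amazon.com/gp/bit/toolbar/3.0/toolbar/httpsdatalist.dat 200
2013-07-15T10:00:02Z 10.0.0.7 GET http://www.amazon.com/gp/bit/toolbar/3.0/toolbar/search_conf.js 200
2013-07-15T10:00:05Z 10.0.0.7 GET https://www.google.com/search?q=payroll 200
2013-07-15T10:00:06Z 10.0.0.7 GET http://widgets.alexa.com/report?url=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dpayroll 200
2013-07-15T10:01:00Z 10.0.0.9 GET https://www.amazon.com/gp/bit/toolbar/3.0/toolbar/search_conf.js 200
"""


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f.client, f.kind, f.url, "leaked:", f.leaked)
    print(by_client(audit(SAMPLE_LOG.splitlines())))
```

On the constructed sample the client 10.0.0.7 produces two config-over-http findings and one report-over-http finding whose recovered payload is the HTTPS Google search, while 10.0.0.9, fetching the configuration over HTTPS, produces none. The same scan is a reasonable starting point for any extension that pulls its inspection rules from a remote server: the interesting question is not only what is reported, but whether the rules deciding what to report can be altered in transit.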

Amazon Chrome 1Button Permission Screenshot

Check your permissions: why would you click ‘yes’?

However, the extent of the data captured by the button suggests it’s far more invasive than is necessary for a shopping button. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/15/amazon_button_leaked_user_traffic/

Oz Green’s plans exempt some phone metadata from warrants


Australia’s debate about warrantless access to telecommunications metadata has been heated of late, fuelled by revelations that just about anyone can access such records. Even local councils have been named in the federal Attorney-General’s department’s Annual Report (PDF) as having looked up phone data.

Rural newspapers like the Wyndham Weekly have noted that the requests aren’t being made to catch organised criminals or beat terrorists but, as the Weekly puts it, “to catch litterbugs and owners of unregistered pets”.


Nor was Wyndham the only local government to play the telecommunications records game: Bankstown Council in NSW received four authorisations in 2011-2012.

The council-level snooping was not made under Section 313 of the Telecommunications Act – the provision notoriously used by the Australian Securities and Investments Commission to block Websites – but rather under the Telecommunications (Interception and Access) Act 1979. That Act allows requests for “existing documents” – such as call records – rather than for wiretaps.

The response of Greens Senator Scott Ludlam to such requests is the Telecommunications Amendment (Get a Warrant) Bill 2013, which would amend the last-mentioned Act so that metadata requests can’t be made without a warrant.

But The Reg can reveal one provision of the Bill will still allow warrantless metadata requests, namely tracking missing persons.

Vulture South knows the power of such requests from personal experience: when a person known to a co-author disappeared, police’s ability to quickly determine whether the missing person’s mobile phone was on meant the search could be focused. Detection of the phone brought comfort to relatives. Combined with sightings, the search was quickly and positively resolved.

Ludlam’s office was aware that the interception provisions of the Act already allow for warrantless requests to find missing persons, and when it drafted the Get a Warrant Bill it made sure that provision stayed. Plenty of people will be happy about those warrantless requests.

But Ludlam’s office also acknowledged that some missing people don’t want to be found. Such folk are probably as ticked off about warrantless metadata searches as those who prompted Ludlam to pen his bill. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/14/local_government_plays_the_snoop_game_in_oz/

Go ahead, Asia, have a look in your Dropbox… We DARE you


The Chinese hacking crew that made headlines worldwide after a high-profile series of attacks against the New York Times last year has returned with assaults against South East Asia, at least according to threat intelligence firm Cyber Squared.

The latest attacks are unusual because instead of using standard tactics such as spear phishing, they feature a malicious document delivered via Dropbox.


The innocent-looking Word document contains a malicious embedded custom backdoor that interacts with a WordPress blog used as the command-and-control channel by the hackers.

The attackers have simply registered for a free Dropbox account, uploaded a document that contains embedded malware, and then publicly shared it with their targeted users.

The shift in tactics offers benefits for cyberspies because it means that victims are less likely to realise they are even under attack.

Many organisations are not scrutinising web traffic to services such as WordPress or Dropbox, which are far less likely to raise alarm bells than unexplained links to IRC chat servers in China, for example. As an added bonus, malware can be distributed via essentially anonymous accounts on Dropbox, so attackers are less likely to be traced.

How it works

The malicious documents deliver a backdoor called Yayih using a Flash exploit, as a blog post by Cyber Squared on the attack explains. Yayih has previously been associated with other APT-style attacks.

After the malware has placed copies of itself in the victim’s PC’s systems folders, it contacts a hacker-controlled WordPress blog, which also contains links to other blogs containing coded instructions for compromised zombie drones.

“Traditionally attackers compromise their midpoint infrastructure – such as web servers and SMTP relays – to launch and maintain their targeted attacks,” Adam Vincent, chief exec of Cyber Squared, explained.

“In this case, the attacker used Dropbox to distribute the malware and WordPress for first-stage command and control. This represents a shift from existing methods where attackers leverage their own infrastructure to directly spear-phish and interact with their victims.”

Political motivations?

The attack appears to be targeted at individuals and organisations associated with commerce and trade within the Association of Southeast Asian Nations (ASEAN) member nations.

“One of the documents used in the attack (the decoy document) was a US-ASEAN business council internal memo,” Vincent explained. “The document that was opened when the victim clicked on the malicious attachment was a decoy document so the user was unaware that they had been compromised.

“This suggests the recipients would likely have an interest in, or an affiliation with the ASEAN [so] most likely [would be] individuals or representatives of regional member nations.

“The ASEAN itself, as well as many of the associated regional member nations, would be of strategic diplomatic, economic, or military interest to China,” he added.

The ASEAN is an international, non-governmental, geo-political and economic association that represents the interests of 10 south-east Asian countries. Cyber Squared reckons a Chinese hacking crew is to blame.

“Based on threat intelligence of this particular threat developed within ThreatConnect.com, it is highly likely that this activity is part of the same Chinese APT threat group that compromised the New York Times for several months during the fall of 2012 and again in the spring of 2013,” the security intelligence firm concludes.

“This incident reinforces that Comment Crew, aka APT1, is not the only Chinese Advanced Persistent Threat (APT) group using web-enabled content as a command and control technique to interact with their victim’s hosts.”

Vincent told El Reg: “Anyone within ASEAN would have been fair game.”

The Dropbox ASEAN hackers are thought to be based in Beijing and are sometimes known as the DNSCalc gang, the researchers claim. The group has targeted media organisations in the Philippines and other victims in the region before.

The more famous APT1 crew has been linked to a PLA division based in the suburbs of Shanghai.

Rob Kraus, a director of research at managed security services firm Solutionary, said Cyber Squared’s findings illustrate the need for Dropbox and WordPress to develop a “process for taking down or disabling accounts if they are identified as malware/APT CC hosts”.

It came from the CLOUD

The abuse of cloud-based systems by malware authors and cyberspies itself comes as no great surprise, according to Kraus.

“Cloud infrastructure has been used to host malware content used in conjunction with droppers and downloader components for malware for some time,” Kraus explained.

“Regardless of whether or not this is an APT or standard mass-distributed malware, it is not a real surprise the attackers are using legitimate infrastructure and cloud computing to accomplish their goals.”

Cyber Squared reached its findings based on data from its ThreatConnect community, a collaborative cyber intelligence exchange whose members include government agencies, banks, non-profits, and manufacturers in various industries. The exchange – run by Cyber Squared and akin to a neighbourhood watch scheme – collects, analyses and shares threat intelligence. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/12/apt_crew_abuse_dropbox_hit_se_asia/

New draft cybersecurity law: US Senate hits ctrl-alt-del, reboot


The US Senate has started circulating a revised draft cyber-security law following failed attempts to pass a similar bill last term.

The proposed dictum, produced by the committee for commerce, science and transportation and backed by committee head Jay Rockefeller (D, W Va) and ranking member John Thune (R, SD), is another try at setting up voluntary computer security standards for critical industries.


Specifically, the paperwork calls on the president to “[enhance] the security and resiliency of public and private communications and information networks against cyber attack by nation-states, terrorists, and cyber criminals”. It also demands more research and development in computer security defences, more sharing of software vulnerability information, more done to tackle identity theft, and you get the gist.

Rockefeller is expecting the draft act to be debated by the committee later this month, sources told The Hill blog and Reuters.

The proposed cyber-law follows President Obama’s executive order last year that compelled federal agencies to develop guidelines for safeguarding power, water and other critical infrastructure from hackers. The new bill asks the Commerce Department’s National Institute of Standards and Technology (NIST) to come up with a similar set of voluntary standards and best practices.

Previous iterations of the bill were held up by Senate Republicans, who didn’t like a provision that would have given the Department of Homeland Security the authority to enforce mandatory electronic security standards. Rockefeller and other backers said making the standards mandatory was necessary to thwart hackers, but the Republicans saw it as unnecessary overregulation.

Rockefeller’s bill is part of a raft of legislation that’s moving through various government bodies in different parts, after the single comprehensive bill brought to the Senate in Obama’s previous term failed to get through. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/12/senate_critical_infrastructure_cybersecurity_bill/

Screw it, says NSA leaker Snowden: I’m applying for asylum in Russia


Cornered NSA whistleblower Edward Snowden has surfaced in Moscow’s Sheremetevo International Airport – and he’s seeking temporary asylum in Russia.

Snowden, who blew the lid off the Americans’ mass surveillance of the planet’s internet, previously requested asylum in the country, but withdrew it after President Vladimir Putin said that would only be possible if the leaker stopped harming the US (he must “cease his work aimed at inflicting damage on our American partners”, as the ex-KGB officer put it).


But it was revealed during a press conference today that the whistleblower has again applied for political asylum in Moscow to avoid extradition to the States.

Snowden sat before the media alongside representatives from WikiLeaks, Amnesty and Human Rights Watch in the airport where he has been in hiding for weeks.

The American government, seeking to capture the ex-spook contractor, has been lobbying countries to turn away Snowden, and cancelled his passport shortly before he travelled between Hong Kong and Moscow on 23 May.

The US authorities are also suspected of incorrectly warning European nations that Snowden was onboard the presidential jet of Bolivian premier Evo Morales as it flew over Austria from Russia last week.

That rumour prompted officials to ground the aircraft in Vienna and search the plane for Snowden. Morales’ private jet was en route from an energy conference in Moscow to his home in La Paz, Bolivia. In addition, the US has preemptively filed extradition requests to countries considering offering Snowden a bolt-hole.

Nicaragua, Venezuela and Bolivia all said they would offer asylum to the NSA leaker in the wake of the Bolivian president’s plane inspection, which ignited indignation among left-leaning Latin American governments. That still leaves the problem of how he might reach South American soil without passing through either US or a friendly nation’s airspace.

Snowden and his team reckon the only way he can guarantee his safety for now, before attempting to obtain asylum in Latin American countries, is to gain temporary asylum in Russia. Snowden’s physical security in his precarious position ultimately depends on keeping the Russians on-side, so the move makes sense, it would seem.

Disappointingly, there was no word from the press conference on what Snowden made of smoking-hot though ineffective former Russian spy-turned-TV-presenter/model Anna Chapman’s marriage proposal, which would presumably involve a more permanent stay in Russia. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/12/snowden_temp_asylum_russia/

‘New’ document shows how US forces carriers to allow snooping


Post-Snowden sensitivities to American spookery have been further inflamed after Australian website Crikey revealed a document that it says is a contract between the Federal Bureau of Investigation, the US Department of Justice and submarine cable operator Reach that allows the US entities to tap Reach’s cables for national security purposes.

The document (PDF) is making waves because it is easy to verify: it is dated November 29th, 2001, and bears the signatures of Deputy Assistant Attorney General John G Malcolm and FBI General Counsel Larry R. Parkinson. A web search quickly produces little reason to doubt their signatures are genuine, while this document (PDF) appears to be a superset of the one Crikey found and looks decently official. Another signatory, Alex Arena of Reach’s half-owner Pacific Century CyberWorks (PCCW), also likely worked for that company at the time.

But it’s also easy to find documents that carry identical terms and conditions, such as this one (PDF) signed by carrier TerreStar.

We can therefore set aside any conclusion that the documents represent new revelations into the US spookery apparatus. But they remain of interest, for two reasons.

The first is that at the time the deal was signed, Reach was half-owned by Australia’s dominant Telstra, which at the time had the government of Australia as its majority shareholder. The document therefore represents, if one looks at it in just the right way, one government giving another the right to inspect traffic and store data carried by an entity it owns. Throw in the fact that Australia’s government of the day was a very, very, firm US ally and things get even more interesting.

The second notable element is that the document offers more detail about how the USA’s intelligence agencies go about their business.

The TerreStar document is text and the Reach document is a scan, so in the name of authenticity it’s best if we bring you screen grabs of its contents rather than transcribing it. If you want to verify the text, the TerreStar document gives you the chance to do so.

Here’s a telling clause on data retention:

Article 2.1

Article 2.1 (b) of the document

Here’s an example of what the FBI and DoJ expected Reach would “have the ability to provide in the United states,” if and when asked nicely.

Article 2.3

Article 2.3, clauses (d) and (e)

There’s even a reporting requirement in case some other pesky government makes a monitoring request.

Reach Article 3.4

Little seems to have changed between the signing of the Reach document in 2001 and the 2009 date on the TerreStar document.

In these post-Snowden times, it’s not hard to suggest the document looks like another smoking gun for those building a case that US snooping knows no bounds and no shame. Throw in the fact that the Reach document was signed just weeks after 9/11 and conspiracy-lovers may get even foamier, although the missing signature from Telstra may cool that ardour. A sounder conclusion could be that this is more or less a pro forma document, albeit a pro forma that confirms the US is peering into all sorts of stuff.

One last thing to consider: PCCW now operates UK Broadband, provider of the Now wireless broadband service. We’re sure its customers will be interested to know its owner has form signing up for snooping charters. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/12/us_forced_submarine_cable_operator_to_allow_snooping/

Feds BANNED from DEF CON by founder (who is Obama’s cyber-expert)


DEF CON 21: Jeff Moss – the US government security advisor who founded the DEF CON hacking convention – has urged federal agents to stay away from the conference next month.

For the first time in the annual event’s 20-year history, g-men and spooks have been made unwelcome. Exactly how effective the request will be remains to be seen.


Moss’s anti-invitation was laid out in a note posted on the DEF CON website titled Feds, We Need Some Time Apart. And it reads like a text from someone who has realised an acquaintance they invite to a big blowout party every year has either been stealing from their stash or been especially mean to their other friends*:

For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a “time-out” and not attend DEF CON this year.

This will give everybody time to think about how we got here, and what comes next.

The Dark Tangent

Moss, aka Dark Tangent, was appointed to the US government’s Homeland Security Advisory Council by President Obama in 2009, and is chief security officer for internet overlord, ICANN. He also founded the DEF CON and Black Hat computer security conferences, both regularly held in Las Vegas, Nevada.

It’s presumed Moss’s warning was in part sparked by recent revelations about the NSA and its monitoring of the world’s internet connections – see the bootnote below. Feds are welcome to turn up to the top hacking conventions, provided they’re transparent about it and can put up with a little ribbing from attendees. But perhaps in light of recent events, the presence of any g-men could spoil the atmosphere.

Among the security experts and hacker types who have reflected on the DEF CON blog post, some think the ban won’t be enforced and the invitation is purely for show; others think it’s a sensible move towards defusing potential antagonism that might otherwise spoil the whole event for everyone.

“I wonder if this means that the Feds will be escorted out of DEF CON, like those reporters who fail to register themselves as such,” mulled Jeremiah Grossman, founder and CTO of WhiteHat Security, in a Twitter update.

Robert Graham of Errata Security has a characteristically thoughtful blog post supporting the cooling off move.

“A highly visible fed presence is likely to trigger conflict with people upset over Snowden-gate,” Graham wrote. “From shouting matches, to physical violence, to ‘hack the fed’, something bad might occur. Or, simply attendees will choose to stay away. Any reasonable conference organizer, be they pro-fed or anti-fed, would want to reduce the likelihood of this conflict.

“The easiest way to do this is by reducing the number of feds at DEF CON, by asking them not to come. This is horribly unfair to them, of course, since they aren’t the ones who would be starting these fights. But here’s the thing: it’s not a fed convention but a hacker party. The feds don’t have a right to be there — the hackers do. If bad behaving hackers are going to stir up trouble with innocent feds, it’s still the feds who have to go.”

Tor developer and longtime NSA critic Jacob Applebaum called on other conferences to follow suit. “I hope ‪#OHM2013‬ makes a statement similar to ‪#DefCon‬ – the feds and cops won’t follow it but saying it sets expectations,” he said in a Twitter update.

Applebaum’s post is a reference to OHM2013: Observe. Hack. Make. which is due to take place between 31 July and 4 August in Amsterdam, the Netherlands.

BSides and Black Hat events will also be held in Vegas in the run-up to this year’s DEF CON. Federal agents are welcome at both of these conferences, at least at the time of writing. In fact the opening day keynote at Black Hat is due to be delivered by General Keith Alexander, the head of the NSA. DEF CON is due to start the day after, running from 1 to 4 August at the Rio Hotel and Casino.

Vegas promises to be action all the way over the next few weeks. ®

Bootnote

* For “stealing from their stash” read “tapping into their email spools and browsing their web history via the PRISM programme”. And for “been especially mean to their other friends”, perhaps read “the controversial prosecution of Andrew ‘weev’ Auernheimer over the AT&T iPad hack case and/or the prosecution of Aaron Swartz in a separate case that some blame for the internet activist’s suicide”.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/12/defcon_bans_feds/