STE WILLIAMS

MoD and tech, arms giants start super-duper cyber fight club

The UK Ministry of Defence has enlisted the help of nine weapons firms, tech companies and telcos to beef up the country’s cyber defences and fend off hacking and other attacks.

The alliance, aptly named the Defence Cyber Protection Partnership (DCPP), will share intelligence on the threats that the government and firms are facing.


“This is a clear demonstration that government and industry can work together – sharing information, experience and expertise – to make sure we do everything we can to protect these critical networks, ensuring that the business of defence is robustly protected,” said Philip Dunne, the minister for defence equipment, support and technology.

Cyber criminals subject government and industry networks in Blighty to around 70 sophisticated attacks every month, 15 per cent of which are aimed at the defence sector, spook centre GCHQ has said.

The government is hoping that the new alliance will “act as a useful template” to be followed by the commercial sector as well. It said that the DCPP would focus on three areas this year, “increasing awareness of cyber risks across the supply chain, defining risk-driven approaches to applying cybersecurity standards and sharing threat intelligence”.

The companies involved are BAE Systems, Lockheed Martin, HP, BT, Thales, Cassidian, CGI, Selex and Rolls Royce. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/05/uk_gov_defence_cyber_partnership/

Anti-PRISM Trojan explodes over Jay-Z fans

Fans of rapper Jay-Z who thought they’d grabbed hold of an app granting them access to an early release of his new album Magna Carta Holy Grail have found themselves on the receiving end of an anti-PRISM Android Trojan designed to slurp all their data, according to security researchers. It is not yet clear if the data-stealing functionality is being used by the malware-flingers, however.

The malicious code poses as a real app released through the official Google Play store and designed to mark the recent release of Magna Carta Holy Grail. The legit version is exclusively available on Samsung devices.


The malicious (pirated) version of the software, discovered on unofficial Android app sites by researchers at McAfee, starts a service called “NSAListenerService” which surreptitiously uploads data from compromised devices every time the phone restarts. It’s also programmed to download additional malware components every time it phones home.

Yesterday, on the 4th of July, the malware broke cover. Android-AntiObscan is programmed to change the infected device’s wallpaper to an image of Barack Obama wearing headphones under a banner of “YES WE SCAN” along with the sub-headline “We are watching you”.

The image is a reference to the “YES WE CAN” iconic first-term election posters used by the Obama campaign. The whole set-up goes even further back to the era of old-school politically motivated malware, reminiscent of a more innocent time before cybercrooks and state-sponsored cyberspies dominated the malware landscape.

However the mobile application is still designed to steal information from compromised devices, so it’s perhaps too early to dismiss its activity as a harmless political prank, security researchers warn.

“What we have here appears at first glance to be old-school politically-motivated malware, designed to make a point and spread a message rather than necessarily make money for its creators,” writes independent anti-virus expert Graham Cluley.

“However, the fact that McAfee claims that some information is shared with a third-party server and the malware downloads additional code does raise alarm bells.

“The official Play store, governed by Google, hasn’t been entirely successful at keeping malware out in the past – but it is certainly a safer place to get your apps than some of the third-party unofficial Android marketplaces out there,” Cluley added.

McAfee researcher Irfan Asrar adds: “The image and the service name NSAListener suggest a hacktivist agenda, but we haven’t ruled out the possibility that additional malware may target financial transactions or other data.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/05/antiprism_android_trojan/

Credit card donations to WikiLeaks restored as Mastercard breaks ranks

Mastercard has broken ranks with other payment providers such as PayPal and Visa and begun allowing payments to WikiLeaks.

Visa, MasterCard, PayPal, the Bank of America and Western Union all suspended payment processing for WikiLeaks days after the site began publishing leaked US diplomatic cables in November 2010. The decision aroused the ire of hacktivist collective Anonymous which launched denial of service attacks against the websites of Mastercard, Visa et al in retaliation.


In April WikiLeaks and DataCell won a lawsuit against Valitor, the Icelandic partner for Visa and MasterCard, for breach of contract over blocking WikiLeaks’ donations at the behest of credit card firms and other financial giants. The Icelandic Supreme Court ordered Valitor to recommence processing donations to WikiLeaks. Damages, if any, will be decided by a separate ongoing legal action.

According to Wikileaks, Valitor complied and reopened its payment gateway while giving notice it intended to terminate its contract on 1 July. In the meantime it sought the opinions of MasterCard International and Visa. Mastercard said it no longer wished to continue with the block against WikiLeaks, while Visa is yet to respond.

In response, Valitor reportedly changed its mind about terminating its contract and decided to continue processing payments to WikiLeaks through DataCell indefinitely. We asked Valitor to comment on these changed circumstances and will update this story as and when we learn more.

Donations by credit cards to WikiLeaks can be made through https://paygate.datacell.com. Bank transfers have always been an option but payments through PayPal, Western Union and Bank of America remain blocked. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/05/wikileaks_credit_card_donations_restored/

EU crackdown will see tougher sentences for stupid cyber-badhats

The European Parliament has agreed to toughen criminal penalties across the EU for cyber attacks, especially any that threaten national infrastructure or are deemed to be aimed at stealing sensitive data.

The new directive forces the 28 member states to impose national maximum sentences of at least two years in prison for trying to break into any information systems. But if the attack is against a critical infrastructure network, like a power plant, transport or government network, the maximum penalty jumps to at least five years, higher than most member states currently have in force. Maximum sentences also go up to at least three years for botnet attacks or cyber intrusions that result in financial costs or loss of personal data.


“I am pleased that formal approval has been reached on new rules concerning the definition of criminal offences and the sanctions in the area of cybercrime,” the EU commish for home affairs Cecilia Malmström said. “The perpetrators of increasingly sophisticated attacks and the producers of related and malicious software can now be prosecuted, and will face heavier criminal sanctions.”

But security bods aren’t so sure that upping the jail time is the right way to go about defeating cybercrime. Etay Maor, fraud prevention manager at security firm Trusteer, said that governments needed to be aware that the people behind cyber attacks like botnets were often nowhere near the actual attack.

“Unfortunately, in most cases the people who get caught are the money mules (that may not even be aware they are committing a crime) and not the bot masters or ring leaders,” he said. “To apprehend these masterminds, law enforcement agencies will need to have cooperation with local agencies all around the world.

“This is not an easy task, and cyber-criminals know this. This is why they usually reside in a country where they will stay safe from most western governments.”

The directive is also trying to improve communication and cooperation between law enforcement in European countries. According to the new rules, member states will be under an obligation to answer urgent requests from each other within eight hours and will be required to collect basic statistical data on cybercrimes.

“Together with the launch of the European Cybercrime Centre and the adoption of the EU Cyber-security Strategy, the new Directive will strengthen our overall response to cybercrime and contribute to improve cyber security for all our citizens,” Malmström said.

Individual countries will have two years to input the decision into national law. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/05/eu_tougher_sentences_for_hackers/

UK data cops to Google: You’ve got three months to sort out privacy

Google has been ordered by Britain’s data watchdog to make changes to its privacy policy within the next three months, or else face a possible fine for failing to comply with the Data Protection Act.

The Information Commissioner’s Office said late on Thursday:


We have today written to Google to confirm our findings relating to the update of the company’s privacy policy. In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act.

In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.

The ICO said that Google needed to make its privacy policy “more informative” for its users and warned that, if it failed to do so, the ad giant could be leaving itself “open to the possibility of formal enforcement action.”

Last month, data authorities in France ruled that Google had breached the country’s Data Protection Act, and ordered Mountain View to comply with the law within three months or else face sanctions.

At the same time, data watchdogs in the UK, Spain, Germany, Italy, and the Netherlands also launched enforcement actions against Google.

France’s Commission Nationale de l’Informatique et des Libertés (CNIL) was tasked by Brussels’ Article 29 Working Party with investigating Google’s controversial privacy policy changes in March 2012. In April this year it found that the ad giant had not implemented any “significant compliance measures.”

Google was not immediately available for comment at time of writing. It previously told The Register that its “privacy policy respects European law”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/05/ico_threatens_to_fine_google_over_privacy_policy_tweaks/

Cryptocat WIDE OPEN, new version a must

The encrypted online chat service Cryptocat is urging users to install a new version, following the revelation that its encryption could be cracked by brute force.

In its announcement, Cryptocat says the vulnerability existed in the way key pairs were generated. It claims that the bug existed in any 2.0 version prior to 2.0.42, a period of seven months.


Steve Thomas, who has published his own description of the bug, gives the issue a longer lifetime, saying his Decryptocat software “cracks the ECC public keys generated by Cryptocat versions 1.1.147 through 2.0.41” – from October 2011 to June 2013. And while Cryptocat has thanked him for his input, his assessment is less polite: “Cryptocat is run by people that don’t know crypto, make stupid mistakes, and not enough eyes are looking at their code to find the bugs.”

His lengthy critique goes on: “The bug that lasted 347 days was the confusion between a string and an array of integers. This made the ECC private keys ridiculously small because they passed a string of decimal digits into a function expecting an array of 17, 15 bit integers. Each character was considered an element in the array. So each of those “15 bit integers” were only the values 0 to 9 (3.32 bits). Also the least significant 3 bits are zeroed giving you a key space of 2*10^16 (2^54.15).”
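The string-versus-array confusion Thomas describes, and the key-space figure he derives from it, can be reproduced in a few lines. This is an added example, not Cryptocat's code or Thomas's: packLoose, packStrict and keySpace are hypothetical names, and the least-significant-first limb order is an assumption.

```javascript
// Added illustration; every name here is hypothetical, not Cryptocat's code.
const LIMBS = 17;      // "an array of 17, 15 bit integers"
const LIMB_BITS = 15;
const LIMB_MAX = (1 << LIMB_BITS) - 1;

// Loosely typed packer: trusts that limbs[i] is a 15-bit integer. A string of
// decimal digits is indexable too, so it is accepted and each character
// becomes one "limb" that can only hold 0..9.
function packLoose(limbs) {
  let key = 0n;
  for (let i = 0; i < LIMBS; i++) {
    const limb = BigInt(Number(limbs[i]) & LIMB_MAX);
    key |= limb << BigInt(LIMB_BITS * i); // assumption: limb 0 is least significant
  }
  return key & ~7n; // least significant 3 bits zeroed, as in the quote
}

// Hardened packer: refuses anything that is not exactly 17 in-range integers,
// so a string can never reach the packing step.
function packStrict(limbs) {
  if (!Array.isArray(limbs) && !(limbs instanceof Uint16Array)) {
    throw new TypeError("private key material must be an array of integers");
  }
  if (limbs.length !== LIMBS) {
    throw new RangeError(`expected ${LIMBS} limbs, got ${limbs.length}`);
  }
  for (const v of limbs) {
    if (!Number.isInteger(v) || v < 0 || v > LIMB_MAX) {
      throw new RangeError("limb out of 15-bit range");
    }
  }
  return packLoose(limbs);
}

// Number of distinct keys when every limb independently takes one of
// `limbValues` and the low 3 bits of limb 0 are cleared.
function keySpace(limbValues) {
  const lowLimb = new Set(limbValues.map((v) => v & ~7));
  return BigInt(lowLimb.size) * BigInt(limbValues.length) ** BigInt(LIMBS - 1);
}

// log2 of a key-space size; both sizes used below convert to Number exactly.
const bits = (n) => Math.log2(Number(n));

const DIGITS = Array.from({ length: 10 }, (_, v) => v);          // string input
const FULL = Array.from({ length: LIMB_MAX + 1 }, (_, v) => v);  // intended input

console.log("digit-string key space:", keySpace(DIGITS), "=", bits(keySpace(DIGITS)).toFixed(2), "bits");
console.log("intended key space:    ", bits(keySpace(FULL)).toFixed(0), "bits");
```

With digit characters as limbs, the low limb collapses to two values after the 3-bit mask and the other sixteen take ten values each, which is where the 2*10^16 figure comes from.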

The bug only applied to group chats, Cryptocat asserts, not one-on-one chats, and its SSL keys were not compromised.

“For some reason, there are rumors that our SSL keys were compromised. To the best of our knowledge, this is not the case. All Cryptocat data still passed over SSL, and that offers a small layer of protection that may help with this issue. Of course, it does not in any way save from the fact that due to our blunder, seven months of conversations were easier to crack,” the group says. “We are continuing in the process of auditing all aspects of Cryptocat’s development.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/04/cryptocat_wide_open_new_version_a_must/

INVASION of the UNDEAD ANDROIDS: Hackers can pwn ‘nearly all’ devices

A four-year-old Android bug could be used to plant malware on 99 per cent of Android devices on the market, according to security researchers.

Bluebox Security CTO Jeff Forristal said the vulnerability in Android’s security model creates a means for hackers to modify an Android app’s APK code without breaking its cryptographic signature.


This means that any legitimate application – even those afforded elevated privileges by the device manufacturer – could be turned into a malicious Trojan before being offered for download. The difference between the two would not be readily detectable by either the smartphone or the app store – much less an end user.

The security weakness has been around at least since the release of Android 1.6 (codename: “Donut”) in September 2009, according to Bluebox. It offers the potential for all manner of malfeasance – from data theft (due to elevated privileges of dodgy apps which the phone thinks are legitimate), up to and including the creation of a massive zombie mobile botnet.

Bluebox has worked with Google in identifying the issue, which will take a firmware update on affected devices to resolve, as a blog post by the mobile security startup explains.

The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature.

All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.

Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013. It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question.

More technical details of the issue, along with related material, are due to be released by Bluebox as part of Forristal’s upcoming presentation at Black Hat USA, which is pencilled in for 1 August.

Noted mobile security experts such as Charlie Miller are taking the issue seriously, while remaining keen to defer judgment pending the release of more information. However there doesn’t seem to be an immediate need to put Android smartphones in the nearest available fridge until software updates become available.

Tech blog GigaOM notes that Google recently banned Google Play Store apps from updating outside the Play update mechanisms (see Dangerous Products section here). “It has also fixed its Play Store security mechanisms, that should keep most users safe,” writes analyst David Meyer in an updated blog post on the issue.

So the vulnerability is more of a risk for users who take advantage of third-party Android app marketplaces, a widespread practice. Nonetheless, the flaw is “less dangerous than it initially seemed,” Meyer concludes.

Righard Zwienenberg, senior research fellow at anti-malware firm ESET, said that getting patches onto phones even after Google pushes out an update promises to become a headache.

“The biggest problem for consumers is the enormous number of old phones running Android that are still in use, for which the operators will not release a new version,” Zwienenberg said.

“I’d estimate that at least a third of phones still run the very popular, but outdated, Gingerbread Android platform. Regardless of whether Google releases patches for these versions, the phones will remain vulnerable. More recent models, like the Samsung Galaxy S3, Galaxy S4 or the HTC One, will most likely be patched. But the question is when? Even if Google is updating the stock Androids, manufacturers and operators also need to be involved to ensure all-round protection,” commented Zwienenberg.

“Different obfuscation techniques can be deployed to bypass Google Security spotting it and getting malicious code via Play Store on the phone. And once downloaded onto a phone these can create havoc for the user and their phone bill,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/04/android_master_key_vuln/

Patriot hacker ‘The Jester’ attacks nations offering Snowden help

Soi-disant patriot hacker “The Jester” is taking aim at nations seen as offering aid and comfort to NSA sysadmin turned whistleblower Edward Snowden.

The Jester claimed responsibility for taking down a government-run Ecuadorian tourism site and the email server of the Ecuadorian stock exchange on Monday, before turning his attention to other potential targets.


“en.ecuador.travel – TANGO DOWN – Because fuck you Equador – Harboring Assange and hoping to give asylum to #snowden,” the contra-hacktivist said in a Twitter update.

Snowden applied for asylum to 20 countries in Latin America, Asia and Europe earlier this week. An additional request to apply for asylum in Russia was withdrawn after President Putin said he should stop “harming our American partners” as a pre-condition for a possible asylum request in Russia. Ecuador granted Snowden temporary travel documents that allowed him to travel between Hong Kong and Moscow two weeks ago but has since cooled on the possibility of offering asylum.

Several other countries rejected the possibility of granting Snowden asylum outright, while European nations mostly said that asylum requests can only be made by people physically in their territories, so further narrowing Snowden’s options.

After Venezuela emerged as a likely candidate for refuge for Snowden, The Jester turned his attention towards the South American country.

“There’s 52 VENEZUELEN Government servers visible to the internet, including 27 email servers. Who knew? http://goo.gl/5kh2i,” he tweeted.

The Jester is known for denial of service attacks against Jihadist recruitment websites as well as his antipathy towards Wikileaks in general, and founder Julian Assange (still lurking in Ecuador’s London embassy) in particular. The Jester claimed responsibility for knocking Wikileaks servers offline back in late 2010, shortly after it began the controversial release of US State Department cables.

“As jihadis groom Muslims online to commit acts against us, so [Julian Assange] grooms government personnel like [Army private and accused leaker Bradley] Manning and Snowden to do his dirty work,” the Jester told FoxNews.com. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/07/04/patriot_hacker_takes_aim_snowden_asylum_candidates/