STE WILLIAMS

Cisco issues IronPort patch


Cisco has issued patches for vulnerabilities in IronPort AsyncOS, the software that runs its e-mail security appliances, covering denial-of-service and command injection problems.

The vulnerability, described in Cisco's advisory, exposed several IronPort components. Its web framework would allow an authenticated remote user to execute arbitrary commands with elevated privileges.


“An authenticated but unprivileged attacker could exploit this vulnerability by sending a crafted URL to the affected system, or by convincing a valid user to click on a malicious URL. A successful exploit could allow an attacker with sufficient knowledge to take complete control of the affected device,” Cisco notes.

Cisco also notes that the IronPort spam quarantine and the management GUI are both vulnerable to denial-of-service attacks. The spam quarantine mishandles TCP connection requests arriving at a high rate, while the GUI can be knocked over by DoS attacks on its HTTP and HTTPS listeners.

Cisco has patches available for affected software. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/28/cisco_issues_ironport_patch/

Facebook fix a bounty boon for researcher


A Facebook bug that would allow attackers to take over user accounts with minimal effort has netted $US20,000 for a UK-based security researcher.

As detailed on his blog, Jack Whitten, writing as fin1te, found that accounts could be taken over by exploiting a bug in how Facebook linked user accounts to mobile phones. When a user confirms the code sent to a phone, the request carries a profile_id parameter that the client can edit, and Whitten showed it could be changed to another user's id.


“The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to,” he writes.

Facebook accepted the verification code sent to the attacker's phone together with the victim's profile_id, so the victim's account ended up linked to the attacker's phone number. Whitten then requested a password reset for the target account, received the password-change prompt on his own phone, and took over the account.

According to Whitten’s account, Facebook fixed the flaw five days after he reported it. The fix is simple enough: “Facebook responded by no longer accepting the profile_id parameter from the user,” he writes.
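The bug class here is an insecure direct object reference: the server trusts a client-supplied account identifier instead of the one bound to the session. The following is an added example, not fin1te's code or anything from Facebook, that models the confirm_phone.php flow in memory. Account ids, the phone number, the "database" dictionaries and the handler names are all constructed for the demonstration. The fixed handler is slightly stricter than the fix Whitten describes: rather than silently ignoring profile_id, it rejects a value that disagrees with the session, so tampering shows up in logs.

```python
"""Added example (not fin1te's or Facebook's code): a toy model of the
confirm_phone.php bug and its fix. Account ids, phone numbers and the
in-memory "database" are constructed for the demonstration."""
import secrets

ATTACKER, VICTIM = 1001, 2002      # constructed account ids
ACCOUNTS = {}                      # account id -> linked phone number (or None)
PENDING_CODES = {}                 # verification code -> phone it was sent to


def reset_state():
    ACCOUNTS.clear()
    ACCOUNTS.update({ATTACKER: None, VICTIM: None})
    PENDING_CODES.clear()


def send_verification_code(phone):
    """Model of the SMS step: a fresh 6-digit code is tied to the phone it went to."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[code] = phone
    return code                    # in reality only the phone's owner sees this


def confirm_phone_vulnerable(session_user, form):
    """Vulnerable handler: links the number to whatever profile_id the client sent.
    session_user is never consulted, which is the whole bug."""
    phone = PENDING_CODES.pop(form["code"], None)
    if phone is None:
        raise PermissionError("unknown or already-used code")
    target = int(form["profile_id"])          # attacker-controlled
    ACCOUNTS[target] = phone
    return target


def confirm_phone_fixed(session_user, form):
    """Fixed handler: the account comes from the authenticated session only.
    A client-supplied profile_id that disagrees with the session is rejected
    outright rather than silently ignored, so tampering is visible in logs."""
    if "profile_id" in form and int(form["profile_id"]) != session_user:
        raise PermissionError("profile_id does not match session")
    phone = PENDING_CODES.pop(form["code"], None)
    if phone is None:
        raise PermissionError("unknown or already-used code")
    ACCOUNTS[session_user] = phone
    return session_user


def sms_reset_reaches(profile_id, phone):
    """Model of the takeover step: a password reset by SMS goes to the linked number."""
    return ACCOUNTS.get(profile_id) == phone


def run_attack(handler, attacker_phone="+44 7700 900123"):
    """Attacker requests a code for their own phone, then submits it with the
    victim's id. Returns True if a reset for the victim would now reach the attacker."""
    reset_state()
    code = send_verification_code(attacker_phone)
    try:
        handler(session_user=ATTACKER, form={"code": code, "profile_id": str(VICTIM)})
    except PermissionError:
        pass
    return sms_reset_reaches(VICTIM, attacker_phone)
```

Run `run_attack(confirm_phone_vulnerable)` and `run_attack(confirm_phone_fixed)` to see the difference; the same pattern applies to any endpoint that takes an account, order or document id from the request body when the session already identifies the caller.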

“The bounty assigned to this bug was $20,000, clearly demonstrating the severity of the issue,” he concluded. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/28/facebook_fix_a_bounty_boon_for_researcher/

Privacy activists sue FBI for access to facial recognition records


The Electronic Frontier Foundation has filed a suit against the Feds to force the bureau to reveal information about its planned biometrics database.

The EFF said that it had submitted three Freedom of Information Act requests to the FBI last year to try to get info on the database and the agency’s use of facial recognition, but hadn’t received any answer.


The law enforcement agency is busily beefing up its Next Generation Identification (NGI) database, which will include biometric information like iris scans, palm prints, face-recognition-ready pics and voice data, adding to its existing database of fingerprints for law enforcement agencies across the US.

“NGI will result in a massive expansion of government data collection for both criminal and noncriminal purposes,” EFF attorney Jennifer Lynch said in a canned statement.

“Biometrics programmes present critical threats to civil liberties and privacy. Face-recognition technology is among the most alarming new developments, because Americans cannot easily take precautions against the covert, remote, and mass capture of their images.”

The pressure group is asking a California court to enforce the FOIA requests and force the Feds to hand over info on the face-recognition programme, including information on the reliability of the technology and details of the FBI’s plans to merge “civilian” and criminal records into one database.

Lynch, who has also testified before the US Senate on the privacy implications of facial recognition tech, said that public debate was needed before the G-Men were allowed to expand their surveillance powers – and that debate was only possible once the public were informed about the programme.

According to the EFF, the FBI hasn’t updated its Privacy Impact Assessment since 2008, well before it started on the new system and signed with several states for early roll-out of the programme. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/27/eff_sues_fbi_over_biometrics_database_info/

Secret US spy court lets Microsoft, Google reveal their petitions


America’s most secret court will allow Google and Microsoft to reveal details of their legal battle to lift a gag order preventing them from disclosing how much data they give to spooks.

The tech giants want the right to tell the world exactly how much information they hand over to spies and have demanded the secretive Foreign Intelligence Surveillance Act (FISA) Court lifts a gagging order preventing them from doing so.


Both Microsoft and Google are fighting to clear their names after it was alleged they gave agents working on the National Security Agency’s PRISM programme full access to their servers – a claim the pair flatly deny. The tech giants insist they only hand over data when a specific legal request is made, backed up by a court order, which is very different from simply giving spooks an unlocked back door into their systems.

Normally, any FISA case would be cloaked in secrecy. But according to tech site CNET, Reggie Walton, presiding judge of the court, told US President Barack Obama he will allow both firms to disclose “procedural information” about their case.

John Carlin, acting assistant attorney general for national security, also told the website that neither firm's legal filings "contain information that is now classified, nor information that should be held under seal", the two objections that would allow the Justice Department to demand the case be heard in secret.

Google and Microsoft want to reveal the number of requests made under Section 702 of the FISA Amendments Act, which was passed in 2008 and allows the court to approve plans to spy on foreign targets, as long as reasonable steps are taken to make sure the surveillance programme does not focus on American citizens.

Judge Walton has given the Justice Department until 9 July to respond to Google and Microsoft's requests; the two firms then have until 16 July to reply.

Microsoft said spooks had made 6,000 to 7,000 requests for information, while Google received 8,438 requests. However, both firms want the right to be more specific about who made the requests, allowing them to tell the public how many were for regular criminal matters – like information on missing people or suspected paedophiles – and how many were surveillance requests made under FISA legislation.

Meanwhile, as Microsoft and Google fight to clear their names, the man who put them into hot water in the first place is still on the run in Russia, where he is thought to be hiding out in an airport awaiting a flight to Ecuador.

Perhaps in a bid to stave off American fury at the fact they allowed Edward Snowden to leave Hong Kong on a jet plane, the island’s authorities have claimed US agents got the whistleblower’s middle name wrong on documents demanding his arrest.

Hong Kong’s justice secretary, Rimsky Yuen, claimed the Americans had not even bothered to put Snowden’s passport number on the documentation, while giving him the middle name James, rather than Joseph.

Latest reports suggest that the US has revoked Snowden’s passport, which, if he is still in Russia, would strand him beyond the legal reach of furious US spooks. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/27/google_microsoft_fisa/

Dancing Sepp Blatter on ‘World Cup site’ creates security flap


The appearance of an animated Sepp Blatter dancing on what appeared to be a World Cup website caused confusion in anti-virus circles on Tuesday.

Tweets such as “Brazil 2014 website hacked to show a dancing Sepp Blatter on the home page http://www.fifa-brazil-2014.com” were forwarded to El Reg‘s security desk, sports subsection early on Tuesday.

The dancing-figure "trick" is one commonly used on phishing and clickjacking pages, and could perhaps be seen as a skewed tribute to the Fifa president.

“Looking at the source code I wouldn’t be surprised if it flagged some heuristics-based scanners,” Martijn Grooten, anti-spam test director at Virus Bulletin, told El Reg.

Independent security researcher Darrel Rendell noted concerns about the WHOIS and hosting provider of the dancing Sepp site.

However Rik Ferguson, VP of security research at Trend Micro, was able to rule out foul play. “It’s not a hack but a clever viral marketing campaign using a typo-squatted domain,” Ferguson explained.

The official site is: http://www.fifa.com/worldcup/index.html and the campaign site is: http://www.fifa-brazil-2014.com (beware: there’s a cheesy soundtrack and Blatter boogies to the sound of kettle drums).

“It was done through a private domain registration through DomainsbyProxy, though it’s pretty clear who registered it,” Ferguson added.

The launch of the viral marketing campaign coincides with street protests across Brazil against the amount of funds poured into building World Cup facilities, while basic public services remain rudimentary. The dancing Blatter merchants appear to be linked to people running an online campaign for a "fair" World Cup in Brazil next year. ®
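Ferguson's verdict rested on one observation: the host is not fifa.com or anything under it, it is a separately registered domain that merely contains the brand. That check is easy to automate. The block below is an added example, not code from the article or from Trend Micro; it uses a tiny constructed suffix table in place of the full Public Suffix List and a substring match on the brand word, so very short brand names will produce false positives.

```python
"""Added example (not from the article or any vendor): a lookalike-domain check
for hostnames that trade on a brand name, as fifa-brazil-2014.com did with fifa.com.
A small constructed suffix table stands in for the full Public Suffix List."""

# Constructed: a few public suffixes, enough for the demonstration.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.br"}


def registrable_domain(host):
    """Return the part of host the registrant actually owns, e.g. 'fifa.com' for
    'www.fifa.com' or 'bbc.co.uk' for 'news.bbc.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                          # longest known suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def classify(host, brand_domain):
    """Classify a hostname relative to a brand's real registrable domain.

    'official'  : host is the brand domain or a subdomain of it
    'lookalike' : the brand word appears in a domain someone else registered
    'unrelated' : the brand word does not appear at all
    """
    brand_reg = registrable_domain(brand_domain)
    brand_word = brand_reg.split(".")[0]      # 'fifa'
    if registrable_domain(host) == brand_reg:
        return "official"
    # Check every label, so both 'fifa-brazil-2014.com' and 'fifa.com.evil.net' trip.
    for label in host.lower().split("."):
        if brand_word in label:
            return "lookalike"
    return "unrelated"
```

A "lookalike" result is a reason to pull WHOIS and hosting details, as Rendell did, not a conviction on its own: legitimate partners and fan sites register brand-bearing domains too.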


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/27/dancing_sepp_wc_site_silliness/

Opera network cracked


Opera is giving users the standard upgrade advice after a successful attack on its network allowed evil-doers to copy a software-signing certificate.

As a result, they could sign malware so that it appeared to come from Opera.


In this blog post, Opera’s Sigbjørn Vik explains that the software company identified and halted the attack on June 19. Although it’s confident that “there is no evidence of user data being compromised … the attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware.”

Opera believes the impact is limited to "a few thousand Windows users" who may have automatically received and subsequently installed the malware. Opera directs users to VirusTotal for an overview of which packages will detect the malware.

In spite of the reassuring tone of the post, Sophos’ Paul Ducklin notes that the attackers apparently managed to upload at least one malicious file back into Opera’s servers.

Opera says it is now working to ship an update of its browser, and advises users to install it as soon as it becomes available. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/27/opera_network_cracked_cert_stolen/

Think you’re streaming Superman? Think again, punk


Miscreants have begun abusing SlideShare, the web-based slide hosting service, to run movie stream scams supposedly offering a sneak peek at hot new films such as Man of Steel, Monsters University and zombie post-apocalypse action flick World War Z.

Numerous spam accounts have gone live on SlideShare in recent days, promoting “streaming sites” with reviews and previews of the latest hit movies, according to Chris Boyd, a senior threat researcher at ThreatTrack Security. Typically these accounts punt supposed links to streaming sites, whose ultimate destination is disguised through the use of URL shortening services.


In reality the links to streaming sites point to image files, including screenshots of the caption that normally precedes a movie, such as "The following film has been approved for all audiences", presumably in a bid to trick marks into thinking they're about to see Superman in all his glory.

Users are encouraged to create an account at the spamvertised streaming site, a process that involves jumping through numerous hoops, but with no reward at the end.
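The shortener is what hides the fact that the "stream" is a PNG. The added example below, which is not ThreatTrack's code, follows a redirect chain hop by hop and reports what the final URL actually serves. The fetcher is injected so the block runs offline against a constructed response table modelled on the scam; a real run would pass a function that issues HTTP HEAD requests instead.

```python
"""Added example (not ThreatTrack's code): follow a shortened-link redirect chain
and report where it really ends. The fetcher is injectable so the sample runs
offline against constructed responses; a real run would pass a function that
issues HEAD requests. Hostnames and paths below are made up."""
from urllib.parse import urljoin

# Constructed redirect chain modelled on the scam: shortener -> "streaming site"
# -> a PNG screenshot of the "approved for all audiences" card, plus a loop.
FAKE_RESPONSES = {
    "http://sho.rt/abc": (301, {"Location": "http://stream-hd-now.example/mos"}),
    "http://stream-hd-now.example/mos": (302, {"Location": "/img/approved.png"}),
    "http://stream-hd-now.example/img/approved.png": (200, {"Content-Type": "image/png"}),
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}


def fake_head(url):
    """Stand-in for an HTTP HEAD request: returns (status, headers), 404 if unknown."""
    return FAKE_RESPONSES.get(url, (404, {}))


def resolve_chain(url, head=fake_head, max_hops=10):
    """Follow 3xx redirects from url. Returns the hop list, the final URL, the final
    Content-Type and a verdict string; loops and long chains are reported, not followed."""
    hops, seen = [url], {url}
    while len(hops) <= max_hops:
        status, headers = head(hops[-1])
        location = headers.get("Location")
        if 300 <= status < 400 and location:
            nxt = urljoin(hops[-1], location)   # Location may be relative
            if nxt in seen:
                return {"hops": hops, "final": nxt, "content_type": None,
                        "verdict": "redirect loop"}
            seen.add(nxt)
            hops.append(nxt)
            continue
        ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
        verdict = "image, not a video stream" if ctype.startswith("image/") else "ok"
        if status >= 400:
            verdict = f"dead link (HTTP {status})"
        return {"hops": hops, "final": hops[-1], "content_type": ctype or None,
                "verdict": verdict}
    return {"hops": hops, "final": hops[-1], "content_type": None,
            "verdict": "too many redirects"}
```

Expanding every shortened link before clicking is the one habit that defeats this whole class of spam; the same function, fed a real HEAD client, also catches chains that end at an executable download rather than a picture.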

“The ultimate aim seems to be having fans of the touted movies signing up to subscription based movie streaming services, though there is some question as to what content these sites contain if the main thrust of this spam is for movies that aren’t legally available online yet,” Boyd told El Reg. “Most likely it’s out of control affiliates attempting to drive traffic to the sites, whether the advertised movies are there or not.”

“We’ve not seen anything in the way of surveys, mobile sign-ups or anything else yet,” he added.

ThreatTrack has also recorded spam documents on SlideShare that are little more than fake video boxes with a play button, which send users off to blogs advertising free rugby and other spam accounts promoting a variety of streaming sites and services.

The whole scam is explained in a blog post (featuring numerous screenshots) by Boyd here.

Cybercrooks are essentially using SlideShare as an avenue for movie spam scams of a type that has long been prominent on YouTube. The change of venue is already bearing fruit for miscreants, according to Boyd.

“The original account promoting the Man of Steel “stream” has just over 700 views after four hours between his three uploads, so there’s certainly an audience for it. In fact, the spam uploads are themselves attracting more spam, in the form of comments all jostling to sell you their movie streams,” Boyd explained.

“Thankfully SlideShare allows users to report documents that they feel shouldn’t be on there, so it’s entirely possible this spam run will walk smack bang into its very own form of Kryptonite,” he concluded. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/27/slideshare_movie_spam_scam/

Report: Android malware up 614% as smartphone scams go industrial


While the mobile industry is still deciding if there’s a market for two, three, or four smartphone operating systems, mobile malware writers have picked their target and are flocking to Android, according to the latest annual security report data from Juniper Networks.

The company’s Mobile Threat Center has analyzed nearly two million mobile applications over the last year and seen the number of dodgy Android apps rise from 38,689 in Q1 2011 to 276,259 a year later.

Part of this 614 per cent rise comes from the cratering state of Symbian, BlackBerry, and Windows Phone sales, but the shift to Android comes mainly from the operating system’s prevalence and Apple’s tight control of iOS apps.

“Apple does a really good job with checking apps,” Michael Callahan, vice president of global security at Juniper told The Register. “Google does a good job with the Play store as well, but there are hundreds of third-party Android apps stores. They’re enticing because you think ‘I can get this app for free’ and they don’t realize it’s malware.”

Apple users will typically only go to the official store for apps, he said, although there is an increased risk for iPhone users who have decided to jailbreak their handsets. But the further geographically you get from the US, the more Android users are going to look to local stores for their applications.

Unfortunately, some of these stores are hosting malware. China leads the pack with 173 storefronts allowing dodgy code; Russia is a close second at 132 hosts, and the US third with 76 dangerous sites. But there’s a strong language bias towards English – if you’re after apps in German or Dutch, the number of infected app stores drops to 16 and 13 respectively on world markets.

Easy money

The most typical form of malware seeks to send SMS messages to premium rate lines, yielding an average of $10 per infection, the report states. But that can add up to a pretty chunk of change, and because the laws governing premium-line repayments are so outdated it’s easy money, Callahan said – the culprit is long gone with the cash before the carrier realizes it has been scammed.

There’s also a focus on mobile banking as a lucrative target. Mobile malware like ZeuS-in-the-Mobile is proving ever-more popular and third-party mobile wallet systems aren’t immune to cracking, with near-field communications opening up a new attack window, Juniper warns.
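The premium-SMS family Callahan describes has a recognisable shape before it ever runs: an app with no messaging purpose that asks to send SMS, receive SMS (to swallow the carrier's confirmation text) and start at boot. The block below is an added example, not Juniper's tooling; the manifest is constructed, and the permission combinations and findings are this example's own triage heuristics rather than any published standard. Real APKs carry the manifest as binary XML, so in practice the text would come from apktool or androguard first.

```python
"""Added example (not Juniper's code): first-pass triage of an Android manifest for
the premium-SMS profile. The manifests below are constructed; the heuristics are this
example's own, not a standard. Decode binary manifests (apktool/androguard) first."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SEND, RECV, BOOT = ("android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                    "android.permission.RECEIVE_BOOT_COMPLETED")
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest for a "wallpaper" app that wants to send and read SMS and
# to run at boot, i.e. the toll-fraud profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freewallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Free Wallpapers">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def parse_manifest(xml_text):
    """Return (set of requested permissions, whether a max-priority SMS_RECEIVED
    receiver exists). Such a receiver runs before the stock SMS app and can abort
    the broadcast, hiding premium-service confirmation texts from the user."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    hides_sms = any(
        _attr(f, "priority") == "2147483647"
        and any(_attr(a, "name") == SMS_RECEIVED for a in f.iter("action"))
        for f in root.iter("intent-filter")
    )
    return perms, hides_sms


def triage(xml_text, declared_category):
    """List findings for an app given its manifest and its store category."""
    perms, hides_sms = parse_manifest(xml_text)
    findings = []
    if SEND in perms and declared_category != "messaging":
        findings.append("SEND_SMS with no messaging purpose (premium-rate fraud risk)")
    if {SEND, RECV} <= perms:
        findings.append("sends and receives SMS: can confirm premium subscriptions silently")
    if hides_sms:
        findings.append("max-priority SMS_RECEIVED receiver: can hide confirmation texts")
    if BOOT in perms and findings:
        findings.append("starts at boot, so the behaviour persists across reboots")
    return findings
```

On a third-party store with no review process this is roughly the level of check a user never gets; on a device, the same permissions are visible at install time, which is why the "free app" lure works.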

The report also spotted increasingly successful botnet software for smartphones. In December 2012, the Tascudap Trojan began spreading on handsets, setting up regular pings to command and control servers at a domain registered as gzqtmtsnidcdwxoborizslk.com. Once a device is infected, the C&C system can upload attack code as needed and probe any enterprise network the handset is connected to.

“It’s the very early stages of starting to do reconnaissance from a mobile device to understand the vulnerabilities of a network,” Callahan said. “This is the same movie that played on the desktop. With an open-access Trojan they get to see what the privileges are, they escalate through, and ultimately can steal whatever they want to steal.”
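Two things in that description are detectable from the network side without knowing the malware: the check-ins arrive at a fixed interval, and the domain looks machine-generated. The block below is an added example, not Juniper's code, that runs both checks over a constructed resolver log. The domain name is the one the article cites; the 300-second interval, the log format, the client addresses and the timestamps are invented for the demonstration, and the thresholds are illustrative rather than tuned.

```python
"""Added example (not Juniper's): beacon-interval and DGA-style checks over a
constructed DNS resolver log. Log format, clients, timestamps and the 300 s
interval are made up; only the domain name comes from the article."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+)$")

# Constructed resolver log: one handset (10.0.0.7) looks up a random-looking
# domain every ~300 s; another host (10.0.0.9) browses normally.
SAMPLE_LOG = """2013-06-25T09:00:00 client=10.0.0.7 query=gzqtmtsnidcdwxoborizslk.com
2013-06-25T09:05:00 client=10.0.0.7 query=gzqtmtsnidcdwxoborizslk.com
2013-06-25T09:10:01 client=10.0.0.7 query=gzqtmtsnidcdwxoborizslk.com
2013-06-25T09:15:00 client=10.0.0.7 query=gzqtmtsnidcdwxoborizslk.com
2013-06-25T09:20:00 client=10.0.0.7 query=gzqtmtsnidcdwxoborizslk.com
2013-06-25T09:03:12 client=10.0.0.9 query=www.theregister.co.uk
2013-06-25T09:11:47 client=10.0.0.9 query=www.google.com
2013-06-25T09:12:02 client=10.0.0.9 query=www.google.com
2013-06-25T09:40:30 client=10.0.0.9 query=www.theregister.co.uk"""


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_generated(fqdn, min_len=12, min_entropy=3.5):
    """Heuristic DGA check on the second-level label: long, high-entropy, vowel-poor.
    Naive label choice: 'co.uk'-style suffixes would need a public suffix list."""
    label = fqdn.lower().split(".")[-2]
    vowels = sum(ch in "aeiou" for ch in label)
    return (len(label) >= min_len and shannon_entropy(label) >= min_entropy
            and vowels / len(label) < 0.3)


def parse_log(text):
    """Group lookup timestamps by (client, qname)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname = m.groups()
            events[(client, qname.lower())].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text, min_lookups=4, max_jitter=0.05):
    """Flag (client, qname) pairs whose lookups are evenly spaced: the spread of the
    inter-arrival gaps is within max_jitter of the mean gap."""
    findings = []
    for (client, qname), times in parse_log(text).items():
        if len(times) < min_lookups:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        spread = max(gaps) - min(gaps)
        if mean > 0 and spread / mean <= max_jitter:
            findings.append({"client": client, "qname": qname,
                             "interval_s": round(mean),
                             "dga_like": looks_generated(qname)})
    return findings
```

Real malware adds jitter to its sleep timer precisely to defeat the spread test, so in production the jitter threshold is loosened and the DGA score is weighted more heavily; the point of pairing the two is that a handset resolving an unpronounceable domain on a schedule is worth a look regardless of what the app claims to be.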

Annual trends in mobile malware

Deck the phones with sprigs of malware

The report’s data also shows a surprising sophistication in the mobile malware market release schedule. Malware activity plateaus in the summer months, but then rises sharply over the Christmas period to coincide with the busiest season for smartphone purchases.

“During those months people are getting new devices and they’re all excited – they’re on the hunt for apps,” Callahan explained. “We see that malware developers know they have a customer that’s going to be looking, so they put a lot of product out there. Between November and February there’s a lot of malware out there for people who are going to be looking for new applications.”

Firm data on the malware writers themselves is difficult to come by, but Callahan said it was “not that big a jump” to assume that the traditional players in the PC malware industry were simply applying their methods to the mobile market. There are some new players in the mobile field, however, that hadn’t been seen before.

The update problem

Android's pivotal problem is the fractured nature of its market, Callahan said. The Gingerbread 2.3 build is still the most widely used Android version, and it lacks crucial protections.

Over three quarters of the current malware out there could be blocked if handsets were running the latest Android build, the survey found. Even if hardware restrictions make running the higher levels of the OS impossible, then some sort of basic security patch should be possible for older operating systems, he suggested.

Android's fragmentation was a point Tim Cook was keen to make earlier this month at WWDC. Cook claimed iOS 6 was the world's most popular mobile OS, since 93 per cent of Apple users were updated, and he twisted the knife with some pointed stats on Apple developers' revenue per app as well.

El Reg hasn’t heard from Google on the report’s findings, but Callahan said the Chocolate Factory is better than some at fixing problems on the latest builds as they come up. Distributing those fixes to older systems looks to be an issue that Google will have to address. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/26/android_malware_bloom_security_updates/

StoreOnce: HP issues patch


HP has advised The Register that a patch is now available for its StoreOnce storage systems.

Yesterday, we reported that a blogger with the handle Technion had identified an undocumented administrator account in some of its StoreOnce systems. He had also posted the hash of the password associated with the HPSupport account.


Technion had complained, in strong terms, that HP had been unresponsive to his attempts to notify it of the vulnerability.

The vendor has now contacted The Register with the following statement:

“HP identified a potential security issue with older HP StoreOnce models. This does not affect StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings.

“HP takes security issues very seriously and is working actively on a fix. A customer security bulletin is available here.”

The advisory notes that while the HPSupport account does not offer access to data backed up on the system, it does allow the system to be reset to factory defaults.

In all, twenty variants of its StoreOnce backup systems are affected by the bug, running software versions 2.2.17 or older and 1.2.17 or older. ®
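An undocumented, password-bearing account with a shell is exactly what a routine appliance audit should surface, whether or not the vendor has got round to a bulletin. The block below is an added example, not HP's or Technion's code: it flags login-capable accounts that are not in a documented allow-list and weak hash formats on any such account. The passwd and shadow excerpts, the account list and the hash strings are constructed placeholders; the hash shown is not the one Technion published. On a real box the same logic runs over `getent passwd` and `/etc/shadow` (root needed), or over a mounted firmware image.

```python
"""Added example (not HP's or Technion's code): audit for login-capable accounts an
appliance's documentation does not mention, of the kind HPSupport was. The passwd
and shadow contents are constructed; the hashes are placeholders."""

# Constructed /etc/passwd and /etc/shadow excerpts from an imaginary appliance.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
Admin:x:1000:1000:Appliance admin:/home/Admin:/bin/bash
HPSupport:x:1001:1001:Support:/home/HPSupport:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin"""

SHADOW = """root:!:15900:0:99999:7:::
daemon:*:15900:0:99999:7:::
sshd:*:15900:0:99999:7:::
Admin:$6$constructed$placeholderhashAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:15900:0:99999:7:::
HPSupport:$1$constructed$placeholderhashBBBBBBBBBBB:15900:0:99999:7:::
backup:*:15900:0:99999:7:::"""

# What the (constructed) vendor documentation says may log in interactively.
DOCUMENTED_LOGINS = {"root", "Admin"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_colon_file(text):
    """Map the first field (user name) to the full field list for each line."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def can_authenticate(shadow_hash):
    """True if the hash field is a real hash rather than locked (*, !, !!) or empty."""
    return bool(shadow_hash) and not shadow_hash.startswith(("*", "!"))


def audit_accounts(passwd_text, shadow_text, documented):
    """Return findings for accounts that can log in but are undocumented, for
    MD5-crypt hashes on any login-capable account, and for extra uid-0 accounts."""
    passwd, shadow = parse_colon_file(passwd_text), parse_colon_file(shadow_text)
    findings = []
    for name, f in passwd.items():
        uid, shell = int(f[2]), f[6]
        hash_field = shadow.get(name, [name, ""])[1]
        if shell in NOLOGIN_SHELLS or not can_authenticate(hash_field):
            continue                      # cannot log in interactively
        if name not in documented:
            findings.append(f"{name}: undocumented login-capable account "
                            f"(uid {uid}, shell {shell})")
        if hash_field.startswith("$1$"):
            findings.append(f"{name}: MD5-crypt password hash, cheap to crack offline")
        if uid == 0 and name != "root":
            findings.append(f"{name}: uid 0 alias of root")
    return findings
```

The shell test matters: an account with a locked hash but a valid shell is harmless today and one `passwd` away from not being, and SSH key-based logins bypass the shadow file entirely, so a complete audit also walks every `authorized_keys` file.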


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/26/storeonce_hp_issues_patch/

A simple SSL tweak could protect you from GCHQ/NSA snooping


An obscure feature of SSL/TLS called Forward Secrecy may offer greater privacy, according to security experts who have begun promoting the technology in the wake of revelations about mass surveillance by the NSA and GCHQ.

Every SSL connection begins with a handshake, during which the two parties in an encrypted message exchange perform authentication and agree on their session keys, through a process called key exchange. The session keys are used for a limited time and deleted afterwards. The key exchange phase is designed to allow two users to exchange keys without allowing an eavesdropper to intercept or capture these credentials.


Several key exchange mechanisms exist but the most widely used mechanism is based on the well-known RSA algorithm, explains Ivan Ristic, director of engineering at Qualys. This approach relies on the server’s private key to protect session keys.

“This is an efficient key exchange approach, but it has an important side-effect: anyone with access to a copy of the server’s private key can also uncover the session keys and thus decrypt everything,” Ristic warns.

This capability makes it possible for enterprise security tools – such as intrusion detection and web application firewalls – to screen otherwise undecipherable SSL encrypted traffic, given a server’s private keys. This feature has become a serious liability in the era of mass surveillance.

GCHQ have been secretly tapping hundreds of fibre-optic cables to tap data, The Guardian reported last week, based on documents leaked to the paper by former NSA contractor turned whistleblower Edward Snowden. The NSA also carries out deep packet inspection analysis of traffic passing through US fibre optic networks.

Related revelations show that the NSA applies particular attention – and special rules – to encrypted communications, such as PGP-encrypted emails and SSL encrypted messages. Captured data should really be destroyed within five years, unless it consists of “communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis”, according to the terms of a leaked Foreign Intelligence Surveillance Court order.

The upshot is that intelligence agencies are collecting all the traffic they can physically capture before attempting to snoop upon encrypted content, where possible. These techniques are currently only practical for intelligence agencies but this may change over time – and those interested in protecting privacy need to act sooner rather than later, Ristic argues.

“Your adversaries might not have your private key today, but what they can do now is record all your encrypted traffic,” Ristic explains. “Eventually, they might obtain the key in one way or another – for example, by bribing someone, obtaining a warrant, or by breaking the key after sufficient technology advances. At that point, they will be able to go back in time to decrypt everything.”

The Diffie–Hellman protocol offers an alternative to RSA for key exchange. Used with fresh (ephemeral) values for every connection it is slower, but the session keys it produces cannot be recovered just by knowing the server's long-term private key, a property called Forward Secrecy.

“Breaking strong session keys is clearly much more difficult than obtaining servers’ private keys, especially if you can get them via a warrant,” Ristic explains. “Furthermore, in order to decrypt all communication, now you can no longer compromise just one key – the server’s – but you have to compromise the session keys belonging to every individual communication session.”

Someone with access to the server’s private key can perform an active man-in-the-middle attack and impersonate the target server. However, they can do that only at the time the communication is taking place. It is not possible to pile up mountains of encrypted traffic for later decryption. So, Forward Secrecy still creates a significant obstacle against industrial scale snooping.
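The difference Ristic describes can be shown end to end in a few dozen lines. The block below is an added example, not Ristic's or Qualys's code: it runs a toy RSA key transport and a toy ephemeral Diffie-Hellman exchange, records each transcript, then plays the adversary who obtains the server's private key afterwards. The RSA modulus (p=61, q=53) and the DH group (modulus 2^255-19, generator 2) are demonstration values only, the key derivation is a plain hash, and the server's signature over the DH values is omitted because it does not affect the recorder's position.

```python
"""Added example (not Ristic's or Qualys's code): a toy comparison of RSA key
transport and ephemeral Diffie-Hellman against a passive recorder who later obtains
the server's private key. The RSA key and DH group are demonstration values, not
anything usable in a real TLS stack."""
import hashlib
import secrets

# Toy RSA server key: p=61, q=53, n=3233, e=17, d=2753.
SERVER_RSA_PUB = (3233, 17)
SERVER_RSA_PRIV = (3233, 2753)

# Toy DH group (illustrative only): a large prime modulus with generator 2.
DH_P = 2**255 - 19
DH_G = 2


def session_key(premaster):
    """Both sides derive the session key the same way; the premaster is the secret."""
    return hashlib.sha256(b"toy-kdf" + str(premaster).encode()).hexdigest()


def rsa_handshake(premaster):
    """RSA key transport: the client encrypts the premaster to the server's public key.
    Returns (recorded transcript, client's key, server's key)."""
    n, e = SERVER_RSA_PUB
    assert 0 < premaster < n
    ciphertext = pow(premaster, e, n)
    transcript = {"kex": "RSA", "encrypted_premaster": ciphertext}
    n, d = SERVER_RSA_PRIV
    server_premaster = pow(ciphertext, d, n)
    return transcript, session_key(premaster), session_key(server_premaster)


def recover_from_rsa(transcript, server_priv):
    """The recorder, holding the server key years later, decrypts the old handshake."""
    n, d = server_priv
    return session_key(pow(transcript["encrypted_premaster"], d, n))


def dhe_handshake():
    """Ephemeral DH: each side picks a fresh exponent, sends g^x, and discards x.
    Only the public values are on the wire; the server would sign them with its
    RSA key for authentication, which is omitted here."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"kex": "DHE", "client_public": A, "server_public": B}
    client_key = session_key(pow(B, a, DH_P))
    server_key = session_key(pow(A, b, DH_P))
    del a, b                       # ephemeral exponents are not kept
    return transcript, client_key, server_key


def recover_from_dhe(transcript, server_priv, budget=100_000):
    """The same recorder against a DHE transcript: the server key never protected the
    session secret, so the only route is a discrete log, tried here by brute force up
    to `budget` exponents. Returns the key if found, else None."""
    A, B = transcript["client_public"], transcript["server_public"]
    acc = 1
    for a in range(1, budget + 1):
        acc = acc * DH_G % DH_P    # acc == g^a
        if acc == A:
            return session_key(pow(B, a, DH_P))
    return None
```

The asymmetry is the whole argument: one server key unlocks every recorded RSA-transport session, whereas each DHE session would need its own discrete-log solution, and nothing the server holds shortens that work.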

SSL supports Forward Secrecy using two key exchange mechanisms: ephemeral Diffie-Hellman (DHE) and its elliptic-curve variant (ECDHE). The main obstacle to using Forward Secrecy has been that DHE is significantly slower, leading many website operators to disable it in order to get better performance.

"In recent years, we've seen DHE fall out of fashion. Internet Explorer 9 and 10, for example, support DHE only in combination with obsolete DSA keys," Ristic explains, adding that ECDHE is a bit faster than DHE but still slower than RSA. In addition, ECDHE algorithms are relatively new and not as widely supported in web server software packages.

The vast majority of modern browsers support ECDHE. Website admins who add support for the encryption technique would help the majority of their privacy-conscious customers and adding DHE allows Forward Secrecy to be offered to the rest.

A blog post by Ristic explains how to enable Forward Secrecy on SSL web servers, as well as explaining why the technique benefits privacy and noting its limitations.

“Although the use of Diffie-Hellman key exchange eliminates the main attack vector, there are other actions a powerful adversary could take,” Ristic warns. “For example, they could convince the server operator to simply record all session keys.”

“Server-side session management mechanisms could also impact Forward Secrecy. For performance reasons, session keys might be kept for many hours after the conversation had been terminated.

“In addition, there is an alternative session management mechanism called session tickets, which uses separate encryption keys that are rarely rotated – possibly never in extreme cases.

“Unless you understand your session tickets implementation very well, this feature is best disabled to ensure it does not compromise Forward Secrecy,” Ristic concludes.

Ristic founded SSL Labs, a research project to measure and track the effective security of SSL on the internet. He has over time worked with other security luminaries such as Taher Elgamal, one of the creators of the SSL protocol, and Moxie Marlinspike, creator of Convergence, to tackle SSL governance and implementation issues and promote best practice.

Whether sysadmins switch to more privacy-friendly key exchange methods in spite of performance drawbacks is by no means sure, but publicising the issue at least gives them the chance to decide for themselves. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/26/ssl_forward_secrecy/