STE WILLIAMS

Domain registrar attacked, customer passwords reset

Reports are emerging that Internet registrar Name.com has suffered a data breach and is resetting all user passwords.

The breach has been revealed in an e-mail to customers published by TheNextWeb, stating that compromised information could include usernames, e-mail addresses, passwords and credit card information – the last two of which were, however, encrypted.


The company has confirmed the attack in a tweet, later backing that up with news that it had used RSA 4096-bit encryption, and that the private keys required to decrypt the encrypted data were stored in a separate, remote location that wasn’t compromised. Similarly, the EPP domain transfer keys were also remotely stored and not accessed.

The company believes the security breach was “motivated by an attempt to gain information on a single, large commercial account at Name.com”.

“As a response to these developments, and as a precautionary measure, we are requiring that all customers reset their passwords before logging in. If you use your previous Name.com password in other online systems, we also strongly recommend that you change your password in each of those systems as well”, the company has said in its notification e-mail. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/09/name_dot_com_data_leak/

India introduces Central Monitoring System

Privacy advocates are up in arms after the Indian government began quietly rolling out a Rs.4 billion (£47.8m) Central Monitoring System (CMS) designed to give the authorities sweeping access to citizens’ phone calls and internet comms in the name of national security.

The scheme is initially thought to have been conceived as a response to the threat of terrorism, such as the 2008 Mumbai attacks which killed over 150 people and injured hundreds more.


However, the CMS will not only be used by law enforcement but also the tax authorities and offers the government a single point of access to “lawfully” intercept voice calls and texts, emails, social media and the geographical location of individuals, Times of India reported.

Unsurprisingly the authorities have been pretty quiet about the scheme, although it is thought to have begun operation last month.

Its activities are backed up by legislation – specifically the Information Technology Act 2000 and its amendments – which allows the government to “intercept, monitor or decrypt” any info “generated, transmitted, received or stored in any computer resource” if security and public order are at risk.

Activists are worried because they claim India’s privacy laws are not strong enough to protect individuals in the face of such potentially invasive powers.

The “StopICMS” campaign blog argued the following:

[Government of India] GoI mainly asks Google to remove defamatory content. Why is that? Security for themselves, in the name of safety of citizens? Content removal requests have increased by 90 per cent from the GoI. 33 per cent of the requests from the GoI are about either hate speech, defamation or government criticism. Therefore, we can conclude that after implementation of ICMS GoI will primarily use it against “hate speeches” and government criticism.

While the concerns regarding monitoring of mobile phone calls are justified, the CMS won’t be able to monitor the private social media conversations of foreign services like Twitter and Facebook without a court order.

That said, the Indian government under PM Manmohan Singh has taken an increasingly uncompromising stance when it comes to online freedoms, with the stated aim usually to preserve social order and national security or fight “harmful” defamation.

In response to bloody sectarian clashes across the country last August it banned the sending of bulk SMS messages and blocked numerous Twitter accounts and content sharing sites.

In August last year it even blocked one of its own websites after a controversial court ruling on defamatory content. According to NGO Freedom House’s Freedom on the Net 2012 report, India remains only “partly free” with a score of 39 – a notable decline from the previous year. By contrast the UK’s score was 25 and the US 12. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/08/india_privacy_woes_central_monitoring_system/

US Department of Defense fingers China as top cyber threat

A new report to Congress by the US Department of Defense (DoD) includes some of the strongest language yet implicating the People’s Republic of China in recent global cyber-attacks.

“In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions,” the report states, “some of which appear to be attributable directly to the Chinese government and military.”


The main purpose of these government-sponsored attacks was to extract information, the report claims, presumably to benefit China’s defense or high-tech industries – although determining which is which can be tricky.

“Differentiating between civil and military end-use is very challenging in China due to opaque corporate structures, hidden asset ownership, and the connections of commercial personnel with the central government,” the report explains.

As a result, the DoD investigators claim, China’s armed forces have directly benefited from the expanding Chinese civilian economy, in which Chinese companies with access to foreign technology in areas such as aerospace, night-vision devices, microwave integrated circuits, and information technologies have transferred their knowledge to the military.

The DoD’s line is in keeping with earlier reports from other government agencies and advisors. For example, in November a Congressional committee found that Chinese state-sponsored actors regularly attempted to exploit sensitive US government and private-sector systems, while in February the White House issued a report claiming that industrial espionage by Chinese actors was at an all-time high.

Private companies, too, have pointed the finger at China. Just last month, Verizon found that where cyber-attacks could be traced back to state-affiliated hackers, China was responsible in 96 per cent of cases.

Concerns over the PRC’s involvement in such attacks have already led to a ban on purchases of Chinese-made IT equipment by federal government agencies, a move that Chinese networking equipment maker Huawei has slammed as “protectionism.”

For its part, the Chinese government has consistently denied any involvement in cyber-attacks against the US and its allies, accusing US government officials of hanging onto a “Cold War mentality” and arguing that China “resolutely opposes internet attacks and has established relevant laws.”

But according to the DoD report, China’s vision for how to prevent cyber-attacks largely revolves around increased state control of internet traffic, where “governments exercise sovereign authority over the flow of information and control of content in cyberspace” – a philosophy shared by Russia, but which the US strongly opposes.

What’s more, the report says, doctrinal writings of the People’s Liberation Army identify “information warfare” as one of the most important aspects of modern combat, with computer network attacks being one key technique in that area.

The report further observes that while China’s officially reported military budget increased to $114bn in 2013, the country’s actual military-related spending in all areas is likely somewhere between $135bn and $215bn.

By comparison, the US’s defense budget for fiscal year 2013 is expected to fall at around $590bn – the part we know about, at least. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/07/us_dod_china_warfare_report/

Google hit by building automation security FAIL

The building housing Google Australia’s lavish Sydney headquarters is running the known-vulnerable Tridium Niagara building management system, and has been compromised by the Cylance researchers who have made Niagara their mission.

The researchers identified the underlying system – QNX on an embedded system – and extracted the admin password from the system’s config file. After that, as the company’s blog post explains, they were able to wander around the control environment pretty much at will.

Billy Rios and Terry McCorkle demonstrate the successful attack by posting the building’s Level 3 layout, water, and air-conditioning systems with the blog post. They also mention an “after hours button” they said they were “afraid to test” because of its hammer symbol in the system (hint: it probably merely activates the doors so people can get out after the doors have been switched off).

The Cylance gents admit that this vulnerability posting – which has been reported to Google – is linkbait in the service of awareness-raising.

[Image: Google's Level 3, Wharf 7 layout] Plumber pr0n: The Level 3 water and HVAC layout of an office inhabited by Google Australia

“At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organizations. Thank you Google for helping us raise awareness on this issue!” they write.

They noted that the Google vulnerability was present because the building in which the company resides was running an older version of the Niagara system, so there’s likely to be a contractor with some explaining to do.

The Tridium kit had a patch in August 2012, after Cylance went public over its vulnerabilities. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/06/google_building_automation_fail/

China’s internet security giant Qihoo planning global domination

Controversial Chinese software vendor Qihoo 360 has its eyes on world domination after controversial founder Zhou Hongyi told the local press he wants to turn the firm into the planet’s biggest web security biz.

Qihoo made its name flogging free AV to bargain-seeking Chinese punters and has since gone on to build a successful business around products in several related areas including web browsing, search and internet portals.


Never one to resist an opportunity to engage in some blatant self promotion, Zhou was quoted in the Changjiang Daily News late last week arguing that just as products made in China are now sold throughout the world, so his firm should take the freemium web security model global.

“Just like made-in-China, we must go out and promote China’s uniquely-innovated free antivirus business model to the world, and make [Qihoo 360] the biggest web security company in the world,” he said (tr TechInAsia).

As to whether he can achieve these ambitious goals, the firm has already managed to overhaul Google in the Chinese search market after only a few short months, thanks in part to replacing the US giant with its own so.360.cn search tool on its popular hao.360.cn directory site.

However, controversy has dogged Qihoo for years. In February 2012 all of its products were kicked off iTunes and a year later the Chinese government slapped the firm with an official warning after alleging unfair competition.

The warning claimed that Qihoo effectively used its security software to trick users into downloading its browser and made the AV software 360 Safeguard particularly difficult to uninstall.

Qihoo has also been accused of deliberately exaggerating the traffic figures for its hao.360.cn portal in a bid to attract more advertisers.

To top things off, the controversial firm recently lost two lawsuits brought by rivals Baidu and Tencent over unfair competition.

With this kind of negative publicity, Zhou will face an uphill task flogging his security software outside of China especially in regions where there is already suspicion of anything hailing from the People’s Republic.

It will also have to displace well-established freemium rivals like Avast, AVG, Avira and Microsoft Security Essentials.

Even local arch rival Baidu recently launched a free English language AV product for Windows, although this was more likely a way of testing the product ahead of a China launch than a serious attempt to crack foreign markets.

Undeterred, however, Qihoo and Zhou will launch a free security product in English later this year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/06/qihoo_security_world_beater/

Redmond probes new IE 8 vulnerability

Microsoft has confirmed a bug in Internet Explorer 8, CVE-2013-1347, which exposes user machines to remote code execution.

In an advisory, Microsoft says the vulnerability “exists in the way that Internet Explorer [accesses] an object in memory that has been deleted or has not been properly allocated.”


That, in turn, opens the door to memory corruption and remote code execution in the current user context.

According to this blog post by Eric Roman: “A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the document and used again during rendering, an invalid memory that’s controllable is used, and allows arbitrary code execution under the context of the user.”

That post also notes that an exploit has been seen in the wild. Last week, security companies AlienVault and Invincea reported that a site on a sub-domain of the US Department of Labor was serving malware, and Roman’s blog post states that it was serving up an attack on the CVE-2013-1347 vulnerability.

According to Invincea, the Department of Labor exploit was installing the Poison Ivy backdoor Trojan.

The venerable version might be using a walking frame to get around, but according to W3counter.com it’s still the second-most widely used version of IE in the wild, which makes it a popular attack vector.

Microsoft is considering whether to issue an out-of-cycle patch for the vulnerability. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/05/zero_day_ie8_vuln/

BlackBerry 10 passes US defence department tests

BlackBerry has secured access to a critical market – the US military – for its new operating system and handsets and version 10 of its Enterprise Service software.

Sighs of relief at the news may well be rattling the windows at BlackBerry’s headquarters, because the company has staked its future on secure messaging. Winning approval for BlackBerry 10 devices to be used on US Department of Defense networks means the company has a chance of winning business at a colossal customer and can also tell world+dog all about its certification whenever it tries to sell secure messaging elsewhere.

The company is, understandably, crowing about the win and its place on the Unified Communications Approved Product List (UCAPL) maintained by the Defense Information Systems Agency. The content of that crowing is a little curious, as a canned statement from Scott Totzke, a senior veep for security at BlackBerry says “This approval will enable DoD customers to connect their BlackBerry Z10 or BlackBerry Q10 smartphones to DoD networks and securely access assets from work, while enjoying the wealth of consumer-oriented functionality that BlackBerry 10 brings to market.”

Whether Totzke was referring to the “Balance” feature of BB10 that creates a walled garden to facilitate BYOD or a scenario in which military personnel will use generic BlackBerry messaging apps while also being able to use Angry Birds was not explained. On balance, one imagines Totzke was referring to Balance, a suggestion we offer while we wait for BlackBerry to appear on the UCAPL, which at the time of writing mentioned only BlackBerry products from RIM.

The certification applies to both the Q10 and Z10 handsets and the PlayBook tablet. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/03/bbos_10_approved_by_us_defense_department/

IBM open sources new approach to crypto

A group of IBM researchers has released a GitHub project that implements a homomorphic encryption system – a way to work on encrypted data in a file without first decrypting the whole file.

Why would anyone want to do that? Partly because if you have to decrypt the file to work on it, it’s going to exist as plaintext somewhere. IBM has other ideas about this as well: leaving the encrypted file encrypted would keep data protected in the cloud while still letting users work on it. Big Blue even envisages such schemes as offering truly private Internet search.


The Github project is called HElib – the homomorphic encryption library. Its authors describe it as “an implementation of the Brakerski-Gentry-Vaikuntanathan (BGV) scheme, along with many optimizations to make homomorphic evaluation runs faster, focusing mostly on effective use of the Smart-Vercauteren ciphertext packing techniques and the Gentry-Halevi-Smart optimizations.”

The challenge is getting it to run efficiently, something described by IBM’s Craig Gentry in 2009, and improved upon in later work.

In addition to algorithms for key generation, encryption, and decryption, the homomorphic scheme adds an “Evaluate” function.

The encrypted file – if The Register understands the paper correctly – embeds actions that are permitted on that file (for example, the ability to read and write to parts or all of the file). The Evaluate function is able to use the combination of the public key and permitted actions (described as circuits) to operate on the file without decrypting it. ®
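To make the KeyGen/Encrypt/Decrypt/Evaluate split concrete, here is an added example that is not HElib's code and not the BGV scheme: it is a toy implementation of Paillier, an additively homomorphic scheme that is much simpler than BGV but has the same shape. The party holding only the public key and ciphertexts (the "server") evaluates a weighted sum on encrypted values; only the key holder can read the result. The prime pair, the sample values and the weights are constructed for the example.

```python
import math
import secrets

# Constructed toy parameters: two small primes so the example runs instantly.
# They give no security at all; a real key uses primes of 1024 bits or more.
P = 10007
Q = 10009


def keygen(p=P, q=Q):
    """KeyGen: public key (n, g) with g = n + 1, private key (lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    # With g = n + 1, L(g^lam mod n^2) equals lam, so mu is simply lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


def encrypt(public, m):
    """Encrypt: c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = public
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(public, private, c):
    """Decrypt: m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = public
    lam, mu = private
    u = pow(c, lam, n * n)
    return (((u - 1) // n) * mu) % n


def evaluate_add(public, c1, c2):
    """Evaluate(+): the product of two ciphertexts encrypts the sum of plaintexts."""
    n, _ = public
    return (c1 * c2) % (n * n)


def evaluate_scale(public, c, k):
    """Evaluate(*k): a ciphertext raised to k encrypts k times the plaintext."""
    n, _ = public
    return pow(c, k, n * n)


def server_weighted_total(public, ciphertexts, weights):
    """The untrusted party's job: compute an encrypted weighted sum using only
    the public key and ciphertexts. It never sees a plaintext or the private key."""
    acc = encrypt(public, 0)  # an encryption of zero as the accumulator
    for c, w in zip(ciphertexts, weights):
        acc = evaluate_add(public, acc, evaluate_scale(public, c, w))
    return acc


if __name__ == "__main__":
    pub, priv = keygen()
    values, weights = [42, 58, 7], [1, 1, 3]
    cts = [encrypt(pub, v) for v in values]  # the client encrypts and keeps priv
    result = server_weighted_total(pub, cts, weights)
    print("decrypted weighted total:", decrypt(pub, priv, result))  # 42 + 58 + 21 = 121
```

The point to notice is that `server_weighted_total` takes no private key: the "circuit" it evaluates (here, add and scale by a constant) runs entirely on ciphertexts, which is exactly what lets encrypted data stay encrypted while a cloud service works on it. Paillier only supports addition and multiplication by a known constant; a fully homomorphic scheme such as BGV also supports multiplying two ciphertexts, at the cost of the noise management the HElib authors describe.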

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/03/ibm_open_source_homomorphic_crypto/

‘Chinese’ attack sucks secrets from US defence contractor

Just when it looked like US-China relations couldn’t get any more frosty, news has emerged that defence contractor QinetiQ suffered a massive breach of classified data over three years which may have leaked advanced military secrets to the infamous PLA-linked hacking gang Comment Crew.

Bloomberg spoke to Verizon’s Terremark security division, HBGary and Mandiant – all security firms which were hired by QinetiQ to deal with the problem – and sifted through reports and emails made public by the 2011 Anonymous hack of HBGary, in order to get a clear picture of the scale of the breach.


The report reveals poor security practice and misjudgement allowed the hackers to siphon off terabytes of data, potentially compromising national security.

“We found traces of the intruders in many of their divisions and across most of their product lines,” former Terremark SVP Christopher Day told the newswire. “There was virtually no place we looked where we didn’t find them.”

QinetiQ is thought to have been among around 30 defence contractors targeted by hackers in a campaign dating back to 2007, with the group Comment Crew apparently pegged by investigators as the perpetrators – although there’s no explanation for how they arrived at this decision.

The group was famously outed by Mandiant in a high profile report back in February as linked to People’s Liberation Army Unit 61398 and responsible for over 100 other attacks.

QinetiQ was apparently first notified of an intrusion back in 2007, when an agent from the Naval Criminal Investigative Service warned that two employees working at the firm’s US HQ in McLean, Virginia, had their laptops compromised.

The agent had stumbled upon the breach as part of a separate investigation but apparently left out many key details including the fact that other contractors were being hit. QinetiQ limited the following forensic trawl to a few days and mistakenly treated it and several succeeding incidents as unconnected.

Even when NASA warned the firm that it was being attacked by hackers from one of QinetiQ’s computers the firm apparently continued to treat incidents in isolation.

The attackers’ MO appears to have been a classic APT-style attack. Once inside the network they appear to have moved laterally to nab internal passwords, allowing them access to highly classified data including source code from the Technology Solutions Group.

Huge amounts of data were apparently smuggled out of the company in small packets to evade detection by traditional filters.
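The "small packets to evade traditional filters" technique defeats any control that looks at one transfer at a time, so the defensive counterpart is to aggregate. The following is an added example, not from Bloomberg's report or any product, of the detection logic a SOC would run over outbound flow records: it sums bytes per (internal host, external host) pair inside a sliding 24-hour window and alerts on a large cumulative total made up of many individually small transfers. The flow log format, the two hosts and all thresholds are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example, not values from any tool or report.
PER_TRANSFER_LIMIT = 1_000_000  # a single-transfer size filter only sees flows above this
WINDOW = timedelta(hours=24)     # aggregation window per (src, dst) pair
CUMULATIVE_LIMIT = 5_000_000     # total bytes to one external host within WINDOW
MIN_FLOWS = 20                   # "many small flows", not one large upload

# Constructed flow-record format: "<ISO timestamp> src=<ip> dst=<ip> bytes_out=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"bytes_out=(?P<bytes>\d+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_flows():
    """Constructed sample: one host trickles 30 x 200 KB to an external address
    over roughly 19 hours (each flow well under the per-transfer limit), while a
    second host makes three ordinary small transfers."""
    start = datetime(2013, 4, 1, 0, 0, 0)
    lines = []
    for i in range(30):
        ts = (start + timedelta(minutes=40 * i)).strftime(TS_FMT)
        lines.append(f"{ts} src=10.1.4.22 dst=203.0.113.9 bytes_out=200000")
    for i in range(3):
        ts = (start + timedelta(hours=3 * i)).strftime(TS_FMT)
        lines.append(f"{ts} src=10.1.7.5 dst=198.51.100.7 bytes_out=150000")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "src": m["src"],
            "dst": m["dst"],
            "bytes": int(m["bytes"]),
        })
    return flows


def detect_low_and_slow(flows):
    """Return {(src, dst): alert} for pairs whose cumulative outbound volume in
    any WINDOW exceeds CUMULATIVE_LIMIT across at least MIN_FLOWS transfers."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)

    alerts = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        i, total = 0, 0  # two-pointer sliding window over the sorted records
        for j, r in enumerate(recs):
            total += r["bytes"]
            while r["ts"] - recs[i]["ts"] > WINDOW:
                total -= recs[i]["bytes"]
                i += 1
            count = j - i + 1
            if total > CUMULATIVE_LIMIT and count >= MIN_FLOWS:
                best = alerts.get(pair)
                if best is None or total > best["bytes"]:
                    alerts[pair] = {
                        "bytes": total,
                        "flows": count,
                        "max_transfer": max(x["bytes"] for x in recs[i:j + 1]),
                        "first": recs[i]["ts"],
                        "last": r["ts"],
                    }
    return alerts


if __name__ == "__main__":
    for pair, a in detect_low_and_slow(parse_flows(build_sample_flows())).items():
        evaded = "yes" if a["max_transfer"] <= PER_TRANSFER_LIMIT else "no"
        print(f"{pair[0]} -> {pair[1]}: {a['bytes']} bytes in {a['flows']} flows "
              f"({a['first']} .. {a['last']}); each under per-transfer limit: {evaded}")
```

The `max_transfer` field is what tells the analyst that a size-based DLP rule could not have fired on any single flow, which is the failure mode the report describes. In production the same aggregation would be keyed by user or by destination ASN as well, and the baseline would come from the host's own history rather than fixed constants.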

It is claimed that QinetiQ didn’t operate a two-factor authentication system, which could have prevented the hackers logging on with the stolen passwords, and that when Mandiant suggested a simple fix to the problem it was ignored.

Investigators also found in 2008 that QinetiQ’s corporate network could be accessed using unsecured Wi-Fi from a car park outside a facility in Waltham, Massachusetts, the report claimed.

The hackers targeted advanced drone and robotics technology and compromised hundreds of machines in QinetiQ’s facilities all over the US, including St. Louis, Mississippi, Alabama and New Mexico, according to Bloomberg.

Last year China made a splash at the Zhuhai air show with a range of drone aircraft similar in design to their US equivalents but pitched at a lower price point.

As if the persistent hacking incursions weren’t enough, investigators brought in to help apparently made matters worse by arguing with each other.

Then software installed by HBGary to monitor for malicious activity wouldn’t function properly and was deleted by many employees because it apparently used too much processing power.

The investigators even found evidence that Russian hackers had been stealing QinetiQ secrets for over two years through a compromised PC belonging to a secretary.

The report comes just a day after news that the Pentagon has leased a Chinese commercial satellite for communications in Africa. It also emerged this week that Comment Crew is very much still operating, despite being named and shamed in the Mandiant report earlier this year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/02/china_us_hacking_qinetiq_apt/

Java applets run wild inside Notes

Attackers with a desire to rummage around inside the PCs of Notes users can do so merely by sending HTML emails containing a Java applet or JavaScript, IBM has admitted in a security advisory.

Full Disclosure describes the effects as potentially nasty, saying “This can be used to load arbitrary Java applets from remote sources (making it an information disclosure as well as it can be used to trigger an HTTP request once the mail is previewed/opened)”


“Combined with known Java sandbox escape vulnerabilities, it can be used to fully compromise the user reading the email,” the site adds.

It’s not clear just what “fully compromise” means in this context, but it is not hard to imagine the consequences of a successful attack could be unpleasant, given the Notes client links to Notes apps that in turn link to databases full of a business’ important information.

Sean Richmond, a senior technology consultant at Sophos, said the ability to run Java and JavaScript in an email “could be an entry to corporate assets” and also expressed mild incredulity about the vulnerability. “JavaScript in email attributes is considered bad.”

Things could be worse if an applet is able to emerge from Notes into a PC’s Java virtual machine, a scenario Richmond hopes won’t come about because email gateways’ settings should be maximally hostile to .JAR files. Of course one would also imagine an email client would be maximally hostile to HTML emails calling .JAR files.

Happily, one fix is easy: just turn off the preferences that allow Java and JavaScript to run inside Notes. Another requires tickling some .ini files.
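Richmond's point that the gateway should be hostile to this kind of content is easy to turn into a check. The following is an added example, not IBM's fix and not a Sophos product: a small stdlib-only scanner that walks a MIME message, parses each text/html part and reports the constructs the advisory describes (applet, script and other active elements, on* event handler attributes, javascript: URLs and attributes that point at a .jar). The sample message and the list of flagged constructs are constructed assumptions for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed policy: element names and attribute names a gateway treats as
# active content in mail. Extend to taste; these are the ones the advisory covers.
ACTIVE_TAGS = {"applet", "script", "object", "embed"}
CODE_ATTRS = {"archive", "code", "codebase", "classid", "data", "src"}


class ActiveContentScanner(HTMLParser):
    """Collects a human-readable finding for each active-content construct."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{name} event handler on <{tag}>")
            elif name in CODE_ATTRS and ".jar" in value:
                self.findings.append(f"{name} attribute on <{tag}> references a .jar")
            elif name in {"href", "src"} and value.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

    # <script> bodies and <applet> fallback text are not HTML we need to inspect;
    # the start tag alone is enough to flag the part.


def scan_html(html_text):
    """Return the list of findings for one HTML document (empty means clean)."""
    scanner = ActiveContentScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and scan every text/html part in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


def build_sample_message(html_body):
    """Constructed multipart/alternative message carrying the given HTML part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


# Constructed hostile HTML body: an applet pulling a remote .jar, an inline
# script, and an event-handler attribute on an otherwise harmless image.
SAMPLE_HTML = (
    '<p>Quarterly figures attached.</p>'
    '<applet code="Viewer.class" archive="http://example.test/viewer.jar"></applet>'
    '<script>document.title = "x";</script>'
    '<img src="cid:logo" onerror="this.src=\'http://example.test/beacon\'">'
)

if __name__ == "__main__":
    for finding in scan_message(build_sample_message(SAMPLE_HTML)):
        print("quarantine reason:", finding)
```

A gateway would quarantine or strip the part when `scan_message` returns anything; the client-side preference change the article mentions is still the real fix, since HTML can reach a Notes client by routes the gateway never sees.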

The problem affects Notes 8.5.3 and the new Notes 9. IBM promises fixes real soon now. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/02/java_runs_in_note_email/