STE WILLIAMS

Microsoft joins the two-step verification party

Microsoft is bringing two-factor authentication to its users’ accounts over the next couple of days.

“With this release you can choose to protect your entire account with two-step verification, regardless of what service (or device) you are using with your Microsoft account,” Eric Doerr, group program manager for Microsoft accounts, wrote in a blog post. “It’s your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we’ve worked hard to make set-up really easy.”


Microsoft has been bringing two-step verification to some “critical activities” (like editing credit card information or accessing files on another computer through SkyDrive.com) for a year, but now it is making two-step verification optional for all Microsoft accounts. Microsoft accounts provide access to Windows Phone, Xbox, Outlook.com, SkyDrive, Skype, Office365 and, in the Windows 8 era, the operating system itself.

Microsoft has built an Authentication app for Windows Phone, and punters on other platforms are encouraged to download alternate authentication apps. The system has been designed to work even when offline.

Users can choose either to enter a one-time password every time, or to enter it just once on devices they use regularly; if they don’t use the service for 60 days, they’ll need to enter a new code.
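Why a code generator keeps working with no network connection: the code is a function of a shared secret and the current time, so phone and server compute it independently. The following is an added example in Go, not Microsoft's code; the article does not name the algorithm, so this assumes the standard time-based one-time password scheme (RFC 6238, HMAC-SHA1, 30-second steps) that interoperable third-party authenticator apps implement. The secret and timestamps are RFC 6238's published test values, not a real seed, and the ±1-step skew window is a design choice made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const stepSeconds = 30 // RFC 6238 default time step

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp derives the code for a moment in time: counter = floor(unixTime / step).
// Nothing here needs the network, which is why an authenticator app works offline.
func totp(secret []byte, at time.Time, digits int) string {
	return hotp(secret, uint64(at.Unix()/stepSeconds), digits)
}

// verifyTOTP (server side) accepts a submitted code if it matches the current step or any
// of the ±skew neighbouring steps, tolerating clock drift, using constant-time comparison.
func verifyTOTP(secret []byte, code string, now time.Time, skew int) bool {
	digits := len(code)
	if digits != 6 && digits != 8 {
		return false
	}
	step := now.Unix() / stepSeconds
	ok := false
	for d := -int64(skew); d <= int64(skew); d++ {
		if step+d < 0 {
			continue
		}
		cand := hotp(secret, uint64(step+d), digits)
		if subtle.ConstantTimeCompare([]byte(cand), []byte(code)) == 1 {
			ok = true // keep looping so timing does not reveal which step matched
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret, not a real seed
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Println(ts, totp(secret, time.Unix(ts, 0), 8))
	}
	now := time.Now()
	fmt.Println(verifyTOTP(secret, totp(secret, now, 6), now, 1))
}
```

The skew window is the usual trade-off: one step either side covers ordinary clock drift, while a wide window multiplies the number of codes an attacker could guess in one attempt; a server should also refuse to accept the same code twice within its window.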

“If you have an app or device that doesn’t directly support two-step verification (like your Xbox, or setting up email on your smartphone), you can still use two-step verification. For these devices, we’ll help you set up an app password unique to each application or device.”

Punters who want to add the two-factor authentication tech to their accounts need to be careful, Doerr cautioned, as “if you know your password but lose access to your secondary security proof, customer support cannot update it for you.” Instead, people will have to go through a recovery process that enforces a 30-day wait, which is as good as a death sentence for any business or individual that depends on their Microsoft account.

Users who can’t remember their password and have misplaced their authentication device will “not be able to regain access” to their account at all, Microsoft said.

Microsoft is somewhat late in bringing the technology to users. Apple rolled out two-factor authentication to all Apple ID users in March; Google has offered two-step authentication across several of its products for years (the technology came to app customers in late 2010 and to Gmail in February 2011); and cloud storage player Dropbox began offering two-factor authentication for Windows, Mac, and Linux users in August 2012.

Better late than never, we say. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/17/microsoft_two_factor_authentication/

Malware and domain-squatters target Boston Marathon bombing

The scummier end of the online community has been quick to use Monday’s bombing of the Boston Marathon as bait for multiple malware dispersals, plus a spot of old-fashioned online fraud along the way.

Within 24 hours of the blasts, the ISC reported that 234 potentially fake domains had been registered featuring mention of the attack. Some have started soliciting donations (including one asking for Bitcoins – evidently confident that the current $90 unit price will rise again), but there are no reports of spammers using them as yet.


It should be pointed out that a few of these domains were bought by people looking to stop squatters, and most are “parked” or dead-end links at this stage. John Bambenek, ISC member and founder of Bambenek Consulting, said the figures were rather a positive sign.

“I would have thought this would have picked up quicker than it had,” he said. “That said, it did give me the impetus to finish scripting a few things to basically monitor these domains automatically to start looking for indicators and to see when (or if) they ever come out of ‘parked’ status.”

Meanwhile, malware distributors are relying on the age-old principle that people will click on URLs without thinking if they’re really interested in the subject. It’s a tactic that has worked for over a decade and probably always will, given the fundamental Layer Eight problem of human curiosity and stupidity.

Sophos, Kaspersky, and AVG are warning of the tactic being used to spread the Windows Trojan Tepfer, usually in emails entitled “Explosion at Boston Marathon.” The link for more information comes with an IP address and an HTML page ending in “news.html” or “boston.htm” that leads to a page of videos. 60 seconds later the Trojan tries to install itself in the background.

Not to be left out, scammers are trying to seed a second piece of malware, this time a JAR file aimed at getting past flaws in Oracle’s Java. This URL, in a similar format, redirects the user to three other URLs that try to install the malware if they detect an unpatched vulnerability. Oracle released a combination patch for Java on Tuesday and users are advised to get it installed.

It’s the Westboro Baptists again!

Meanwhile, it has been reported that Anonymous has taken over the Facebook page of America’s least-favorite poster-children for free expression, the Westboro Baptist Church (WBC).

This small cult of around 100 members, based around the Phelps-Roper family in Kansas, passes its days protesting at funerals of military personnel and high-profile celebrities with the message that everything bad in America happens because of its acceptance of homosexuality. As a sideline, WBC members include many lawyers fond of suing people for large damages if they get punched.

Shortly after the twin blasts at the finishing line of the Boston Marathon, the WBC issued a press release saying that they would be attending the funerals of the three people killed, replete with their customized “God sent the bombs” signs. They also said they planned to protest Thursday’s memorial service at the city’s Cathedral of the Holy Cross.

“Massachusetts invited this special wrath from God Almighty when it was the FIRST STATE to pass same-sex marriage on May 17, 2004,” the WBC said. “As a direct and immediate result of that first step down the slippery slope to nationwide fag marriage, God sent the devastating bombs to the Boston Marathon.”

This prompted a response from the Twitter feed of @YourAnonNews threatening the WBC with the usual “expect us” warning. Then crackers claiming to be from Anonymous appeared to have taken over the Facebook page of the WBC to post pictures of kittens, jokes, and inspirational sayings.

This was originally reported as a hack, but looks more like a case of brand-jacking. The WBC deny having a Facebook page (preferring to tweet instead) and Anonymous have pointed out that @YourAnonNews is not an official organ of communication. ®

Bootnote

While not a Bostonian, this El Reg hack has many friends born and bred there and once spent a memorable Thanksgiving in that wonderful city that permanently damaged his liver. It’s going to be very tempting (and somewhat in keeping with the city’s character) for Bostonians to take a swing at the WBC, but please refrain; it only encourages them.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/17/malware_squatters_boston_marathon_bombing/

Oracle slaps critical patch on insecure Java

Oracle has issued a critical update patch for Java as the database giant works to shore up confidence in the widely used code.

The security update fixes 42 security flaws, 19 of which merit a 10 (most severe) rating according to the CVSS metric the company uses to evaluate the software. Along with this, Oracle has also sought to give users more information about the Java apps that want to execute code within the browser.


The patch comes at a time when many security pros are questioning the value of Java, with many seeing its presence in users’ browsers as a liability rather than a benefit.

Of the 42 security flaws patched by Oracle in April, 39 of them “may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle wrote in the patch notes.

The most severe vulnerabilities lie in the 2D, Deployment, Hotspot, Install, JAXP, JavaFX, RMI, Libraries and Beans sub-components of the Java runtime environment.

The majority of these vulnerabilities apply to client Java deployments, and can only be exploited through untrusted Java Web Start applications and untrusted applets.

The vulnerabilities affect JDK and JRE 5.0, 5 and 7, along with JavaFX 2.2.7. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company said.

Alongside the patch fixes, Oracle is also rolling out an update (Java 7 Update 21) that lets the plugin more clearly telegraph to users when it could potentially be dangerous to let Java code be executed in their browsers (not all the time? – Ed).

Low-risk apps will cause a simple message to be displayed, while high-risk apps will be indicated by either an exclamation mark within a yellow triangle (applications with untrusted or expired certificates) or a yellow shield (applications with unsigned and/or invalid certificates).

This patch follows a rather insecure three months for Java: In January, Oracle admitted that Java’s security was less than perfect, saying at the time that its grand plan for Java security was to fix it and communicate its security efforts more widely.

In February, a zero day flaw in Java was exploited to let unscrupulous types gnaw at the innards of major companies like Apple, Facebook, and Microsoft. In March, Oracle was forced to issue another emergency patch to deal with another zero day.

We can only wonder what May could bring… ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/17/oracle_java_security_update/

Oracle critical patch plugs 128 security vulns

Oracle is issuing a hefty patch batch that seals 128 serious security vulnerabilities across the database company’s vast product suite.

The Critical Patch Update for April 2013 is due to come out on Tuesday and “Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” the company warns.


Security problems span all of Oracle’s key products, including MySQL Server; Solaris; Siebel Enterprise Application Integration; PeopleSoft Enterprise PeopleTools; Oracle WebLogic Server; and Oracle Database Server Application Express, Network Layer, and Workload Manager.

Two of Oracle’s key products – Oracle Database Server and Oracle Fusion Middleware – have vulnerabilities that merit the maximum security (brown alert) rating of 10.000, as measured by the Common Vulnerability Scoring System 2.0 metric.

Oracle uses the ‘Common Vulnerability Scoring System’ to give severity ratings for its bug fixes. The rating reflects the severity of the threat, the ease with which it can be capitalized on, and how the threat works in relation to its overall software environment.

Other vulns range in severity from relatively calm 4.3 ratings (Oracle Supply Chain Products, and Oracle Sun Middleware), up to the more worrying 6.9 for Oracle Support Tools. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/16/oracle_critical_patch_april/

Ex-hacker leaves Pentagon’s TOP-SECRET war boffins for Google

Google has hired a former hacker who has spent the last three years working for the US Department of Defense’s secretive military research bureau.

The Chocolate factory poached Peiter “Mudge” Zatko from the Defense Advanced Research Projects Agency (DARPA) and will put him to work in its own research skunkworks.


He will take up an unspecified role at Motorola Mobility’s Advanced Technology and Projects division.

Google snapped up Motorola’s phone biz for $12.5bn two years ago. At the time, it was believed that Google’s acquisition was motivated by its hunger for Motorola’s essential mobile phone patents as it prepared to enter the telephone hardware market.

Zatko joins his former DARPA boss Regina Dugan at Google after she was hired last year.

He tweeted:

“Mudge” started out as a hacker with the L0pht hacker thinktank in the 1980s. He then led a drive to encourage companies and governments to be more honest about their security flaws, resulting in the release of widely used software called AntiSniff, which monitors and counteracts sniffer software used to intercept packets of data passing over a network.

Zatko was one of the first hackers to testify in front of the US Senate, warning that the internet could be brought down in a matter of minutes. He was then summoned to meet Bill Clinton to explain the first vicious DDoS attack. In 2010 he was hired by DARPA as a cybersecurity expert.

On its website, the Googlerola department he will work for is described as “skunkworks-inspired”. The company said:

Optimized for speed. Small, lean, resourced. With agility, freedom from bureaucratic constraints, and a willingness to embrace risk as core attributes. ATAP is focused on harnessing best-in-class, interdisciplinary talent from inside and outside Motorola Mobility, as well as technological developments from whatever the source.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/16/google_hacker/

Web host Linode, hackers clash over credit-card raid claim

Crooks claim they gained access to server hosting biz Linode’s customer passwords and credit card numbers.

On Friday, Linode said someone tried to compromise one of its clients’ machines, but insisted no financially sensitive information was leaked. Linode reset all account passwords as a precautionary measure. The virtual server provider stated:


Linode administrators have discovered and blocked suspicious activity on the Linode network. This activity appears to have been a coordinated attempt to access the account of one of our customers. This customer is aware of this activity and we have determined its extent and impact. We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed.

We have been advised that law enforcement officials are aware of the intrusion into this customer’s systems. We have implemented all appropriate measures to provide the maximum amount of protection to our customers. Out of an abundance of caution, however, we have decided to implement a Linode Manager password reset.

But on Monday, the hackers broke cover to dispute Linode’s version of events: the miscreants revealed hashed passwords, source code snippets and directory listings to substantiate their claims that they obtained credit card details and the hashed password database from a Linode management system.

The infiltrators sneaked into the server via an insecure installation of web app maker Adobe ColdFusion, according to a transcript of the hackers’ IRC chatter. “It’s surprising that anyone is still running ColdFusion – that’s like connecting a Windows 98 box to the internet without a firewall,” said “Ryan”, a representative of the HTP black-hat crew that apparently slurped the data.

Ryan claimed Linode encrypted its customers’ credit card information but “both the private and public keys were stored on the web server”, implying that the cache could be decrypted.

Today Linode, which operates a cloud of Linux virtual servers, responded to these claims with an updated statement denying that customer credit card data was leaked. It blamed a ColdFusion bug for allowing in the hackers:

Yesterday, a group named HTP claimed responsibility for accessing Linode Manager web servers, we believe by exploiting a previously unknown zero-day vulnerability in Adobe’s ColdFusion application server. The vulnerabilities have only recently been addressed in Adobe’s APSB13-10 hotfix (CVE-2013-1387 and CVE-2013-1388) which was released less than a week ago.

As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database. We have been working around the clock since discovering this vulnerability. Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure.

Credit card numbers in our database are stored in encrypted format, using public and private key encryption. The private key is itself encrypted with passphrase encryption and the complex passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails. We have no evidence decrypted credit card numbers were obtained.

Linode has come under attack from black hats before. Last year Linode was hacked by cyber-thieves who made off with a stash of bitcoins worth $71,000 after breaking into the digital safety deposit boxes of eight of its customers. Linode promised to revamp its security procedures in the wake of the robbery. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/16/linode_breach/

Sophos picks up axe again, ‘plans to DECIMATE staff’

Sophos plans to shed 150 jobs as part of a restructuring exercise, according to a source who tipped off El Reg.

The security-software maker confirmed to The Register that cuts in some areas of its business were on the cards. But it declined to discuss the specifics of the planned redundancies; for example, it did not say which departments will be affected nor did it comment on the figure supplied to El Reg by our tipster.


However, Sophos did say it will attempt to place people facing redundancy elsewhere in the firm.

The previous job slash happened in November last year, when Sophos said it was cutting 35 roles in some areas of development to focus on growth areas, such as security-as-a-service (SaaS) and unified threat management (UTM).

This time around, Sophos said it was announcing “plans to reduce our staff in certain areas of our business and increase it in others”. It said it expected that the overall headcount would actually rise:

At Sophos, we constantly innovate to deliver our customers and partners complete security without complexity, and that means shifting our resources to the highest-growth and most strategic areas of our business.

As a result, today we have announced plans to reduce our staff in certain areas of our business and increase it in others. While it is difficult to make any reductions in our team, we are confident these actions will help to drive our long-term success, and allow us to drive greater value for our customers and partners.

In terms of the overall company, we actually expect our staff levels to increase on a year-over-year basis.

The privately held firm employs more than 1,500 people globally, most working in its offices in Boston, USA, and near Oxford in the UK.

Sophos reported sales of $402.9m in the year ending 31 March 2012, up 17 per cent on the year before. Earnings before interest, taxes, depreciation and amortisation (EBITDA) came in at $107.9m, up 14 per cent year on year, in the infosec firm’s last set of accounts, which were released in July 2012. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/16/sophos_restructuring/

Anonymous squirts all over NORKS in birthday surprise outrage

Anonymous hackers have sent North Korean despot Kim Jong-un a little present on the anniversary of his grandfather’s birthday: they vandalised key Nork websites and posted their handiwork on a hijacked Twitter account.

The @uriminzokkiri account was taken over earlier this month in the first round of attacks against North Korean government websites and propaganda outlets. That offensive was launched after the Jong-un regime ratcheted up its warmongering rhetoric against the US and its allies.


The attack was notable for the apparent teamwork shown by sworn internet foes – hacktivist clan Anonymous and hacker The Jester – in targeting the reclusive totalitarian state.

In an update on Monday the hacked uriminzokkiri account warned: “More of North Korean websites are in our hand. They will be brought down.”

News site uriminzokkiri and ryugongclip.com were subsequently knocked offline this week, we’re told, and hackers defaced three sites with a cartoon depicting Kim Jong-un as a pig: jajusasang.com, minjok.com and paekdu-hanna.com.

At the time of writing uriminzokkiri and jajusasang.com were back online but the others appeared unavailable.

April 15 is the birth date of DPRK founder, “Eternal President” and “Great Leader” Kim Il-sung, and is usually a public holiday of stage-managed celebrations and parades, although by all accounts yesterday passed in relatively low-key style.

It should be noted that attacks on Nork websites are unlikely to have much of an impact on the hermit state’s population, given that most locals aren’t permitted access to the world wide web. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/16/happy_birthday_norks_hack/

Firefox ‘death sentence’ threat to TeliaSonera over gov spy claims

Firefox-maker Mozilla could issue a “death sentence” to TeliaSonera’s SSL business over allegations the telecoms giant sold Orwellian surveillance tech to dictators.

The punishment would be an embarrassing blow to the company: it would effectively cut off HTTPS-encrypted websites verified by TeliaSonera from Firefox users, who make up one-fifth of the planet’s web surfers.


Crucially, it will be seen as a tough stance against corporations that trade with authoritarian states.

TeliaSonera, which has globe-spanning operations and sells SSL certificates to Nordic websites, asked Mozilla to include its new root certificate in Firefox’s list of trusted Certificate Authorities (CAs).

Mozilla, as a matter of routine, asked its community of users for their views on the request – but the software foundation was told a Swedish documentary had investigated claims that TeliaSonera was selling spooks technology to snoop on citizens’ private communications. That alone may be enough to persuade Moz staff to refuse the new root certificate.

When a browser visits an HTTPS website – such as Google, Amazon or a bank – it must verify that it is talking to the genuine site, rather than a malicious server silently attempting to intercept the sensitive communication. Put simply, the website hands over its SSL certificate, which is like an ID card, to the browser, which checks this document’s authenticity using the trusted root certificate belonging to the company that sold the SSL cert. If this chain of trust checks out, the connection can be trusted and encrypted.

If Mozilla decides to reject TeliaSonera’s new root certificate, Firefox users who visit a website that uses an SSL cert generated from the new root certificate will be strongly warned they are visiting an untrusted website. Website operators would therefore steer clear of buying SSL certificates from TeliaSonera.
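The chain check just described, and what rejecting a root does to it, as an added example in Go rather than anything from Mozilla or TeliaSonera. It builds a constructed root CA and a site certificate sold under it (the hostname shop.example is a placeholder), then verifies the site certificate once with that root in the trust store and once without, which is the position Firefox users would be in if the root were rejected. A third check shows the hostname match that stops a certificate issued for one site being accepted for another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey. A nil parent makes a self-signed (root) certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain makes a constructed CA root plus a site certificate it sold (names are placeholders).
func buildChain() (root, site *x509.Certificate, err error) {
	now := time.Now()
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	site, _, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "shop.example"},
		DNSNames:     []string{"shop.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return root, site, err
}

// verifySite does what a browser does: check the site certificate for the hostname
// against its trust store. The store is only the roots passed in.
func verifySite(site *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool() // empty but non-nil; a nil pool would fall back to the OS store
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := site.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether verification failed because no trusted root anchors the chain,
// which is the error a browser turns into its "untrusted website" warning.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	root, site, err := buildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("root trusted:     ", verifySite(site, "shop.example", root))
	fmt.Println("root rejected:    ", verifySite(site, "shop.example"))
	fmt.Println("wrong hostname:   ", verifySite(site, "bank.example", root))
}
```

Removing one root from the store invalidates every certificate chained to it at once, which is why the article calls the threatened action a death sentence for the CA's certificate business; the hostname check is the separate guard that a certificate issued to one name cannot be presented for another.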

There are more details on the secure certificate system here [PDF].

Mozilla has asked folks to collate specific details about TeliaSonera’s internet and phone services which are allegedly being used by dictators to carry out surveillance.

A spokesperson for the ISP giant told The Reg it is “concerned” about Mozilla’s course of action. It added that TeliaSonera has a “clean record” and, like “all operators”, it honours requests for “lawful interception” by governments.

It is claimed Azerbaijan, Kazakhstan, Georgia, Uzbekistan and Tajikistan – where TeliaSonera operates subsidiaries or is heavily invested – are using the ISP’s networks to eavesdrop on their citizens. TeliaSonera is the dominant telco in Sweden and Finland but also operates in Denmark, Spain and Russia. The company’s operations in Eurasia are detailed here [PDF].

Mozilla’s concern is that TeliaSonera has possibly issued certificates that allow hardline government servers to masquerade as legitimate websites – so-called man-in-the-middle (MitM) attacks – and decrypt web traffic. This alleged activity would contradict Mozilla’s policy against “knowingly issuing certificates without the knowledge of the entities whose information is referenced in the certificates”.

But a TeliaSonera representative told the Moz community that its new root certificate will “issue public [SSL] certificates only to Swedish and Finnish customers and citizens … All our processes and certificates are following Mozilla requirements and are validated yearly in a Webtrust audit”.

The case has echoes of online security biz Trustwave, which generated a “skeleton key” SSL certificate so that an unnamed company could intercept and decrypt workers’ HTTPS-encrypted communications. The revelation sparked calls for Firefox to stop accepting Trustwave-granted certificates.

The possibility of action against TeliaSonera was warmly welcomed by Washington DC-based privacy researcher and activist Chris Soghoian. He told The Reg the telco would “pay the price” for “getting into bed with some seriously nasty governments”.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/16/mozilla_threatens_teliasonera/

Silent Circle adds private email to hush-hush communications

Silent Circle, the private communications venture set up by the founders of PGP and two former US Navy SEALs, has added encrypted emails to its protected text and voice services.

[Image: Silent Circle email – keeping comms quiet]

As expected, the new email application uses custom code developed by Phil Zimmermann, Jon Callas, and other members of the PGP encryption team to provide totally encrypted communications. It’s a no-cost add-on for existing Silent Circle subscribers, and IT managers can either use their own encryption key management or use Silent Circle’s system, which generates keys on native devices.

The company came out of stealth mode last June and in October launched a pair of iOS and Android apps that allow secure text messages, voice, and video calls for $20 per month. Silent Circle was one of the most talked-about applications at this year’s RSA 2013 show, and has plans for a rapid expansion, based on demand so far.

So far the company has servers in Canada and Switzerland, countries which have the right legal framework for the company’s operations, but CEO Mike Janke told The Register that the company would soon be setting up in Singapore at the request of that country’s government.

“They came and recruited us, which was very odd,” he continued. “Singapore government representatives have been to our offices four times because they are looking to rebrand Singapore as the world’s cyber-defense hub, and wooed us to come out there with a lot of incentives.”

The company plans another six launches by the end of the year, including encrypted voicemail, encrypted contact lists, its own mail app, and a secure service that can operate over public switched telephone networks (PSTN).

Janke said that in addition to the iOS and Android versions of Silent Circle, the company has received numerous requests from government sources for a BlackBerry build of the system, which it is looking into. So far there’s no mention of much demand for a Windows Phone 8 version, however.

To support this is going to take some more expansion, with 20 regional server units set up around the world, coordinated from offices in Washington DC, San Francisco, Oregon, and London.

“We don’t disclose user numbers, but let me tell you this: we’ve had to move to bigger offices three times in four months,” the ex-SEAL says. “We’ve outgrown anything we’d ever thought, and a lot of the growth is coming in enterprise and government. We just didn’t expect the size of the bulk orders – so much or so big. We need to be at about 90 people, but we have 48.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/16/silent_circle_launches_encrypted_email/