STE WILLIAMS

Google tool lets you share data from BEYOND the GRAVE

Between Google search, GMail, YouTube, and other sites, a vast number of internet users now access Google services every day. So it makes some sense that the Chocolate Factory has implemented a new system that lets you tell it how long you need to have stopped Googling before it assumes you must be dead.

Dubbed the Inactive Account Manager, the new feature allows Google account holders to specify automated steps for the online giant to take if they should conspicuously drop offline – presumably into the hereafter.


“Not many of us like thinking about death – especially our own,” Google product manager Andreas Tuerk wrote in a blog post on Thursday. “But making plans for what happens after you’re gone is really important for the people you leave behind.”

The feature, which is available now and is configurable from the settings page of any Google account, lets you set the duration of inactivity that must pass before Google starts measuring your virtual coffin.

The choices aren’t exactly fine grained. The minimum timeout is three months and the maximum is a year. Once the feature is enabled, Google says it will issue you an alert via mobile phone or email one month before your chosen deadline elapses, to give you one last chance to let it know you don’t want to go on the cart.

Assuming your account remains silent, Google can initiate several actions at your prior request. First, it can notify up to ten people of your demise via email – and you can draft a custom-crafted message for each, so have fun with that.

Optionally, you can also share your data from Google services with your ten trusted contacts. Types of data you can choose to offer include your mail, contacts, Google+ stream and circles, YouTube videos, Picasa web albums, and files from Google Drive, to name a few. You can even share your feeds from Google Reader – which, ironically, is itself deceased.

Your contacts have just three months to access your data before it’s locked up for good, and as an additional security measure, they’ll need a verification code to access your accounts. Google will send them the code via their mobile phones, so you’ll need to make sure you know their phone numbers to activate this part of the service (and you’d better hope they don’t change).

Finally, after all your other requested actions have been completed, you can have Google delete your account. This will erase all of your data from all of the Googly services you use; you can’t delete your Gmail but preserve your YouTube videos for posterity, for example. Everything goes.

Here at El Reg, we think this is a valuable service and it should give some solace to people who worry about just what will happen to the growing pile of data they’ve stored in Google’s cloud once they’ve passed on.

But, as even Google’s Tuerk pointed out in his blog post, “Inactive Account Manager” just doesn’t have the right ring to it for such a – ahem – grave matter. Can Reg readers come up with a better name for the Chocolate Factory’s latest feature? Post your suggestions in the Comments. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/11/google_inactive_account_manager/

Malware-flinging Winnti crew have been RIPPING OFF gaming firms for YEARS

Security researchers have discovered an active cyber-crime campaign that targets online gaming companies worldwide.

According to Kaspersky Lab, the Winnti crew has been attacking companies in the online gaming industry since 2009, stealing digital certificates signed by legitimate software vendors in addition to intellectual property, including the source code of online game projects.


The whole caper is arguably the best large-scale example of traditional profit-motivated cybercrooks using techniques first developed and refined by state-sponsored cyber-espionage groups. The same techniques have been used by government-sponsored cyberspook attacks against military contractors, IT firms such as Google and Apple, human rights activists, smart-grid tech providers, governments and the rest.

Kaspersky researchers first came across Winnti's malicious activities in the autumn of 2011, when a Trojan was detected on a large number of end-user computers worldwide. The infected computers had one thing in common: their owners were fans of a popular (unnamed) online game.

Soon afterwards it emerged that the malware used in the attack was spread as part of a regular update from the gaming company’s official server.

After the dust settled, it later emerged that malware was installed on the players’ computers by accident, and the cybercriminals were actually targeting the video game company. Kaspersky Lab researchers were called in to investigate the outbreak.

The Trojan turned out to be a DLL library compiled for 64-bit Windows environments and signed with a digital certificate. The malware – which gave its controllers backdoor access to and control of the infected machines – was the first of its type to incorporate use of a valid digital signature.

And the digital signature involved belonged to another video game vendor – a private company known as KOG, based in South Korea – and not the primary victim of the attack.

Subsequent analysis over many months by Kaspersky Lab's experts unearthed evidence that the Winnti group had hit more than 30 companies in the video games industry. The majority of victims were located in South East Asia. However, online gaming companies located in Germany, the US, Japan, China, Russia, Brazil, Peru, and Belarus were also hit by the Winnti group.

The group’s main modus operandi involved stealing digital certificates which it then used to sign malware in future attacks against other targets.

These digital certificates appeared to have been used in attacks organised by other hacking groups, presumably located in China, according to Kaspersky Lab researchers.

For example, in an attack against South Korean social networks Cyworld and Nate in 2011 the attackers used a Trojan that was digitally signed using a certificate from YNK Japan, a video game outfit.

Another YNK-signed digital certificate was abused last month in Trojans deployed against Tibetan and Uyghur activists.

The Winnti group turned a dishonest profit by looting in-game currencies and selling them for real money. This activity was facilitated by the use of “stolen source code from online game servers to search for vulnerabilities inside games to augment and accelerate the manipulation of in-game currency and its accumulation without suspicion”. The crooks even used stolen source code to run versions of the games from their own pirated servers, according to Kaspersky Lab.

The Winnti group remains active and Kaspersky Lab’s investigation is ongoing. Experts from the Russian security firm are working with the IT security community, online gaming industry and certificate authorities to identify additional infected servers. Meanwhile stolen digital certificates are being identified and revoked. In addition, Kaspersky Lab has added detection for strains of Trojans and rootkits associated with the Winnti crew’s villainy in its security software.

A blog post by Kaspersky Lab explaining its investigation into the Winnti crew can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/11/video_game_cyberespionage/

AMI PC firmware upgrade scare: The global security meltdown that wasn’t

Analysis A computer hardware maker that leaked the source code to American Megatrends Inc’s PC firmware did not reveal private keys for signing firmware updates – contrary to early reports.

The blueprints for AMI’s UEFI firmware were found by a security researcher on a wide-open Taiwanese FTP server along with what appeared to be sensitive code-signing keys.


The firmware is typically stored in flash chips on a computer motherboard and is the first piece of code to execute when a computer is turned on: it kickstarts the hardware and boots the operating system.

For security reasons, new versions of the firmware can only be installed if they are cryptographically signed by the motherboard maker’s private key. This ensures only software issued by the manufacturer is loaded. The firmware checks the update is appropriately signed before committing the new data to chip. There’s more information on this process here [PDF].

Any miscreant with this private key could therefore sign his or her own malicious firmware and permanently install it on a victim’s machine by tricking the user or compromising the PC. This malicious code runs underneath the operating system, and could therefore set itself up to spy on everything the user does without being spotted.

It was feared the signing key for AMI firmware upgrades for the Taiwanese vendor’s motherboards had been leaked, sparking a global security scare, but AMI insists the key is a dud.

Security blogger Adam Caudill and his research partner Brandon Wilson first stumbled across AMI’s UEFI (Unified Extensible Firmware Interface) source code, the key and a cache of internal documents late last week, and blogged about it. The data was later distributed as a torrent by a third party, and the code dates from February 2012 according to comments in the source.

The information was found on a public server operated by an unnamed AMI customer in Taiwan, and not by AMI itself. The signing key exposed in the “Ivy Bridge” archive is a default test key, we’re told.

AMI – which supplies its AMI UEFI firmware to PC and server motherboard makers – instructs customers to change the dummy key before building the software for a production system. However it’s unclear whether or not the customer followed this advice and the wide variety of other sensitive information – internal emails, various system images, private specification sheets, Excel documents and more – hardly inspires confidence.
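The signed-update check described above, and the test-key versus production-key distinction AMI draws, as an added example in Go (not AMI's code and not the UEFI implementation): a stand-in capsule verifier using RSA PKCS#1 v1.5 over SHA-256, the primitives Authenticode-signed firmware uses, with the capsule layout, the key sizes and the build-time check constructed for illustration. The same capsule signed with the test key is accepted by a board whose firmware still embeds that key and rejected by a board built with a vendor-generated key, and a release check catches the first case before it ships.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Capsule is a constructed stand-in for a firmware update: the image bytes plus a
// detached RSA signature over SHA-256(image). A real UEFI capsule carries a
// PKCS#7/Authenticode blob instead, but the decision the firmware makes is the same.
type Capsule struct {
	Image     []byte
	Signature []byte
}

// NewKey generates a 2048-bit RSA key; it stands in for both the vendor's
// production key and the default test key that ships with the SDK.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// KeyFingerprint is hex(SHA-256(DER SubjectPublicKeyInfo)), a stable way for a
// build pipeline to recognise a particular public key.
func KeyFingerprint(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// SignCapsule is the vendor's release step (or an attacker's, if they hold the key).
func SignCapsule(priv *rsa.PrivateKey, image []byte) (Capsule, error) {
	h := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return Capsule{}, err
	}
	return Capsule{Image: image, Signature: sig}, nil
}

// VerifyCapsule is the check the flash-update code runs with the public key
// embedded in the currently installed firmware, before writing anything to the chip.
func VerifyCapsule(embedded *rsa.PublicKey, c Capsule) error {
	h := sha256.Sum256(c.Image)
	if err := rsa.VerifyPKCS1v15(embedded, crypto.SHA256, h[:], c.Signature); err != nil {
		return errors.New("capsule rejected: signature does not verify under the embedded key")
	}
	return nil
}

// CheckEmbeddedKey is the build-time guard AMI's instructions imply: refuse to
// produce a production image whose embedded key is one of the known test keys.
func CheckEmbeddedKey(embedded *rsa.PublicKey, knownTestKeys map[string]bool) error {
	if knownTestKeys[KeyFingerprint(embedded)] {
		return errors.New("refusing production build: embedded key is a default test key")
	}
	return nil
}

func main() {
	testKey := NewKey() // the key everyone with the SDK (or the leak) has
	prodKey := NewKey() // the key the board vendor is supposed to generate itself
	knownTest := map[string]bool{KeyFingerprint(&testKey.PublicKey): true}

	// An attacker holding the test key signs a hostile image (constructed bytes).
	hostile, _ := SignCapsule(testKey, []byte("constructed malicious firmware image"))

	// A board built with the test key left in place accepts it; a board built
	// with a production key rejects the very same capsule.
	fmt.Println("test-key board accepts hostile capsule:", VerifyCapsule(&testKey.PublicKey, hostile) == nil)
	fmt.Println("prod-key board accepts hostile capsule:", VerifyCapsule(&prodKey.PublicKey, hostile) == nil)

	// The release pipeline should have caught the first case before shipping.
	fmt.Println("build check on test-key image:", CheckEmbeddedKey(&testKey.PublicKey, knownTest))
	fmt.Println("build check on prod-key image:", CheckEmbeddedKey(&prodKey.PublicKey, knownTest))
}
```

Keys here are generated at run time, so nothing in the block corresponds to the leaked key; the point is that whoever holds the key embedded in the shipped firmware, test or production, can produce updates that firmware will flash.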

“Assuming the vendor was following AMI’s instructions, the private key found on the vendor’s public FTP server should have little practical value; though how this vendor was handling keys isn’t known, so the usefulness of the key is also unknown. There is also the possibility of other AMI customers violating AMI’s instructions. We know we have a key; we don’t know how it’s been used,” Caudill wrote in an update to his blog post.

“Publicly revealing the source code still has some potentially interesting implications, even with the assumption that the vendor was following AMI’s instructions on key handling. As this code may be under additional scrutiny from researchers, it’s likely that new flaws will be found that would have been missed otherwise,” he added.

‘The ability to create a nearly undetectable hole is ideal’

“This kind of leak is a dream come true for advanced corporate espionage or intelligence operations. The ability to create a nearly undetectable, permanent hole in a system’s security is an ideal scenario for covert information collection,” Caudill warned.

AMI played down the potential impact of the problem by saying “this is not a general security threat which could ‘create a nearly undetectable, permanent hole in a system’s security’ if the manner in which production-level BIOS is signed and created uses a production key.”

“AMI has examined the security keys referenced in the blog post and confirmed that the keys in question are test keys,” it said in a statement. “Test keys are normally used for development and test purposes since developers do not have access to production keys. For production-level BIOS that would be shipped to consumers, AMI’s procedures for creating such a BIOS require the customer to procure or generate production keys. As such, AMI expects that a key such as the one disclosed to the public today will be used for testing purposes only.”

The leaked test keys can’t be used to derive production keys, so there ought to be no effect for systems in the field, according to AMI.

Subramonian Shankar, American Megatrends chief exec and president, added: “AMI would like to reassure its customers and partners in no uncertain terms that this should not be a security concern for them. If they follow standard operating procedure for BIOS signing, the security features in our BIOS source code and secure signing process will function as designed and remain 100 per cent secure.”

The problem doesn’t entirely stop there, though: the leak of AMI source code is problematic for the company because it exposes its intellectual property. It also exposes the code to scrutiny by bug hunters. This is something of a mixed blessing for ordinary punters: someone who finds a flaw could report it to AMI to be fixed, or exploit it. AMI partners and worldwide firmware customers are advised to get in touch with their AMI sales rep or AMI technical marketing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/11/ami_uefi_key_leak/

Researcher hacks aircraft controls with Android smartphone

A presentation at the Hack In The Box security summit in Amsterdam has demonstrated that it’s possible to take control of aircraft flight systems and communications using an Android smartphone and some specialized attack code.

Hugo Teso, a security researcher at N.Runs and a commercial airline pilot, spent three years developing the code, buying second-hand commercial flight system software and hardware online and finding vulnerabilities within it. His presentation will cause a few sleepless nights among those with an interest in aircraft security.


Teso’s attack code, dubbed SIMON, along with an Android app called PlaneSploit, can take full control of flight systems and the pilot’s displays. The hacked aircraft could even be controlled using a smartphone’s accelerometer to vary its course and speed by moving the handset about.

“You can use this system to modify approximately everything related to the navigation of the plane,” Teso told Forbes. “That includes a lot of nasty things.”

First, Teso looked at the Automatic Dependent Surveillance-Broadcast (ADS-B) system that updates ground controllers on an aircraft’s position over a 1Mb/s data link. This has no security at all, he found, and could be used to passively eavesdrop on an aircraft’s communications and also actively interrupt broadcasts or feed in misinformation.
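Teso's point that ADS-B has no security, as an added example (my own Go, not his code or any avionics implementation): the only integrity check on a 1090ES Extended Squitter frame is a 24-bit CRC using the Mode S generator polynomial published in ICAO Annex 10, computed over the frame's own bits with no key. A receiver therefore verifies that a frame is well formed, not that it came from a transponder. The field layout follows the published DF17 format; the ICAO address and payload bytes in the sample are constructed and belong to no aircraft.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// modesGenerator is the Mode S / ADS-B CRC-24 generator polynomial from ICAO
// Annex 10 (x^24 + x^23 + ... + x^12 + x^10 + x^3 + 1), 25 bits with the leading 1.
const modesGenerator = 0x1FFF409

// A DF17 (ADS-B) frame is 112 bits, 14 bytes:
//   bits   0-4   DF, downlink format (17 for ADS-B)
//   bits   5-7   CA, capability
//   bits   8-31  ICAO 24-bit aircraft address
//   bits  32-87  ME, the 56-bit message (position, velocity, identity, ...)
//   bits  88-111 PI, parity: for DF17 simply the CRC of bits 0-87

// modesCRC returns the CRC-24 of the first 88 bits of a frame, i.e. the value a
// DF17 parity field must hold: plain GF(2) long division, zero initial
// remainder, no secret anywhere.
func modesCRC(frame []byte) uint32 {
	var buf [14]byte
	copy(buf[:11], frame) // parity bytes are treated as zero
	for i := 0; i < 88; i++ {
		if buf[i/8]&(0x80>>(i%8)) == 0 {
			continue
		}
		for j := 0; j < 25; j++ {
			if (modesGenerator>>(24-j))&1 == 1 {
				buf[(i+j)/8] ^= 0x80 >> ((i + j) % 8)
			}
		}
	}
	return uint32(buf[11])<<16 | uint32(buf[12])<<8 | uint32(buf[13])
}

// Decoded holds the fields a ground receiver extracts once the CRC passes.
type Decoded struct {
	DF, CA uint8
	ICAO   uint32
	ME     []byte // 7 bytes
}

// ParseDF17 does what a receiver does: check the CRC, then believe the contents.
func ParseDF17(frame []byte) (Decoded, error) {
	if len(frame) != 14 {
		return Decoded{}, fmt.Errorf("want 14 bytes, got %d", len(frame))
	}
	got := uint32(frame[11])<<16 | uint32(frame[12])<<8 | uint32(frame[13])
	if got != modesCRC(frame) {
		return Decoded{}, fmt.Errorf("CRC mismatch: parity %06x", got)
	}
	d := Decoded{
		DF:   frame[0] >> 3,
		CA:   frame[0] & 0x07,
		ICAO: uint32(frame[1])<<16 | uint32(frame[2])<<8 | uint32(frame[3]),
		ME:   append([]byte{}, frame[4:11]...),
	}
	if d.DF != 17 {
		return d, fmt.Errorf("not an ADS-B frame: DF=%d", d.DF)
	}
	return d, nil
}

// BuildDF17 assembles a CRC-valid DF17 frame for any ICAO address and payload.
// A transponder does exactly this; so can any other transmitter, which is the
// point: the receiver has nothing else to check.
func BuildDF17(ca uint8, icao uint32, me [7]byte) []byte {
	frame := make([]byte, 14)
	frame[0] = 17<<3 | ca&0x07
	frame[1], frame[2], frame[3] = byte(icao>>16), byte(icao>>8), byte(icao)
	copy(frame[4:11], me[:])
	crc := modesCRC(frame)
	frame[11], frame[12], frame[13] = byte(crc>>16), byte(crc>>8), byte(crc)
	return frame
}

func main() {
	// Constructed sample: an arbitrary ICAO address and a made-up ME payload.
	frame := BuildDF17(5, 0xABCDEF, [7]byte{0x58, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06})
	fmt.Println("frame:", hex.EncodeToString(frame))
	d, err := ParseDF17(frame)
	fmt.Printf("accepted=%v icao=%06X err=%v\n", err == nil, d.ICAO, err)

	// One flipped payload bit is caught, which is what a CRC is for ...
	frame[6] ^= 0x80
	_, err = ParseDF17(frame)
	fmt.Println("bit-flipped frame accepted:", err == nil)
	// ... but recomputing the CRC makes the altered frame "valid" again.
	crc := modesCRC(frame)
	frame[11], frame[12], frame[13] = byte(crc>>16), byte(crc>>8), byte(crc)
	_, err = ParseDF17(frame)
	fmt.Println("bit-flipped frame with recomputed CRC accepted:", err == nil)
}
```

A flipped bit is caught, as a CRC is designed to do, but a frame altered and then re-summed passes the same check; that is the difference between an integrity code and a message authentication code, and it is what would have to change before a ground station could trust what it hears.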

Also vulnerable is the Aircraft Communications Addressing and Reporting System (ACARS), the communication relay used between pilots and ground controllers. Using a Samsung Galaxy handset, he demonstrated how to use ACARS to redirect an aircraft’s navigation systems to different map coordinates.

“ACARS has no security at all. The airplane has no means to know if the messages it receives are valid or not,” he said. “So they accept them and you can use them to upload data to the airplane that triggers these vulnerabilities. And then it’s game over.”

Teso was also able to use flaws in ACARS to insert code into a virtual aircraft’s Flight Management System. By running the code between the aircraft’s computer unit and the pilot’s display he was able to take control of what the aircrew would be seeing in the cockpit and change the direction, altitude, and speed of the compromised craft.

He admitted that some of this was moot, given that the human pilot could always override the automatic systems, but the software could be used to make cockpit displays go haywire or control other functions, like deploying oxygen masks or lights.

The precise nature of the code flaws wasn’t released – for understandable reasons – but Teso says the Federal Aviation Administration and the European Aviation Safety Agency have both been informed and are working on fixing the issue. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/11/hacking_aircraft_with_android_handset/

SSH an ill-managed mess says SSH author Tatu Ylonen

Tatu Ylonen, author of the SSH protocol, isn’t afraid of criticising his own work: he’s calling for a new version of the Secure Shell to make it more manageable and get rid of the problem of undocumented rogue keys.

In this IETF Draft, Ylonen proposes a regime for key management, including key discovery, to overcome the problem. The draft, co-authored by NIST’s Murugiah Souppaya and Secure IT’s Greg Kent, proposes guidelines for “discovering, remediating, and continuously managing SSH user keys and other authentication credentials”.


The draft notes that there are often a great many more SSH keys in existence in an organisation than there are users – “hundreds of thousands, even over a million SSH keys authorising access have been found … [in] many large organizations. This is many times more than they have interactive users.”

Of course, having credentials wandering around loose in a company “present a real risk to information security”, the draft notes – and places a premium on finding out just what’s out there.

This draft, open for comment until October, focuses on processes and key management, but according to Ylonen, a new SSH will be needed (the current version, SSH-2, dates from 2006).

Some of the recommendations in the draft appear to reveal a surprising state of affairs, at least among companies whose SSH implementations have been reviewed by Ylonen’s company, SSH Communications Security. The draft recommends:

  • Moving keys to protected locations;
  • Removing unused keys;
  • Associating authorised keys with a business process or application;
  • Removing keys for which no valid purpose can be found;
  • Rotating keys;
  • Restricting what can be done with each authorised key;
  • Establishing a process for approving new keys.
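What the discovery and remediation steps above look like in code, as an added example (my own Go, not from the draft or from SSH Communications Security's tooling): a parser for OpenSSH authorized_keys entries that records each key's SHA256 fingerprint, then an audit over a constructed inventory that flags keys carrying no from=, command= or restrict option, one key authorised on more than one account, and entries that do not parse. The accounts, hostnames and key blobs are made up; the blobs are syntactically valid ssh-ed25519 keys built from filler bytes, not real keys.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// AuthorizedKey is one parsed entry of an OpenSSH authorized_keys file.
type AuthorizedKey struct {
	Options            []string
	Type, Key, Comment string // declared type, base64 blob as written, trailing comment
	Fingerprint        string // OpenSSH-style "SHA256:<base64>" of the decoded blob
}

var keyTypes = map[string]bool{"ssh-rsa": true, "ssh-ed25519": true, "ecdsa-sha2-nistp256": true}

// splitOptions consumes the leading comma-separated option list, honouring double
// quotes (from="10.0.0.0/8,10.1.0.0/16" and command="rsync --server" contain commas
// and spaces), and returns the remainder of the line.
func splitOptions(line string) (opts []string, rest string) {
	quoted, start := false, 0
	for i := 0; i <= len(line); i++ {
		switch {
		case i == len(line) || (!quoted && line[i] == ' '):
			return append(opts, line[start:i]), strings.TrimLeft(line[i:], " ")
		case line[i] == '"':
			quoted = !quoted
		case !quoted && line[i] == ',':
			opts, start = append(opts, line[start:i]), i+1
		}
	}
	return opts, ""
}

// ParseLine parses one entry and checks that the key blob really is of the declared type.
func ParseLine(line string) (AuthorizedKey, error) {
	var k AuthorizedKey
	if f := strings.Fields(line); len(f) > 0 && !keyTypes[f[0]] { // options precede the key
		k.Options, line = splitOptions(strings.TrimSpace(line))
	}
	f := strings.Fields(line)
	if len(f) < 2 || !keyTypes[f[0]] {
		return k, errors.New("no recognised key type")
	}
	k.Type, k.Key, k.Comment = f[0], f[1], strings.Join(f[2:], " ")
	blob, err := base64.StdEncoding.DecodeString(k.Key)
	if err != nil {
		return k, err
	}
	if len(blob) < 4 {
		return k, errors.New("truncated key blob")
	}
	// The blob carries its own length-prefixed type string, which must agree with the line.
	if n := 4 + int(binary.BigEndian.Uint32(blob)); n < 4 || n > len(blob) || string(blob[4:n]) != k.Type {
		return k, errors.New("blob type does not match declared type")
	}
	sum := sha256.Sum256(blob)
	k.Fingerprint = "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
	return k, nil
}

// IsRestricted reports whether the entry limits where the key may come from or what it may run.
func IsRestricted(k AuthorizedKey) bool {
	for _, o := range k.Options {
		if o == "restrict" || strings.HasPrefix(o, "from=") || strings.HasPrefix(o, "command=") {
			return true
		}
	}
	return false
}

type Account struct{ Name, Keys string }                    // user@host and its authorized_keys content
type Finding struct{ Account, Fingerprint, Problem string } // one item for the remediation list

// Audit reports unparseable entries, unrestricted keys, and a key seen on more than one account.
func Audit(accounts []Account) []Finding {
	var out []Finding
	first := map[string]string{} // fingerprint -> first account it was authorised on
	for _, a := range accounts {
		for n, line := range strings.Split(a.Keys, "\n") {
			if t := strings.TrimSpace(line); t == "" || t[0] == '#' {
				continue
			}
			k, err := ParseLine(line)
			if err != nil {
				out = append(out, Finding{a.Name, "", fmt.Sprintf("line %d unparseable: %v", n+1, err)})
				continue
			}
			if !IsRestricted(k) {
				out = append(out, Finding{a.Name, k.Fingerprint, "no from=, command= or restrict option"})
			}
			if prev, ok := first[k.Fingerprint]; ok && prev != a.Name {
				out = append(out, Finding{a.Name, k.Fingerprint, "same key also authorised on " + prev})
			} else if !ok {
				first[k.Fingerprint] = a.Name
			}
		}
	}
	return out
}

// fakeKey builds a syntactically valid ssh-ed25519 blob from a filler byte (constructed, not a real key).
func fakeKey(fill byte) string {
	blob := append([]byte("\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"), strings.Repeat(string([]byte{fill}), 32)...)
	return base64.StdEncoding.EncodeToString(blob)
}

// SampleAccounts is a constructed inventory: one key reused on two hosts, one properly
// restricted job key, and one corrupt line.
func SampleAccounts() []Account {
	shared := fakeKey(0x01)
	return []Account{
		{"app@web01", "# deploy keys\nssh-ed25519 " + shared + " backup@old-laptop\n" +
			`from="10.0.0.5",command="/usr/local/bin/backup.sh" ssh-ed25519 ` + fakeKey(0x02) + " backup-job\n"},
		{"root@db01", "ssh-ed25519 " + shared + " backup@old-laptop\nssh-rsa AAAA not-a-key\n"},
	}
}

func main() {
	for _, f := range Audit(SampleAccounts()) {
		fmt.Printf("%-10s %-50s %s\n", f.Account, f.Fingerprint, f.Problem)
	}
}
```

Remediation for the unrestricted findings is to prepend options such as restrict,from="10.0.0.5",command="/usr/local/bin/backup.sh" to the entry (restrict needs OpenSSH 7.2 or later); the parser handles such lines, including quoted options containing spaces and commas, so the audit can be re-run to confirm the fix. The fingerprint is the same SHA256 form ssh-keygen -l prints, so findings can be matched against keys found elsewhere.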

The list looks somewhat like what companies should already have been doing in managing their SSH access – but it’s probable that someone configuring new kit finds it simpler to create such things ad-hoc. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/11/ssh_security_undermined_by_management/

Microsoft squashes 9 bugs with Patch Tuesday fixes

Microsoft has issued nine patches for vulnerabilities in its software on the computer-murk jamboree day that is Patch Tuesday.

The updates plug two “critical” vulnerabilities in Internet Explorer and Windows that allow for remote code execution, and seven “important” vulns that allow for privilege escalation, denial of service attacks, and data leakage.


One of the critical patches fixes two vulnerabilities in all versions of Internet Explorer, including IE 10; they are more severe for users who have administrative rights on the system.

The other critical patch plugs a privately reported vulnerability in Windows Remote Desktop Client that affects many versions of Windows excluding Win 8, Server 2012, and Windows RT.

As expected, the other seven patches deal with less concerning or severe bugs, though two of these – “Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (MS13-034),” and “Vulnerabilities in Kernel-Mode Driver Could Allow Elevation of Privilege (MS13-036)” – merit a “1” on Redmond’s exploitability index, making “exploit code likely.”

As is typical, these patches are delivered by Windows Update. Intel, Google, and HP researchers reported the vulnerabilities to Microsoft, among others.

Alongside the typical updates, Tuesday also brought patches for Microsoft’s “Surface” line of fondleslabs. These marked the fifth time the Surface RT slabs have been given a software touch-up, and the third time for the Surface Pros. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/09/microsoft_patch_tuesday_april/

British LulzSec member pleads guilty

A 26-year-old British man pleaded guilty to one count of computer hacking today after admitting he was a member of Anonymous splinter group LulzSec.

Ryan Ackroyd, 26, from South Yorkshire, appeared at Southwark Crown Court, where he faced charges of launching attacks on the websites of high-profile companies including Nintendo, News International, 20th Century Fox, Sony Group and the NHS. He will not face trial on the count of operating a denial of service attack, which will lie on file.


Ackroyd will be sentenced next month along with two other men on similar charges.

Mustafa Al-Bassam, 18, from Peckham, and Jake Davis, 20, from Lerwick, Shetland, have previously pleaded guilty to computer hacking.

LulzSec is a group of hackers which broke off from Anonymous in 2011 and went on to claim a number of attacks, including an audacious hack on News International’s website in which a story was put up falsely claiming that owner Rupert Murdoch had died.

It is also credited with attacks on the CIA and Fox News.

LulzSec hacker Ryan Cleary admitted to six counts of hacking, including an attack on computers at the Pentagon. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/09/lulzsec_hacker_court/

Mozilla’s Persona beta adds password-free Yahoo! logins

The Mozilla Foundation has shipped a second public beta of its Persona web-login technology featuring a new capability called Identity Bridging, which makes it easier for users to access sites using only their email addresses and no additional passwords.

“The goal of Persona is simple: we want to eliminate passwords on the Web,” Mozilla director of identity Ben Adida wrote in a blog post announcing the release on Tuesday.

Mozilla unveiled the first beta of Persona – formerly known as BrowserID – in September 2012. With that version of the technology, users who registered an email address with a server called a Persona Identity Provider (IdP) could then log into Persona-enabled websites without a password, via an authentication system based on public-key cryptography.

The new version of Persona still supports that login process, but the addition of Identity Bridging makes it possible for users who have accounts with leading email providers to use their existing email addresses to log into Persona-enabled sites without explicitly registering their addresses with a Persona IdP.

It works because most of the large public email providers already support OpenID or OAuth as a way of offering their users easy authentication on other websites. What Mozilla has done, according to a technical blog post, is build a server that acts as a bridge between these other protocols and Persona.
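The public-key login the paragraphs above describe, as an added example in Go that is my own simplification and not Mozilla's code: Persona (BrowserID) has the IdP, or the bridge acting for yahoo.com, sign a short-lived certificate binding the email address to a key the browser generated, and the browser then signs an assertion naming the site it is logging into; the site verifies both. Real Persona uses JWT-style tokens and RSA/DSA keys and fetches IdP keys over HTTPS from the domain's /.well-known/browserid document; here the tokens are JSON with a detached Ed25519 signature and the IdP keys are a constructed map, so the chain of checks is the focus. The email address, origin and keys are all made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Signed is a JSON body plus an Ed25519 signature over it. Persona itself uses
// JWT-style tokens and RSA/DSA keys; this layout and key type are my simplification.
type Signed struct {
	Body []byte
	Sig  []byte
}

// Certificate is what an identity provider (or Mozilla's bridge, after it has
// authenticated the user to Yahoo! via OAuth/OpenID) issues: it binds an email
// address to a public key the browser generated, for a limited time.
type Certificate struct {
	Email  string            `json:"email"`
	PubKey ed25519.PublicKey `json:"pubkey"`
	Exp    int64             `json:"exp"`
}

// Assertion is what the browser signs for one site: that site's origin and an expiry.
type Assertion struct {
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func sign(priv ed25519.PrivateKey, v interface{}) Signed {
	body, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}
}

// IssueCertificate runs at the IdP or bridge, after the user has logged in there.
func IssueCertificate(idpPriv ed25519.PrivateKey, email string, userPub ed25519.PublicKey, exp time.Time) Signed {
	return sign(idpPriv, Certificate{Email: email, PubKey: userPub, Exp: exp.Unix()})
}

// MakeAssertion runs in the browser when the user clicks "sign in" on a site.
func MakeAssertion(userPriv ed25519.PrivateKey, audience string, exp time.Time) Signed {
	return sign(userPriv, Assertion{Aud: audience, Exp: exp.Unix()})
}

// Verifier is the relying-party side: it knows its own origin and the public
// keys of the IdPs it trusts, keyed by email domain (a constructed stand-in for
// the /.well-known/browserid lookup).
type Verifier struct {
	Origin  string
	IdPKeys map[string]ed25519.PublicKey
}

// Verify checks the chain site <- assertion <- certificate <- IdP and returns
// the email address the user has proven control of, or an error.
func (v Verifier) Verify(cert, assertion Signed, now time.Time) (string, error) {
	var c Certificate
	if err := json.Unmarshal(cert.Body, &c); err != nil {
		return "", err
	}
	at := strings.LastIndex(c.Email, "@")
	if at < 0 {
		return "", errors.New("certificate has no email domain")
	}
	idpKey, ok := v.IdPKeys[c.Email[at+1:]]
	if !ok {
		return "", errors.New("no trusted IdP for " + c.Email[at+1:])
	}
	if !ed25519.Verify(idpKey, cert.Body, cert.Sig) {
		return "", errors.New("certificate not signed by that domain's IdP")
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("certificate expired")
	}
	var a Assertion
	if err := json.Unmarshal(assertion.Body, &a); err != nil {
		return "", err
	}
	if a.Aud != v.Origin {
		return "", errors.New("assertion was issued for " + a.Aud + ", not for us")
	}
	if now.Unix() >= a.Exp {
		return "", errors.New("assertion expired")
	}
	if !ed25519.Verify(c.PubKey, assertion.Body, assertion.Sig) {
		return "", errors.New("assertion not signed by the certified key")
	}
	return c.Email, nil
}

func main() {
	// Constructed keys: one for the yahoo.com bridge, one for the user's browser.
	bridgePub, bridgePriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()

	site := Verifier{Origin: "https://example.test", IdPKeys: map[string]ed25519.PublicKey{"yahoo.com": bridgePub}}
	cert := IssueCertificate(bridgePriv, "alice@yahoo.com", userPub, now.Add(time.Hour))
	fmt.Println(site.Verify(cert, MakeAssertion(userPriv, "https://example.test", now.Add(2*time.Minute)), now))

	// The same certificate with an assertion meant for another site is refused: the
	// audience check is what stops one site replaying a user's login at another.
	fmt.Println(site.Verify(cert, MakeAssertion(userPriv, "https://other.test", now.Add(time.Minute)), now))
}
```

The certificate lives for hours and is reused across sites; the assertion is minted per login and lives for minutes, and because it names the audience, a site that receives one cannot present it elsewhere. Nothing in the exchange tells the IdP which sites the user visits, which is the privacy property Persona claimed over OpenID-style redirects.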

This first beta release of the Identity Bridging feature only works with Yahoo.com email addresses for the time being, but Mozilla says it plans to switch on support for other providers in the coming months. By the time it’s done, Mozilla says, it expects Persona logins to be available to “over half of the worldwide internet population.”

Screenshot: Persona integration with Yahoo!. Identity Bridging only works with Yahoo! for now, but support for more email providers is coming.

For now, anyone with a Yahoo.com email account can use their address to access Persona-enabled sites simply by entering it into the login field. No additional steps are required and you don’t need to re-enter your password. As long as you are logged into your Yahoo.com account, the login to the Persona-enabled site is automatic.

Of course, at this early stage of the project, finding a website that supports Persona can be a challenge. Mozilla lists the Born This Way Foundation, Discourse, and the Eclipse Foundation’s OrionHub as a few places you can try it out online, but the technology has yet to win adoption by major sites such as Facebook or Twitter.

In addition to adding Identity Bridging, Mozilla says the new version of Persona loads twice as fast as the previous one, particularly on slow data connections, and that it has also baked support for Persona into Firefox OS, so that apps built for Mozillafied mobes will all be able to offer simple, password-free login and authentication.

Site builders who want more information on Persona might want to read this interview with lead engineer Lloyd Hilaiel or peruse the detailed technical documentation on Mozilla’s developer website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/09/persona_beta_2_identity_bridging/

Malware-flingers target gullible corporate bods with office printer spam

Sneaky cybercrooks are disguising links to malicious sites in spam emails posing as messages from Hewlett-Packard ScanJet printers.

The attack takes advantage of the fact corporate users often receive emailed messages from scanners and multi-function printers located in their own offices, which contain attachments of the scan that the device has just completed. In this case the scam messages contain links to a site hosting malware.


The ruse is an extension of earlier scams in which fake scanner results contained a malicious attachment. Malicious attachments of this type are easier to catch than links to malicious websites, hence the cybercrooks’ decision to switch tactics.

In one case recently encountered by Sophos, the link of the supposed scan result page directed the user to a Russian-hosted website riddled with malware. Scam messages contain forged header information designed to hoodwink prospective marks into thinking that the dodgy message came from inside their corporate LAN rather than from external cybercrooks.

Sophos has a full write-up of that attack in an advisory notice on its Naked Security blog.

The abuse of HP’s brand in the attack is purely incidental. Cybercrooks could easily run exactly the same attack using messages purporting to come from a Lexmark or Brother device, for example.

“As always, be very careful dealing with unsolicited emails and wary of clicking on unknown links – even if you do think at first that they could have been sent to you by one of the printers or photocopiers in your office building,” Graham Cluley, senior technology consultant at Sophos, advises. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/09/scanner_malware_scam/

Microsoft’s security apps still trip up on Windows 8

German independent security firm AV-Test has released evaluations of security software for Windows 8 for the first time, and – not entirely surprisingly – it once again found Microsoft’s own products were among the weaker performers.

The firm tested its usual batch of 25 antivirus products for consumers, plus eight aimed at corporate users, during the first two months of 2013. It published its results on Saturday.


Microsoft Windows Defender – the rebadged version of Microsoft Security Essentials that comes bundled with Windows 8 – scored just 2.0 out of 6 in AV-Test’s Protection rankings. Redmond’s enterprise-oriented System Center Endpoint Protection scored a paltry 1.5.

According to AV-Test, Windows Defender managed to spot just 82 per cent of zero-day malware attacks during January and 81 per cent during February, based on 125 samples. The industry average was 95 per cent.

Windows Defender did a little better at detecting “widespread and prevalent” malware, catching 98 per cent of samples thrown at it in January and 99 per cent in February. But that still wasn’t quite as good as the industry average, which was 99 per cent.

On the enterprise side, System Center Endpoint Protection caught a consistent 98 per cent of widespread malware samples across both months. That was another subpar showing, though, given that on average, the other enterprise products identified all the samples.

And Endpoint Protection’s track record for zero-day malware was even worse than Windows Defender’s, spotting just 80 per cent of the samples in January and 83 per cent in February.

Both of Microsoft’s products ranked fairly well in other aspects AV-Test looked at. In particular, both scored 6 out of 6 for Usability, with no false positives spotted and no legitimate actions being blocked erroneously. Both offered reasonably good performance as well, although here Endpoint Protection had the edge over Windows Defender.

Many customers might argue, however, that high usability and fast performance aren’t much good when the product isn’t so hot at what it purports to do: stopping malware.

But others are likely to disagree with AV-Test’s assessment of Redmond’s security products – not least of which is Microsoft itself. AV-Test has butted heads with the software giant over its testing methodology in the past, which Microsoft says uses malware samples that “don’t represent what our customers encounter.”

Be that as it may, several other products significantly outperformed Microsoft’s on the Protection portion of this round of AV-Test’s evaluations. Leading the pack in the consumer sector were products from F-Secure, G Data, Bitdefender, Kaspersky, BullGuard, and Trend Micro, all of which earned perfect scores. Kaspersky and F-Secure topped the list of the enterprise products.

The full results of AV-Test’s January-February testing can be found on the company’s website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/04/09/av_test_first_windows_8_results/