STE WILLIAMS

We shall CRUSH you, puny ROBOT… with CHESS


Zugzwang, overlords: Chess puzzle acts as CAPTCHA


An online forum is using chess puzzles as CAPTCHAs rather than the more traditional challenge-response tests which ask the user to identify distorted text.

The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a way for a website or online service to establish that a human has come calling rather than a piece of automated software. Typically a few visually distorted words are shown and punters have to type them into a dialogue box. Robots tend to be stumped by this verification process. The technology is often used to frustrate spambots from automatically signing up to web mail accounts and similar services.


The people behind online chess forum lichess.org have taken a different line by using a simple chess puzzle test instead. Although it’s perfect for the forum in question the test is unlikely to go mainstream because it would completely fox anyone who had never played chess and not just the bots it wants to block.

And, as Graham Cluley of Sophos points out, computers have been better than humans (at below grandmaster level) at playing chess for many years.

At least the test isn’t as obscure as a calculus-based CAPTCHA posited by eggheads at Croatia’s Ruđer Bošković Institute a couple of years ago. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/14/chess_based_captcha/

Fake fingers fool Brazilian biometrics

Doctors at Ferraz de Vasconcelos hospital in Sao Paulo, Brazil, have reportedly fabricated fake fingers to fool biometric scanners.

The scam came to light on Globo Television, whose text and video report shows one of the fake digits and a disguised interviewee.

Sadly, your correspondent’s Portuguese language skills only extend to ordering cool beverages and giant Francesinha sandwiches. We’ve therefore turned to Agence France Presse’s account of the incident, which says hospital staff used the fake fingers to clock on up to 300 phantom staff.

Real-world staffers create fingers bearing their own prints, somehow also create a phantom worker, and someone then clocks on for both. The fingers, pictured below, don’t look particularly hard to make given that silicone is nicely malleable when liquid. The mark on the cloudy cylindrical case at the finger’s base might even be an identifier of some sort, used to keep the scam straight among multiple scammers.

One of the fake fingers used in a Brazilian hospital scam

Give your boss this finger and he or she might just give you an extra pay packet

AFP and other sources haven’t explored just what fingerprint readers are in use at Ferraz de Vasconcelos, but it’s hard to imagine they won’t be upgraded shortly, or that the facility’s DBAs aren’t about to have a busy day sorting real workers from pretend ones. ®
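The sorting job the DBAs face is a log-analysis problem: one hand presenting several fingers produces a burst of clock-ins on the same terminal a few seconds apart, and the same set of employee IDs turns up together day after day. The script below is an added illustration of that detection logic, not anything from the hospital or AFP; the log format, terminal and employee IDs, and the 30-second window are all assumptions, and the sample log is constructed.

```python
"""Flag clock-in bursts consistent with one person presenting several
fingers (their own plus fabricated ones for phantom colleagues).

Assumed log format, one event per line:
    <ISO timestamp> <terminal id> <employee id> <IN|OUT>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample: E100 is always followed within seconds by E417 and E418
# on terminal T1; E205 and E301 clock in on their own.
SAMPLE_LOG = """\
2013-03-11T06:58:03 T1 E100 IN
2013-03-11T06:58:09 T1 E417 IN
2013-03-11T06:58:14 T1 E418 IN
2013-03-11T07:02:40 T2 E205 IN
2013-03-11T07:31:12 T1 E301 IN
2013-03-12T06:57:55 T1 E100 IN
2013-03-12T06:58:01 T1 E417 IN
2013-03-12T06:58:07 T1 E418 IN
2013-03-12T07:03:10 T2 E205 IN
2013-03-12T07:29:48 T1 E301 IN
2013-03-13T06:59:20 T1 E100 IN
2013-03-13T06:59:27 T1 E417 IN
2013-03-13T06:59:33 T1 E418 IN
2013-03-13T07:01:05 T2 E205 IN
2013-03-13T07:30:02 T1 E301 IN
"""


def parse(log):
    """Parse the log into (timestamp, terminal, employee, event) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, terminal, employee, event = line.split()
        events.append((datetime.fromisoformat(ts), terminal, employee, event))
    return sorted(events)


def burst_groups(events, window=timedelta(seconds=30)):
    """Group consecutive IN events on one terminal whose gaps are all <= window.

    A lone clock-in is never a group; a group needs at least two events.
    """
    by_terminal = defaultdict(list)
    for ev in events:
        if ev[3] == "IN":
            by_terminal[ev[1]].append(ev)

    groups = []
    for evs in by_terminal.values():
        current = [evs[0]]
        for prev, ev in zip(evs, evs[1:]):
            if ev[0] - prev[0] <= window:
                current.append(ev)
            else:
                if len(current) > 1:
                    groups.append(current)
                current = [ev]
        if len(current) > 1:
            groups.append(current)
    return groups


def suspicious_pairs(events, window=timedelta(seconds=30), min_days=3):
    """Employee pairs that clock in within `window` of each other on >= min_days days.

    A pair that is always adjacent at the reader is the signature of one hand
    holding two fingers; a genuine queue at the door pairs people at random.
    """
    days_seen = defaultdict(set)
    for group in burst_groups(events, window):
        ids = sorted({ev[2] for ev in group})
        day = group[0][0].date()
        for a, b in combinations(ids, 2):
            days_seen[(a, b)].add(day)
    return sorted(pair for pair, days in days_seen.items() if len(days) >= min_days)


if __name__ == "__main__":
    for a, b in suspicious_pairs(parse(SAMPLE_LOG)):
        print(f"{a} and {b} clock in together every day: check for a shared finger")
```

Tuning the window and the day threshold against real shift patterns is the work; a hospital with a single reader at the staff entrance will see honest bursts at 07:00, so the persistent pairing across days carries more weight than any single burst.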

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/14/brazilian_fake_fingers/

Blue Coat, Skype and QQ named despots’ best friends

Blue Coat Systems, Microsoft’s Skype and Chinese IM service QQ have all helped repressive states labelled “enemies of the internet” to snoop on their citizens, according to a new cyber censorship report from press freedom group Reporters Without Borders.

Given China’s increasingly rigorous censorship of web-borne content and general crackdown on freedom of expression online through VPN blocking and other measures, it’s perhaps not a great surprise that it makes the group’s 2013 report as an “enemy of the internet”. Bahrain, Iran, Syria and Vietnam “won” the same status.


Aside from the activities of the state-maintained Great Firewall, the report also draws attention to the self-policing work which private technology providers are required by law to carry out in the Middle Kingdom.

The hugely popular QQ app run by domestic web giant Tencent, for example, was branded “a giant Trojan horse” by allowing the authorities to monitor conversations by “certain keywords and expressions” and easily traceable user numbers.

The company also operates a QQ International service for users outside of China. Although the report did not specifically address whether its surveillance concerns extend to this service, if the QQ International servers are located in China, Tencent would technically have to comply with the same rules.

Tencent was recently forced to explain itself after it appeared to censor messages on its Whatsapp-like WeChat service – albeit in Chinese characters – even though they were being sent by users outside of China.

The company later claimed this was down to a “technical glitch”.

Reporters Without Borders also highlighted how the Chinese language version of Skype, made available through local media partner TOM, automatically monitors the text chats of its users and blocks any messages containing specific keywords before saving a copy of the offending message to a TOM-Skype server.

These allegations have been around since a 2008 OpenNet Initiative Asia report but are more relevant now given Skype parent company Microsoft’s advocacy of online freedom of expression.

Bloomberg has a detailed analysis of how researcher Jeffrey Knockel uncovered Skype’s role in China’s online surveillance activities. His research can be found here.

As Skype automatically defaults to the TOM-Skype page inside the Great Firewall – which looks pretty similar to the original – some of China’s 96 million-odd users of the service may be using the local version unaware that their security is at risk, the report claimed.

For its part, Microsoft sent The Reg the following statement, re-iterating that Skype is a JV in China:

As the majority partner in the joint venture, TOM Online has established procedures to meet its obligations under local laws. Even as a minority partner we understand we also have responsibilities. Microsoft is working to adopt appropriate changes that can be made to address the issues raised. We understand the passion our users have for Skype and are committed to taking concrete steps to further increase transparency and accountability.

For the first time, the Reporters Without Borders report also highlighted five corporate “enemies of internet”, which it claims “all sell products that are liable to be used by governments to violate human rights and freedom of information”.

The report claims these firms either sold direct to authoritarian regimes and therefore “must have known that their products could be used to spy on journalists, dissidents and netizens”, or failed to track their products properly, which “means they did not care if their technology was misused and did not care about the vulnerability of those who defend human rights”.

Information security vendor Blue Coat Systems is slammed for “providing filtering and censorship devices for countries such as Syria and Burma”.

The report also singles out the Deep Packet Inspection (DPI) capabilities of Blue Coat’s PacketShaper product as problematic, although if DPI alone is enough to get a vendor into the report we can expect an avalanche of additional security vendors being added to the “enemy” list in future.

Blue Coat sent a statement to Cnet which basically repeats the arguments of this corporate blog post from February.

In short, it claims that the vendor “respects and supports freedom of expression”, respects the laws of the countries in which it does business, and does not design “products or condone their use to suppress human rights”.

Also singled out in the report are French spyware firm Amesys, which is claimed to have sold to the Gadaffi regime; UK/German spyware maker Gamma International; Italian firm Hacking Team, which provides “lawful interception” kit; and German firm Trovicor. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/14/china_enemy_internet_blue_coat_skype/

Bromium launches security-through-virtualisation tech in the UK

Bromium has arrived as a sales force in the UK market with its strategy for making desktop computers secure using virtualisation technology.

The firm, which already employs an R&D/engineering team in Cambridge, has now added sales and support operations for the UK and wider European market. It’s also looking to recruit channel partners in a bid to ramp up sales.


Rather than attempting to detect malware or hacker attacks, Bromium is focusing on providing strong isolation on virtual machines, based on its vSentry software. vSentry is built on the Bromium Microvisor, a security-focused hypervisor designed to automatically isolate each vulnerable Microsoft Windows task in a micro-VM that is prevented from modifying Windows. The same technology restricts a micro-VM instance from accessing intranet resources or databases.

Whenever a task isolated within vSentry attempts to access files or interact with the user, the hardware interrupts execution and passes control to the Microvisor, which enforces task-specific policies. The same bouncer-style approach is applied when attempts are made to access networks, devices or the clipboard on a user’s PC.

The whole approach is designed to tackle the problem of end-point security, according to Ian Pratt, co-founder and SVP of products at Bromium. Pratt contends that the “protection through isolation” approach allows scores of micro-VM instances to be run on a PC without causing a performance hit. A user’s experience is the same even though every time a user opens a file or clicks on an email they start a new virtual machine. This virtual machine is thrown away as soon as a task is finished, so if a user opens a booby-trapped email or visits a dodgy website it doesn’t matter.
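The three properties just described, a copy-on-write view so the task cannot modify the host, a broker that mediates every network, device and clipboard request against a task-specific policy, and a layer that is thrown away when the task ends, can be sketched in a few dozen lines. The model below is an added illustration and is not Bromium’s Microvisor or vSentry code; the trust zones, the intranet ranges, the user-gesture rule for the clipboard and the sample task are all assumptions, and a real microvisor enforces these at the hardware-trap level rather than in a Python class.

```python
"""Toy model of protection through isolation: a per-task copy-on-write layer,
a policy broker keyed on the task's origin, and discard-on-exit.

Assumptions (not from the page): two trust zones, "internet" and "intranet";
RFC 1918 plus loopback count as intranet; clipboard access needs a user gesture.
"""
import ipaddress
from dataclasses import dataclass, field

INTRANET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


class Denied(Exception):
    """Raised when the broker refuses a request under the task's policy."""


@dataclass
class MicroVM:
    task: str
    origin: str                     # "internet" (untrusted) or "intranet" (trusted)
    base: dict                      # shared host view; the task never writes to it
    layer: dict = field(default_factory=dict)   # copy-on-write writes land here
    user_gesture: bool = False      # set when the user explicitly pastes/copies

    def read(self, path):
        """Reads see the task's own writes first, then fall through to the host."""
        return self.layer.get(path, self.base.get(path))

    def write(self, path, data):
        """Writes are captured in the layer and never reach `base`."""
        self.layer[path] = data

    def connect(self, host):
        """Internet-origin tasks may not reach intranet addresses at all."""
        ip = ipaddress.ip_address(host)
        if self.origin == "internet" and any(ip in net for net in INTRANET):
            raise Denied(f"{self.task}: intranet host {host} blocked")
        return True

    def clipboard(self, op):
        """Clipboard traffic is only brokered through on an explicit user action."""
        if not self.user_gesture:
            raise Denied(f"{self.task}: clipboard {op} without user action")
        return True

    def discard(self):
        """End of task: drop the layer; returns how many captured writes vanished."""
        dropped = len(self.layer)
        self.layer.clear()
        return dropped


def demo():
    """Run one booby-trapped document through the model and report what it achieved."""
    # Assumed host view; the hosts file is what an exploit would try to persist into.
    host_view = {"hosts": "127.0.0.1 localhost"}
    vm = MicroVM(task="open invoice.pdf from webmail", origin="internet", base=host_view)
    result = {}

    vm.write("hosts", "127.0.0.1 localhost\n203.0.113.9 bank.example")  # persistence attempt
    result["seen_inside_vm"] = vm.read("hosts")         # the task believes it succeeded

    for host in ("10.20.30.40", "198.51.100.7"):        # intranet vs public address
        try:
            vm.connect(host)
            result[host] = "allowed"
        except Denied:
            result[host] = "denied"

    try:
        vm.clipboard("paste")
        result["clipboard"] = "allowed"
    except Denied:
        result["clipboard"] = "denied"

    result["writes_dropped"] = vm.discard()
    result["host_after"] = host_view["hosts"]           # "no persistent effect"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the model makes is the one Pratt makes: the exploit runs, and from inside the micro-VM its tampering appears to work, but the host view is untouched once the layer is discarded and the lateral move to an intranet address never leaves the broker. What the model cannot show is the part that matters most in practice, namely that the trap into the Microvisor is taken by hardware and not by code the exploit could patch.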

“There’s no persistent effect,” Pratt told the Reg during a run-through of the technology.

This type of software seemingly defies comparison with anti-virus products, firewalls, intrusion detection and all the more common techniques of thwarting hacking and malware attacks. It’s loosely comparable to thin-client computing, married to the greater flexibility of a fat client experience, tied together with management and some forensic capabilities.

All this is far more secure than ‘sandboxing’, according to Bromium.

vSentry from Bromium is currently available for Windows 7, Internet Explorer and MS Office environments, with other platforms in development. In addition, vSentry incorporates Live Attack Visualization and Analysis (LAVA), an analytics engine that allows Bromium to monitor and record attempted attacks within the quarantine offered by an isolated micro-VM. Both vSentry and LAVA can be configured and managed through the Bromium Management Server.

A more detailed run-down of the virtualisation technology pulling the strings behind Bromium’s technology can be found in an earlier report by Reg enterprise systems editor Timothy Prickett Morgan.

In independent tests run by NSS Labs, Bromium vSentry isolated all attacks against desktop applications thrown at it, preventing them from compromising or altering the system, while incurring a total performance overhead of 9 per cent. The tests included drive-by exploits, exploits embedded in PDFs and custom malware.

This is impressive but it’d be both complacent and dangerous for Bromium developers to kick back and spark up a large cigar just yet. Any such protection depends on the machine being clean of rootkits or other deep-lying malware in the first place.

The technology, initially targeted at security-conscious enterprises, was originally developed for the intelligence community before the founders of Bromium decided to develop the technology commercially.

“We see this as a broad market,” Pratt said, adding that the technology can run on any modern PC.

Bromium launched the products in North America last October. This week’s launch in the UK will allow it to address the local market as well as branching out into continental Europe. The firm was founded by the techies who brought us the Xen open-source hypervisor at Cambridge University. They commercialized it as XenSource, and sold it for $500m to Citrix Systems in September 2007. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/14/bromium_threat_isolation/

US national vulnerability database hacked

The US government’s online catalog of cyber-vulnerabilities has been taken offline – ironically, due to a software vulnerability.

The National Institute of Standards and Technology’s National Vulnerability Database’s (NVD) public-facing website and other services have been offline since Friday due to a malware infection on two web servers, it emerged on Wednesday.


The Register received an anonymous tip-off about the infection on Wednesday afternoon, which led us to a Google+ post containing information from NIST.

“On Friday March 8, a NIST firewall detected suspicious activity and took steps to block unusual traffic from reaching the Internet,” Gail Porter of NIST’s public inquiries office told a concerned chief security officer in an email, according to the post.

“NIST began investigating the cause of the unusual activity and the servers were taken offline. Malware was discovered on two NIST Web servers and was then traced to a software vulnerability.”

There is no evidence that NIST web pages were used to serve malware, Porter wrote, and the organization is “continuing to respond to the incident.”

So far, NIST is doing everything by the literal book, as section 4.3.4 of its own Guide to Malware Incident Prevention and Handling (PDF) says that if you do get infected by malware, “containing incidents by placing temporary restrictions on network connectivity can be very effective”.

The Register has requested more information on the problem, but NIST had not responded at the time of filing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/14/us_malware_catalogue_hacked/

JPMorgan Chase is latest US bank in MYSTERY web savaging

JPMorgan Chase’s website went kaput yesterday when the bank became the latest US financial institution to find itself on the business end of a distributed denial-of-service assault.

Visitors to chase.com were shown a “website temporarily down” message on the front page, although the bank’s mobile apps were said to be working.


Iran and a group of Islamic activists called the Izz ad-Din al-Qassam Cyber Fighters have been linked to internet attacks on major American banks, including US Bancorp, Citigroup, Wells Fargo and Bank of America.

The hacktivists claimed responsibility for a series of distributed denial-of-service attacks that hit those financial organisations in September, and declared JPMorgan Chase, SunTrust and PNC Financial Services Group were all possible targets for a second stage in its operations.

“In new phase, the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks,” the group said in a statement posted on the Pastebin website in December.

The Cyber Fighters said that the reason for the computer network offensive was the continued availability of the inflammatory Innocence of Muslims video on YouTube. However, when the video was taken down, the group said it had suspended its attacks.

A former American government official claimed earlier this year that Iran was orchestrating the attacks. James Lewis of the Centre for Strategic and International Studies in Washington believed that the aim was retaliation over the nuclear-fuel-centrifuge-knackering virus Stuxnet and other cyber-barrages against Iran.

JPMorgan Chase’s site now appears to be working, although DDoS attacks can result in intermittent service. In December, Wells Fargo customers had trouble using the bank’s site for at least four days as it dropped in and out of view. But security experts have said that there’s no real evidence to show that Iranian officials are behind the campaign. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/13/jpmorgan_chase_ddos_attack/

Black Tuesday patchfest: A lot of digits plug security dykes

Microsoft carried out a fairly comprehensive spring cleaning of vulnerabilities on Tuesday, fixing 20 vulnerabilities with seven bulletins, four of which are rated critical.

Heading the critical list is an update for Internet Explorer (MS13-021) that tackles nine vulnerabilities, including a zero-day vulnerability in IE 8.


“This bulletin alone composes almost half of the vulnerabilities addressed this month,” said Marc Maiffret, CTO at BeyondTrust. “Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers.”

IE was the subject of two bulletins in February and one in March. Further updates in April are likely as a result of flaws uncovered at the recent Pwn2Own competition at CanSecWest, according to Maiffret.

“It does not appear that the Internet Explorer 10 vulnerabilities exploited by Vupen at Pwn2Own have been addressed in this patch, but we do anticipate seeing them addressed next month,” he says.

Both Mozilla and Google pushed browser updates within hours of their browser software getting turned over during Pwn2Own.

Other critical updates from Microsoft grapple with remote code execution vulnerabilities in Silverlight 5 (MS13-022) and Visio Viewer 2010 (MS13-023). The Silverlight vuln is potentially capable of lending itself to a drive-by-download style attack, while the Visio Viewer flaw is more a risk when it comes to opening malicious email attachments.

Last on the critical list are updates for Microsoft’s SharePoint server software that cover three elevation-of-privilege vulnerabilities and a denial of service vulnerability.

The patch batch also addresses less serious (“important”) security bugs in OneNote 2010 (MS13-025) and Office 2008/2011 for Mac (MS13-026), both involving information disclosure vulnerabilities.

Lastly, MS13-027 addresses multiple vulnerabilities within Windows kernel-mode drivers, specifically within certain USB drivers.

“These vulnerabilities could be exploited by attackers to gain the ability to execute code in the kernel, but the attacker must be physically at the computer and able to insert a USB device into the vulnerable machine,” Maiffret explains. French exploit brokers Vupen noted that despite that limitation the flaw might be handy for Stuxnet-style attackers.

Redmond’s March Black Tuesday announcement is here. A graphical overview on the updates from the SANS Institute’s Internet Storm Centre is here.

Tuesday also marked the release by Adobe of a new version of Flash player, which addresses four critical vulnerabilities.

“Flash users on Windows, Mac OS X and Android are affected and should update as quickly as possible,” notes Wolfgang Kandek, CTO of Qualys in a blog post. He also offers commentary on the Microsoft updates.

El Reg‘s security desk notes that Adobe has now patched Flash FOUR times in less than FIVE weeks, since updates on February 7. This is irksome because Flash is a prime target for targeted attacks and asking consumers or corporate users to turn it off, like Java in the browser, isn’t easy because the technology is so widely used on the web.

Internet Explorer 10 on Windows 8 now handles Flash content by default, following recent changes by Microsoft, a shift that reflects wider changes on the web as much as anything. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/13/march_black_tuesday_update/

Google to pay laughably minuscule fine over Wi-Fi slurp across US

Google has reached a peanut-sized $7m settlement with 38 US states, after its controversial Street View prowl cars deliberately collected payload data including emails and passwords from unencrypted Wi-Fi networks across America.

The company said in a statement that it was pleased to have inked an agreement with Connecticut Attorney General George Jepsen, who led an eight-state executive committee probe into the way Google’s cars intercepted sensitive data around the globe.


Jepsen claimed that the $7m figure was “significant”, before adding:

Consumers have a reasonable expectation of privacy. This agreement recognises those rights and ensures that Google will not use similar tactics in the future to collect personal information without permission from unsuspecting consumers.

Google had previously coughed to wrongdoing but declined to name the engineer supposedly responsible for the wireless data slurping that happened in many countries around the world and went unchecked for several years.

The mysterious “Engineer Doe” at the heart of the affair was later revealed to be YouTube coder Marius Milner.

Google said in an official statement regarding the $7m fine:

We work hard to get privacy right at Google. But in this case we didn’t, which is why we quickly tightened up our systems to address the issue. The project leaders never wanted this data, and didn’t use it or even look at it.

In April last year, Google claimed to the US Federal Communications Commission (FCC) that protecting the identity of the engineer responsible for the Street View data slurp had no consequences for the watchdog’s investigation.

That probe ended with the FCC fining Google $25,000 for impeding its inquiry and concluded that some execs at Mountain View must have known about the data slurp.

Because the data scooped up by Street View had been unencrypted, the Commission ruled at the time that Google’s actions could not be considered illegal under the US Wiretap Act. Instead the company received only a paltry financial penalty for hampering the Feds’ 18-month-long investigation.

Under the multi-state agreement Google signed with Jepsen on Tuesday, the company is required – among other things – to undertake a comprehensive employee education scheme about user data privacy and confidentiality. It is also expected to “eventually destroy” the data its Street View fleet of cars hoovered up “between 2008 and March 2010”.

There has been a worldwide outcry against Google’s wireless packet hoarding, but so far the complaints are yet to result in any fines or penalties which might actually bother the vast advertising operation. France, for example, slapped a €100,000 penalty on the company.

Here in the UK, the Information Commissioner’s Office re-opened its own investigation of Google’s Street View tech in June 2012 after the FCC concluded that it seemed “likely that such information was deliberately captured” by the prowling surveillance cars. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/13/google_wifi_multi_million_dollar_settlement/

PayPal privates exposed after breach on SECURITY shop

Antivirus firm Avast has said that it was not responsible for a breach on a website of a German reseller selling its security products that resulted in the apparent leak of the payment details of thousands of consumers over the weekend.

Turkish hacker Maxn3y defaced avadas.de on Saturday (archive here) before dumping what the hacker claimed were customer details online.


The purportedly leaked information included incomplete configuration files for the shop.avadas.de domain, what appeared to be authentic admin login details with encrypted passwords, and (most seriously), what security experts believe is the PayPal payment information for an estimated 20,000 consumers.

According to Cyberwarnews.info, which analysed the data dump, the hackers also grabbed the email addresses, user names, encrypted passwords as well as certain bank and payment details of the customers.

Procello, the German distributor that ran the site, admitted its customer database had been breached and that some of its customers’ info had been compromised, but said it was unclear how many Avast customers were among those affected.

It played down the possibility that the breach might result in fraud, saying that passwords were encrypted and that it stored only the minimum information on its website, according to a German-language statement on the front page of its website. It said attackers had been trying to penetrate its systems for weeks before the breach, and that it had temporarily taken its systems offline as a precautionary measure.

Avast, the Czech security firm best known for its freebie antivirus scanner, said in a statement that the breach involved an unofficial website (run by a local reseller), that has since been suspended.

We are aware that a site appearing to be an official site, AVADAS.DE (linked from AVAST.DE), was hacked and compromised. However, this is not an official site and does not belong to Avast Software. Instead, it has been owned and operated for many years by Procello, a German reseller. We have demanded, and we have been refused, the return of the AVAST.DE domain name many times over the past years. We expect with this latest incident that the site will shortly be disabled and will never again be used by Procello.

Since yesterday [Monday], the reseller has shut down the AVAST.DE domain [including] its subdomains and is only using his own website.

More on the fallout from the breach can be found in an English language report by Softonic in its OnSoftware blog here. Several German language reports on the breach from the likes of Heise and others can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/12/avast_reseller_breach/

Hitachi and Siemens data-stalking firm not bugged by security bods’ report

An open-source IT monitoring software firm has clashed with a security consultancy over the seriousness of a security bug in its technology.

GroundWork’s technology provides a platform for IT operations management (network, system, application, and cloud monitoring) that is used by customers including Hitachi Data Systems, the Royal Bank of Canada, NATO, National Australia Bank, Siemens, and Tivo, among many others.


Security bods at SEC Consult last week published an advisory warning of “multiple critical vulnerabilities” in the GroundWork Monitor Enterprise platform. The firm said that many of the flaws cover authentication problems and claimed they are so serious that customers ought to avoid using the technology until the flaws are patched. The Austrian security consultancy also published a separate bulletin warning of other “high risk” bugs.

In response, GroundWork said its users were looking for “ease of use” rather than “maximum security”. It didn’t release a patch and told its users that tightening up settings was optional.

GroundWork uses the JBoss Portal’s Single Sign-On technology to restrict access to GroundWork components and improve many of their own security capabilities. Most GroundWork customers have expressed a preference for ease of use rather than maximum security, and the default settings reflect those wishes.

These are suggestions and not mandatory for a GroundWork Monitor installation.

Johannes Greil, the security researcher at SEC Consult who discovered the bugs in GroundWork’s software, strongly disagreed with this assessment. “The identified vulnerabilities have nothing to do with ‘maximum security’ but rather conforming to web application security standards and guidelines such as OWASP Top 10,” he told El Reg.

“Furthermore, GroundWork is not going to fix the vulnerabilities within the source code, but will only add an authentication layer and implement some changes in authorization (roles) through an optional technical bulletin,” Greil told us in an email (his emphasis).

We put Greil’s allegations to GroundWork last week but have yet to hear back. We’ll update if we do.

Greil said he is also irked by GroundWork’s lack of urgency about issues first reported to it two months ago. “The slow response and insufficient measures by Groundwork are not a responsible way to react for a vendor who supplies software for government agencies and large data centers,” he said.

“An attacker who is (easily) able to take over this monitoring software is, for example, able to gain access to plaintext passwords of the monitored systems and spread the attack within the internal network,” Greil claimed. “In order to mitigate the risk, the vulnerabilities have to be fixed within the source code. In secure environments, such as operating centers where this software is for instance used, it is highly undesirable to use insecure applications. Furthermore, we advise against using this software in the current state of security.”

“We have identified multiple different critical vulnerabilities with different impacts. The most severe problems are that an unauthenticated attacker is able to elevate his privileges (admin access), execute arbitrary operating system commands, take over the whole monitoring system and gain access to sensitive configuration files with clear text passwords of the monitored systems. An attacker is therefore easily able to spread the attack within the internal network,” Greil added.
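The two defects Greil lists, an endpoint reachable without authentication and user input handed to the operating system as a command, are the kind of thing OWASP guidance has covered for years, and the difference between the “ease of use” default and a fixed version is small in code. The snippet below is an added generic illustration of that contrast, not GroundWork’s code and not a reproduction of the SEC Consult findings; the handler names, the session shape, the `admin` role and the use of `echo` as a stand-in for a real monitoring probe are assumptions.

```python
"""A monitoring-style 'probe this host' handler, first as an unauthenticated
shell-string build (the class of bug described above), then hardened.

Assumed: a session dict carries `authenticated` and `roles`; `echo` stands in
for whatever probe a monitoring system would actually run.
"""
import re
import subprocess
from functools import wraps


class Unauthorized(Exception):
    """Raised when a caller lacks the role a handler requires."""


# Hostnames: letters, digits, dots and hyphens only; nothing a shell cares about.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def requires_role(role):
    """Deny-by-default authorisation: the check is not optional and not a setting."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session, *args, **kwargs):
            if not session.get("authenticated") or role not in session.get("roles", ()):
                raise Unauthorized(f"{fn.__name__} requires role {role!r}")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


def check_host_vulnerable(session, host):
    """No authentication, and the caller's string is interpolated into a shell command.

    `host = "db1; id"` runs `id` with the monitoring service's privileges.
    """
    command = f"echo probing {host}"
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


@requires_role("admin")
def check_host_hardened(session, host):
    """Authenticated and authorised, input validated, and no shell in the path:
    the argument list goes straight to exec, so ';' is just a character."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return subprocess.run(["echo", "probing", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "db1; echo INJECTED"
    print("vulnerable:", repr(check_host_vulnerable({}, payload)))
    admin = {"authenticated": True, "roles": ["admin"]}
    try:
        check_host_hardened(admin, payload)
    except ValueError as exc:
        print("hardened rejected:", exc)
    print("hardened:", repr(check_host_hardened(admin, "db1")))
```

Note what the hardened version does not rely on: a configuration flag that an operator may or may not flip. That is the substance of Greil’s objection to an “optional technical bulletin”; a fix that lives in a setting is a fix that most installations will never have.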

SEC Consult’s previous research includes the discovery of undocumented backdoors in data centre kit from Barracuda Networks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/12/open_source_monitoring_software_bug/