STE WILLIAMS

Filthy! old! blog! bug! blamed! for! Yahoo! webmail! hijacks!

Yahoo! webmail accounts are being hijacked by hackers exploiting an eight-month-old bug in the web giant’s blog, security biz Bitdefender warns.

Messages with a short link to an apparently harmless MSNBC web-page are being spread to compromise mailboxes: the link actually points to a completely different website hosting malicious JavaScript code that swipes the victim’s browser cookie used to log into Yahoo! mail.

Once this cookie is in the hands of miscreants, they can use it to access the victim’s mail account. The domain serving up this cross-site scripting attack code was registered in Ukraine on 27 January and the web server is hosted in Cyprus.

The JavaScript exploits an old WordPress blog security hole in developer.yahoo.com to lift the user’s mail.yahoo.com cookie. Using this harvested information, crooks can masquerade as the victim to send spam or pinch contacts’ e-mail addresses.

“The attack focuses on the Yahoo Developers Blog, which uses a buggy version of WordPress that has a security flaw known as CVE-2012-3414,” said Catalin Cosoi, chief security strategist at Bitdefender, referring to this Flash applet bug.

“This flaw has been patched since WordPress version 3.3.2. Since it is located on a sub-domain of the yahoo.com website, the attackers trigger the bug and pass a command that steals the cookie and sends it ‘home’. At this point, they have full access to the victim’s contact list until the current session expires or the user logs out.”

Bitdefender said the ongoing campaign highlights two risks: the dangers of clicking on links in emails and problems that can arise when a website is vulnerable to cross-site scripting attacks, a common class of security vulnerability. The Yahoo! hijack also illustrates the important role played by cookies in applications such as webmail.

“Security on the web is based on the same-origin policy, a complex mechanism that won’t allow Site A to access resources of Site B, such as cookies,” Cosoi said.

“Cookies are small snippets of text created when the user logs into a system, and they are used to (among other things) remember that the account holder has already passed the authentication once. Otherwise, the user will have to log in whenever they read another e-mail or when they navigate from one page to another.

“So, in this context, it is obvious that a piece of code running on Site A can’t steal a cookie set by Site B. However, a subdomain of Site B can access the resources of Site B, and this is what the attackers did.”
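The sub-domain point in Cosoi’s explanation comes down to two cookie attributes. The following Python model, added here as an example and not taken from the article, Bitdefender or Yahoo!, applies the RFC 6265 domain-matching rule to a Set-Cookie header: a cookie set by mail.yahoo.com with Domain=.yahoo.com is sent to, and readable by script on, any yahoo.com sub-domain, while a host-only cookie (no Domain attribute) stays with mail.yahoo.com and an HttpOnly cookie is still sent but cannot be read from document.cookie. The header values are constructed for the demonstration.

```python
"""
Added example (not the article's, Bitdefender's or Yahoo!'s code): models how a
browser decides whether a cookie set by one host is sent to, and readable by
script on, another host under the same registrable domain.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # Domain attribute (leading dot stripped), or the setting host
    host_only: bool    # True when no Domain attribute was given (RFC 6265 section 5.3)
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Parse the attributes of one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain, host_only, secure, http_only = setting_host.lower(), True, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and value:
            domain = value.strip().lstrip(".").lower()
            host_only = False
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    return Cookie(name, domain, host_only, secure, http_only)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or the host ends with '.' + domain."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def sent_to(cookie: Cookie, request_host: str, https: bool = True) -> bool:
    """Would the browser attach this cookie to a request to request_host?"""
    if cookie.secure and not https:
        return False
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def readable_by_script(cookie: Cookie, page_host: str) -> bool:
    """Could JavaScript running on page_host read this cookie via document.cookie?"""
    return sent_to(cookie, page_host) and not cookie.http_only


if __name__ == "__main__":
    # Constructed sample headers, as set by mail.yahoo.com (hypothetical values)
    wide = parse_set_cookie("sid=abc123; Domain=.yahoo.com; Secure", "mail.yahoo.com")
    guarded = parse_set_cookie("sid=abc123; Domain=.yahoo.com; Secure; HttpOnly", "mail.yahoo.com")
    narrow = parse_set_cookie("sid=abc123; Secure", "mail.yahoo.com")
    for label, c in (("Domain=.yahoo.com", wide), ("+ HttpOnly", guarded), ("host-only", narrow)):
        print(f"{label:18} script on developer.yahoo.com can read it: "
              f"{readable_by_script(c, 'developer.yahoo.com')}")
```

The first case is the one in the article: a domain-wide session cookie is exposed to a script injected anywhere under yahoo.com. HttpOnly removes the document.cookie path (the cookie is still sent on requests, so a sub-domain XSS can still drive authenticated requests from the browser), and a host-only cookie removes the sub-domain exposure entirely.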

Bitdefender has a write-up of the attack on its antivirus labs blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/01/yahoo_webmail_hijacks/

Sick software nasty uses child abuse pics to extort infected victims


Pay €100 ‘fine’ to rid PCs of horror images


Depraved miscreants are spreading vile ransomware that displays images of child abuse on infected PCs and demands payment to remove them.

Typically, this sort of malware pretends to be an official piece of police software that pops up a message accusing victims of breaking the law – usually downloading copyrighted material or dodgy pornography – and locks down the computer until the user coughs up a fine.

But this new Trojan stoops to an all-time low by displaying the actual pictures of child sex abuse the victim is accused of viewing. The ransomware sports logos of the German Federal Office for Information Security (BSI) and the German Society for the Prosecution of Copyright Infringement (GVU) to lend an air of authenticity to proceedings.

Owners of infected machines are ordered to pay an on-the-spot fine of €100 in order to get a code that unlocks the computer.

Germany’s Federal Criminal Police Office (Bundeskriminalamt) put out a warning about the disturbing new tactic in ransomware extortion on Tuesday; an advisory in German can be found here. Victims are advised to not be intimidated by the extortionists’ threats. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/01/ransomware_trojan/

Symantec: don’t blame us for New York Times hack

Symantec has taken the unusual step of commenting on a story about a customer, issuing a robust statement denying its anti-virus products were to blame for a sophisticated targeted attack on the New York Times.

The Gray Lady revealed yesterday that it had been persistently attacked for four months by China-based cyber insurgents. They used classic APT-style techniques to breach defences before lifting New York Times staff passwords in an attempt to find out more information on an exposé run by the paper into outgoing Premier Wen Jiabao.

The killer paragraph for Symantec, however, was the following, which could be interpreted as the NYT attempting to shift blame for the breach onto its security provider.

“Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant”.

Although Symantec’s policy is not to comment on its customers, it wasn’t long before it released the following as a “follow-up” to the Times story.

“Advanced attacks like the ones the New York Times described … underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behaviour-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”

Symantec obviously falls short of clarifying whether the New York Times had these extra capabilities, and if it did whether they were “switched on”, although the careful wording of the statement would indicate not.

Most security vendors today have supplemented their standard signature-based AV offerings with more advanced tools to spot zero day malware – which is usually employed in attacks like this.

While CSOs are wisely cautious of believing every piece of FUD-based “intelligence” from the information security vendor community, a tipping point does seem to have been reached where it’s now wise to invest in such tools, especially if you’re a high profile organisation.

As if to reiterate its message on the prevalence of advanced targeted attacks, Symantec warned in a new blog post published on Friday of a sophisticated spear phishing campaign targeting the directors and VPs of aerospace and defence firms. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/01/symantec_responds_nyt_apt/

Quantum crypto still not proven, claim Cambridge experts

Two killjoy researchers from the University of Cambridge have cast doubt on whether quantum cryptography can be regarded as ‘provably secure’ – and are asking whether today’s quantum computing experimentation is demonstrating classical rather than quantum effects.

Computer scientists Ross Anderson and Robert Brady have published their discussion at Arxiv, here. In the paper, they examine two key issues in quantum research. As well as looking at the cryptography question, they also examine why quantum computing research is finding it hard to scale beyond three qubits.

“Despite the investment of tremendous funding resources worldwide, we don’t have working testbeds; we’re still stuck at factoring 15 using a three-qubit algorithm”, the paper notes. It suggests that current experiments have not yet proven that “local realism” (that is, classical behaviour without the “spooky action at a distance” that so bothered Einstein) is violated.

The question the paper seeks to raise (not answer: although the paper proposes experiments to test the theory) is this: can current experiments that appear to demonstrate purely quantum behaviours actually be explained by classical physics?

A metaphorical explanation is given by the example of a droplet that is phase-locked with a wave, as illustrated in a YouTube video embedded in the original article.

Such experiments “show clear phenomena corresponding to those of quantum mechanics, including single-slit diffraction, double-slit diffraction, quantised energy levels and tunneling through a barrier.”

Entanglement says that two entangled particles (say, photons) will reflect each other’s state at a rate greater than the speed of light.

Anderson and Brady are asserting that experiments conducted to date observe coherence between distant particles, but fail to eliminate the possibility that the two particles are responding to an identical third stimulus – like the bouncing droplet in the video. In other words: two boats on a lake, bouncing on the waves, aren’t demonstrating quantum physics, they’re responding to the same ripples.

Hence their doubts about cryptography: “As the experiments done to test the Bell inequalities have failed to rule out a classical hidden-variable theory of quantum mechanics such as the soliton model, the security case for quantum cryptography based on EPR [The Register – Einstein – Podolsky Rosen] pairs has not been made.”

In a statement that’s bound to spark hot debate among both theorists and experimentalists, the paper asserts that “experimental work which appeared to demonstrate a violation of Bell’s inequalities might not actually do so; regardless of whether it is a correct description of the world, it exposes a flaw in the logic of the Bell tests.”

El Reg is completely unqualified to ask whether the new experiments proposed by the paper will settle the debate, but it might be a good time for physics-watchers to grab the popcorn. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/01/cambridge_boffins_doubt_quantum_experiments/

UK cookies cop changes own policy to ‘implied consent’

The UK Information Commissioner’s Office (ICO), the agency charged with implementing the EU’s ePrivacy Directive insisting web publishers tell their readers about how they use cookies, has changed its own cookie policy to one of implied consent rather than asking visitors to its website to formally opt in to receiving cookies. The change will also see cookies set “from the time users arrive” on the agency’s site.

The Directive was designed to enhance citizens’ privacy by, among other things, letting them know that web publishers record information about them and their use of web sites with cookies. Once so informed, consumers were held to be in a position to understand the deadly threat posed to their wellbeing and liberty by any form of data collection. The Directive was signed into law in 2011, but the UK held off implementing it until May 2012, when the ICO waved a big stick and pointed it at fine print indicating colossal fines for non-compliance.

In response to the Directive, many publishers posted a page like our own cookies page or popped up a quick dialog box to lead users to similar pages or secure their consent for the use of cookies.

Overall, however, compliance levels were low and examples of enforcement activity hard to find.

Eight months down the track, the ICO feels all that activity has worked and the general public are now so well-informed about cookies that it can take things down a notch.

Here’s the Office’s reasoning on the matter:

“We first introduced a notice about cookies in May 2011, and at that time we chose to ask for explicit consent for cookies. We felt this was appropriate at the time, considering that many people didn’t know much about cookies and what they were used for. We also considered that asking for explicit consent would help raise awareness about cookies, both for users and website owners. Since then, many more people are aware of cookies – both because of what we’ve been doing, and other websites taking their own steps to comply. We now consider it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites.”

Cookie notifications aren’t disappearing from the agency’s site, as a new banner will continue to inform visitors about cookie use on a new cookie page. The ICO is “also taking advantage of a feature which limits the geographical information collected by our analytics cookies.”

And why does the ICO need cookies at all? The agency says “We are making this change so that we can get reliable information to make our website better.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/01/ico_cookie_policy_change/

Apple blocks Java on the Mac over security concerns

It’s been a rough couple of weeks for Java. Security issues are dogging the code, the latest fix may cause almost as many problems as it solves, and now Apple has decided to block Java completely.

French blog MacGeneration originally picked up the blockade, noticing that an update to Apple’s XProtect now blocks all versions of Java on OS X 10.6 (aka Snow Leopard) and above, the second time in two weeks Apple has blocked Oracle’s code.

Apple, along with browser manufacturers, started blocking Java when a major security hole was discovered in the code earlier in the month. Oracle downplayed its significance, but then was forced to admit that it had a problem and rushed out a code patch (with the obligatory offers to install crapware at the same time).

Now Apple has blocked it again, and other players are starting to make moves to get rid of Java as far as possible. On Tuesday, Mozilla announced it was ending the auto-loading of plug-ins for Firefox – while not actually mentioning Java by name – and Apple has already stopped bundling it with OS X by default.

[Image: Apple’s block on Java. ‘No Java for you!’, says Apple (source: MacGeneration)]

The security status of Java has been under review for some time, with increasing numbers of people removing it as a precaution. Given Oracle’s somewhat lackadaisical attitude towards patching its software, developers are increasingly looking for other options to avoid introducing weaknesses into their code.

But Apple’s decision could spur the Java team to sort out their issues once and for all. Certainly if feedback from El Reg readers on our forums is any indication, the code is about as popular as an explosive piñata.

Both Oracle and Apple have felt unable to respond to a request for information on the issue. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/02/01/apple_blocks_java_mac/

‘Silent but deadly’ Java security update breaks legacy apps

An application developer reports that the latest Java 7 update “silently” deletes Java 6, breaking applications in the process.

Java 7 update 11 was released two weeks ago to deal with an unpatched vulnerability which had gone mainstream with its incorporation into cybercrook toolkits such as the Blackhole Exploit Kit in the days beforehand. Attacks were restricted to systems running Java browser add-ons.

But Oracle’s response appears to have caused some collateral damage.

JNBridge, which provides Java and .NET interoperability tools, reports that customers of software providers who use its technology came a cropper in cases where users had applied the latest Java update (Java 7u11). The software developer blogged about the issue here.

Oracle has decided that, in order to fix extensively reported security problems, they will not only update Java 7 (their latest version of Java), they will also completely delete a completely separate product.

Worse, it appears that they are taking it upon themselves to replace installations of Java 6 with Java 7 even if the users have only Java 6 on their machines.

We followed up with Wayne Citrin, chief technology officer at JNBridge, who shed some light on the practical issues created by Oracle’s recent Java update. “We provide a Java/.NET bridge, and one of the interoperability mechanisms allows the .NET and Java to run in the same process,” Citrin explained. “To do this, the user needs to supply the absolute path to the jvm.dll file belonging to the JRE that they plan to use.

“The customer, an ISV that uses our product, and who uses Java 6, told us that several of their customers had updated their Java 7 and our customer’s product had stopped working. When they reconfigured our product to use Java 7’s jvm.dll, things started working again. They wanted to know whether our product had problems with the latest update to Java 7. That seemed strange to us because the customer’s product wasn’t using Java 7 (and in any case we work just fine with Java 7). Our researchers showed that the problem was that Java 6 had been removed.”

Citrin added that the problem isn’t directly related to Oracle’s decision to change Java security settings to “high” by default with the release of Java 7 update 11. “I don’t think it directly relates to the Java 6 removal, though. It does affect running of Java in browsers, which I think is a good safeguard,” he explained.

While consumers ought to be running the latest version of Java, the situation is more complicated in enterprise environments. “There are definitely ISVs shipping code that runs on older versions of Java (our customer’s product was running on Java 6 r32, for example), which means that there are users that will want to have the old versions around,” Citrin explained. “And there are developers (like us, and our aforementioned ISV customer) who will need the old versions around for development and support purposes. But I agree that it’s not “normal” – most casual users of Java can probably get away with just the latest version of Java 7.”

Citrin said JNBridge, at least, hadn’t run into similar problems with prior Java updates. “Oracle’s web notice said that the same thing happened with Java 5 at some point when Java 6 was updated, but I can’t recall Java 5 disappearing, and neither can any of our developers,” he said, adding that irrespective of its security problems, Java 6 is still widely deployed.

Andrew Storms, director of security operations for nCircle, said that Oracle’s security update shouldn’t be interfering with – much less removing – older versions of Java.

“The issue isn’t whether Oracle continues to support legacy products or not. The question is how the Java 7 update behaves when it finds older versions of Java. If they are removed as part of the update process, it could easily render other applications unusable,” Storms explained.

Oracle’s lack of communication compounds the apparent problem, Storms added.

“For many applications, Java acts like an application library vendors rely on – they need Java to perform as expected in order for their products to function correctly. What would happen if Microsoft automatically removed .NET version 3 when the user installed a security update to .NET version 4?

“At an absolute minimum, users should be notified before they update that if an older version of Java is found it will be removed. Removing it without offering the user clear communication about the impact of the update appears to be extremely short-sighted and seems to reveal a serious lack of understanding regarding how businesses employ Java,” he concluded.

The Register contacted Oracle about the issue but it had not yet responded at the time of publishing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/31/java_security_update/

‘Gaia’ Lovelock: Wind turbines ‘may become like Easter Island statues’

Former climate change alarmist Dr James Lovelock, famous for popularising the “Gaia” metaphor, continues his journey back to rationality.

Lovelock is objecting to a “medium sized” (240ft high) erection planned for his neighbourhood in North Devon by infamous windfarm operator Ecotricity. The UK currently has 3,000 onshore turbines and 6,000 are planned: this is the main reason why electricity bills are soaring out of control in order to pay for the inefficient, highly expensive windmills. Lovelock calls the runaway windmill building “industrial vandalism”.

In an objection to the planning application made to Tiverton council, Lovelock points out that one nuclear power station provides as much power as 3,200 industrial wind turbines, without the environmental damage. In fact, he seems to be understating the case: we would calculate* one nuclear powerplant as equivalent to 5,400 wind towers of the sort discussed above.

He concludes:

I am an environmentalist and founder member of the Greens but I bow my head in shame at the thought that our original good intentions should have been so misunderstood and misapplied. We never intended a fundamentalist Green movement that rejected all energy sources other than renewable, nor did we expect the Greens to cast aside our priceless ecological heritage because of their failure to understand that the needs of the Earth are not separable from human needs. We need to take care that the spinning windmills do not become like the statues on Easter Island, monuments of a failed civilisation.

Lovelock is a long-time advocate of nuclear energy. But he also supports switching to lower-emission fossil fuels too, arguing they also do the job.

“Let’s be pragmatic and sensible and get Britain to switch everything to methane. We should be going mad on it [fracking]”, Lovelock told The Grauniad last year.

The USA has cut CO2 emissions drastically over three years, thanks to the switch from coal to gas. Gas therefore provides greenhouse gas abatement at about one tenth of the cost of wind power. Scaling back the renewable energy strategy would also inject a much-needed £120bn into the economy.

You can find more here (pdf).

Lovelock’s books include Gaia: The Practical Science of Planetary Medicine, The Ages of Gaia, Healing Gaia, The Vanishing Face of Gaia and The Revenge of Gaia.

Can you spot the theme? ®

Bootnote

*Ecotricity claims maximum output of 0.5 megawatt. Over time the turbine will not do better than 25 per cent of this. By comparison, Sizewell B produces 4.7 terawatt-hours every year. So Wolfram Alpha tells us that Sizewell B produces as much juice as 5,400 such turbines (and that’s before you get into all the other windfarm issues of intermittency etc).

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/31/lovelock_wind_fu/

Snooping on movement can reveal smartphone PINs

It’s not the first time boffins have proposed the use of smartphone accelerometers as an attack vector, but it’s scarily efficient: with as few as five guesses, Swarthmore College researchers say they can use phone movements to reveal user PINs.

As noted in his paper (PDF – Practicality of Accelerometer Side Channels on Smartphones), lead author Dr Adam Aviv says phones’ movements have been investigated as an attack vector before. Prior work has, however, used the phone’s gyroscope – or a combination of gyro and accelerometer – as the input sensor, and with relatively low accuracy (he cites a test that gave a worst case needing 81 guesses to arrive at the correct PIN).

This new study collected 9,600 samples from 24 users both sitting and walking, and tested both pinpad and swipe-pattern data entry. The data-gathering apps installed on the test phones captured the phones’ movements during PIN/swipe entry, and matched these against a database of known patterns:

“In controlled settings … [with the participants sitting still] our prediction model can on average classify the PIN entered 43% of the time and pattern 73% of the time within 5 attempts when selecting from a test set of 50 PINs and 50 patterns. In uncontrolled settings, while users are walking, our model can still classify 20% of the PINs and 40% of the patterns within 5 attempts.”

The paper suggests that accelerometer data should be denied to untrusted applications “when sensitive touchscreen input is being provided to other applications” – noting, however, that the all-or-nothing model for trusting Android applications is insufficient to protect against such attacks.
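The mitigation the paper suggests is a context-dependent one: the accelerometer is withheld from every app except the one currently receiving sensitive input, rather than being granted or denied once at install time. The following toy sensor broker is added here as an example and is not code from the article or from Aviv et al.; all app names and method names are hypothetical. It deliberately drops rather than queues the withheld samples, because delivering the motion trace after the PIN field loses focus would leak the same information.

```python
"""
Added example (not from the article or the paper): a toy sensor broker that
withholds accelerometer samples from every app other than the one that owns
the sensitive input field currently on screen. Names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Sample = Tuple[float, float, float]   # (x, y, z) acceleration, m/s^2


@dataclass
class SensorBroker:
    subscribers: Set[str] = field(default_factory=set)  # apps registered for accelerometer events
    sensitive_owner: Optional[str] = None               # app whose PIN/pattern field has focus
    dropped: int = 0                                    # samples withheld, for auditing

    def subscribe(self, app: str) -> None:
        self.subscribers.add(app)

    def unsubscribe(self, app: str) -> None:
        self.subscribers.discard(app)

    def begin_sensitive_input(self, app: str) -> None:
        """Called by the input framework when a PIN or pattern field gains focus."""
        self.sensitive_owner = app

    def end_sensitive_input(self) -> None:
        """Called when the sensitive field loses focus; normal delivery resumes."""
        self.sensitive_owner = None

    def deliver(self, sample: Sample) -> Dict[str, Sample]:
        """Route one sample; returns {app: sample} for the apps that receive it.

        While a sensitive field is focused only its owning app (if subscribed)
        sees the sample. Everyone else's copy is dropped, not queued: a delayed
        replay of the motion trace would leak exactly what we are hiding.
        """
        if self.sensitive_owner is None:
            return {app: sample for app in self.subscribers}
        allowed = {self.sensitive_owner} & self.subscribers
        self.dropped += len(self.subscribers - allowed)
        return {app: sample for app in allowed}


if __name__ == "__main__":
    broker = SensorBroker()
    broker.subscribe("game")      # hypothetical untrusted app using motion controls
    broker.subscribe("bank")      # hypothetical app with a PIN field
    print(broker.deliver((0.1, 0.0, 9.8)))        # both apps receive the sample
    broker.begin_sensitive_input("bank")
    print(broker.deliver((0.2, 0.1, 9.7)))        # only "bank" receives it
    broker.begin_sensitive_input("keyguard")      # lock screen is not a subscriber
    print(broker.deliver((0.0, 0.0, 9.8)))        # nobody receives it
    broker.end_sensitive_input()
    print("samples withheld:", broker.dropped)
```

A real implementation would sit in the sensor service of the OS and take the focus signal from the input method framework, but the policy itself is the part that matters: the decision is made per sample, against the current UI state, not per app at install time.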

The phones tested in the study were the Nexus One, Nexus S, HTC’s Droid Incredible, and the T-Mobile G2. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/31/smartphone_accelerometer_data_leak/

Great Firewall architects fingered for GitHub attack

The Chinese computer scientists who helped build the country’s infamous Great Firewall may have been responsible for a man-in-the-middle attack on users of GitHub after they were named and shamed on the social code sharing site.

This is the theory put forward by GreatFire.org, a not-for-profit organisation which monitors and reports on online censorship in China. It explained in a blog post that users trying to access GitHub last weekend were faced with browser messages warning of an invalid SSL certificate – a tell-tale sign of a man-in-the-middle attack.

“The attack happened on a Saturday night. It was very crude, in that the fake certificate was signed by an unknown authority and bound to be detected quickly. The attack stopped after about an hour,” said GreatFire.org.

Its theory is that the attack was connected to a high profile petition created on the White House web site the day before.

This petition – which has now amassed over 9,000 signatures and could theoretically end up influencing US policy – calls on the Obama administration to deny entry to the architects of the Great Firewall, should they try and visit the US in the future.

A link on the petition takes the user to another GitHub page listing the names and some contact details of three key figures responsible for the Great Firewall.

Among the comments are the supposed address and ID number of Fang Binxing – often dubbed Father of the Great Firewall – and a link to another list with scores of others named and shamed.

GreatFire argued that because GitHub is HTTPS only, the authorities in China cannot block individual pages but only the entire site. This actually happened around a fortnight ago but after pretty vocal protests from developers who rely on the site to collaborate, it was unblocked again.

In this way, “the only tool left in the censorship toolbox is man-in-the-middle attacks” which can help the attackers intercept and monitor traffic, said GreatFire, adding the following:

“The whole episode seems rather irrational. It’s conceivable that one or several individuals identified on these lists as enemies of a free internet decided to take action into their own hands. They are the technical people behind the Great Firewall and so they would clearly be capable of implementing this attack. They had a motive in that they were personally being targeted by the people behind the White House petition. And they had no other options since they had been barred from blocking GitHub completely.”

The Party has certainly been unafraid in the past to completely block sites or even cut the internet for large swathes of the population if social order is threatened.

However, it faces a more difficult problem if the sites in question are deemed too important to the international competitiveness of Chinese businesses to take down completely – as GitHub’s supporters argued.

This is where man-in-the-middle comes in. Although the attack last weekend was limited in scope, pretty crude and flagged by most browsers, GreatFire warned that such attacks may become more common and sophisticated in the future, especially if the number of sites in China using HTTPS keeps growing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/31/github_ssl_man_in_the_middle_attack/