STE WILLIAMS

Fans of dead data ‘liberator’ Swartz press Obama to sack D.A.

A new online petition has called for the firing of US attorney Carmen Ortiz for pursuing Aaron Swartz with charges that could have put him in prison for up to 35 years.

Meanwhile, Democratic congresswoman Zoe Lofgren has drawn up a new bill called “Aaron’s Law” to amend the US Computer Fraud and Abuse Act, the statute used to prosecute Swartz until his death last week.

Internet prodigy Swartz, 26, took his life on Friday in the midst of a lengthy computer fraud case against him. The charges were brought after he copied 4.8 million scientific articles from the nonprofit journal archive JSTOR to allegedly redistribute online.

In the days after he was found dead at his New York home on Friday, Swartz’s family said their son’s suicide was “the product of a criminal justice system rife with intimidation and prosecutorial overreach”.

Now Lofgren has announced her intention to propose Aaron’s Law on Reddit, the immensely popular discussion website Swartz helped build. The bill aims to tighten up the Act’s definition of fraud.

“There’s no way to reverse the tragedy of Aaron’s death, but we can work to prevent a repeat of the abuses of power he experienced,” she wrote.

“The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute. It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire fraud statute.

“Using the law in this way could criminalise many everyday activities and allow for outlandishly severe penalties.”

Her proposed bill, which would need to be debated and passed by both the House of Representatives and the Senate to take effect, would narrow the CFAA by excluding certain violations of user agreements from its definition of unauthorised access.

Meanwhile, a White House website petition to have US attorney Ortiz removed from office for “overreach” in Swartz’s case has surpassed the 25,000 signatures it needs to land an official response. More than 35,000 people have signed the petition since it was created on Saturday.

Swartz was known to be depressed and took his life shortly after his legal team was unable to convince prosecuting lawyers to reduce the charges for “liberating” the JSTOR archive and help him avoid a long spell behind bars. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/16/congresswoman_petition_aaron_swartz/

Security audit finds dev OUTSOURCED his JOB to China to goof off at work

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet.

The firm’s telecommunications supplier Verizon was called in after the company set up a basic VPN system with two-factor authentication so staff could work at home. The VPN traffic logs showed a regular series of logins to the company’s main server from Shenyang, China, using the credentials of the firm’s top programmer, “Bob”.

“The company’s IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob’s desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator,” said Verizon. “Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one.”

After getting permission to study Bob’s computer habits, Verizon investigators found that he had hired a software consultancy in Shenyang to do his programming work for him, and had FedExed them his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities.
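The tell in Bob’s case was sitting in the VPN concentrator’s logs: a valid account, a valid token, but the wrong source country, while the account’s owner was at his desk. The following is an added example (not Verizon’s tooling or anything from the original article) of the two checks a SOC would run over such logs: sessions from a country the account is not expected in, and overlapping sessions for one account from two different countries. The log layout, the usernames, the IP addresses and the table of expected countries are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed VPN concentrator log for this example. The layout
# (UTC timestamp, username, source IP, GeoIP country, event) is hypothetical;
# a real concentrator's syslog needs its own parser plus a GeoIP lookup.
SAMPLE_LOG = """\
2012-11-05T08:52:10Z bob 203.0.113.44 CN login
2012-11-05T09:01:33Z alice 198.51.100.9 US login
2012-11-05T09:15:00Z bob 198.51.100.7 US login
2012-11-05T11:40:12Z bob 198.51.100.7 US logout
2012-11-05T17:05:02Z alice 198.51.100.9 US logout
2012-11-05T18:31:44Z bob 203.0.113.44 CN logout
"""

# Countries each account is expected to connect from (hypothetical HR/IT data).
EXPECTED_COUNTRIES = {"bob": {"US"}, "alice": {"US"}}


def parse_log(text):
    """Turn raw log lines into (timestamp, user, ip, country, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country, event))
    events.sort(key=lambda e: e[0])
    return events


def build_sessions(events):
    """Pair each login with the next logout for the same (user, source IP).

    A login without a matching logout is kept as an open session (end=None)
    so that it still takes part in the overlap check.
    """
    open_sessions = {}
    sessions = defaultdict(list)
    for ts, user, ip, country, event in events:
        key = (user, ip)
        if event == "login":
            open_sessions[key] = (ts, country)
        elif event == "logout" and key in open_sessions:
            start, country = open_sessions.pop(key)
            sessions[user].append({"start": start, "end": ts, "ip": ip, "country": country})
    for (user, ip), (start, country) in open_sessions.items():
        sessions[user].append({"start": start, "end": None, "ip": ip, "country": country})
    return dict(sessions)


def _overlaps(a, b):
    """True when two sessions share any instant; open sessions run to datetime.max."""
    a_end = a["end"] or datetime.max
    b_end = b["end"] or datetime.max
    return a["start"] < b_end and b["start"] < a_end


def find_anomalies(sessions, expected=EXPECTED_COUNTRIES):
    """Two checks per user:
    1. a session sourced from a country the account is not expected in;
    2. two sessions overlapping in time from different countries, which one
       person holding one hardware token should never produce.
    """
    findings = []
    for user, user_sessions in sessions.items():
        allowed = expected.get(user, set())
        for s in user_sessions:
            if s["country"] not in allowed:
                findings.append({"user": user, "check": "unexpected_country",
                                 "country": s["country"], "ip": s["ip"]})
        for i, a in enumerate(user_sessions):
            for b in user_sessions[i + 1:]:
                if a["country"] != b["country"] and _overlaps(a, b):
                    findings.append({"user": user, "check": "concurrent_sessions",
                                     "countries": sorted({a["country"], b["country"]}),
                                     "ips": sorted({a["ip"], b["ip"]})})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_sessions(parse_log(SAMPLE_LOG))):
        print(finding)
```

In the real case the second signal was not a second VPN session but Bob physically at his workstation; feeding badge or workstation logon events in as sessions with the office’s country makes the overlap check catch that too. The point worth remembering is that two-factor authentication proved possession of the token, not the identity of the person holding it, so the source of the connection still has to be checked.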

The analysis of his workstation found hundreds of PDF invoices from the Chinese contractors and determined that Bob’s typical work day consisted of:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time

2:00-ish p.m – Facebook updates, LinkedIn

4:30 p.m. – End-of-day update e-mail to management

5:00 p.m. – Go home

The scheme worked very well for Bob. In his performance assessments by the firm’s human resources department, he was the firm’s top coder for many quarters and was considered expert in C, C++, Perl, Java, Ruby, PHP, and Python.

Further investigation found that the enterprising Bob had actually taken jobs with other firms and had outsourced that work too, netting him hundreds of thousands of dollars in profit as well as lots of time to hang around on internet messaging boards and checking out the latest Detective Mittens video.

Bob is no longer employed by the firm. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/16/developer_oursources_job_china/

Latest Java patch is not enough, warns US gov: Axe plugins NOW

Security experts advise users not to run Java in their web browsers despite a patch from Oracle that mitigates a widely exploited security vulnerability.

The database giant issued an emergency out-of-band patch on Sunday, but despite this the US Department of Homeland Security continues to warn citizens to disable Java plugins.

“Unless it is absolutely necessary to run Java in web browsers, disable it even after updating to [Java 7 update 11],” the US-CERT team said in an update yesterday. “This will help mitigate other Java vulnerabilities that may be discovered in the future.”

The security flaw (CVE-2013-0422) was weaponised last week and bundled into popular cyber-crook toolkits, such as the Blackhole Exploit Kit. These toolboxes plant malicious scripts on compromised websites that exploit security holes in passing visitors’ computers to infect them with malware.

The Java 7 bug, now squashed by Oracle in its latest update, allowed miscreants to execute their own code on a victim’s system and attempt to take full control of the machine. Attacks relying on this security flaw actually exploit a combination of two vulnerabilities: both involve subverting the programming platform to bypass its security manager and access restricted Java classes. Oracle’s 7u11 update also patches a second albeit less serious hole.

Ross Barrett, senior manager of security engineering at Metasploit developers Rapid7, said the update is worth applying but only goes so far: further zero-day security bugs in Java are likely if not inevitable.

“This fix changes the default Java browser security settings to require user consent to execute Java applets which are not digitally signed, or are self-signed, which indicates that Oracle has made a minor concession against ease-of-use to try to protect users from the next time a Java vulnerability is exploited in the wild,” Barrett said.

HD Moore, founder of Rapid7, added that Oracle is likely to spend at least two years sorting out shortcomings in Java’s security management without even factoring in the discovery of additional bugs.

“Oracle has already spent a year working through these issues … but will likely need another two years to fix them completely,” he said.

Other security experts, such as the bods at Sophos, also back the view that running Java in the browser has become a total no-no, especially for consumers who have more control over their software than office workers using IT dept-mandated setups.

“If you can’t avoid using a handful of websites that demand your browser supports Java, then why not have a different browser specifically for visiting those sites?” Sophos suggested. ®
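The practical follow-up to the advice above is to check that the plugin really is off and that the user cannot quietly turn it back on. The following is an added example, not Oracle’s tooling or anything from the article, that audits a Java 7 deployment.properties file for the two settings involved. The property names (deployment.webjava.enabled, deployment.security.level and the “.locked” suffix) are taken from Oracle’s deployment configuration documentation for Java 7; they changed across releases, so confirm them against the JRE actually installed. The two file contents are constructed for the example, one as the weak setting and one as the hardened form.

```python
import re

# Constructed deployment.properties contents (not taken from any real host).
WEAK_CONFIG = """\
# Java Deployment Properties (constructed example, before hardening)
deployment.version=7.11
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

HARDENED_CONFIG = """\
# Java Deployment Properties (constructed example, after hardening)
deployment.version=7.11
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

# java.util.Properties accepts "key=value", "key:value", "key value" or a
# bare key (empty value); the ".locked" entries are bare keys.
_PROP_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal parser for the subset of the properties format deployment files use."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _PROP_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit(props):
    """Return a list of findings; an empty list means the browser plugin is
    disabled, locked, and the applet security level is explicit and strict."""
    findings = []
    # Property names per Oracle's Java 7 deployment documentation (assumption:
    # verify against the installed release).
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java content in the browser is enabled "
                        "(deployment.webjava.enabled is not 'false')")
    if "deployment.webjava.enabled.locked" not in props:
        findings.append("deployment.webjava.enabled is not locked; "
                        "the user can re-enable the plugin from the Java Control Panel")
    level = props.get("deployment.security.level", "").upper()
    if level not in ("HIGH", "VERY_HIGH"):
        findings.append(f"deployment.security.level is {level or 'unset'}; "
                        "set it explicitly to HIGH or VERY_HIGH "
                        "(7u11 defaults to HIGH, earlier 7ux releases to MEDIUM)")
    return findings


def audit_file(path):
    """Convenience wrapper for a real file, e.g. ~/.java/deployment/deployment.properties."""
    with open(path, encoding="utf-8") as fh:
        return audit(parse_properties(fh.read()))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_properties(text)) or ["no findings"])
```

Disabling the plugin only covers the browser vector; the JRE stays installed for desktop applications, and a system-wide deployment.config pointing at a locked properties file is what stops the per-user file from overriding the policy.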

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/15/avoid_java_in_browsers/

Today’s antivirus apps ARE ‘worse at slaying hidden threats’

The effectiveness of antivirus products has declined, according to tests by German testing outfit AV-Test.org.

AV-Test put 25 antivirus products for home users and eight corporate endpoint protection software applications through their paces in November and December 2012.

Only an average of 92 per cent of the zero-day attacks were blocked during the tests, it said, a result that suggests roughly one in ten malware attacks succeeded. The products were able to clean 91 per cent of the infected systems; however, only 60 per cent could be put back in a condition similar to the pre-infection state, the firm said.

The tests were carried out on Windows 7 (SP1, 64-bit) machines. The firm said that three of the 25 consumer antivirus products failed to make the grade, including Microsoft Security Essentials and products from PC Tools and AhnLab.

The eight corporate products came out better, but even so Microsoft Forefront Endpoint Protection flunked the exam after scoring protection against zero-day malware of just 78 per cent in the December tests (although this was an improvement on its score of 67 per cent in November).

Andreas Marx, chief exec of AV-Test, said: “More products than usual had difficulties [meeting] our high standards and therefore failed to receive the AV-Test certification.”

The overall results of the test are far better than those obtained from a controversial set of tests run by Imperva in November, which concluded that most antivirus software detects less than 5 per cent of new malware.

Imperva’s antivirus test used VirusTotal, but detractors argue that the online service is not designed to determine whether an antivirus product actually blocks a threat, since it only reports whether a signature is on file and exercises none of the other layers of defence (behavioural, reputation or exploit blocking) that run on an installed product. VirusTotal itself describes this practice as a “bad idea”. The use of VT as a testing tool and other criticisms of Imperva’s study are summarised at some length by David Harley of Eset, an antivirus supplier, in a blog post.

Rob Rachwald of Imperva defended its methodology in a combative blog post last week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/15/anti_virus_test/

China’s Android users warned of giant botnet

Security researchers in China are warning Android users to be on their guard after claiming to have discovered a million-strong botnet lurking on the platform.

The Android.Troj.mdk Trojan, first spotted by security firm Kingsoft Duba back in early 2011, is thought to be hidden in over 7,000 apps today, including many popular games such as Fishing Joy and Temple Run.

Once installed it allows the attacker to remotely control the victim’s smartphone for a variety of nefarious ends including harvesting contact and messaging details, generating nuisance adware, committing click fraud and downloading additional apps, Xinhua reported.

The million-node-plus botnet represents a small proportion of the 150 million users of Android phones in China today, but its relative success thus far points to a worrying lack of user awareness around the dangers of downloading apps from unofficial third party stores.

Aside from installing mobile security software, Chinese authorities are urging users to keep an eye on their call history and data traffic and to beware of any gaming apps seeking unusual permissions, such as access to SMS or other content, according to Xinhua.
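The “unusual permissions” advice can be turned into a mechanical first pass over an APK’s AndroidManifest.xml. The following is an added example, not anything from Kingsoft Duba, Xinhua or the original article: it lists the permissions a manifest declares, flags the ones a casual game has no business requesting, and looks for a broadcast receiver registered for incoming SMS at high priority, the pattern used to read or swallow messages before the user’s SMS app sees them. The manifest, the package name and the list of permissions treated as suspicious are constructed for the example; the list should be tuned to the app category being reviewed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a casual game should not need. Constructed policy for this
# example; tune per app category (an SMS client legitimately needs READ_SMS).
SUSPICIOUS_FOR_GAMES = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS",
}

SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest of a repackaged game; not a real app's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fishinggame.repack">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Fishing Game">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """All <uses-permission> names in the manifest, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission"))


def sms_intercepting_receivers(manifest_xml, min_priority=1000):
    """Receivers whose intent-filter listens for SMS_RECEIVED at a priority
    high enough to run before the stock messaging app. Returns (name, priority)."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION not in actions:
                continue
            priority = int(flt.get(ANDROID_NS + "priority", "0"))
            if priority >= min_priority:
                found.append((receiver.get(ANDROID_NS + "name"), priority))
    return found


def triage(manifest_xml, suspicious=SUSPICIOUS_FOR_GAMES):
    """Combine both checks into one verdict: 'review' if anything is flagged."""
    perms = declared_permissions(manifest_xml)
    flagged = sorted(p for p in perms if p in suspicious)
    receivers = sms_intercepting_receivers(manifest_xml)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "permissions": perms,
        "flagged": flagged,
        "sms_receivers": receivers,
        "verdict": "review" if flagged or receivers else "ok",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

The manifest inside an APK is binary XML; run it through a decoder such as apktool or aapt first and feed the text form to this script. A clean manifest is not a clean app, since a downloader component can fetch the real payload later, which is why the advice above also covers watching data traffic and the call log.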

China has been a hotbed of Android malware for several years. Last year the government was even forced to publicly reprimand operators China Mobile and China Telecom for persistently allowing security vulnerabilities in their application stores. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/15/android_malware_botnet_china/

Singapore allows pre-crime strikes against online crooks

The Singaporean government has passed amendments to the city-state’s Computer Misuse Act, renaming it the Computer Misuse and Cybersecurity Act, and granting itself powers to take proactive measures against a potential cyber threat before it disrupts critical infrastructure.

The Ministry of Home Affairs released a statement on Monday detailing the updates to the law and explaining the changes as necessary given Singapore’s increasing reliance on cyberspace. That reliance, the statement says, means the island nation faces “new risks and vulnerabilities” to the critical information infrastructure (CII) from the likes of Stuxnet (which got a mention in Parliamentary debate on the amendments).

The amendments to Section 15 now state that the relevant minister can order a CII-related person or organisation to “take measures or comply with requirements necessary to prevent, detect or counter a threat to the national security, essential services, defence or foreign relations of Singapore”.

Such requirements may include data breach reporting, or supplying technical information including network design architecture, firewall rules, and software algorithms in order to provide early-warning of an attack or help deal with an ongoing threat.

The general idea, according to Singapore’s Ministry of Home Affairs, is to enable “proactive and upstream action against a threat before it materialises to cause any harm”. In the past, a minister could only respond to an attack once it had been launched.

Failure to comply with the new law could land an individual with a 10-year prison term and a S$50,000 (£25,400) fine.

As for which organisations qualify to assist in this new “cyber pre-crime” strategy, the amendment also added a host of new industries to the usual CII suspects of banking, utilities and communications, including land transport infrastructure, aviation, shipping, and health services.

The Singaporean government does not muck about when it comes to passing legislation. The amendments were only proposed two months ago. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/15/singapore_passes_precrime_cyber_law/

DefenseCode turns up Linksys zero-day

With more than 70 million home networking devices in service, a zero-day for Linksys has a very wide reach. According to DefenseCode, an information security consultancy, that’s just what turned up in a recent product evaluation for a client.

The company has not released full details of the root access vulnerability yet, but has posted a demonstration video to YouTube.

In the video, DefenseCode researchers open the router’s shell (without authentication) and list the contents of files and directories.

According to Help-Net Security, it took DefenseCode just 12 days to develop the exploit. The company says it contacted Cisco, Linksys’s owner, “months ago”.

The vulnerability affects all versions of Linksys firmware up to and including the current version, 4.30.14. DefenseCode intends to release a full description of the vulnerability within two weeks.

It’s an unwelcome development for Cisco, which in December began casting around for potential buyers for the consumer kit brand. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/14/cisco_linksys_zero_day/

John McAfee goes Hollywood with Warner Bros. movie deal

The story of antivirus pioneer–cum–blogging fugitive John McAfee could soon hit the big screen, with Warner Bros. reportedly having optioned the tale for a possible feature film.

This isn’t the first time McAfee has been approached about a movie based on his exploits. In December, he inked a deal for the rights to his story with Montreal-based production company Impact Future Media. Vice magazine, which covered his flight from his home in Belize, was reportedly also interested in developing a film.

With a deal in place at Warner Bros., however, McAfee could actually see his story brought to theaters by a major Hollywood studio.

According to The Hollywood Reporter, the script for said film will be adapted from “John McAfee’s Last Stand”, an article on the eccentric recluse that originally appeared in Wired magazine and has since been re-released as an ebook.

The article recounts McAfee’s early life in the computing industry, how he became wealthy after founding the early computer-security company McAfee Associates, and how in the late 2000s he would eventually give up his high-flying life of luxury in the US and move into a series of bungalows in rural Belize.

Ostensibly, McAfee spent his time in Belize trying to develop naturally derived antibiotics. What actually went on is much murkier, but by all accounts it seems to have involved lots of partying, stockpiles of guns, underage girls, and repeated run-ins with local government officials and police.

When McAfee’s neighbor in Belize, Greg Faull – who had clashed with McAfee over the latter’s unruly dogs – turned up dead of a gunshot wound, McAfee went on the lam, declaring that he was being framed for murder and that the government of Belize would kill him if he were caught.

Since escaping to Guatemala and eventually being deported to the US, McAfee has continued to blog about his purported exploits in Belize, offering tales that seem to grow more implausible with each new entry.

As of last week, McAfee was claiming to have operated an elaborate spy ring, in which he and a team of “operatives” extracted secrets from Belizean government officials through social engineering, covert wire taps, and by distributing laptops loaded with keyloggers. Naturally, his own life was at risk every step of the way.

It’s hard to tell just what, if any of this, to believe, especially considering McAfee’s rather fluid relationship with the truth. When asked whether his self-professed consumption of designer drugs called “bath salts” might have altered his perceptions, McAfee retorted that he hadn’t used any kind of drugs since 1983, and that his earlier claims of having manufactured and distributed mass quantities of bath salts in Belize were just a prank.

He later faked a heart attack while being held in a Guatemalan jail, and has since admitted to posting further false statements on his blog, purportedly as a way of misdirecting Belizean authorities.

Still, Hollywood is no stranger to implausible stories, and even if a script based on “John McAfee’s Last Stand” stretched the truth, it would certainly be a change from such comparatively bland computer-industry biopics as David Fincher’s The Social Network and the upcoming film based on the life of the late Steve Jobs.

Warner’s offer is presumably also more lucrative for McAfee than his previous deals, although no figure has been named. That should be good news for him, since his cost of living has spiked somewhat lately. After getting the boot from Guatemala, McAfee has settled in Portland, Oregon – a rather more expensive region than Belize – reportedly to work on various autobiographical projects, including a book and a graphic novel in addition to films. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/14/john_mcafee_warner_bros_biopic/

YOUR Cisco VoIP phone is easily TAPPED, warns CompSci prof

Computer scientists claim security vulnerabilities in Cisco VoIP phones allowed them to eavesdrop on calls and turn devices into bugging equipment.

Ang Cui has demonstrated how malicious code injected into 14 of the networking vendor’s Unified IP Phone models could be used to record private conversations – and not just those held over the compromised telephone itself: the malware can also pick up any sound within the vicinity when the handset is not in use. The discovered flaws effectively turn the network-connected phones into bugging devices.

Cisco VoIP phones are widely used in offices – small and large – across the world, creating a massive opportunity for potential mischief especially if the equipment is accessible from the public internet.

“It’s not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications,” said Professor Salvatore Stolfo of Columbia University who is supervising Cui’s computer science PhD research.

“It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones — they are not secure.”

The New York university pair found that the operating system kernel in the vulnerable phones was not correctly validating data supplied by applications, meaning it trusted software to act responsibly. An attack could be launched by logging into the device over SSH, although this requires a suitable username and password, or by plugging into the Aux port of the phone to gain local access. Once inside the phone, miscreants could abuse kernel system calls to run their own code or crash the gadget.

But Cisco played down the academics’ work, and said an attacker would need to be able to physically plug a line into the phone to download the malware to the device. And SSH logins are typically disabled in office environments.

Cui and Prof Stolfo dedicated several months to probing the security of internet-protocol phones, and this is far from their first advisory on problems with the widely used technology. The boffins argue that Cisco has only addressed the reported bugs rather than tackle fundamental design flaws of the hardware giant’s Unix-like phone operating system.

Cisco issued an advisory on the uncovered security issues last year. It followed this up with a further advisory on Wednesday, and another document providing more comprehensive and detailed mitigation advice.

“We issued a release note to customers at the end of last year (also crediting Mr Cui), but Wednesday’s release of the advisory and mitigation bulletin provides more public information and the consolidated mitigation options,” a Cisco spokesman explained.

Image caption: Cui’s makeshift tool to inject malware into Cisco phones (credit: Columbia University)

The pair of academics reckon either a complete rewrite of the firmware or a new type of security defence technology is needed.

“Cisco’s recent advisory does not solve the problem unless and until they succeed in rewriting and releasing the rewritten kernel (promised in a few months) without harbouring any vulnerabilities,” Prof Stolfo told El Reg.

“We really wish them luck. However, they can fix the immediate holes, but that does not protect the phone against other bugs the software might have. What they really need is independent security software running on the phone, just like what is available and provided by a mature security software industry for general-purpose computers.”

In a separate statement, Cisco said it was continuing to investigate the reported flaws and working towards developing a more comprehensive fix. The networking giant said it has no evidence that the security shortcomings have actually been exploited. Cisco said the flaw would be hard to abuse and limited to Cisco 7900 series IP office phones:

Our engineering teams are actively working on a permanent fix, and we have released very detailed, step-by-step customer guides on identifying and preventing this vulnerability from being exploited. We are not aware of this vulnerability being used against any of our customers. We encourage customers with related questions to contact the Cisco TAC, or read the Security Advisory and Applied Mitigation Bulletin posted at www.cisco.com/go/psirt.

Cisco works closely with the IT security community and we view this as vital to helping protect our customers’ networks. We thank Cui and Salvatore Stolfo for reporting this vulnerability to Cisco.

The vulnerability affects some of Cisco 7900 series IP office phones. In addition to specialist technical skills, a successful exploitation requires physical access to the phone’s serial port or the combination of authenticated remote access and non-default network settings. No default account exists for remote authentication and devices configured for remote access must use administrator-configured credentials.

Killing the spy who bugged me

Cui and Prof Stolfo found the exploitable security weaknesses after analysing the firmware binaries of VoIP phones. The research was part of an attempt to develop security technologies for embedded systems, such as network-connected phones, routers and printers. They christened this prototype technology Software Symbiotes.

“This is a host-based defence mechanism that’s a code structure inspired by a natural phenomenon known as symbiotic defensive mutualism,” explained Cui. “The Symbiote is especially suitable for retrofitting legacy embedded systems with sophisticated host-based defences.”

The Symbiote runs on the embedded hardware and monitors its host’s behaviour to ensure the device behaves itself and operates as expected. If not, the Symbiote stops the host from doing any harm. Removal, or attempted removal, of the Symbiote renders the device inoperable – a factor that could create a means for launching denial-of-service attacks against equipment but this has not blunted the enthusiasm of the computer scientists.

Cui said the Symbiote system could be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars. The Symbiote design reads a bit like a science-fiction plot element* so it’s no surprise that the computer scientists’ research was partially funded by war tech boffins at DARPA – the US military’s Defense Advanced Research Projects Agency. IARPA (Intelligence Advanced Research Projects Activity) and the Department of Homeland Security also bankrolled the research.

Cui and Prof Stolfo plan to demonstrate a Symbiote-protected Cisco IP Phone at the RSA conference in San Francisco in February. ®

* Hopefully unrelated to the character Venom from the Spiderman universe.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/14/cisco_voip_easily_tapped/