STE WILLIAMS

Now Microsoft ‘actively investigates’ Surface slab jailbreak tool

Microsoft is suddenly serious about tackling RT Jailbreak, a slick tool that unlocks Surface tablets using a hack publicised just days earlier.

A spokesperson for Microsoft’s Trustworthy Computing Group, tasked with Windows security, told The Register that Redmond is “actively investigating” the RT Jailbreak Tool v1 cooked up last week. Microsoft will take “appropriate action as necessary”, the spokesperson said, but provided no further details.

RT Jailbreak is a batch file created by a coder called Netham45 that can crack locked-down Windows RT tablets in a matter of seconds. Once in, users can run any unauthorised desktop apps on their ARM-powered devices. Microsoft would rather people download and install authorised, cryptographically signed software specifically built for touch-driven computers from its official Windows Store outlet.

The jailbreak tool disables the signature check in the kernel to allow any software to run. It uses a debugging trick published last week by a security researcher known as C. L. Rokr, although the original hack entailed getting one’s hands dirty with WinDbg. Netham45 tidied up the process and packaged it as RT Jailbreak Tool v1, which was released just four days after Rokr went public with his or her discovery.

Microsoft appeared to brush off the Rokr hack at the time, saying it wasn’t a security vulnerability – even though it exploited an existing shortcoming in the Windows kernel. “We applaud the ingenuity of the folks who worked this out and the hard work they did to document it. We’ll not guarantee these approaches will be there in future releases,” Microsoft noted.

Redmond’s now heightened concern over the new tool may be because it is not quite so inaccessible to “the average user” as the original exploit, allowing punters to install all sorts of ARM-compatible software without the need to trouble the Windows Store. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/14/windows_rt_hack_microsoft_investigating/

‘Red October’ has been spying on WORLD LEADERS for 5 years

Security watchers have discovered a malware-based cyber-espionage campaign targeting diplomats, governments and scientific research institutions worldwide.

Operation Red October has targeted Eastern Europe, former Soviet republics, and countries in Central Asia for the past five years, according to Kaspersky Lab. The attack has also claimed a smaller number of victims in Western Europe and North America. The firm said attackers are using the malware to slurp data and geopolitical intelligence from the targeted victims’ computer systems, mobile phones and enterprise networks.

The malware behind the attack is also designed to steal login credentials, said the researchers, adding that these are sometimes used to gain access to more sensitive systems from compromised machines and networks using stepping-stone tactics.

The Red October malware, dubbed “Rocra”, features unique architecture and functionality not seen in previous cyber-espionage attacks, said Kaspersky. Features include an advanced cryptographic spy-module designed to lift data from Acid Cryptofiler, which is known to be used by NATO, the European Union, European Parliament and European Commission since the summer of 2011 to encrypt classified information. The researchers said the malware also has the capability to steal data from smartphones including Android handsets, iPhones and Windows Phone mobes – including Nokia, Sony Ericsson and HTC models.

Kaspersky began investigating the operation after looking into a series of attacks against diplomatic service agencies. Its cyber security experts concluded that the attackers behind the assaults had been active since at least 2007. The firm said that targets have included diplomatic and governmental agencies of various countries across the world, research institutions, energy and nuclear groups, and the trade and aerospace industries.

The Red October attackers designed their own malware, “Rocra”, which incorporates a modular architecture featuring malicious extensions, info-stealing modules and backdoor Trojans, said the researchers.

Attackers created more than 60 domain names and several servers, mostly located in Germany and Russia, to act as command and control (C&C) hubs for the attack. These servers act as proxies hiding the location of the “mothership” control server, according to the Russian security sleuths.

Kaspersky reckons initial infection was carried out using targeted (spear-phishing) attacks delivering malware including a Trojan dropper. Microsoft Office and Microsoft Excel vulnerabilities were exploited to infect targeted systems. The exploits used in the attack were previously used against Tibetan activists as well as military and energy sector targets in Asia. Kaspersky analysts reckon the attackers are native Russian speakers.

“Based on the registration data of C2 servers and the numerous artifacts left in executables of the malware, there is strong technical evidence to indicate the attackers have Russian-speaking origins,” Kaspersky Lab said in a statement. “In addition, the executables used by the attackers were unknown until recently, and were not identified by Kaspersky Lab’s experts while analysing previous cyber-espionage attacks.”

Kaspersky used data from its own protection network as well as information obtained from sink-holing control servers to draw up a list of likely victims. The Russian security firm is continuing to work with international organisations, law enforcement agencies and Computer Emergency Response Teams (CERTs) in investigating the attacks and running a clean-up operation.

More details of the investigation can be found in a blog post by Kaspersky Lab here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/14/red_october_cyber_espionage/

India’s tough hacker crackdown: IT security leaflets with every device

India has reportedly concocted a plan to cut down on IT security problems: forcing hardware vendors to include a security awareness brochure with all desktop PCs, mobile phones and USB modems.

The plans were dreamt up to improve the country’s cyber security preparedness, in response to the increasing volume of online threats facing users, according to the Economic Times.

However, technology execs are apparently lobbying the government to modify its proposals, which were due to be rolled out at the beginning of the year.

Imported goods would cause particular headaches, according to one senior executive, who told the paper that the brochures would either have to be bundled with products at the relevant sea or airport before customs checks or even further back in the manufacturing process, at the time of packaging.

“We have the recipe for nothing short of a nightmare,” he added.

USB-based products would apparently generate a slightly different packaging problem in that the hardware is smaller than the brochure.

It’s not known if the unnamed exec was a PC vendor, but it would be richly ironic if that were the case given the crapware such companies load onto PCs. The exec’s complaint is also odd given India has 22 official languages and speakers of many are concentrated in certain areas. Bengali, for example, is spoken by 83m Indians in three states (and 160m or so Bangladeshis). As the Bengali-speaking population of India alone is larger than that of many nations, vendors would almost certainly produce products tailored to that language, leaving the argument that bundling logistics are onerous holding little water.

Indian web users are certainly being targeted like never before, as increasing broadband penetration married to an expanding middle class means more are getting online, but often without appreciating the security risks.

A 2012 Symantec report found advanced, targeted attacks rose from 77 per day in 2010 to 82 by the end of 2011, with over half hitting SMBs.

While its plans to raise cyber security awareness are well-meaning, the Indian government is not exactly leading by example when it comes to defending its networks.

Over 100 government web sites were hacked in just three months at the beginning of 2012 and then last month over 10,000 email accounts belonging to top officials were compromised. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/14/indian_security_brochure_plan/

Microsoft flings out emergency patch for latest gaping IE hole

Microsoft has announced plans to release an out-of-band patch today tackling a critical zero-day hole in Internet Explorer.

The update will almost certainly tackle an unpatched remote-code execution flaw in earlier versions of IE (detailed in Microsoft Security Advisory 2794220) that has become the target of hacker attacks since late December.

For now, Redmond only says the flaw is critical, as per its standard practice of not going into details ahead of actually publishing a security patch. Microsoft advises customers to apply the critical patch immediately, a piece of advice echoed by security watchers such as Sophos.

Several websites have already been compromised to spread malware exploits based on the vulnerability in IE 6, 7 and 8. Users could safeguard themselves by either updating to IE 9 or 10 or using an alternative browser. Microsoft published a temporary FixIt tool to protect against this vulnerability but security researchers found this defence was far from bullet-proof.

IE 9 has been available since March 2011. Although the vulnerability attacks old, arguably obsolete browser software, it still presents a huge risk – not least because it affects 90 per cent of the Internet Explorer installed base, according to cloud security firm Qualys.

Sites booby-trapped to serve exploits based on the attack include an Iranian oil company, a website serving the Uyghur people of East Turkistan, the Council on Foreign Relations website and others.

The attacks bear the hallmarks of previous infections spread by the so-called Elderwood Project. Although a different vulnerability was abused in those earlier attacks, the ultimate aim was geared towards delivering the same malicious payload.

Emergency (out-of-sequence) patches for security flaws in Microsoft software are a rare but far from unprecedented occurrence. Previous examples include a fix for a security bug in ASP.Net applications that allowed attackers to decrypt password files, cookies, and other sensitive data in September 2010. You might also recall the August 2010 patch for a flaw in Windows shortcut handling, also associated with malware attacks, and a March 2010 update to tackle a security bug in IE, also linked with distributing malware.

Patches outside the regular Patch Tuesday update are a pain for administrators and Redmond has done a good job in cutting down their frequency over the last three or four years. Microsoft has been battle-hardened from years of combating Windows bugs and its security practices have become an example to the rest of the industry. Some also argue that this hardening encourages hackers to divert their attention away from Redmond and towards exploiting vulnerabilities in third-party software, most particularly Java and Adobe applications. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/14/ms_emergency_ie_patch/

Disney World slaps pay-by-bonk stalker cuffs on grown-ups

Disney World is going RFID, replacing tickets and wallets with pay-by-bonk wrist bands, and offering an enhanced service for those who want to be greeted by name around the park.

The basic service, MyMagic+, is an RFID wristband which identifies each punter, allowing them to store FastPasses and upload credit card details so they can buy stuff without thinking (more than $50 requires a PIN) – and so that Disney can stalk you around the park and “customise” the experience, or, more excitingly, so that Buzz Lightyear can greet you by name almost as if you really were an individual.

Radio tags in wristbands aren’t new, and have replaced tickets in many parks around the US – Dolly Parton’s DollyWood theme park launched (pre-paid) Sunny Money back in 2007 (making it easier to carry cash while wearing a swimming costume). But Disney’s deployment in Florida (other sites to follow later) is significant not only because it is bigger than the others, but also because it will push the technology one step further than everyone else has done.

Virtual queuing is standard stuff these days, but with the My Disney Experience app (connected using the blanketing Wi-Fi), visitors will be able to schedule queuing time around meals, loo breaks and meetings with the costumed characters. It will also ensure those characters know whose birthday it is, and let Disney know exactly how long you spent doing what.

MyMagic+ isn’t just about making it easier to spend money, though that’s a significant motivation; it’s also about tracking how people move around the park and what they spend time doing (queuing, mostly, from our limited understanding of the venue).

All such places track crowds, using basic CCTV or more advanced tech from companies such as Path Intelligence, but that’s anonymous, while Disney’s approach will provide all the details.

The company is stepping carefully; the app allows granular control of what’s shared at least until everyone gets comfortable with the idea of being greeted by name by a foam princess, and if it turns out that no one wants to share, it will still make spending money in the Magic Kingdom that little bit easier. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/14/dismey_rfid/

What’s bugging you? Maybe it’s YOUR Cisco PHONE, warns prof

Computer scientists claim security vulnerabilities in Cisco VoIP phones allowed them to eavesdrop on calls and turn devices into bugging equipment.

Ang Cui has demonstrated how malicious code injected into 14 of the networking vendor’s Unified IP Phone models could be used to record private conversations – and not just those held over the compromised telephone itself: the malware can also pick up any sound within the vicinity when the handset is not in use. The discovered flaws effectively turn the network-connected phones into bugging devices.

Cisco VoIP phones are widely used in offices – small and large – across the world, creating a massive opportunity for potential mischief especially if the equipment is accessible from the public internet.

“It’s not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications,” said Professor Salvatore Stolfo of Columbia University who is supervising Cui’s computer science PhD research.

“It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones — they are not secure.”

The New York university pair found that the operating system kernel in the vulnerable phones was not correctly validating data supplied by applications, meaning it trusted software to act responsibly. An attack could be launched by logging into the device over SSH, although this requires a suitable username and password, or by plugging into the Aux port of the phone to gain local access. Once inside the phone, miscreants could abuse kernel system calls to run their own code or crash the gadget.
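The flaw class described above, a kernel entry point that trusts the pointer and length an application hands it, is shown in the following added example. It is constructed for this page and is not Cisco’s code: the phone kernel, its system calls and addresses are not on the page, so the sandbox layout, the names `sys_copy_trusting` and `sys_copy_checked`, the canary and the sample input are all assumptions. The trusting handler only checks where the copy starts; the hardened one validates the length, address wraparound and the whole source range before copying a byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sandbox, not a real kernel: a 4 KiB "application" address
 * space and one kernel object that a system call copies into. All names
 * and addresses are assumptions made for this illustration. */
#define USER_BASE  0x1000u
#define USER_SIZE  0x1000u
#define KBUF_SIZE  64
#define CANARY     0xDEADBEEFu

enum { SYS_OK = 0, SYS_EFAULT = -1, SYS_EINVAL = -2 };

static uint8_t user_mem[USER_SIZE];       /* simulated application memory */

struct kstate {
    uint8_t  buf[KBUF_SIZE];              /* where the syscall copies to */
    uint32_t canary;                      /* kernel data that must survive */
};
static struct kstate ks = { {0}, CANARY };

/* Map a user address to host memory; NULL when it is not user memory. */
static const uint8_t *user_ptr(uint32_t uaddr)
{
    if (uaddr < USER_BASE || uaddr - USER_BASE >= USER_SIZE)
        return NULL;
    return &user_mem[uaddr - USER_BASE];
}

/* Flawed handler: checks only that the start address is user memory and
 * trusts the caller's length, so a length above KBUF_SIZE runs past buf
 * into the canary. (The clamp to sizeof ks keeps this sandbox inside one
 * C object; a real kernel would keep writing past the object.) */
int sys_copy_trusting(uint32_t uaddr, uint32_t len)
{
    const uint8_t *src = user_ptr(uaddr);
    if (src == NULL)
        return SYS_EFAULT;
    if (len > sizeof ks)
        len = (uint32_t)sizeof ks;
    memcpy(&ks, src, len);
    return SYS_OK;
}

/* Hardened handler: reject bad lengths, address wraparound and any range
 * that is not entirely inside user memory before copying anything. */
int sys_copy_checked(uint32_t uaddr, uint32_t len)
{
    if (len == 0 || len > KBUF_SIZE)
        return SYS_EINVAL;
    if (uaddr > UINT32_MAX - len)             /* uaddr + len would wrap */
        return SYS_EFAULT;
    if (user_ptr(uaddr) == NULL || user_ptr(uaddr + len - 1) == NULL)
        return SYS_EFAULT;                     /* range leaves user memory */
    memcpy(ks.buf, user_ptr(uaddr), len);
    return SYS_OK;
}

uint32_t kernel_canary(void) { return ks.canary; }

/* Restore the kernel object to its pristine state. */
int reset_kernel(void)
{
    memset(&ks, 0, sizeof ks);
    ks.canary = CANARY;
    return SYS_OK;
}

/* Stage 80 bytes of 0x41 at a fixed user address (constructed input)
 * and return that address. */
uint32_t stage_sample_input(void)
{
    const uint32_t addr = USER_BASE + 0x100u;
    memset(&user_mem[addr - USER_BASE], 0x41, 80);
    return addr;
}

int main(void)
{
    uint32_t a = stage_sample_input();
    reset_kernel();
    printf("checked  len=80 -> %d, canary intact: %s\n",
           sys_copy_checked(a, 80), kernel_canary() == CANARY ? "yes" : "no");
    printf("trusting len=80 -> %d, canary intact: %s\n",
           sys_copy_trusting(a, 80), kernel_canary() == CANARY ? "yes" : "no");
    return 0;
}
```

The point of the range check is that every bound is tested before the copy, including the end of the range and integer wraparound of `uaddr + len`; checking only the start pointer, as the trusting version does, leaves the caller in control of how far the kernel writes.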

But Cisco played down the academics’ work, and said an attacker would need to be able to physically plug a line into the phone to download the malware to the device. And SSH logins are typically disabled in office environments.

Cui and Prof Stolfo dedicated several months to probing the security of internet-protocol phones, and this is far from their first advisory on problems with the widely used technology. The boffins argue that Cisco has only addressed the reported bugs rather than tackle fundamental design flaws of the hardware giant’s phone operating system.

Cisco issued an advisory on the uncovered security issues last year. It followed this up with a further advisory on Wednesday, and another document providing more comprehensive and detailed mitigation advice.

“We issued a release note to customers at the end of last year (also crediting Mr Cui), but Wednesday’s release of the advisory and mitigation bulletin provides more public information and the consolidated mitigation options,” a Cisco spokesman explained.

Image caption: Cui’s makeshift tool to inject malware into Cisco phones (credit: Columbia University)

The pair of academics reckon either a complete rewrite of the firmware or a new type of security defence technology is needed.

“Cisco’s recent advisory does not solve the problem unless and until they succeed in rewriting and releasing the rewritten kernel (promised in a few months) without harbouring any vulnerabilities,” Prof Stolfo told El Reg.

“We really wish them luck. However, they can fix the immediate holes, but that does not protect the phone against other bugs the software might have. What they really need is independent security software running on the phone, just like what is available and provided by a mature security software industry for general-purpose computers.”

In a separate statement, Cisco said it was continuing to investigate the reported flaws and working towards developing a more comprehensive fix. The networking giant said it has no evidence that the security shortcomings have actually been exploited. Cisco said the flaw would be hard to abuse and limited to Cisco 7900 series IP office phones:

Our engineering teams are actively working on a permanent fix, and we have released very detailed, step-by-step customer guides on identifying and preventing this vulnerability from being exploited. We are not aware of this vulnerability being used against any of our customers. We encourage customers with related questions to contact the Cisco TAC, or read the Security Advisory and Applied Mitigation Bulletin posted at www.cisco.com/go/psirt.

Cisco works closely with the IT security community and we view this as vital to helping protect our customers’ networks. We thank Cui and Salvatore Stolfo for reporting this vulnerability to Cisco.

The vulnerability affects some of Cisco 7900 series IP office phones. In addition to specialist technical skills, a successful exploitation requires physical access to the phone’s serial port or the combination of authenticated remote access and non-default network settings. No default account exists for remote authentication and devices configured for remote access must use administrator-configured credentials.

Killing the spy who bugged me

Cui and Prof Stolfo found the exploitable security weaknesses after analysing the firmware binaries of VoIP phones. The research was part of an attempt to develop security technologies for embedded systems, such as network-connected phones, routers and printers. They christened this prototype technology Software Symbiotes.

“This is a host-based defence mechanism that’s a code structure inspired by a natural phenomenon known as symbiotic defensive mutualism,” explained Cui. “The Symbiote is especially suitable for retrofitting legacy embedded systems with sophisticated host-based defences.”

The Symbiote runs on the embedded hardware and monitors its host’s behaviour to ensure the device behaves itself and operates as expected. If not, the Symbiote stops the host from doing any harm. Removal, or attempted removal, of the Symbiote renders the device inoperable – a factor that could create a means for launching denial-of-service attacks against equipment but this has not blunted the enthusiasm of the computer scientists.

Cui said the Symbiote system could be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars. The Symbiote design reads a bit like a science-fiction plot element* so it’s no surprise that the computer scientists’ research was partially funded by war tech boffins at DARPA – the US military’s Defense Advanced Research Projects Agency. IARPA (Intelligence Advanced Research Projects Activity) and the Department of Homeland Security also bankrolled the research.

Cui and Prof Stolfo plan to demonstrate a Symbiote-protected Cisco IP Phone at the RSA conference in San Francisco in February. ®

* Hopefully unrelated to the character Venom from the Spiderman universe.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/14/cisco_voip_easily_tapped/

Anonymous hacks MIT websites after Aaron Swartz’s death

Hacktivist collective Anonymous briefly took over some of MIT’s websites earlier this morning to protest against the role computer crime laws may have played in the death of Aaron Swartz.

Reddit co-founder and internet activist Swartz was found hanged in his apartment in New York on Friday, having taken his own life at the age of 26. He was under indictment for computer and wire fraud, facing fines and over 30 years jail time, and some are now blaming strict computer laws and the US justice system for his suicide.

Anonymous hackers posted their message in red on a black background, claiming that Swartz’s prosecution was unjust and his actions were political activism, not criminal activities.

“Whether or not the government contributed to his suicide, the government’s prosecution of Swartz was a grotesque miscarriage of justice, a distorted and perverse shadow of the justice that Aaron died fighting for,” the message read.

“The situation Aaron found himself in highlights the injustice of US computer crime laws, particularly their punishment regimes and the highly-questionable justice of pre-trial bargaining. Aaron’s act was undoubtedly political activism, it had tragic consequences.”

Swartz was arrested two years ago after allegedly using a laptop stashed at MIT to access JSTOR, an archive of academic journals, with a custom Python script and downloading 4.8 million articles. JSTOR charges for the documents, meaning the value of the articles amounted to millions of dollars.

Although JSTOR wasn’t interested in pressing charges, the government proceeded with the indictment. Swartz’s lawyer, Elliot Peters, was attempting to negotiate a plea bargain with prosecutors, but they remained insistent that he would have to spend time in prison.

Downloading the articles was part of Swartz’s campaign for free information online; he had pulled a similar stunt in 2008, when he snatched a fifth of the US court documents stored online and made them freely available to anyone.

While Swartz was suffering from depression, his family has attributed some of the blame for his death to his experiences of the criminal justice system. The Swartz family said in a statement that the US justice system is “rife with intimidation and prosecutorial overreach”.

MIT has said that it will investigate how it handled the network breach and its role in Swartz’s prosecution. The Anonymous hackers were careful to say that they didn’t blame MIT, even apologising for hijacking the university’s websites.

Anonymous called on the government to see the tragedy as a basis to reform computer crime and intellectual property laws and commit to a “free and unfettered internet”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/14/anonymous_protest_swartz_death/


Oracle patches Java 0-day, goes to Defcon 2

Oracle has patched the latest Java nasty, suggesting users of the increasingly-flaw-prone product visit java.com pronto to download a new version of the software that addresses the flaw and stops malicious websites gaining control of compromised computers.

In a blog post describing the fix, Oracle’s Eric P. Maurice may just have leaked some of Oracle’s worries about Java besmirching its overall reputation, writing “These vulnerabilities do not affect Java on servers, Java desktop applications, or embedded Java.”

Oracle has also changed Java-in-a-browser’s default security level to “High”. Maurice writes that means “… unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.” Cue social engineering attacks, one imagines.

Maurice has another weapon he hopes Java users will deploy: the off button. “Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel,” he wrote. Another bug like this one and even that advice may be redundant: users must surely be considering just how much they need Sun’s software spawn given its frequent pwnage. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/13/java_0_day_patch_issued/

Oracle management tools top critical list in quarterly patch party

As part of its quarterly patch release cycle, Oracle will be unleashing 86 of the things on Tuesday, January 15, over half of them critical enough to allow full remote code execution without piffling details like a password.

Image caption: Oracle patch cycle (Roll ’em out)

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” reads the security advisory.

Top of the busy list come Tuesday will be those running Oracle’s Application Performance Management and Enterprise Manager tools, since these two share an unlucky 13 critical patches between them. MySQL topped the patch list in numeric terms, although all but two patches aren’t too serious.

Managers using Oracle’s E-Business Suite and PeopleSoft are also going to have a fair amount of critical fixing, and the Siebel and Sun packages share 18 patches between them. Virtualization, supply chain, and JD Edwards users can pretty much put their feet up.

There’s no sign of a fix for the latest zero-day flaw to bedevil Java, although it’s a bit early and the eventual patch will probably be released out-of-cycle. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/11/oracle_critical_patches/