STE WILLIAMS

Browser vendors rush to block fake google.com site cert

Google and other browser vendors have taken steps to block an unauthorized digital certificate for the “*.google.com” domain that fraudsters could have used to impersonate the search giant’s online services.

According to a blog post by software engineer Adam Langley, Google’s Chrome team first discovered a site using the fraudulent certificate on Christmas Eve. Upon investigation, they were able to trace the phony credential back to Turkish certificate authority Turktrust, which quickly owned up to the problem.

It seems that in August 2011, Turktrust mistakenly issued two intermediate certificates to one of its customers, instead of the ordinary SSL certificates it should have issued. It was one of these more trusted certificates that allowed the customer to generate the fake “*.google.com” certificate, unbeknownst to Turktrust or Google.

Armed with such a certificate, attackers can potentially create fraudulent websites that pose as Google websites, which can then be used to spoof content, launch phishing attacks, or perform man-in-the-middle attacks to intercept data from Google services.

Such attacks would be more insidious than your garden-variety online fraud because the spoofed certificate would cause users’ browsers to report the fake sites as genuine.

According to Turktrust’s own website, “Turktrust is the one and only local enterprise in Turkey that is recognized by Microsoft (Internet Explorer), Mozilla (Firefox), Opera and Safari web browsers and whose SSL server certificates are valid throughout the world.”

That status could be in jeopardy, however, because the only solution to the spoofed-certificate problem, now that the cat is out of the bag, is to revoke the authority of some or all certificates issued by Turktrust.

On Thursday, Google’s Langley said that the search giant has already updated the certificate-revocation metadata of its Chrome browser to invalidate both of Turktrust’s wrongly-issued intermediate certificates – one on Christmas Day and the other the day after – and that further actions are forthcoming.
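The two halves of this story, an end-entity certificate that was mistakenly marked as a CA and the vendors’ answer of blocklisting the mis-issued intermediates, can be reproduced in miniature with Ruby’s bundled OpenSSL binding. The following is an added example, not code from the article or from any browser vendor: it builds a throwaway root, a customer key issued once correctly (CA:FALSE) and once wrongly (CA:TRUE), lets the customer key sign a “*.google.com” leaf under each, and then runs a browser-style acceptance check. The names, the one-hour validity window and the fingerprint blocklist are all constructed here.

```ruby
require 'openssl'

# Added example (not from the article or any vendor). Everything below is
# constructed in memory: a demo root CA, a customer key and certificates
# signed by them. No real CA, key or host is involved.

def new_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build and sign an X.509v3 certificate. For a self-signed root pass no
# issuer. `ca:` sets basicConstraints, the one field that turns an ordinary
# server certificate into an intermediate CA certificate.
def issue(cn:, key:, ca:, serial:, issuer_cert: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SHA-256 over the DER encoding: the identifier our blocklist keys on.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der)
end

# Defender-side acceptance check modelled on what the browsers did:
# 1. the chain must build to a trusted root,
# 2. no certificate in the built chain may be on the blocklist,
# 3. the leaf must actually be valid for the hostname being visited.
# `blocklist` is an array of hex fingerprints supplied by the caller.
def chain_accepted?(leaf, intermediates, trusted_roots, blocklist, hostname)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, intermediates)
  return false unless ctx.verify
  return false if ctx.chain.any? { |c| blocklist.include?(fingerprint(c)) }
  OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
end

# Recreate the shape of the incident with demo certificates.
def build_scenario
  root_key = new_key
  root = issue(cn: 'Demo Root CA', key: root_key, ca: true, serial: 1)
  customer_key = new_key
  # What the CA meant to issue: an end-entity certificate (CA:FALSE).
  ordinary = issue(cn: 'Customer Server', key: customer_key, ca: false, serial: 2,
                   issuer_cert: root, issuer_key: root_key)
  # What it issued by mistake: the same key, but marked CA:TRUE.
  intermediate = issue(cn: 'Customer Intermediate', key: customer_key, ca: true, serial: 3,
                       issuer_cert: root, issuer_key: root_key)
  leaf_key = new_key
  # The customer key then signs a certificate for a name it does not control.
  via_intermediate = issue(cn: '*.google.com', key: leaf_key, ca: false, serial: 4,
                           issuer_cert: intermediate, issuer_key: customer_key, san: '*.google.com')
  via_ordinary = issue(cn: '*.google.com', key: leaf_key, ca: false, serial: 5,
                       issuer_cert: ordinary, issuer_key: customer_key, san: '*.google.com')
  { root: root, ordinary: ordinary, intermediate: intermediate,
    via_intermediate: via_intermediate, via_ordinary: via_ordinary }
end

if __FILE__ == $PROGRAM_NAME
  s = build_scenario
  roots = [s[:root]]
  puts "signed by mis-issued intermediate, no blocklist: #{chain_accepted?(s[:via_intermediate], [s[:intermediate]], roots, [], 'www.google.com')}"
  puts "signed by the ordinary CA:FALSE certificate:     #{chain_accepted?(s[:via_ordinary], [s[:ordinary]], roots, [], 'www.google.com')}"
  puts "after blocklisting the intermediate:             #{chain_accepted?(s[:via_intermediate], [s[:intermediate]], roots, [fingerprint(s[:intermediate])], 'www.google.com')}"
end
```

The first line prints true and the other two false: a leaf under the CA:FALSE certificate fails OpenSSL’s chain check outright, while the leaf under the mis-issued intermediate is a perfectly valid chain and is only stopped once that intermediate’s fingerprint is on the blocklist, which is why revocation metadata rather than a code fix was the vendors’ first response.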

“Given the severity of the situation, we will update Chrome again in January to no longer indicate Extended Validation status for certificates issued by Turktrust, though connections to Turktrust-validated HTTPS servers may continue to be allowed,” Langley wrote.

In a separate security advisory, Microsoft said it had similarly updated the Certificate Trust List to revoke the authority of the problem certificates for all supported versions of Windows, which currently means Windows XP Service Pack 3 and later.

But the Mozilla Foundation went even further, not merely revoking the two certificates, but also suspending inclusion of Turktrust’s root certificate with the Firefox browser “pending further review.”

“We are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control,” Mozilla director of security assurance Michael Coates wrote in a blog post. “We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates.”

As usual, users of all browsers are advised to make sure they are up to date with the latest security fixes, although some browsers – such as Chrome – install such fixes automatically.

Coates added that any additional action regarding Turktrust would be discussed in the Mozilla Foundation’s mozilla.dev.security.policy forum. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/04/turkish_fake_google_site_certificate/

Ruby on Rails has SQL injection vuln

The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular Web framework.

They advise that users should immediately apply an upgrade available here.

Designated CVE-2012-5664, the maintainers explain the bug this way: “Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.”

New versions have been released to eliminate the flaw, and the Ruby on Rails team also describes a workaround (for careful users who want to test the new versions before implementation). “The issue can be mitigated by explicitly converting the parameter to an expected value,” the post explains.
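What “explicitly converting the parameter to an expected value” looks like in practice is easiest to see in code. The block below is an added example in plain Ruby, not Rails code and not the project’s own patch: `Post` and its `find_by_id` are stand-ins for an Active Record model, the `COERCERS` table and `coerce_params` helper are this example’s own design, and the request parameter hashes are constructed here in the shapes a query-string parser can produce (String, Array, Hash).

```ruby
# Added example, plain Ruby rather than Rails: `Post` and `find_by_id` are
# stand-ins for an Active Record model, and the `params` hashes below are
# constructed. It shows the mitigation the advisory describes: convert each
# request parameter to its expected type before a dynamic finder sees it.

class ParameterTypeError < StandardError; end

# One coercer per expected type. Each returns the converted value or nil,
# and nil means "reject". Every coercer first insists on a String: request
# parsers can also deliver Arrays and Hashes, and those are never what a
# finder argument should be.
COERCERS = {
  integer: ->(v) { v.is_a?(String) && v.match?(/\A\d{1,18}\z/) ? Integer(v, 10) : nil },
  slug:    ->(v) { v.is_a?(String) && v.match?(/\A[a-z0-9\-]{1,64}\z/) ? v : nil },
  boolean: ->(v) { { 'true' => true, 'false' => false }[v] }
}.freeze

# Convert the raw parameters named in `schema` to their declared types,
# raising ParameterTypeError if any one of them does not fit.
def coerce_params(raw, schema)
  schema.each_with_object({}) do |(name, type), out|
    value = raw[name.to_s]
    coerced = COERCERS.fetch(type).call(value)
    raise ParameterTypeError, "#{name}: expected #{type}, got #{value.inspect}" if coerced.nil?
    out[name] = coerced
  end
end

class Post
  ROWS = { 1 => { id: 1, slug: 'hello' }, 2 => { id: 2, slug: 'world' } }.freeze

  # Stand-in finder that only ever receives an already-typed value.
  def self.find_by_id(id)
    raise TypeError, "finder got #{id.class}, expected Integer" unless id.is_a?(Integer)
    ROWS[id]
  end
end

# Controller-style entry point: coerce first, query second.
def show_post(params)
  clean = coerce_params(params, id: :integer)
  Post.find_by_id(clean[:id])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters in the shapes a query-string parser produces.
  [{ 'id' => '2' }, { 'id' => ['2', '3'] }, { 'id' => { 'x' => 'y' } }, { 'id' => '2abc' }].each do |params|
    begin
      p show_post(params)
    rescue ParameterTypeError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

Only the first request reaches the finder; the Array, the Hash and the non-numeric string are all rejected before any query is built, which is the property the workaround relies on.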

As noted by Threatpost, Phenoelit has a more detailed explanation of the impact of the bug here.

“When a RoR application is created the secret which goes into the HMAC will be created along with all the other files a minimal RoR application would need. This secret usually is a 64 byte long random string and lives in railsapp/config/initializers/secret_token.rb. The simple problem is that most developers are simply not aware of the confidentiality of this file, and as a result they’ll happily check it into Github or other online repositories”, Phenoelit states.

If the HMAC key for an application is known, an attacker can easily send fake credentials to the application. ®
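The point Phenoelit makes has two halves: the HMAC secret must live somewhere other than a checked-in file, and whoever holds it can mint credentials the application will accept. The following added example (plain Ruby using the bundled OpenSSL binding, not Rails’ own cookie store) shows both: it reads the secret from an environment variable, signs a cookie, verifies it with a constant-time comparison, and rejects a cookie signed under any other key. The variable name `APP_SECRET_TOKEN` and the `payload--signature` layout are this example’s own choices.

```ruby
require 'openssl'

# Added example (not Rails code). The HMAC key comes from the process
# environment rather than a file under version control, and a cookie signed
# with any other key is rejected. APP_SECRET_TOKEN and the
# 'base64(payload)--hexsig' layout are this example's own choices.

# Read the secret from the environment and refuse to start without one.
def signing_secret(env = ENV)
  secret = env['APP_SECRET_TOKEN']
  raise 'APP_SECRET_TOKEN missing or shorter than 32 bytes' if secret.nil? || secret.bytesize < 32
  secret
end

# Base64-encode the payload, then HMAC-SHA256 over the encoded form.
def sign_cookie(payload, secret)
  data = [payload].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)}"
end

# Length check, then XOR-accumulate over every byte, so the comparison
# time does not depend on where the first differing byte sits.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload when the signature checks out, nil otherwise.
def verify_cookie(cookie, secret)
  data, sig = cookie.to_s.split('--', 2)
  return nil if data.nil? || sig.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
  return nil unless secure_equal?(sig, expected)
  data.unpack1('m0')           # strict decode; raises on malformed input
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed environment standing in for the real deployment config.
  env = { 'APP_SECRET_TOKEN' => OpenSSL::Random.random_bytes(32).unpack1('H*') }
  secret = signing_secret(env)
  cookie = sign_cookie('user_id=42', secret)
  p verify_cookie(cookie, secret)                           # "user_id=42"
  p verify_cookie(cookie + 'a', secret)                     # nil: signature altered
  p verify_cookie(sign_cookie('user_id=1', 'x' * 64), secret) # nil: wrong key
end
```

The last line is the whole story of the leaked `secret_token.rb`: verification has nothing but the key to go on, so a cookie produced with the real key is indistinguishable from a legitimate one, and a cookie produced with any other key is worthless.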

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/03/ruby_on_rails_sql_injection_vuln/

Malware SNEAK dons cunning disguise, opens creaky back door to servers

A malicious backdoor designed to infect web servers poses a severe threat, Trend Micro warns.

The malware, dubbed BKDR_JAVAWAR.JG, poses as a Java Server page but actually creates a backdoor on compromised servers. “This malware may arrive as either a file downloaded from certain malicious sites or as a file dropped by other malware,” Trend explains in an advisory.

The attack only works if the targeted system is either a Java Servlet container (such as Apache Tomcat) or a Java-based HTTP server. “Using a password cracking tool, cybercriminals are able to log in and gain manager/administrative rights allowing the deployment of web application archive (WAR) files packaged with the backdoor to the server. The backdoor will be automatically added in the accessible Java Server pages,” Trend adds.

Once installed, the backdoor can be used to “browse, upload, edit, delete, download or copy files from the infected system”, say the security researchers.

The threat proves the point that servers, as well as user desktops, are vulnerable to Java-based exploits, which have become a hacker favourite over recent years. More details on the threat can be found in a blog post by Trend Micro here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/03/web_server_backdoor_peril/

Facebook fixes ‘Peeping Tom’ webcam bug

Facebook had a busy time over the holiday period fixing several security flaws, including a webcam-related vulnerability that allowed hackers to record video from a user’s web camera and post it on their timeline.

“An attacker could trick a user to silently record his webcam video and publish it to his Facebook wall, without the user even knowing about it,” according to Aditya Gupta, the Indian security researcher who discovered the flaw. Gupta and fellow security researcher Subho Halder from XY Security earned a $2,500 reward from Facebook for discovering the Cross-Site Request Forgery (CSRF) bug, which stemmed from a failure to apply adequate security controls. Gupta notified Facebook about the “Peeping Tom” bug in July but the social networking giant only recently rolled out a fix.

A video by XY Security illustrating the resolved webcam vulnerability can be found here.

Days after news on the webcam vulnerability became public, Facebook was obliged to respond quickly to a flaw in its New Year “Midnight Delivery” messaging service. The service delivers New Year’s messages from Facebook users to their selected pals at the stroke of midnight on 31 December, whether or not the user is online.

However, URL tweaking made it possible to see the intended recipients, and the contents of message. Senders of the messages were not revealed, but even so it was a huge privacy snafu. Fortunately Facebook acted promptly to suspend the service and fix the problem before restoring the service in time for the dawn of 2013, The Next Web reports. Security blogger Jack Jenkins was first to notice the bug, which had the potential to expose private message between secret lovers and other juicy information, assuming the parties involved were daft enough to use Facebook to exchange such sensitive information.

In other Facebook-related privacy news, Randi Zuckerberg, sister of Mark Zuckerberg and a former Facebook executive, complained after a family photo went viral after she uploaded it to Facebook. Randi Zuckerberg intended that the photo would only be seen by her friends. However this plan went awry after the photo appeared in the feed of Callie Schweitzer of Vox Media, who reposted it on Twitter, since when the image has taken on a life of its own. The photo itself showed her family’s (OTT) reaction to Facebook’s new “Poke” app.

Schweitzer didn’t know Randi Zuckerberg, but she was a friend of one of Schweitzer’s sisters, hence the appearance of the photo in her timeline. Rather than complaining about Facebook’s privacy settings, the sister of the tech titan decided to rebuke the blameless Schweitzer (who apologised), via a Diva-like Twitter update.

“Digital etiquette: always ask permission before posting a friend’s photo publicly. It’s not about privacy settings, it’s about human decency”

More reaction to this grandstanding can be found in a story by The Guardian here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/02/facebook_privacy_bug_fixes/

Ever had to register to buy online

Spam has been a fact of life, on a par with death and taxes, for many years now. To be blunt, spammers don’t particularly care about us. They don’t have any sense of reason or shame that we can appeal to, and they have no incentive to be accommodating. We’re not their customers. In fact they make their money from selling us, not selling to us, so they have an excellent motive not to help us.

Trying to unsubscribe from a suspicious email list using the prescribed method, or any other seemingly logical approach, is the worst possible thing to do — it merely confirms that your email address is in use, paradoxically making it even more valuable to the spammers for their malign purposes. About all anyone can do is use junk filters or packages like SpamAssassin and hope for the best. All this is well known.

However, a lot of spam comes from ostensibly legitimate online businesses that you’ve actually made purchases from. This may technically not be in the same category as the utterly useless, purely evil variety of spam, but it’s effectively no different: It’s email that you never requested, sent to a list that you never asked to be signed up to. Anyone who’s made any number of purchases online has probably seen the noise level of this other kind of spam skyrocket over the years.

It’s no mystery how this happens: For the vast majority of web or mobile transactions, you’re forced to register with the seller, establishing an account linked to your home address (possibly) and your email address (definitely). There are other annoyances connected to this process, like creating a userID and password, both of which must be added to the dozens or hundreds of other userIDs and passwords you’ve already been asked to create and keep track of. But to anyone who’s overwhelmed with email they don’t want — at this point, pretty much everyone — being added to a new mailing list every other time you buy something is surely the biggest annoyance of all. It’s not inconceivable that someone making an online purchase from, say, a discount wine seller might want to be notified about any amazing wine deals the vendor may offer at some time in the future.

But in most cases you, the buyer, are not asked that question. You’re literally forced to register before you’re allowed to place an order, which means handing over your email address and all the rest. True, some sites allow you to make an “express purchase” without registering (and as the name implies, this has the additional benefit of making the checkout process itself much faster), but those are rare and getting rarer.

There’s one important difference between these “soft” spammers and the faceless, unapologetic, evil ones: We’re actually customers of the former, so it’s presumably in their interest to be nice to us. But as site registration becomes accepted as a natural part of the online shopping process, it, and the soft spam resulting from it, will be seen less and less as an intrusion. My concern about this doesn’t necessarily have anything to do with privacy invasions through the gathering of personal information, though I’m sure some people, reasonably enough, are uncomfortable with that. (How would you feel about “registering” with every bricks-and-mortar shop you buy something from?) For me, it’s mainly about getting email for the rest of my life from an online vendor simply because I made a casual purchase from them at some point in the past.

I still receive mail from companies whose sites I haven’t visited in years and years, including sellers of clothing for toddlers — not especially useful now that my daughter is 10. I’m not nostalgic, but I’m sometimes afraid to gamble with an unsubscribe request to terminate one of these unwanted relationships. Will a particular company be honorable about it? There’s no sure way to know. The least scrupulous companies will not only be using your address themselves, but enthusiastically selling it to other parties, who sell it to other parties, and so on. This does not exactly enhance the online shopping experience, and it’s no way to repay people for their patronage.

There have been times when, giddy at the thought of saving $5 on some sale item, I’ve registered on a new e-commerce site, only to regret it in the cold light of the morning, when I realized that it would have been worth the extra five bucks not to give my email address to some unknown new set of spammers, forever. On more than one occasion I’ve gone so far as to make a purchase from Amazon rather than a company I preferred (because it was smaller, or more local, or had a better price) simply because Amazon already has all the personal information on me that they could possibly want. Going through the time-consuming steps of registration, and implicitly signing up for some new set of email lists, was just not something I wanted to deal with. There’s no reason making a simple online transaction should entail these kinds of worries.

Possibly even worse than having a retail business capture your email address via registration is having a charity do it. I’m not talking about traditional donations, which can generally still be made by way of a cheque sent through the post. It now seems to be the rule that when anyone participates in a race or walkathon to raise money for charity (something co-workers or relatives of mine do at least a few times a year) the request for sponsorship is made by email, with a link to a website where the donation must be entered. These sites always seem to require registration, followed by — you guessed it — periodic emails telling you about all the great things the organisation is doing, or gently nudging you to give more. Again, there’s nothing inherently wrong with any of this if I’ve indicated that I’m OK with it. But why should making a donation require me to be on your email list (and possibly other affiliated ones) from that moment on? These cases pose a real dilemma, because if a friend, relative, or co-worker is asking for sponsors for her 10K run to benefit cancer research I’m not about to say no. I’ll admit, however, that the temptation has been getting greater.

Spam in general is so completely out of control that the old retort of “What’s the big deal? It’s easy enough to use your DELETE key” doesn’t wash anymore. I’m afraid to think how much time I spend every day using my DELETE key, and I’m sure there are people who spend a lot more than I do. It’s way beyond a minor annoyance to be added to “just one more” email list, because that “just one more” happens many times over. And again, this isn’t even taking into account the issue of privacy (with the associated profiling, tracking, etc), which is very real. There’s not much I can do about Nigerian scams, but it seems clear that legitimate businesses should allow me to perform a simple transaction and be forgotten, if that’s my preference. Yes, they’ll need my postal address, but they don’t necessarily need my email address, and if they do need it for purposes of completing the transaction there’s no reason they need to sign me up for spam forever as a side effect. Who knows — I might actually want to be added to their mailing list, but I should be allowed to make that decision voluntarily. The customer’s always right, right? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/02/registration_site/

Microsoft scrambles to thwart new Internet Explorer 0-day attack

Microsoft has pushed out a temporary fix to defend against a zero-day vulnerability that surfaced in attacks launched last week.

The security flaw (CVE-2012-4792) – which affects IE 6, 7 and 8 but not the latest versions of Microsoft’s web browser software – allows malware to be dropped onto Windows PCs running the vulnerable software, providing, of course, that users can be tricked into visiting booby-trapped websites.

Redmond has released a temporary Fix It (easy-to-apply workaround) pending the development of a more comprehensive patch.

The security flaw was initially discovered by security tools firm FireEye on the Council on Foreign Relations website on 27 December. The attack had been running for at least a week, and perhaps longer, before it was detected. Retrospective analysis by Sophos suggests the same exploit was used on at least five additional websites, suggesting attacks based on the bug are far from limited.

“While the attacks appeared to be targeted to a small number of sites, there is no obvious link between the victims,” warns Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. “Some are referring to this as a ‘watering hole’ attack*, but the evidence we have doesn’t necessarily support that conclusion.”

Security watchers advise either applying Redmond’s workarounds, upgrading to IE 9 or using an alternative browser – at least until a proper patch becomes available. The next patch Tuesday is coming up on 8 January. This doesn’t give Microsoft much time but given the high-profile nature of the vulnerability it’s likely that Redmond will release a patch sooner rather than later. ®

* Watering hole attacks have become a feature of cyber-espionage attacks over recent months. Instead of infecting the website of a military contractor or government agency directly, hackers compromise the website of a third party that is frequently visited by users who also visit the targeted organisation. This might be the website of a local sports team or a site with content relevant to the core business of the targeted organisation, for example.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/02/ie_0_day_patch/

Merde! Paris Apple Store in €1m armed raid on New Year’s Eve

Apple’s flagship Paris store was raided on New Year’s Eve by armed robbers, who made off with iThings worth up to one million euros.

The four crooks broke into the shop at 9pm – three hours after it closed and just hours before French revellers celebrated the start of 2013 – le Plod told daily newspaper Le Figaro.

Neither the police nor the iPhone giant confirmed the value of the stolen loot. Reports in the French media suggest the haul could be worth up to £812,000.

The fruity firm’s stores are particularly attractive to gangs of thieves: at the end of 2011, a teen troupe of burglars broke into the Apple Store in London’s Covent Garden.

In fact, iGear is so seductive to the criminal element that New York mayor Michael Bloomberg blamed the Tim Cook-run titan’s popularity for the rise in major crime in the city.

Apple did not return a request for comment from El Reg. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/02/apple_store_paris_robbery/

Anti-virus products are rubbish, says Imperva

A study released in December by US security outfit Imperva has tipped a bucket on the multi-billion-dollar anti-virus industry, claiming that initial detection rates are as low as five percent, and concluding that enterprise and consumer anti-virus spend “is not proportional to its effectiveness”.

Working in conjunction with students from the Technion-Israel Institute of Technology, the company tested 82 malware samples against 40 anti-virus products including offerings from Microsoft, Symantec, McAfee and Kaspersky.

The test revealed that while catalogued viruses are well-detected, “less than 5% of anti-virus solutions in the study were able to initially detect previously non-cataloged viruses and that many solutions took up to a month or longer following the initial scan to update their signatures.”

Interestingly, the study revealed that virus writers improve their chance of evading detection by keeping a low profile. If an infection is spreading rapidly, it provides a large number of identical samples that feed into the anti-virus detection databases.

On the other hand, “variants that are of limited distribution (such as government sponsored attacks) usually leave a large window of opportunity”, the study states. That window of opportunity gives security teams a “blind spot”: if a zero-day virus gets past the first line of defense, security teams might not notice the infection until it’s become a crisis.

While stating that it does not advocate abandoning anti-virus products, Imperva suggests enterprise security should devote more attention to detecting aberrant behavior in systems and servers. Which, unsurprisingly, happens to be the company’s own specialty.

The full study is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/01/01/anti_virus_is_rubbish/

NYC mayor pins crime rate spike on iPhone, iPad theft

Major crime is on the rise in New York City, and Mayor Michael Bloomberg says the increase is due entirely to thefts of Apple’s iPhone and iPad devices, which he says are inordinately attractive to thieves.

As reported by The New York Times, Bloomberg raised the issue during Friday’s edition of his weekly morning broadcast with John Gambling on WOR radio, during which he discusses current issues in the city.

According to Bloomberg, the New York Police Department’s annual crime index – a composite statistic that tallies such felonies as murder, grand larceny, and robbery – recorded 3,484 more major crimes in 2012 than in the previous year, an increase of 3.3 per cent.

Take thefts of iPhones and iPads out of the mix, however, and you end up with a rather different picture. 3,890 more Apple products were snatched during the year than in 2011, more than enough to account for the entire increase in overall crime.

“If you just took away the jump in Apple, we’d be down for the year,” Marc La Vorgna, the mayor’s press secretary, told the Times.

Most other types of crime in the city are indeed on the decline, and have been since 1991. For example, in 1990 the NYPD recorded 2,245 homicides. The current tally for this year is 414, putting New York on track to record its lowest murder rate since it first began compiling statistics in 1963.

On his radio program, Bloomberg said he had not broken out thefts of devices made by Apple’s competitors, such as Samsung and HTC, but he observed that iPhones and iPads seemed to be particular targets for thieves in New York. The rate of such thefts is increasing ten times faster than that of other types of crime.

Similar trends have been observed in cities across the nation. In San Francisco, home of The Reg‘s West Coast aerie, thefts of Apple products accounted for nearly half of all robberies in 2012. Cell phone robberies were also up in St. Louis, where Mayor Francis Slay observed in September, “It will take a national solution to make this problem go away.”

While federal legislation to prevent cell phone theft does not yet appear to be in the offing, however, Mayor Bloomberg did have some advice for iDevice owners in New York.

“Put it in a pocket in sort of a more body-fitting, tighter clothes, that you can feel if it was – if somebody put their hand in your pocket, not just an outside coat pocket,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/29/bloomberg_blames_apple_for_crime_spike/

New WordPress vuln emerges

Sorry to spoil the day for any sysadmins that thought today would be a slow day, but a security researcher has announced a serious vulnerability in the default configuration of a popular WordPress plugin.

W3 Total Cache, which boasts high-traffic sites like Mashable and Lockergnome among its users, has serious vulnerabilities, according to this post on the Full Disclosure list.

The default setup – that is, when users simply choose “add plugin” from the WordPress catalogue – left cache directory listings enabled, according to poster Jason Donenfield.

This, he said, allows database cache keys to be downloaded on vulnerable installations – and that could expose password hashes. “A simple google search of ‘inurl:wp-content/plugins/w3tc/dbcache’ and maybe some other magic reveals this wasn’t just an issue for me”, he writes.

Donenfield later amended the search term to “inurl:wp-content/w3tc”.

“Even with directory listings off,” he continues, “cache files are by default publicly downloadable, and the key values / file name of the database cache items are easily predictable.”

Donenfield says the developer of the plug-in intends to release a fix “soon”. In the meantime, he notes that “deny from all” should be set in the .htaccess file. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/27/wordpress_cache_plugin_vulnerable/