STE WILLIAMS

Yet another eavesdrop vulnerability in Cisco phones

A university student presenting at the Amphion Forum has demonstrated turning a Cisco VoIP phone into a listening device, even when it’s on the hook.

According to Dark Reading, the vulnerability demands a fairly extensive reconfiguration of the phone. This, at least, means the attacker needs greater sophistication than previous eavesdropper attacks reported by The Register in 2007 and 2011.

A number of 7900-series phones are affected, according to Forbes.

The latest vulnerability is based on a lack of input validation at the syscall interface, according to Columbia University graduate student Ang Cui. This, Cui said, “allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP [Digital Signal Processor], buttons, and LEDs on the phone.”

In the demonstration, Cui modified the DSP to surreptitiously turn on the phone’s microphone and stream its output to the network.

To simplify the demonstration, Cui programmed the necessary reconfiguration onto an external circuit which he plugged into the phone’s Ethernet port, and then captured what was spoken near the VoIP phone on his smartphone.

Cui told Dark Reading that the phones contain a number of vulnerable third-party libraries, which he promises to discuss at the upcoming Chaos Computer Conference, 29C3.

Cisco says workarounds and a software patch are available to address the issue, tagged with the bug id CSCuc83860. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/13/cisco_voip_phones_vulnerable/

Hacking bazaar ExploitHub gets hacked, database leaked

Online boutique ExploitHub, which sells code to attack software security holes, has been plundered by hackers. A database snaffled from the marketplace was dumped online as proof of the raid.

ExploitHub admitted a breach of its systems occurred, but said any information lifted was limited to a discussion board about its wares rather than the actual paid-for downloads or other sensitive data. The website sells copies of exploit code written by researchers who discover security vulnerabilities in software and takes a cut in the process.

A group called Inj3ct0r Team, which apparently operates an exploit bazaar to rival ExploitHub, claimed responsibility for pillaging ExploitHub and said it siphoned off $242,333 (£150,134) in downloads. It appears the group may have infiltrated the website via its Magento eCommerce installation.

“We hacked exploithub.com because the people who publish private exploits on exploithub.com need to know that the ExploitHub Admins are lamers and can not provide them with adequate security,” the team said.

ExploitHub said a combination of human error and poor security controls allowed the breach to take place, but said its software goods were not exposed, contrary to claims by Inj3ct0r Team that it had raided ExploitHub’s databases and FTP server files.

ExploitHub’s operators stated:

After our initial investigation we have determined that the web application server itself was compromised and access to the database on that server was available to the attacker. The server was compromised through an accessible install script that was left on the system rather than being removed after installation, which was an embarrassing oversight on our part.

The database on that server however only contains information used by the web application itself as well as product information such as exploit name, price, and author, but does not contain any actual product data such as exploit code. The product data is stored elsewhere and there is currently no evidence that the storage location was accessed by any unauthorised party or that any of the exploit code or other product data has been compromised or stolen as has been claimed, however our investigation is ongoing.

The exploit information provided in Inj3ct0r’s attack announcement text file and SQL dump consists of exploit names, prices, the dates they were submitted to the market, the Authors’ IDs, and the Authors’ usernames, all of which is publicly available information retrievable from the web application’s normal browse and search functions; this is not private information and it was already publicly accessible by simply searching the product catalog through the website.

ExploitHub said the architecture of its systems “drastically limit and contain the impact of a successful compromise of its public-facing component, the web application server, to prevent the further compromise of any valuable product data such as exploit code”.

Unlike similar online marketplaces, ExploitHub only flogs exploits for vulnerabilities that have been disclosed in public – there are no zero-day exploits to pick up and launch before vendors can patch the holes.

“There is currently no evidence that the exploits or other products themselves have been compromised or stolen,” ExploitHub stated. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/13/exploithub_breach/

Internet Explorer tracks cursor even when minimised

A security researcher has published yet another reason not to use Internet Explorer for anything, under any circumstances: it can track your mouse cursor movements, even when it’s minimised.

Affecting all versions newer than IE 6.0, and with no plans for a fix by Microsoft, the bug is demonstrated here (not being an IE user, this El Reg hack hasn’t tested the game).

As the notice from spider.io states, the exploit “compromises the security of virtual keyboards and virtual keypads” – often used as a “secure” login that defeats keyloggers.

“An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit,” the company writes. “The vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimise Internet Explorer—your mouse cursor can be tracked across your entire display.”

The 21-lines-of-code exploit posted by spider.io demonstrates that JavaScript in any webpage, or any iframe, can poll for the position of the mouse cursor via fireEvent(), because IE “populates the global Event object with some attributes relating to mouse events, even in situations where it should not”.

The Register wouldn’t anticipate a fix in a hurry, since the fix would devalue a couple of billion ad-clicks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/12/ie_stupidly_exposes_cursor_movements/

John McAfee on a plane to America

Antiviral fugitive John McAfee is on his way to the USA, after Guatemala booted him out.

McAfee’s blog features an audio interview he gave to Bloomberg in which he says he has been forced to apologise to the President of Guatemala, as his arrival in the nation coincided with negotiations of a treaty with Belize, the nation he fled.

Guatemala has booted him out, he added, and made it plain he has no alternative but to board a plane to Miami.

The interview concludes with McAfee saying ‘Officers are here with guns and I must leave’. The brutes have even made him fly American.

McAfee has since blogged from the plane.

That’s good news for McAfee, who wasn’t keen on chatting to Belize’s authorities. But it’s bad news for his friends and family, who remain in the Caribbean nation. Whether Belize will attempt to extradite McAfee remains unknown. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/13/mcafee_on_a_plane_to_miami/

Feds smash international cybercrime ring with Power of Facebook

The FBI have said that with the help of Facebook, they’ve taken down an international crime gang who went on an $850m botnet spree.

The ten suspects are allegedly responsible for multiple variants of the Yahos malware, which is linked to more than 11 million computer takeovers and over $850m in losses using the Butterfly botnet, which steals credit card and bank account details along with other personal data.

The feds said they’d nabbed folks from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the UK and the US after an investigation that was aided by Facebook’s security team.

Yahos targeted Facebook users between 2010 and October 2012, according to the Feds, and the social network’s security systems detected the affected accounts and gave out tools to remove the threats.

The creator of the Butterfly botnet was already caught and one of that botnet’s customers was the now arrested group of crooks behind the infamous Mariposa botnet. Luis Corrons Granel, a researcher at Panda Security, suggested to The Reg that it’s possible that those arrests led to the cybercriminals behind Yahos.

Granel said he hadn’t heard of Yahos before, but it was likely that the Butterfly botnet was being used to distribute the malware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/12/facebook_fbi_malware_suspects/

Microsoft Santa gifts you with 5 critical fixes in Xmas Patch Tuesday

December’s Patch Tuesday brought seven bulletins from Microsoft, five of which cover critical security vulnerabilities.

A critical update for MS Word (MS12-079) is rated by security watchers as the most important of the batch. A flaw in Rich Text Format (RTF) processing poses a severe risk because Microsoft Outlook automatically displays the malicious text in the Preview Pane – without requiring user interaction.

Another critical update (MS12-077) tackles security bugs in Internet Explorer 9 and 10, and creates a risk of drive-by download attacks involving tricking users into visiting websites contaminated with malicious code.

A further critical update fixes a vulnerability in a Windows file-handling component, while the remaining items on the critical list grapple with vulnerabilities in Windows kernel-mode drivers involving font handling and security bugs in Microsoft Exchange, arising from the inclusion of buggy versions of Oracle Outside In file conversion software.

A graphical overview of the patches can be found in a post by the SANS Institute’s Internet Storm Centre blog here. Microsoft’s bulletin is here.

Trustwave SpiderLabs has written a blog post comparing this week’s patch batch to different brands of beer. IE updates are compared to Guinness Draught while the remote code execution in kernel-mode drivers is racked alongside 120 Minute IPA.

Microsoft also used Patch Tuesday to publish a new whitepaper on defensive techniques against “Pass the Hash” attacks. “Pass the Hash” is a technique used by attackers after the initial exploit, in which they use the stored password hashes to gain access to other machines in a local network. Such stepping stone attacks are standard network hacking practice, so defending against them using better configuration practices makes a lot of sense.

The seven bulletins in December bring the total count for 2012 to 83, a significant reduction on the 100 bulletins in 2011 and even more from the 2010 count, which ended with 106 bulletins.

Adobe recently began co-ordinating its security patch releases with Microsoft’s output. Tuesday offered security updates to Adobe ColdFusion 10 (and earlier) and Flash Player. The Flash update is configuration dependent, but can be critical, while the ColdFusion security patch is given the lower status of “important”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/12/dec_patch_tuesday/

MPs: ‘Chilling’ new libel law will CENSOR THE TRUTH online

A proposed overhaul to Britain’s stringent libel law could have “a chilling effect on those publishing material online”, an influential human rights committee warned today.

The tabled amendments to the law of defamation could force website owners to take down defamatory material on request even if there is a valid legal defence to keep it online. That’s according to Parliament’s human rights joint-select committee, which criticised the draft legislation.

As the law stands right now, there are a number of defences to publishing a statement that damages a person’s reputation. One such defence is simply the provable truth: it is defamatory, for instance, to call someone a crook, but it is a justified statement if, say, a court has found them guilty of fraud.

But Clause 5 of the proposed legislation allows someone to order a website to take down a defamatory statement about them regardless of any valid legal defence. If the website complies and censors itself, it can avoid further litigation. If the website operator chooses to stand by the defamatory material then it must run the gauntlet of the High Court.

It’s this crucial Clause 5 that the committee of MPs and peers have urged the government to change. The panel’s report reads:

We are not satisfied with the government’s distinction in this matter. We think there is a real risk that website operators will be forced to arbitrate on whether something is defamatory or lawful, and to readily make decisions on commercial grounds to remove allegedly defamatory material rather than engage with the process.

As drafted, Clause 5 risks removing material from the internet, which, although it may be defamatory, may be lawful if a relevant defence applies. Material which is lawful may be suppressed because website operators are served with such notices. We recommend that the threshold for a Clause 5 notice should be elevated to ‘unlawful’, which would also ensure consistency with the E-Commerce Directive and the Pre-Action Protocol for defamation.

The committee chairman MP Hywel Francis said the panel welcomed the steps that had been taken in the bill to “protect website operators who are merely hosting content” to allow them to have a defence against the content published on their sites.

But he said they were concerned that freedom of speech could be threatened if the government didn’t introduce a “higher threshold” to protect against material said to be defamatory being removed from the internet.

The committee said in its report that, under any new law, a defamatory statement should be “only unlawful… if there are no defences that can be made against a claim for defamation, such as if the statement is true or if there is a public interest that the information should be published and the publisher has acted responsibly in testing the truthfulness of it”.

The MPs and peers also called into question the bill’s planned public interest defence to offer more protection to publishers by arguing that it lacked clarity.

“We propose an alternative that is both clearer and more flexible. This would help to ensure that the bill fulfils its main aim of rebalancing the law of defamation in favour of freedom of speech,” the committee concluded in its report.

There has been an explosion in reports of online trolling cases in the UK this year, in part because local newspapers have heavily covered web attacks on ordinary folk as well as celebrities. In many instances, the plod has investigated a nasty tweet or sick Facebook post in response to public pressure or demands from angry mobs on social networks.

The defamation law amendments are working their way through Westminster and a House of Lords committee will scrutinise the proposals next.

Separately, the Director of Public Prosecutions is putting the finishing touches to interim guidelines on how offences involving social networks and the internet should be prosecuted. He has previously warned cops in England and Wales to approach such cases in a measured way to avoid what he said could end up being millions of web trolling offences being prosecuted in courts across the land.

Late last month, the Law Commission opened a public consultation on contempt of court and the internet after a wave of high-profile cases of contempt online. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/12/dafamation_bill_human_rights_joint_committee_report/

Russian space research org targeted by mystery malware attack

Security researchers have discovered a targeted attack against Russian hi-tech firms that appears to originate in Korea.

The “Sanny” attack* is malware-based and geared towards stealing login information from Russian telecommunications, information technology and space research organisations. The first stage of the assault features a malicious Russian-language MS Word document designed to drop malware onto compromised PCs. This establishes a backdoor on infected machines, building a botnet in the process.

The Command and Control channel for this botnet is embedded on a legitimate page, a Korean message board called “nboard.net”, according to an analysis of the attack by web security firm FireEye. If the board becomes unavailable, the malware falls back to sending messages to two pre-programmed Yahoo! webmail addresses, one of them in Korea.

Extracted data is normally sent to a public message board that does not require authentication, so details of victims are visible to anyone who finds the board. Stolen data includes Outlook login credentials as well as usernames and passwords that Firefox remembers for different online services such as Hotmail, Facebook, etc. Apart from login credentials, the malware also profiles the victims, for example by victim_locale, victim_region, and other relevant information from the Windows registry of infected computers. This information is then posted to the Korean message board before being extracted and purged over a two-day cycle by the unidentified attacker.

Apparent victims include a Russian Space Science research unit at a Russian University and ITAR-TASS, the Russian state-owned news agency.

Although it doesn’t have proof, FireEye reckons that a Korean is the most likely perpetrator of the attack.

“Though we don’t have full concrete evidence, we have identified many indicators leading to Korea as a possible origin of attack,” FireEye researchers Alex Lanstein and Ali Islam conclude in a jointly authored blog post on the attack.

More technical details can be found in a blog post by FireEye here. ®

* So named by the security researchers for one of the email addresses used by the attackers.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/12/russian_cyberespionage_attack/

Guatemalan judge orders McAfee released from detention

A Guatemalan judge has reportedly ordered the release of John McAfee, after ruling the anti-virus pioneer turned Belizean manhunt target was being detained illegally.

McAfee is due to be released from detention at the central immigration centre in Guatemala City on Wednesday. In an update to his official blog, McAfee said he wanted to return to the US – but only after getting a visa for his 20-year-old girlfriend, Samantha Vanegas.

Telesforo Guerra, McAfee’s lawyer and Vanegas’s uncle, said that Judge Judith Secaida ruled that McAfee’s detention was illegal, and ordered him released with the condition that he gets his immigration status in order within 10 days, AP reports.

McAfee was detained last week after slipping over the border to Guatemala from neighbouring Belize. In the three weeks prior to that, McAfee and his girlfriend had been on the run, trying to avoid the attentions of police in Belize who want to question him as a person of interest in the November 11 murder of McAfee’s neighbour, Gregory Faull. McAfee is not a suspect in the murder.

It’s not immediately clear whether Judge Secaida’s ruling quashes attempts by Belizean authorities to extradite McAfee to Belize.

McAfee has repeatedly said corrupt Belizean authorities are persecuting him and has expressed fears for his life if he was returned to Belize. Government and police officials in Belize say McAfee’s fears are baseless and that they simply want to question him about Faull’s murder.

In the 18 years since McAfee sold out his stake in McAfee Associates, making $100m in the process, he has devoted himself to yoga, low-level ultralight aircraft racing (“aerotrekking”) and more recently the production of herbal medications. McAfee, 67, expressed the desire to return home to the US, settle down and enjoy a quiet retirement during an internet broadcast live from the Guatemalan detention centre on Sunday.

“I simply would like to live comfortably day by day, fish, swim, enjoy my declining years,” he said.

During the same Q&A session, McAfee said he was scrupulous about paying his taxes and didn’t expect to run into any problems from the US Internal Revenue Service. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/12/john_mcafee_release_from_detention/

Samsung’s smart TVs ‘wide open’ to exploits

Samsung’s Smart TV has a vulnerability which allows remote attackers to swipe data, according to security researchers.

Malta-based security start-up ReVuln claims to have discovered a zero-day vulnerability affecting Smart TV, in particular a Samsung TV LED 3D.

Smart TV can be used to browse the internet, use social networks, purchase movies and perform many other functions. A demo video produced by ReVuln shows how a “vulnerability for such devices can be used to retrieve sensitive information, monitor and root the device,” according to Luigi Auriemma of ReVuln. Exploits developed by ReVuln appear to allow it to access remote files and information (including viewing history) as well as the ability to siphon off data on USB drives attached to a compromised TV.

“This specific vulnerability affects almost all the Samsung televisions of the latest generations, so multiple models,” Auriemma told El Reg.

“We plan to invest more time and effort on the home devices security in the near future testing the products of many other vendors (we chose Samsung because it’s the current market leader in this sector) and moreover finding new types of attacks and ways to use such vulnerabilities. The televisions are just the beginning,” he added.

ReVuln says it plans to sell information on the vulnerabilities, rather than report them to equipment manufacturers, in order to “speed up” the development of a fix. Consistent with this general policy, ReVuln is not going into details about the flaws it claims to have discovered.

Security flaws in advanced television sets, which are becoming more like computers, and in set-top boxes have elicited the interest of other security researchers over recent months.

For example, Adam Gowdiak of Security Explorations discovered a possible mechanism for infecting set-top boxes with malware back in January. The attack created the means to either steal or share a satellite signal from a pay-TV subscriber. Proof-of-concept malware developed by Gowdiak offered a means to defeat the Conax conditional access system, the cryptographic technology designed to prevent this type of set-top-box hijacking and unauthorised sharing of satellite programming. The same trick might also be used to capture HD content for later distribution over the internet.

Security Explorations said all four satellite receivers (ITI5800S, ITI5800SX, ITI2850ST, ITI2849ST) tested in its lab, each manufactured by Advanced Digital Broadcast for ITI Neovision, are allegedly vulnerable. Each implements Conax conditional access using an additional security feature called chipset pairing. Flaws in chipset pairing lay at the heart of the multiple vulnerabilities uncovered by Security Explorations.

Unlike ReVuln, the Polish security research start-up notified firms that either supplied or used the affected technology.

Gowdiak presented details of the security vulnerabilities at the Hack In The Box Security Conference in Amsterdam in May.

Set-top boxes and smart TVs are commonly (but wrongly) thought to be immune from malware and hacking attacks. In reality television systems are becoming more like PCs than the dumb devices of yesteryear, a factor that opens them up to potential security exploits. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/12/smart_tv_pwned/