STE WILLIAMS

NASA ‘nauts personal DATA at risk after laptop SNATCH BUNGLE

A NASA laptop containing personal records of thousands of employees and contractors was stolen two weeks ago.

The computer, which contained a copy of workers’ social security numbers among other information, was taken from a locked car near NASA HQ in Washington DC on 31 October, according to a leaked email.

The laptop was password protected, but the disk was partially unencrypted: “the information on the laptop could be accessible to unauthorized individuals,” Richard Keegan, NASA’s associate deputy administrator, wrote in the agency-wide memo published on the SpaceRef website. The missive went on to warn:

Because of the amount of information that must be reviewed and validated electronically and manually, it may take up to 60 days for all individuals impacted by this breach to be identified and contacted.

NASA has hired data-breach specialists to help tackle any fraud or identity theft in the wake of the blunder. As a result of the theft, NASA’s chief administrator Charles Bolden has demanded that no agency laptops be allowed out of the property without full-disk encryption.

Bolden wants all NASA laptops fully encrypted by 21 December, has banned the storage of sensitive files on smartphones and tablets, and told everyone to purge sensitive files from laptops when they are no longer needed.

The Reg contacted NASA for comment but as yet has received no reply. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/15/nasa_stolen_laptop/

‘I’m a PIRATE’ confessions spew from OED iPhone dictionary

Users of iOS dictionary apps from Collins, Longman and the OED have found themselves outed as pirates on Twitter, as a name-and-shame tactic used by the apps’ developer backfires.

The company concerned, Enfour, apparently reckons that 75 per cent of its users are pirates, which is why it planted some code in its applications to get their Twitter credentials and post confessions into their Tweet stream. However the apps failed to finger the right people … prompting red faces all round and multilingual apologies from the company.

The applications are mainly dictionaries and were updated at the start of November. Then some users started noticing a mysterious tweet appearing in their stream:

“How about we all stop using pirated iOS apps? I promise to stop. I really will. #softwarepirateconfession”

One of the first reports of the tweet was from Pocketables, where the disgruntled writer managed to dig up the receipt for the Oxford Deluxe Dictionary app he’d paid $50 for two years ago, but that didn’t stop the tweet being sent out.

The app obviously had to ask for the user’s Twitter details, which it did following the last update, but with such an old app and one bearing the Oxford Dictionary brand, the user didn’t feel there was any risk involved – not to mention that other users report the applications would not run unless the Twitter details were provided.

Ars Technica has gathered a selection of reports, though it hasn’t been able to pin down what’s causing the inaccurate accusations – beyond establishing that not every installation is tweeting and that both jailbroken and vanilla handsets are among those which are.

Enfour did swiftly apologise, in Japanese (PDF), and provided a list of applications (PDF, also in Japanese, though the app names are in English) which are being updated to remove the anti-piracy code. Staff also apologised on Twitter, which is where the 75 per cent claim was made.

Not that the problem has disappeared, as a casual search of Twitter shows such tweets being generated every minute or so even now, so the updates are clearly a work in progress.

Piracy on mobile devices is still rife, despite the ease with which applications may be purchased, so it’s not surprising to see developers trying different approaches. App stores packed with pirated content are blatant, often not even attempting to apply a veneer of legitimacy, and it’s disheartening to see one’s work ripped off to such an extent. Enfour’s idea of shaming users into paying for their software is very Japanese, but it’s hard to imagine many gaijin being bothered by such a tweet appearing in their stream, unless they hadn’t nicked the software … in which case they’d be absolutely livid. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/15/iso_piracy/

Sophos to axe 35 developer posts, shifts gaze to mobile, networks

Exclusive Sophos intends to shed 35 jobs from its development team as part of a company shakeup.

The security software maker confirmed cuts are on the cards, but would not discuss the specifics of the planned redundancies after an anonymous source tipped off The Reg. The firm said it will attempt to move affected workers within the organisation to avoid laying them off.

Sophos said in a statement:

We’re currently in discussion with a small number of affected employees, and therefore cannot comment further on the specific figure or departments. We are working very hard to minimise the number of employees affected, through new opportunities within the business. In all, our overall staffing levels will increase from our previous quarter as we continue to invest for the future.

The antivirus firm said it will boost its workforce in the growth areas of security-as-a-service (SaaS) packages and unified threat management (UTM) to defend network borders. This comes after Sophos got into the all-in-one appliance market by snapping up security box biz Astaro in July last year. It followed that up with the purchase of mobile device management firm Dialogs Software in April 2012.

In a statement, Sophos added:

We are taking steps that we feel are critical to building a stronger and more successful company for the long term, and to respond to the fast-changing nature of the security landscape. We continue to expand our product portfolio and distribution channels, and we are making additional investments in key growth areas such as UTM, SaaS, mobile, MSP, and channel sales to serve our customers and partners better.

In order to make those necessary investments, we are scaling back our expenses in other areas, which will affect a small number of employees. Our overall staffing levels will increase from our previous quarter as we continue to invest for the future.

The company employs about 1,500 people globally, most working in its offices in Boston, US, and near Oxford, UK.

The privately held firm reported sales of $402.9m in the year ending 31 March, up 17 per cent on the year before. Earnings before interest, taxes, depreciation and amortisation (EBITDA) came in at $107.9m, up 14 per cent year on year.

The timing is unfortunate for those developers at risk of redundancy. Last week security researcher Tavis Ormandy was highly critical of the overall quality of programming at Sophos in a technical paper detailing serious shortcomings in Sophos’ desktop antivirus products. The software maker patched the vast majority of these bugs prior to the publication of the damning dossier, and only one relatively low-risk bug remained.

Ormandy went as far as recommending that IT bosses should “exclude Sophos products from consideration for [protecting] high-value networks and assets”, a suggestion Sophos was quick to rebut. Nonetheless, news of the uncovered insecurities reverberated through the online security world last week.

It would be easy, perhaps too easy, to assume newly appointed Sophos chief exec Kris Hagerman hauled his antivirus team into the boardroom to give them an Apprentice-style dressing down and threaten them with redundancies after the Ormandy report surfaced. However, the corporate culture at Sophos is such that everybody probably agreed to pull together, just like an Oxford University rowing crew. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/15/sophos_job_cuts/

Adobe shuts down Connect user forum, confirms passwords raided

Adobe has admitted that its Connectusers.com forum database was compromised, exposing password information about users of its conferencing technology in the process.

Potentially exposed passwords were hashed using MD5, but it’s not clear whether or not they were salted. A salt is a random per-password value mixed into the hash, an extra security precaution that thwarts brute force attacks based on rainbow tables: precomputed tables of password hashes compiled from dictionaries of plain text passwords.
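As an added illustration of the distinction the paragraph draws (this is not code from The Register or from Adobe), the Python below hashes a constructed sample password with plain MD5 and with a random per-user salt, then runs a tiny constructed precomputed table against both stored values: the unsalted hash is recovered by a single lookup, the salted one is not. The dictionary, the salts and the passwords are all made-up sample values.

```python
"""
Added example: why a per-user salt defeats a precomputed ("rainbow table")
lookup against MD5 password hashes. Not code from the article or from Adobe;
every password, salt and table entry below is a constructed sample value.
"""
import hashlib
import secrets
from typing import Optional

# Constructed stand-in for a precomputed table: unsalted MD5 hex -> plaintext.
# A real rainbow table covers billions of candidates; the principle is the same.
DICTIONARY = ["password", "letmein", "qwerty", "hunter2", "welcome1"]
PRECOMPUTED = {hashlib.md5(p.encode()).hexdigest(): p for p in DICTIONARY}


def hash_unsalted(password: str) -> str:
    """Plain MD5 of the password: the weak scheme the article describes."""
    return hashlib.md5(password.encode()).hexdigest()


def new_salt() -> bytes:
    """A fresh random 16-byte salt for each stored password."""
    return secrets.token_bytes(16)


def hash_salted(password: str, salt: bytes) -> str:
    """MD5 over salt || password, stored as 'salt_hex$digest_hex' so the salt
    travels with the hash (it is not secret; it only needs to be unique)."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def lookup_precomputed(stored: str) -> Optional[str]:
    """One table lookup against a leaked hash, the attack salting is meant to
    defeat. Returns the recovered plaintext, or None when the digest was not
    precomputed (which is always the case for a salted digest)."""
    digest = stored.split("$")[-1]
    return PRECOMPUTED.get(digest)


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


if __name__ == "__main__":
    pw = "hunter2"                      # constructed sample password
    print("unsalted recovered:", lookup_precomputed(hash_unsalted(pw)))
    stored = hash_salted(pw, new_salt())
    print("salted recovered:  ", lookup_precomputed(stored))
    print("verify correct pw: ", verify_salted(pw, stored))
```

Salting stops precomputation and makes identical passwords hash differently, but MD5 is fast enough that each leaked salted hash can still be attacked one at a time; a deliberately slow password hash such as bcrypt, scrypt or PBKDF2 is what raises that per-hash cost.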

Adobe suspended the forum on Tuesday night in response to the breach, reportedly pulled off using a SQL injection attack. It is working to restore services, resetting the passwords of users in the service in the process. In a statement, the software developer stressed that the Adobe Connect web conferencing service itself was not affected by the breach.

Adobe is currently investigating reports of a compromise of a Connectusers.com forum database. These reports first started circulating late during the day on Tuesday, November 13, 2012. At this point of our investigation, it appears that the Connectusers.com forum site was compromised by an unauthorized third party. It does not appear that any other Adobe services, including the Adobe Connect conferencing service itself, were impacted.

An advisory from the software giant goes on to remind everyone to use different login credentials across different websites and services. This is common-sense password security advice that limits users’ exposure to harm in the event that any of the services they use suffers a breach that exposes their private information, sadly an increasingly frequent occurrence. Adobe apologised to forum members for the breach.

Adobe Connect offers online conferencing and collaboration software used for applications including online training and web conferencing. It’s unclear how many users of the software have created profiles in the affected Connectusers.com forum. It’s also unclear who might have pulled off the attack or why.

The exposure of user information following database breaches is becoming an increasingly frequent occurrence. Notable examples include the potential leak of more than 6 million LinkedIn password hashes back in June.

Last year hack attacks on sites including Gawker and the network of Sony’s gaming division led to the leak of hundreds of thousands of users’ credentials online. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/15/adobe_forum_breach/

Is that a truncheon in your trousers, officer, or … an antenna, you say?

An EU project to create wearable tracking devices for cops has recruited Sofant, a mobile tech startup spun out of Edinburgh University last year. The plan is to slip Sofant’s antennas into uniforms to receive Galileo satnav signals.

And it’s not just for the police: the ARMOURS* project will spend €1.5m developing prototypes for all sorts of emergency personnel who need to be tracked with an accuracy in centimetres, using Galileo satellites, rather than the metres that GPS offers. Sofant will provide the antennas to make this happen.

Those antennas don’t have to be sewn into the uniforms; the ARMOURS project accepts they may be built into existing radio kit. There’s no doubt Sofant will plan to make use of its tiny transmitter chip knowhow seen last month. Sofant, which is only three people, will work alongside Spanish outfit Acorde, and microelectronics specialist Imec, along with the Ecole Polytechnique Federale De Lausanne.

The money comes from the European Global Navigation Satellite Systems agency, a body largely charged with finding uses for the world’s only civilian satellite-navigation system, Galileo. Galileo only has two satellites at the moment, but plans to have 18 birds in the air by the end of 2014, which will be enough to declare the service operational.

Existing systems, the American GPS and Russian Glonass, are run by their respective militaries, and only offer an accuracy of metres. Coming late to the party Galileo is able to offer much greater accuracy, and hopes to play a role in mission-critical applications where one is loath to trust an army.

But mostly Galileo exists to annoy the Americans, and prove that Europe is just as much a world power as anyone else – including the Chinese, whose BeiDou-2 system is already under construction: you’re no one if you haven’t got your own satellite-navigation system these days.

Having multiple systems does have some advantages though: by combining the signals one can achieve a much higher level of accuracy than any network alone can offer, which is why antennas need to be designed to work at different frequencies – there’s not much distance between them, but there is some.

The ARMOURS project will run until March 2014, by which time enough of the Galileo network should be up and running to see if it works, and if it can help justify the enormous cost of building the competing sat-nav networks. ®

Bootnote

* ARMOURS stands for, believe it or not, Antenna and fRont-end Modules for pUblic Regulated Service.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/15/sofamt_galileo/

So you broke our encrypted files? Ha! They were DOUBLY encrypted

Developers have launched a sync-and-share service aimed at small businesses that adds an extra layer of encryption absent from popular services such as Dropbox and Box.

InfraScale says its Filelocker software protects data by encrypting it locally, in-transit and again in the cloud. Files are encrypted with a user’s personal passphrase before leaving a device, transferred over a standard 256-bit SSL connection, encrypted again for peace of mind server-side, and then stored in the FileLocker cloud. InfraScale said it doesn’t have access to the clear text of users’ data.

Presumably these measures are in place to ensure that anyone intercepting data in transit, or compromising the cloud servers, cannot easily recover the unencrypted information.

FileLocker is free for five people and up to 25GB of cloud storage (5GB per person), and supports desktop sync and mobile access, albeit with a couple of limitations.

“The HTML5 mobile app will work for free and it lets you search, get your content on the go, download it, preview it and share it. But free users won’t get the native mobile apps,” Ken Shaw, chief exec of InfraScale, told El Reg.

The company also offers a paid-for version of the service targeted at companies that want to run Filelocker on their own internal servers. Both versions of the technology launched on Tuesday.

That morning also marked the launch of another similar but more consumer-focused service. Scrambls for Files allows users to encrypt all types of files and folders before they are sent to cloud services such as Dropbox. The free technology is an extension of previous Scrambls services from Wave Systems Corp that allow users to control and encrypt social networking messages*.

Many sync’n’share startups are marketing file-sharing services that claim to be more secure or enterprise-friendly than Dropbox and Box. Other players in the online storage arena include TeamDrive, Microsoft SkyDrive, Google Drive, SugarSync, Accellion and many others.

End-to-end encryption is standard issue for enterprise apps, we’re told. Business-grade file-sharing services also offer collaboration tools to securely synchronise data across tablets, smartphones and desktops.

“While it is true that some consumer-grade solutions lack these basic security features, for business solutions they are table stakes,” Paula Skokowski, chief marketing officer of Accellion, told El Reg. The company launched Kitepoint on Tuesday, which offers companies a unified view of content pulled from Sharepoint, enterprise content management systems, Windows file servers, and other stores throughout an organisation. The software is part of Accellion’s Mobile File Sharing cloud-based platform. ®

Bootnote

*Scrambls users are able to choose exactly who can see and read any scrambled files by forming groups (based upon email address and Facebook contacts and groups, etc.) Anyone outside the group will see only obfuscated text.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/15/sync_share_crypto/

MS plugs ‘highly exploitable’ IE 9 hole in November Patch Tuesday

November’s Patch Tuesday brought six updates, four of them critical, starring fixes for Windows 8 and a patch that addresses a highly exploitable vulnerability in IE 9.

Vulnerability management firm Qualys rates the Internet Explorer update (MS12-071) as easily the most urgent. Left unpatched, the set of four flaws easily lend themselves to exploitation through drive-by download style attacks. Microsoft rates its exploitability as “1,” which means that it is relatively easy to develop malicious code.

Three vulnerabilities in the Windows kernel, including a critical font-handling module flaw, are tackled by the MS12-075 update. Bugs in the Windows Shell are also on the critical list. Another bulletin, MS12-074, addresses five vulnerabilities in the .NET framework – one of them critical.

But .NET applications are turned off by default, so Qualys argues that a file format vulnerability in Microsoft Excel, which Microsoft rates as “important”, might actually be a bigger risk. “We think any vulnerability in a popular application that allows Remote Code Execution should be high on any IT administrator’s list to fix,” writes Wolfgang Kandek, CTO of Qualys. “Excel 2013, Microsoft’s newest version, published just this year, is the only version of Excel not affected. All other versions of Excel should apply this patch.”

Windows 8 debuted last month with a number of security improvements. The operating system already needs patching because the infant OS is affected by three of this month’s vulnerabilities. It’s unclear if any of the three blocks a remote code execution bug which exploit merchants VUPEN bragged about discovering just days after the release.

Andrew Storms, director of security operations at nCircle, characterised needing to patch Windows 8 so soon after its release as about as surprising as having to give a toddler its first round of inoculations.

“Much of the core operating system is reused from version to version, even in new releases, and all software has bugs,” Storms said. “These factors, combined with security researchers that love to find and report bugs in the latest software version, are reasons for the number of bulletins for Windows 8. This should surprise no one.”

Microsoft’s security bulletin notice, which has the full details of the runners and riders in this month’s release, can be found here. A more readable patching matrix from the SANS Institute’s Internet Storm Centre is here.

The security updates from Microsoft come hot on the heels of patches for Adobe Flash and Apple Quicktime, third-party applications that are frequently targeted for attack using cybercrime tools such as the infamous BlackHole exploit kit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/14/nov_patch_tuesday/

Skype fixes flaw that let anyone with your email address hijack you

Skype said it has resolved a password reset bug that made it possible to hijack accounts held with the VoIP service simply by knowing an email address.

The vulnerability, which was simple to abuse, first surfaced on a Russian underground forum three months ago before going mainstream when it appeared on Reddit early on Wednesday morning.

Would-be hackers only needed to create a new Skype ID associated with the email address of an intended victim. They could then assume control of this account using an online password reset form without needing to take control of the email address, something that made exploiting the bug a simple “point, click and pwn” exercise, as explained in our earlier story here. Numerous users and a handful of security consultants quickly verified that the exploit worked as advertised. Exploiting the bug locked legitimate users out of their account whilst allowing hackers to get access to potentially sensitive chat histories.

Skype disabled the password reset facility on Wednesday morning, around two hours after it went mainstream, while it grappled with the problem. In an updated statement on Tuesday afternoon, the Microsoft-owned VoIP service said it has now resolved the problem, allowing it to reinstate its password reset facility. It admitted a “small number of users” had been hacked by the bug and promised to help them to regain access to their accounts.

Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologise for the inconvenience.

Before Skype temporarily disabled password reset the only way to avoid exploitation was to associate a secret email address with a Skype account.
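Skype’s statement above ties the flaw to several accounts sharing one email address and to a reset form that did not require control of that address. The Python below is an added example, not Skype’s code, of a reset flow that closes that gap: the form issues a single-use, expiring token only for accounts whose address has been verified, delivers it solely to the mailbox, and tells the requester nothing. The AccountService class, the in-memory outbox standing in for email delivery, and the users “alice” and “mallory” are all constructed for the demonstration.

```python
"""
Added example, not Skype's code: a minimal password-reset flow in which a
reset can only be completed by whoever controls the verified mailbox, so a
second account registered against the same address gains nothing.
Class names, the in-memory outbox and the sample users are constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    username: str
    email: str
    password: str            # kept in clear only to keep the demo short
    email_verified: bool = False


@dataclass
class ResetToken:
    username: str            # the one account this token may reset
    expires_at: float


class AccountService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, ResetToken] = {}          # token -> binding
        self.outbox: Dict[str, List[dict]] = {}          # email -> "sent" mail

    def register(self, username: str, email: str, password: str) -> Account:
        # A second account may name the same address, but it starts unverified
        # and so has no standing over that address until the mailbox owner
        # confirms it (the verification step itself is out of scope here).
        if username in self.accounts:
            raise ValueError("username taken")
        acct = Account(username, email, password)
        self.accounts[username] = acct
        return acct

    def mark_verified(self, username: str) -> None:
        self.accounts[username].email_verified = True

    def request_reset(self, email: str) -> None:
        """Issue one single-use token per *verified* account on this address
        and deliver it only to the mailbox. The form returns nothing either
        way, so it cannot be used to probe which addresses are registered."""
        for acct in self.accounts.values():
            if acct.email == email and acct.email_verified:
                token = secrets.token_urlsafe(32)
                self.tokens[token] = ResetToken(acct.username,
                                                time.time() + TOKEN_TTL_SECONDS)
                self.outbox.setdefault(email, []).append(
                    {"username": acct.username, "token": token})

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Only a valid, unexpired token (i.e. proof of mailbox control)
        changes the password, and each token works exactly once."""
        binding: Optional[ResetToken] = self.tokens.pop(token, None)
        if binding is None or binding.expires_at < time.time():
            return False
        self.accounts[binding.username].password = new_password
        return True

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and secrets.compare_digest(acct.password, password)


def demo() -> dict:
    """Walk through the scenario the statement describes and report outcomes."""
    svc = AccountService()
    svc.register("alice", "alice@example.com", "correct horse")
    svc.mark_verified("alice")
    # A second registrant claims alice's address; it stays unverified.
    svc.register("mallory", "alice@example.com", "anything")
    svc.request_reset("alice@example.com")
    sent = svc.outbox.get("alice@example.com", [])
    # Without the token from the mailbox the reset form is useless.
    guessed = svc.complete_reset("not-the-real-token", "x")
    owner_reset = svc.complete_reset(sent[0]["token"], "new passphrase")
    replay = svc.complete_reset(sent[0]["token"], "again")
    return {
        "tokens_issued": len(sent),
        "token_for": sent[0]["username"],
        "guessed_token_worked": guessed,
        "owner_reset": owner_reset,
        "replay_worked": replay,
        "login_new": svc.login("alice", "new passphrase"),
        "login_old": svc.login("alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The two properties that matter are visible in `request_reset` and `complete_reset`: a token is minted only for a verified binding between account and address, and it is useless to anyone who did not receive it through that mailbox.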

Rik Ferguson of Trend Micro has a good write-up of the flaw in action, and there’s more commentary on the potentially calamitous bug in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/14/skype_fixes_hijack_bug/

Twitter simps fall for ‘Obama punched a guy’ vid promise scam

A spam campaign doing the rounds on Twitter that implausibly offers to show a picture, and then a video, of US President Obama punching someone in the face is ultimately designed to spread the infamous Koobface worm.

Prospective victims typically receive a direct message on Twitter, which contains the text “Check out Obama punch a guy in the face for calling him a n%£$*r”, and a malicious link to a fake Facebook page. This fake page confronts users with a request to submit their Twitter login credentials, as a blog post by Panda Security warns.

Users foolhardy enough to follow this request end up with compromised Twitter accounts, while their followers on the micro-blogging site receive further malware lures as direct messages, perpetuating the scam.

Instead of gaining access to the non-existent Obama right hook, victims are transported to a website that displays a fake YouTube video set against a fake Facebook background. Those stupid enough to go through with the instruction to update their “YouTube player” to watch the video end up installing a variant of the Koobface worm.

The malware steals personal data from compromised machines.

Koobface is a strain of malware that has bedevilled social networking users (particularly on Facebook) since late 2008. The worm has earned scammers income principally through pay-per-install malware in the past, so the latest variant is a bit of a departure that essentially cuts out the middleman in personal data and ID theft scams.

It’s unclear how many victims have been hit by the two-part Obama sucker punch scam, which represents another example of how cybercrooks are increasingly attempting to use social networks as a means to spread malware.

“This attack exploits the two most popular social networking sites, Facebook and Twitter, to trick users into believing they are viewing a trusted site,” said Luis Corrons, technical director of PandaLabs. “It also relies on its victims’ curiosity by using a scandalous story involving US President Barack Obama and racism. Cyber-criminals know people are curious by nature and take advantage of this to trick users.”

The countries most affected by this outbreak, which has claimed an estimated 2,000 victims, are the UK and Sweden, according to Panda.

Corrons added that users who follow a few common sense rules are far less likely to fall victim to these types of malware scams.

“As a general rule, always keep your antivirus software up to date and be wary of messages offering sensational videos or unusual stories as, in 99 percent of cases they are designed to compromise user security,” he warned. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/14/obama_sucker_punch_scam/

Internet Explorer becomes Korean election issue

Microsoft’s Internet Explorer market share may soon take a tumble in South Korea if presidential candidate Ahn Cheol-soo wins looming elections. The hot seat hopeful plans to abolish an anachronistic government crypto standard which has effectively locked users into Internet Explorer for over a decade.

At the tail end of the 1990s, the Korean government decided in its wisdom to develop a home-grown 128-bit SSL encryption standard to increase security around e-commerce.

SEED, as it was known, was then mandated for all online transactions.

The only problem with this new system was that it requires users to install a Microsoft ActiveX plug-in to work, and therefore needs Internet Explorer.

The result: a decade-long monopoly for IE as banking, shopping and other transactional sites were optimised specifically and exclusively for the Microsoft browser.

Although SEED was made non-mandatory back in 2010, its use is still widespread because the government-led approvals process for alternatives is so rigorous, according to Korea Times.

In the meantime, Internet Explorer market share in South Korea stands at a whopping 75 per cent as of October, with nearest rival Chrome down on 17 per cent, according to StatCounter. By contrast, IE is on just 26 per cent in Europe.

Protest group OpenWeb, which has challenged the Korean government over SEED in the courts, argues that the situation is not just anti-competitive and a massive hassle for individual users but also provides huge challenges to home-grown internet start-ups.

It said the following in a blog post:

Web pages riddled with quirks and bugs threaten end-users’ web accessibility. They are ‘enemies’ of free, open and fair internet. However, a country’s institutional and regulatory frameworks may also be mired with quirks and bugs. They threaten competing software companies’ market access to the country. Local software companies suffer as well. End-users, too.

Presidential hopeful Ahn set out his plans on Monday to support alternatives to SEED and put an end to the isolationist certificate system, according to the Wall Street Journal.

He should know what he’s talking about in the security space too, as the founder of popular Korean AV firm Ahn Lab.

The only threat to the plans could be his status as presidential hopeful.

The latest reports suggest independent candidate Ahn could be set to join forces with opposition party candidate Moon Jae In in a bid to stop ruling party candidate Park Geun Hye from winning election. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/14/ahn_lab_internet_explorer_seed_replace_korea/