STE WILLIAMS

Adobe switches Flash fix schedule to Patch Tuesdays

Users of Adobe Flash Player have grown accustomed to frequent security patches, but beginning with its next batch of bugfixes, Adobe says it will release updates on a new, more predictable schedule – one that just happens to coincide with Microsoft’s “Patch Tuesday.”

“The alignment of the release cycle to Patch Tuesdays will make updates more predictable for customers, in particular for customers running the Flash Player bundled with Internet Explorer 10 on Windows 8,” Adobe’s Wiebke Lips told The Reg in an email.

In the past, Adobe has often issued fixes for Flash security vulnerabilities as soon as they became available, at times even patching critical flaws on Sunday.

Microsoft, on the other hand, prefers to unsettle IT admins as seldom as possible by issuing security fixes on a fixed, regular schedule, with updates arriving the second Tuesday of each month.

The two companies’ differing approaches were all well and good until the launch of Windows 8 and Internet Explorer 10. Unlike previous versions of IE, Microsoft has baked Flash support right into its latest browser, in much the same way that Google bundles Flash in Chrome. That means IE 10 users must now get their Flash Player updates from Microsoft, rather than from Adobe.

The change caused some consternation among early Windows 8 adopters in September, when Microsoft announced that it did not intend to publish its first batch of security fixes for IE 10’s Flash component until after Windows 8’s official launch on October 26 – even though patches had been available for Adobe’s standalone Flash Player since August.

Faced with uproar from users who took this to mean that IE 10 would perpetually lag behind other browsers in security, Redmond quickly recanted, issuing an off-schedule patch and promising to coordinate more closely with Adobe on future fixes.

That coordination seems to have been something of a work in progress, however. Initially, Microsoft’s Yunsun Wee announced that future IE 10 security fixes would arrive “on a quarterly basis when Adobe normally issues Flash Player updates,” with emergency updates occasionally breaking the cadence.

As of Wednesday’s announcement, however, the shoe appears to be on the other foot. Although the latest patches arrive a week ahead of Microsoft’s next Patch Tuesday, Adobe says future scheduled updates will ship in lockstep with Redmond’s own schedule – or mostly, anyway.

“That said, we may ship out-of-cycle updates if appropriate, e.g. in the event of zero-days / exploits in the wild,” Lips wrote.

One might hope, since Flash remains one of the most popular targets for web-based exploits. Whether Adobe and Microsoft will see eye-to-eye on what constitutes a critical exploit, however, remains to be seen. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/adobe_switching_to_patch_tuesday/

Android adware capability a vulnerability, claim boffins

North Carolina State University researchers have revealed a vulnerability in Android that allows SMS messages to be sent from one app to another without going over the air, something they say could be used for SMS phishing attacks.

The Xuxian Jiang-led team is the same group that gave the world the Android click-jacking rootkit, a phone-call bugging vulnerability, and identified a dozen malicious apps on Google Play in 2011.

The team’s latest announcement is characterised as a “WRITE_SMS capability leak”, because it can be exploited without an attacker having to request any permissions. The vulnerability is demonstrated in the video below.

“This vulnerability allows a running app on an Android phone to fake arbitrary SMS text messages, which will then be received by phone users. We believe such a vulnerability can be readily exploited to launch various phishing attacks,” the group writes.

Symantec points out that the ability to use an app to generate what looks like an SMS has been known since 2010, but hadn’t been considered a vulnerability. It seems to be a classic case of “this is a feature, not a bug”: the vast majority of apps using the code, the A-V company says, “use the code to deliver advertisements”.

Symantec says there are currently 200 apps on Google Play, recording millions of combined downloads, that send ads to users as spoofed SMSs. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/android_vulnerability_in_adware/

Singaporeans get hard token baked into credit card

Two-factor authentication just got a whole lot more convenient for residents of Singapore, after Standard Chartered Bank’s local outfit teamed with MasterCard to offer account-holders a credit card that is also a one-time-password-generating hard token.

MasterCard calls the device a ‘Display Card’ and says it includes “an embedded LCD display and touch-sensitive buttons”.

The hard token functionality seems not to have anything to do with the credit card, as Standard Chartered says it will be used with its online banking products when customers make “higher-risk transactions such as payments or transfers above a certain amount, adding third party payees, or changing personal details.” If it behaves as other hard tokens do, punters enter a code with the keyboard, read the resulting one-time-password on the screen and then enter that code into the computing device they’re using for online banking. Logon credentials for the online banking service will still be required.

The card’s been doing the rounds of Europe for a couple of years now, scoring a few wins with Turkish, Romanian and Belgian financial institutions.

MasterCard's DisplayCard includes a hard token one-time password generator

We’re pretty sure a decent hard token would never produce the password ‘123456’

But the win at Standard Chartered, a British outfit with global footprint, gives the technology useful profile.

Nagra ID security, the Swiss company behind the token-in-a-card, insists the device will sit happily in one’s wallet and offers a three year warranty, which we believe makes it safe to sit on. The card is, in all other ways, a completely conventional credit card and can be embossed, branded and carry holographic security devices like any other credit card. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/08/hard_token_in_credit_card/

Theresa May DDoS case: Man cuffed by eCops

A man has been arrested in Stoke-on-Trent by police investigating a DDoS attack on Theresa May’s website and the Home Office website in June.

The 41 year old was arrested this morning by officers from the eCrime unit. He was later bailed until December.

The man was arrested on suspicion of assisting or encouraging the denial of service attack that took down Theresa May’s constituency website and the Home Office site five months ago.

Police confiscated computers, telephones and associated media storage devices from the man’s home.

Officer Jason Tunn from the Metropolitan Police Central e-Crime Unit said that officers were committed to combating and prosecuting cyber criminality anywhere within the UK.

“Assisting and encouraging cyber crime is a serious matter” he said, “and I would advise all persons to consider their actions and any possible future consequences prior to posting any material online.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/07/man_arrested_theresa_may/

Adobe spurts spackle* into Flash’s gaping holes

Adobe has updated its Flash Player software ahead of schedule to head off crooks exploiting critical vulnerabilities uncovered in the product. The flaws were reported by Google’s security team.

The cross-platform upgrade includes new builds of Flash for Windows, Mac OS X, Linux and Android-powered smartphones. Adobe AIR on Windows and Mac OS X also needs updating due to a low-risk flaw. The patches tackle seven vulnerabilities in total, some of which are critical. Windows users are most at risk, but other platforms are far from unexposed.

Users of Flash Player for Windows and Mac should update to version 11.5.502.110, Linux folks should step up to 11.2.202.251, Android 4 phones should use 11.1.115.27 and Android 3 should switch to 11.1.111.24. Adobe AIR needs to be updated to version 3.5.0.600.
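An added check, not Adobe’s or Sophos’s code, that applies the per-platform minimum versions listed above to an inventory. The inventory rows are constructed sample data; the point it demonstrates is that dotted versions must be compared field by field as integers (a string comparison sorts “11.5.502.110” before a hypothetical “11.5.502.90”) and that each platform has its own patched build, so Android 3 and Android 4 cannot share one threshold.

```python
# Added example, not Adobe's or Sophos's code. Minimum patched builds per
# platform, as listed in the advisory coverage above.
MIN_VERSIONS = {
    ("flash", "windows"): "11.5.502.110",
    ("flash", "mac"): "11.5.502.110",
    ("flash", "linux"): "11.2.202.251",
    ("flash", "android4"): "11.1.115.27",
    ("flash", "android3"): "11.1.111.24",
    ("air", "windows"): "3.5.0.600",
    ("air", "mac"): "3.5.0.600",
}


def parse_version(text):
    """'11.5.502.110' -> (11, 5, 502, 110); raises ValueError on junk.
    Integer tuples compare field by field, unlike the raw strings."""
    return tuple(int(p) for p in text.strip().split("."))


def needs_update(product, platform, installed):
    """True if the installed build is older than the patched build for that
    platform. A missing or unparseable version is treated as needing update,
    because an unknown build cannot be shown to be patched."""
    try:
        minimum = MIN_VERSIONS[(product, platform)]
    except KeyError:
        raise KeyError(f"no advisory entry for {product}/{platform}")
    try:
        return parse_version(installed) < parse_version(minimum)
    except (ValueError, AttributeError):
        return True


def audit(inventory):
    """Return the hostnames whose rows fall below the advisory minimum."""
    return [row["host"] for row in inventory
            if needs_update(row["product"], row["platform"], row["version"])]


# Constructed sample inventory; the installed version strings are made up.
SAMPLE_INVENTORY = [
    {"host": "ws01", "product": "flash", "platform": "windows", "version": "11.4.402.287"},
    {"host": "ws02", "product": "flash", "platform": "windows", "version": "11.5.502.110"},
    {"host": "lx01", "product": "flash", "platform": "linux", "version": "11.2.202.251"},
    {"host": "tab1", "product": "flash", "platform": "android3", "version": "11.1.111.24"},
    # Same build as tab1, but on Android 4 it is below that platform's minimum.
    {"host": "tab2", "product": "flash", "platform": "android4", "version": "11.1.111.24"},
    {"host": "mac1", "product": "air", "platform": "mac", "version": "3.4.0.2710"},
    {"host": "mac2", "product": "air", "platform": "mac", "version": None},
]

if __name__ == "__main__":
    print("needs update:", audit(SAMPLE_INVENTORY))
```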

As Sophos notes, there are separate downloads for Flash Player plugins, one for each web browser engine supported, which complicates the patching process. It also points out that Adobe tends to update its Flash player quarterly in line with the nearest Microsoft Patch Tuesday – but this time the Photoshop maker has lobbed out its security updates a week early.

Virus pushers and crooks seize upon security flaws in ubiquitous Adobe applications and Oracle’s Java, so it would be wise to apply the updates sooner rather than later. An advisory from Adobe on the updates can be found here. ®

Bootnote

* Polyfilla, for our non-US-speaking readers. In this case the American word seemed more colourful.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/07/adobe_flash_update/

UK prosecutors, cops ponder new probe into NASA hacker McKinnon

UK criminal prosecution lawyers will meet cops this month to decide whether or not to open a new investigation into Pentagon-hacking Brit Gary McKinnon.

Last month Home Secretary Theresa May withdrew an extradition order against the 46-year-old on medical and human rights grounds. Five psychiatrists warned there was a risk the Scot, who suffers from Asperger Syndrome and depression, would kill himself if extradited to America. US authorities want to put McKinnon on trial and jail him for infiltrating US military and NASA computers in 2001 and early 2002.

May said UK prosecutors will review whether McKinnon, who lives in north London, can be tried in Britain. It is understood a meeting between the Crown Prosecution Service (CPS) and Met police officers regarding his case will take place at the end of November.

It’s curious that the CPS is mulling a “new criminal investigation” when the high-profile case has been played out in public for years: McKinnon has repeatedly appealed against the American extradition request in court and took his fight all the way to the House of Lords in June 2008.

His mother Janis Sharp fears the “new investigation” may defeat restrictions on how long after the fact a prosecution for computer hacking can be initiated.

“Hopefully the CPS are not now including the Met ‘to investigate’ so that they can pretend it’s new facts from a new investigation so that they can bypass the three-year statute of limitations,” she said today.

McKinnon was arrested in March 2002 by officers from the UK’s since disbanded Hi-Tech Crime Unit. His case was put on hold until US extradition proceedings began in 2005. McKinnon’s family and supporters fought a fierce and ultimately successful campaign against extradition. The campaigners argued that McKinnon ought to be tried in the UK.

Sharp told El Reg that UK prosecutors have consistently refused to take up the case, even when the McKinnon team offered CPS lawyers a signed confession.

“A UK trial is what we fought for ten years and is what the CPS refused us for ten years as they said they were unable to prosecute Gary as they didn’t have the evidence required,” she explained.

“After a judicial review in June-July 2009 against the CPS in which we tried to force a UK prosecution to take place, Lord Justice Stanley Burnton agreed with the CPS that the CPS were wholly justified in refusing to prosecute Gary in the UK.

“It would therefore be a spectacular turnaround if the CPS suddenly decided they could prosecute after all.”

‘This could have saved us 10 years of misery’

The McKinnon case prompted changes to the US-UK extradition procedure, which critics argued was one sided because stateside authorities need to show only “reasonable suspicion” while UK extradition requests to the US need to be backed up by prima facie evidence. The McKinnon case marked the first time a Home Secretary has intervened since the controversial US-UK extradition mechanism was put in place in 2003.

Blighty’s courts will soon be allowed to decide whether to assert jurisdiction over a case before processing an extradition request, a procedure known as a “forum bar”. Such procedures, had they been available years ago, could have saved the McKinnon family a decade of stress and frustration.

“If this was the case it would mean they could have prosecuted Gary in 2002 and saved our family more than 10 years of absolute misery which has destroyed Gary’s life and caused his mental health to deteriorate further, and has all but ruined our lives too,” Sharp said.

McKinnon, who admits he accessed US government computers in search of evidence for UFOs, disputes the level of damage the Americans estimated he caused.

“The Crown Prosecution Service and Metropolitan Police Service have agreed to form a joint panel to decide whether a new criminal investigation into the allegations against Gary McKinnon should take place,” a CPS spokesperson told V3.

“It is proposed that the panel will convene in late November once some preliminary enquiries have been made by both the CPS and the MPS [Metropolitan Police Service].” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/07/uk_mulls_re_opening_mckinnon_investigation/

GCHQ lines up BAE and pals for ‘Cyber Incident Response’

Eavesdropping spook base GCHQ is drawing up a list of companies that can help power stations, banks and other crucial UK organisations fend off and recover from hacking attacks.

The “Cyber Incident Response” scheme – launched today by CESG, the data security arm of GCHQ, and the Centre for the Protection of National Infrastructure (CPNI) – is targeted at the public sector and firms supporting the UK’s key systems and businesses. A rollout to the wider private sector may follow as the programme matures.

The project, in its pilot phase, recommends four companies selected for their expertise in computer forensics and their ability to respond to digital attacks on electronic systems. The four firms, which will assist the nation’s critical organisations, are BAE Systems Detica, Cassidian (the defence and security unit of EADS), Context Information Security and US-based Mandiant.

The concept is modelled on the well-established CHECK scheme that firms can use to find CESG-approved penetration-testing outfits. So-called cyber-incident response services are necessary because, even with a well thought out corporate security policy, malware outbreaks and hacker attacks are inevitable. The trick is to detect attacks early and thwart them before any real damage is done, which is where response services come into play.

The GCHQ scheme builds on the 10 Steps to Cyber Security best practice guidelines published by the government in September, and is designed to further the UK’s electronic security strategy.

Chloë Smith, minister for safeguarding Blighty’s computers, said: “The growing cyber threat makes it inevitable that some attacks will get through, either where basic security is not implemented, or when an organisation is targeted by a highly capable attacker. ‘Cyber Incident Response’ services provide access to organisations certified by CESG/CPNI to respond effectively to cyber incidents.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/07/gchq_cyber_incident_response_scheme/

Boffins foul VM sandboxes with CPU-sniffing hack

So much for your sandbox

US researchers at RSA, the University of Wisconsin and the University of North Carolina have used a malicious virtual machine to extract a cryptographic key from another virtual machine running on the same hardware.

The finding, published here (PDF), will not be welcomed by virtualisation companies or cloud computing providers, as it shows that the logical isolation between virtual machines may not be as secure as promised. Hypervisor vendors and cloud providers alike constantly talk up security, asserting that despite virtual machines sharing physical resources there’s no extra risk associated with this mode of computing.

The researchers’ findings seem to both support and disprove those assertions.

Support comes from the paper’s report that the attack was not easy, as it required … “overcoming challenges including core migration, numerous sources of channel noise, and the difficulty of pre-empting the victim with sufficient frequency to extract fine-grained information from it.”

Security worries will be fuelled by the researchers’ success and use of Xen as a test platform, as it is said to power AWS’s and Rackspace’s cloud offerings. The paper also points out that Xen powers some desktop virtualisation setups, hinting that desktop-on-desktop attacks also need to be considered.

The conditions for the test were as follows:

“Our threat model assumes that Xen maintains logical isolation between mutually untrusting co-resident VMs, and that the attacker is unable to exploit software vulnerabilities that allow it to take control of the entire physical node. We assume the attacker knows the software running on the victim VM and has access to a copy of it.”

With that rig in place, the researchers set about trying to sniff activity on the victim VM with what is described as an “access-driven attack in which the attacker runs a program on the system that is performing the cryptographic operation of interest.”

Such attacks work as follows:

“The attacker program monitors usage of a shared architectural component to learn information about the key, e.g., the data cache, instruction cache, floating-point multiplier, or branch-prediction cache. The strongest attacks in this class, first demonstrated only recently, are referred to as asynchronous, meaning that they do not require the attacker to achieve precisely timed observations of the victim by actively triggering victim operations. These attacks leverage CPUs with simultaneous multi-threading (SMT) or the ability to game operating system process schedulers; none were shown to work in symmetric multi-processing (SMP) settings.”

The paper delves into very technical detail about how the research team found ways to observe and decipher CPU behaviour, but eventually declares that using “a novel combination of low-level systems implementation and sophisticated tools such as classifiers and sequence alignment algorithms, we assembled an attack that was sufficiently powerful to extract ElGamal decryption keys from a victim VM in our lab tests.”
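An added illustration, not code from the paper or from the article, of why the access-driven attack quoted above can recover an ElGamal decryption key and what the mitigation looks like. ElGamal decryption raises c1 to the private key x; a naive square-and-multiply performs a key-dependent sequence of squarings and multiplications, and an observer who can tell which shared component the victim is using (here modelled as a recorded trace of operation types) reads the key bits straight off that sequence. A Montgomery ladder does one multiply and one square per bit, so the sequence no longer depends on the key. All group parameters and keys below are small constructed values.

```python
# Added example, not from the paper or the article. The `trace` list stands in
# for whatever a co-resident attacker observes about a shared component; here
# it records only the type of each modular operation.

def square_and_multiply(base, exp, mod, trace):
    """Left-to-right square-and-multiply; appends 'S' or 'M' per operation."""
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":                       # key-dependent branch: leaks the bit
            result = (result * base) % mod
            trace.append("M")
    return result


def montgomery_ladder(base, exp, mod, trace):
    """Same result, but every bit costs exactly one multiply and one square."""
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        trace.append("M")
        trace.append("S")
    # The operation sequence is now key-independent. Which register is written
    # still depends on the bit, so production code also replaces this branch
    # with a constant-time conditional swap; that refinement is omitted here.
    return r0


def exponent_from_trace(trace):
    """What an observer learns from a square-and-multiply trace: each 'S'
    starts a new bit as 0, and an 'M' immediately after it makes that bit 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        elif op == "M" and bits:
            bits[-1] = "1"
    return int("".join(bits), 2) if bits else 0


def elgamal_decrypt(c1, c2, x, p, exp_fn, trace):
    """m = c2 * (c1^x)^-1 mod p, with the exponentiation routine pluggable."""
    shared = exp_fn(c1, x, p, trace)
    return (c2 * pow(shared, -1, p)) % p


def demo():
    """Encrypt a toy message, decrypt it both ways, and show what each trace
    reveals. Returns (m_leaky, m_quiet, recovered_key, leaky_trace, quiet_trace)."""
    p, g = 467, 2                   # constructed toy group, far too small for real use
    x = 181                         # constructed private key, 0b10110101
    y = pow(g, x, p)                # public key
    m, k = 123, 7                   # message and constructed ephemeral k
    c1, c2 = pow(g, k, p), (m * pow(y, k, p)) % p
    leaky, quiet = [], []
    m_leaky = elgamal_decrypt(c1, c2, x, p, square_and_multiply, leaky)
    m_quiet = elgamal_decrypt(c1, c2, x, p, montgomery_ladder, quiet)
    recovered = exponent_from_trace(leaky)   # the observer's reconstruction of x
    return m_leaky, m_quiet, recovered, "".join(leaky), "".join(quiet)


if __name__ == "__main__":
    m_leaky, m_quiet, recovered, leaky, quiet = demo()
    print("decrypted:", m_leaky, m_quiet)
    print("square-and-multiply trace:", leaky, "-> key", recovered)
    print("ladder trace:", quiet)
```

The ladder trace is identical for every key of the same bit length, which is the property the paper’s classifier-and-alignment pipeline is exploiting the absence of.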

The paper often goes out of its way to point out the attack it describes is unusual and required a lot of effort to achieve. Even so, it will likely make virtualisation users just a little less confident that their sandboxes will always remain free of unpleasant contaminants. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/07/vm_side_attack_extracts_crypto_key/

US election: New Jersey email voting plan ‘best of bad bunch’

Security watchers have given a lukewarm backing to plans by New Jersey authorities to allow email voting for residents of the state left displaced by Superstorm Sandy.

New Jersey Lieutenant Governor Kim Guadagno issued a directive on Saturday permitting voters to download absentee ballots before returning them by either email or fax in order to cast their vote, as previously reported.

“I’m not filled with confidence, but this seems like the best of a bunch of bad alternatives,” commented security guy Bruce Schneier, in a brief blog post.

Robert David Graham of Errata Security is even more negative: “Is anybody taking bets on how much the vote-by-email will exceed the population in New Jersey?”

There are some safeguards in place to prevent this scenario, as Ed Felten of Princeton’s Center for Information Technology Policy explains:

“Although the order does allow a ballot to be submitted by email or fax, this is subject to the submission of a signed hardcopy ballot, and the law directs election officials to compare the electronic ballot with the eventually received hardcopy,” he writes on the Freedom to Tinker blog.

Unless it’s encrypted, email isn’t secure. By default email can be easily spoofed or intercepted and read. That’s why sending password reminders by email is a no-no. The medium is a total non-starter for anything more sensitive.

Computer scientist Matt Blaze argues the use of email for voting is undesirable but justifiable in the midst of the aftermath to a national disaster.

“The security implications of voting by email are, under normal conditions, more than sufficient to make any computer security specialist recoil in horror,” Blaze, a computer scientist at the University of Pennsylvania, explains. “Email, of course, is not at all authenticated, reliable, or confidential, and that by itself opens the door to new forms of election mischief that would be far more difficult in a traditional in-person polling station or with paper absentee ballots.

“If we worry that touchscreen ‘DRE’ electronic voting machines might be problematic, email voting seems downright insane by comparison. But a knee-jerk reaction to the worst case scenario is probably not helpful right now. Clearly, email voting is risky. The question is whether these risks outweigh the benefits, and whether the technical and procedural safeguards that are in place are adequate to mitigate them under these rather unique circumstances.”

Even supporters of internet voting more generally are skeptical that the effort will go smoothly without running into problems, such as individuals attempting to vote multiple times or potential denial-of-service attacks from spammers¹, Politico reports.

Changes in voting laws have facilitated email and fax voting for overseas voters and military personnel since 2010. However only 3,500 ballots were cast this way in the mid-term elections to Senate and Congress and there is some concern that the approach is not ready for prime time.

The scheme could potentially service hundreds of thousands of votes, Charles Stewart, co-director of the Caltech-MIT Voting Technology Project, told Politico. It would be better to allow displaced New Jersey residents to cast their vote in Tuesday’s presidential and Senate races using provisional ballots at any polling station close to where they have been relocated, Stewart argued.

Separate directives issued over the weekend enable displaced voters and emergency relief workers to vote by provisional ballot at a polling place in a county other than the voter’s county of registration.

New Jersey hasn’t voted Republican in presidential elections since 1988, when the state went for George Bush (senior). It’s a safe bet that Obama will claim New Jersey when the results are tallied in the early hours of Wednesday, however people are allowed to vote. ®

Bootnote

¹ New Jersey features in seven citations on Spamhaus’s ROKSO database of spam operations. New York, by comparison, gets 73 and California, 72. Nonetheless there’s a suspicion that more than a few spammers live in New Jersey, making the spam DDoS a slightly more plausible threat than might otherwise be the case.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/06/nj_email_voting_what_could_go_wrong/

Google bod exposes Sophos Antivirus’ gaping holes

A security researcher has discovered embarrassing and critical vulnerabilities in Sophos’ enterprise protection software.

Tavis Ormandy, an information security engineer at Google, published a paper along with example attack code to highlight flaws present in Windows, Linux and Mac OS X builds of Sophos’ antivirus product.

The holes can be reliably and easily exploited by hackers to compromise the computers the software is supposed to defend. Specifically, the antivirus scanner fails to safely examine encrypted PDFs and VisualBasic files, which could arrive in an email or website download; these documents can be crafted to trigger flaws within the software and gain control of the system.

In response, Sophos confirmed today that most of the eight vulnerabilities documented by Ormandy were patched a month after the security researcher reported the bugs in September. The company is adamant the flaws have not been exploited in the wild.

Nonetheless Ormandy – who said his work has nothing to do with his employer – argued in a post to the Full Disclosure mailing list on Monday that the risk is high.

“My paper includes a working pre-authentication remote root exploit that requires zero-interaction, and could be wormed within the next few days,” he writes. “I would suggest administrators deploying Sophos products study my results urgently, and implement the recommendations.”

Ormandy’s dossier [PDF] also includes advice on best practices for Sophos users and is “intended to help administrators of high-value networks minimise the potential damage to their assets caused by Sophos”. Even the name of the paper “sophailv2” alludes to failure.

His suggestion that IT bosses “exclude Sophos products from consideration for high-value networks and assets” is unlikely to find much favour at Sophos HQ.

Ormandy is also critical of the overall quality of programming and quality assurance testing by Sophos as well as the company’s insistence that the exploitation of the holes is unlikely.

“A working exploit for Sophos 8.0.6 on Mac is available, however the techniques used in the exploit easily transfer to Windows and Linux due to multiple critical implementation flaws described in the paper. Test cases for the other flaws described in the paper are available on request,” he wrote.

Ormandy reported the vulnerabilities to Sophos on 10 September. Five of the flaws were mitigated in a new version rolled out to users on 22 October. A further two security bugs were quashed on 5 November. The security firm promises a fix for a further bug, which causes its software to crash, by the end of the month.

As well as the PDF and Visual Basic blunders, vulnerabilities were found in the antivirus engine’s handling of malformed CAB and RAR files, which corrupted the computer system’s memory if triggered – another headache for sysadmins. The software also needlessly knackered the Windows operating system’s ASLR defence mechanism against malicious code, and was vulnerable to cross-site scripting attacks. These flaws have been patched.

A demonstration of the Sophos Anti-Virus Sophail PDF Vulnerability, the worst of the vulnerabilities uncovered by Ormandy, can be found here as a Metasploit payload.

Best of enemies

There’s a history between Sophos and Ormandy, which goes some way to explain the somewhat aggressive tone of their latest exchanges.

The Google engineer delivered a presentation on what he argued were shortcomings in Sophos software at Black Hat USA in August 2011. Prior to this, writers on the Sophos Naked Security blog repeatedly criticised Ormandy over the allegedly “irresponsible disclosure” of a zero-day vulnerability in Windows Help and Support Center that affected Windows XP machines in June 2010.

Days later Sophos published an article provocatively titled “Tavis Ormandy – are you pleased with yourself? Website exploits Microsoft zero-day”. The revealed flaw was subsequently used by miscreants to infect more than 10,000 PCs in less than one month, according to Sophos.

El Reg counted five articles and a podcast openly critical of Ormandy on the Naked Security blog, not including the two posts on the vulnerabilities he’s discovered in Sophos software, which are a bit passive aggressive but overall neutral in tone, if you discount the anger over the Windows flaw uncovered two years ago.

By comparison the crooks behind Operation Ghost Click, a massive online crime wave uncovered last year, are mentioned only twice, although in fairness the DNS Changer malware the crims peddled has been frequently covered by Sophos.

Love Bug worm author Onel de Guzman gets only three mentions. That’s not to say Sophos blog writers hold Ormandy in lower regard than de Guzman, but it does suggest they may have gone a bit over the top with their criticism of Ormandy two years ago – something that may have encouraged subsequent probing of the UK-based software company’s products.

Graham Cluley, a senior technology consultant at Sophos, welcomed Ormandy’s efforts.

“Sophos products are better than they were three months ago and Tavis’s research has helped,” Cluley told El Reg. “He told us about vulnerabilities we didn’t know about before, which we’ve successfully been able to patch.”

Every security system vendor suffers from vulnerabilities from time to time, and it’s far better that the flaws are reported by researchers such as Ormandy and fixed before they are exploited by hackers, Cluley added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/06/sophos_multiple_vulns/