STE WILLIAMS

NSW public servant’s email hacked, used to criticise leader


‘Source’ of explosive missive about education policy was on holiday


The Director-General of the Australian State of New South Wales’ Department of Education has had her holiday ruined by parties unknown who gained access to her email account and used it to send a message critical of her political masters.

New South Wales has cut funding to some areas of public education, a decision that has drawn much criticism from educators and the wider community.

An email purportedly sent by Director-General Dr Michele Bruniges and despatched to all schools and technical colleges in the State saying the government was “dismantling” technical education was therefore explosive.

The email signed off with an even hotter comment, namely:

“I can only hope that with enough formal protesting to the Ministers office, sensibility will prevail and that public education is not the victim of this short sighted NSW Government vision.”

Education Minister Adrian Piccoli has told the AAP newswire that the mail is a fake, and that Dr Bruniges could not be the source as she was on holiday at the time it was distributed. He’s therefore loosed all the appropriate dogs to chase down the malfeasant and ensure the book is thrown at them. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/25/nsw_public_servant_email_hack_sends_fake_criticism_of_barry_ofarrell/

‘Regular’ PS3 gamers who’ve cancelled credit cards? You FOOLS!

The appearance of a Sony PlayStation 3 firmware hack will only affect hardware modders, according to a gaming security expert.

Chinese hacker group BlueDisk-CFW has published a tool that circumvents the console’s firmware. This was followed by the release of “LV0 decryption key.” The decryption keys allow PS3 firmware packages to be unscrambled on a PC, then re-encrypted with existing firmware 3.55 keys so that they can be run on hacked consoles, as previously reported.

BlueDisk-CFW originally intended to charge for their tool, but the release of the decryption key by a separate group called The Three Musketeers spoiled that plan.

Anyone with a bit of technical skill can get around the restrictions themselves.

Chris Boyd (AKA PaperGhost), senior threat researcher at GFI Software and an expert in gaming security, said both incidents make little difference to regular gamers.

“The only real benefit to this is for those already running custom firmware on hacked machines, who are now able to update their PS3 and go online. While they may be able to play games online until Sony change the PSN passphrase, it’s unlikely to cause a wave of in-game cheating and modding.”

Boyd added that the firmware hack has no bearing on the security of the Playstation Network itself.

“The Playstation Network itself is still secure and users shouldn’t panic. I’ve already seen one person say they cancelled their credit card as a result of thinking the PSN had been compromised (it hasn’t). With the PS4 on the horizon, this may prompt SONY to speed up work on the upcoming console.”

The arrival of the firmware hack coincides with a ruling by a US judge that the notorious Sony PlayStation Network hack of May 2011, which left millions unable to play online games for weeks, provides insufficient grounds for a class action lawsuit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/25/sony_firmware_hack/

US-CERT warns DKIM email open to spoofing

US-CERT has issued a warning that DomainKeys Identified Mail (DKIM) verifiers that use low-grade encryption are open to being spoofed and need to be upgraded to combat attackers wielding contemporary quantities of computing power.

You might think this is no big deal – after all the value of strong cryptography has been recognized for years. Unfortunately this problem has been found to affect some of the biggest names in the tech industry, including Google, Microsoft, Amazon, PayPal and several large banks.

The DKIM system adds a signature header to messages that can be checked against the sender’s domain by looking up the signing key in DNS. It also takes a cryptographic hash of the message using SHA-256 and signs that hash with the sender’s RSA key, so the message can’t be altered en route without the signature failing.

The problem stems from the very weak key lengths that are being used by companies that should know better. To make matters more embarrassing the problem was spotted by complete accident by Floridian mathematician Zachary Harris, who used it to spoof an email to Google CEO Larry Page.

Harris told Wired that he received an email from a Google recruiter, asking him to interview with the company for a site-reliability engineering position. Smelling a rat, he looked at the email in more depth and saw that Google was only using a 512-bit key, which isn’t particularly secure these days.

“A 384-bit key I can factor on my laptop in 24 hours,” he said. “The 512-bit keys I can factor in about 72 hours using Amazon Web Services for $75. And I did do a number of those.”

Thinking the recruiter might have introduced the vulnerability as a creative test of whether he was suitable for the job, Harris used the flaw to spoof an email to Larry Page from fellow co-founder Sergey Brin, in which he plugged his own website as something worthy of attention. He got no response, but two days later noticed Google had upped its key length to 2,048 bits and he was suddenly getting a lot of IP hits from the Chocolate Factory.

After doing some digging around Harris discovered this was a surprisingly common problem. Amazon, Twitter, eBay and Yahoo! were all using 512-bit keys and even Paypal and banks like HSBC were still on 768-bit systems, despite the standard recommending at least 1,028-bit as a minimum.

“Those are not factorable by a normal person like me with my resources alone. But the government of Iran probably could, or a large group with sufficient computing resources could pull it off,” he warned.

Harris contacted those companies he had found were vulnerable and most, but not all, upgraded their systems to much higher keys. He also contacted CERT Coordination Center at Carnegie Mellon University so an alert could be put out before he went public.

Upgrading key length isn’t difficult, but companies also need to revoke the old keys and remove test keys from their DNS records. Some receiving domains are still accepting test keys that have never been revoked, he said.
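As an added illustration (not code from the article, CERT or any of the companies named), the following Python reads a DKIM TXT record, extracts the RSA modulus from the base64 key and flags keys below an assumed 1,024-bit minimum, treating an empty `p=` tag as a revoked key, which covers the point above about retiring old and test keys. The sample records are constructed with arbitrary moduli of the right size; they are not real key pairs.

```python
import base64
import re

# --- Minimal DER helpers; no third-party libraries needed ---------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:              # DER INTEGER is signed: keep it positive
        body = b"\x00" + body
    return _der(0x02, body)

def _read_tlv(buf, pos):
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption

def spki_from_modulus(n, e=65537):
    """SubjectPublicKeyInfo DER for an RSA public key (n, e); used here only
    to build the constructed sample records below."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))

def rsa_modulus_bits(spki):
    """Walk the SPKI structure down to the RSA modulus and return its size."""
    _, outer, _ = _read_tlv(spki, 0)
    _, _, pos = _read_tlv(outer, 0)             # skip AlgorithmIdentifier
    tag, bitstr, _ = _read_tlv(outer, pos)      # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected SPKI layout")
    _, rsa_key, _ = _read_tlv(bitstr, 1)
    _, n_bytes, _ = _read_tlv(rsa_key, 0)       # INTEGER n
    return int.from_bytes(n_bytes, "big").bit_length()

def check_dkim_record(txt, minimum=1024):
    """Return (modulus_bits, verdict) for a DKIM TXT record; verdict is
    'revoked' (empty p=), 'weak' (below minimum) or 'ok'."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("k", "rsa").strip() != "rsa":
        raise ValueError("only k=rsa records are handled here")
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        return 0, "revoked"
    bits = rsa_modulus_bits(base64.b64decode(p))
    return bits, ("weak" if bits < minimum else "ok")

# Constructed sample records: arbitrary moduli of the requested size,
# not real key pairs (a real record carries the signer's actual key).
def _sample(bits):
    n = (1 << (bits - 1)) | 0x1234567
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_modulus(n)).decode()

WEAK_RECORD = _sample(512)
STRONG_RECORD = _sample(2048)
REVOKED_RECORD = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("strong", STRONG_RECORD), ("revoked", REVOKED_RECORD)]:
        print(name, check_dkim_record(rec))
```

To check a live selector, fetch the TXT record for `selector._domainkey.example.com` with your resolver of choice and pass the string to `check_dkim_record`.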

With spoofed emails an increasing problem you’d think something so simple could have been spotted earlier. The industry still has a lot of catching up to do it seems. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/24/uscert_dkim_spoofing_flaw/

Boeing zaps PCs using CHAMP missile microwave attacks

Boeing has successfully conducted a test of a missile capable of blasting a building’s electronics with an energy beam without harming the structure itself. The era of EMP weapons has arrived it seems.

The Counter-electronics High-powered Advanced Missile Project (CHAMP) is an air-launched device that uses a high-powered microwave pulse to disable electrical systems. On Oct. 16th the missile was tested at the Utah Test and Training Range and successfully toasted electrical systems in a two-storey building.

“We hit every target we wanted to, we prosecuted every one. Today we made science fiction science fact,” said Keith Coleman, CHAMP program manager for Boeing Phantom Works. “When that computer went out, when we fired, it actually took out the cameras as well. We took out everything on that, it was fantastic.”

Boeing announced the plans for CHAMP back in 2009, as part of the US Army’s continuing quest for a weapon that can knock out electronics easily. You can do this with the electromagnetic pulse (EMP) produced by a nuclear explosion, but those tend to be somewhat messy as they produce rather too much “collateral damage.”

Based on the video the company has released of an earlier test, the weapons system, developed by Sandia National Laboratories, does look somewhat effective. The on-screen PCs are shut down, although there’s no way of telling if they are fried or just powered down, and one system still appears to be functioning. Hardened military systems might prove a tougher challenge.

There’s no word on how many attacks a single missile can make; Boeing’s saying multiple targets can be hit on a single run but isn’t specifying just how many. Boeing said last week’s hour-long test hit seven targets, but didn’t specify how many missiles were used.

There’s also the question of whether this is a reusable weapon, and if not how it destroys itself once exhausted. Leaving technology like this littered across the landscape would be a gift for those seeking to develop anti-electronic weapons and looking for kit to reverse engineer. The Iranian military was very happy to apparently get a US drone this way, although they seem unable to get any more.

Finally, and most worryingly of all from the perspective of an IT manager who could be targeted, there’s no word on the effect on human beings. The US already uses microwaves as a crowd control device but CHAMP’s kind of attack should last fractions of a second, and this may be something that causes brief discomfort but no fatalities.

The US Air Force predicted it would have this kind of weaponry this year back in 2007, but we’re still awaiting word of those EMP hand grenades that are apparently in circulation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/25/boeing_champ_missile_microwave_attacks/

Facebook donates cash seized from spammers to cyber CSI lab

Facebook has donated $250k it seized from spammers to an academic centre of excellence in the fight against cybercrime.

The University of Alabama at Birmingham’s Center for Information Assurance and Joint Forensics Research will use the cash to build an expanded version of the faculty, due to open next year. The centre helped researchers at Facebook to track down the infamous Koobface gang and helped to unravel the even more notorious GhostClick (DNSChanger) scam, among other work.

Notable researchers at the centre include Gary Warner, Director of Research in Computer Forensics and co-chair of the Anti-Phishing Working Group. Warner also runs the well-read CyberCrime Doing Time blog.

“As a result of numerous collaborations over the years, Facebook recognizes the center as both a partner in fighting Internet abuse, and as a critical player in developing future experts who will become dedicated cybersecurity professionals,” says Joe Sullivan, chief security officer at Facebook, in a statement. “The center has earned this gift for their successes in fighting cybercrime and because of the need for formal cybersecurity education to better secure everyone’s data across the world.”

The donation itself will be widely applauded in security circles even though the Koobface investigation remains controversial. In January 2012, the New York Times publicly named five people security researchers have fingered as prime suspects in the spread of the Koobface worm, a strain of malware that has bedevilled social networking users (particularly on Facebook) since late 2008. Koobface, which was unusually sophisticated, earned scammers income principally through pay-per-install malware.

Critics argue that the disclosure was premature and served only to tip off the suspects, who subsequently went to ground. Whatever the truth of that, no arrests or lawsuits have been filed as a result of the investigation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/24/facebook_uab_research_donation/

Adobe plugs up buffer overflow holes in Shockwave update


Nobody using them yet – but they will be now


Adobe released a patch for its Shockwave Player software on Tuesday, addressing six security vulnerabilities that might easily lend themselves to malware-pushing exploits.

Shockwave Player 11.6.7.637 and earlier versions on both Windows and Mac need updating to the latest version: Shockwave Player 11.6.8.638.

Adobe said it was not aware of any exploits in the wild, so there’s no need for panic, but since vulnerabilities in Adobe software applications have become a major target for the bad guys over the last two or three years, dismissing the update as unimportant would be equally unwise.

Adobe credited security researchers at Fortinet’s FortiGuard Labs and CERT for help in discovering the security bugs in its software. A security advisory from Adobe explains that the security bugs in Shockwave involve a mix of buffer overflow vulnerabilities as well as an “array out of bounds” security bug, all of which could result in code execution on systems running the vulnerable software. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/24/adobe_shockwave_update/

Huawei says US stance is ‘protectionism’

The Chairman of Huawei’s Australian operations, John Lord, has proposed the nation create a national “cyber security evaluation centre” at which “all equipment implemented into major or critical Australian networks can be subjected to the same thorough security assessment.”

Lord said such a centre would mirror the UK’s Cyber Security Evaluation Centre.

Lord floated the idea during a speech to Australia’s National Press Club, a forum often used by politicians and other significant figures to announce big ideas or flesh out their thinking.

Lord’s speech called for debate on security in Australia to stay “sober” as “If we are to find real solutions to real cyber-security problems, we cannot allow the discussion to be muddied by issues like the ongoing trade conflict between the US and China.”

That conflict, Lord said, means the recent US House of Representatives committee report that damned Huawei “… must be called for what it really is: protectionism, not security.”

Lord went on to say the committee’s report is a geopolitical stunt, with the transcript of his speech offering the following:

“The fiery rhetoric of the U.S. Committee’s report may make good headline-fodder in an election year, but it should really be seen as a missed opportunity. It missed the opportunity to address the real issues at stake, to increase awareness of the common threats we face, and to develop methods of countering these threats in a realistic way. When all telecoms equipment is produced by an interdependent global supply chain, simply blacklisting a single vendor or country will not make critical infrastructure more secure.”

Huawei’s proposal, in Australia at least, is a testing centre at which it will happily “offer complete and unrestricted access to our software source code and equipment” and at which Lord hopes “in the interests of national security we believe all other vendors should be subject to the same high standard of transparency.”

Lord added that he imagines the centre “could be funded by vendors themselves and operated or overseen by security-cleared Australian nationals with complete transparency of all equipment.”

Huawei will, also Lord added, “support and adopt any internationally agreed standard or best practice for cyber security in its broadest sense; we will support any research effort to improve cyber defences; we will continue to improve and adopt an open and transparent approach enabling governments to review Huawei’s security capabilities, and finally, as we have done to date, we warmly welcome the assistance from our customers in enhancing our processes, our technology, and our approach to cyber security …”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/24/huawei_accuses_usa_of_protectionism/

Gaping network port with easy-to-guess password? You ARE the 79%

High-profile, sophisticated hackers stealing industrial secrets tend to hog the headlines but opportunistic hackers searching for routine vulnerabilities can create a world of hurt for victims, often small businesses.

Verizon’s Data Breach Investigations Report found that 79 per cent of attacks during 2011 were classified as ‘opportunistic’, where the victim is not pre-selected as a target. Victims are selected purely because they exhibit basic weaknesses that are easy to exploit. Over the last two months, the Verizon RISK team has been examining these types of attacks, looking at the source and characteristics of opportunistic attacks.

Most of the opportunistic attacks started after the miscreants scanned a few well-known ports. The most commonly scanned ports were: TCP port 3389, Microsoft’s Remote Desktop Protocol (RDP), MS SQL server (port 1433) and VNC for remote desktop, said the researchers.

Jay Jacobs, principal at Verizon’s RISK Team, said opportunistic hackers are looking for open network ports with default or easy-to-guess passwords. If these two conditions were met, then attackers either planted custom malware on compromised systems or used them to relay spam. The custom malware often contains key-logging software but is only occasionally derived from banking Trojan toolkits, such as Zeus.

The Verizon team also looked at the geographical location of attackers. Around 21 per cent of opportunistic attacks came from IP addresses in China. Chinese hackers prefer to go after remote access services such as RDP or MS SQL. The next most common source of attack traffic was the US (associated with 14 per cent of attacks). IP addresses originating from the US generally prefer to target spamming/proxy services like the TDSS Proxy or McAfee’s port 6515, the researchers said.

Other common sources of attack include the Russian Federation (8 per cent) and South Korea (4 per cent).

Jacobs said in some cases, Eastern European crooks might have been scanning for victims using compromised machines in China, so Verizon’s figures should only be taken as indicative rather than a precise breakdown of the actual physical location of opportunistic hackers. He said that a mix of different criminal hacking groups – from small to large and well organised – were involved in the attacks.

Most of the attacks are profit-orientated. Jacobs said that hacktivists such as Anonymous were generally interested in targeted attacks.

Opportunistic attackers use very simple techniques, looking for a single vulnerability across many hosts before moving on if they don’t immediately locate a problem (97.4 per cent of IP addresses that sent packets only checked one port). Hackers of this ilk latch onto the first target that is susceptible to the single style of attack they use. Opportunistic hackers typically use automated tools to carry out these scans, which produce a huge treasure trove of information which most hackers are ill-equipped to handle.

Jacobs said defending against this type of attack is not particularly difficult, even for small businesses. Keeping unnecessary services off the internet and ensuring that strong passwords are used throughout an organisation are probably enough to keep small businesses safe from opportunistic attacks. Since basic security controls and practices are enough to block opportunistic hackers, their victims are more likely to be small businesses without any security policies in place.
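As an added example (not Verizon’s code or data), the following Python applies the single-port-across-many-hosts pattern described above to a few constructed firewall log lines in an assumed syslog-like format, and reports which of the probed remote-access services the firewall actually let through, i.e. the exposed services the advice above says to take off the internet.

```python
import re
from collections import defaultdict

# Ports the Verizon RISK team saw scanned most often, per the article.
WATCHED_PORTS = {3389: "RDP", 1433: "MS SQL", 5900: "VNC"}

# Constructed firewall log lines in an assumed format; not real traffic.
SAMPLE_LOG = """\
2012-10-20T02:11:03Z fw1 DENY src=203.0.113.7 dst=198.51.100.10 dport=3389 proto=tcp
2012-10-20T02:11:04Z fw1 DENY src=203.0.113.7 dst=198.51.100.11 dport=3389 proto=tcp
2012-10-20T02:11:04Z fw1 DENY src=203.0.113.7 dst=198.51.100.12 dport=3389 proto=tcp
2012-10-20T02:11:05Z fw1 ALLOW src=203.0.113.7 dst=198.51.100.13 dport=3389 proto=tcp
2012-10-20T02:13:40Z fw1 DENY src=198.51.100.77 dst=198.51.100.10 dport=1433 proto=tcp
2012-10-20T02:13:41Z fw1 DENY src=198.51.100.77 dst=198.51.100.10 dport=3389 proto=tcp
2012-10-20T02:13:42Z fw1 DENY src=198.51.100.77 dst=198.51.100.10 dport=5900 proto=tcp
2012-10-20T02:15:00Z fw1 ALLOW src=192.0.2.9 dst=198.51.100.20 dport=443 proto=tcp
2012-10-20T02:15:01Z fw1 ALLOW src=192.0.2.9 dst=198.51.100.20 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=\S+$")

def parse(log_text):
    """Turn matching log lines into dicts; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def find_sweeps(events, min_hosts=3):
    """Return {src: finding} for sources that probe exactly one watched port
    across at least min_hosts distinct hosts, the opportunistic pattern the
    article describes. A multi-port probe of one host is not flagged here."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        ports = {e["dport"] for e in evs}
        hosts = {e["dst"] for e in evs}
        if len(ports) != 1 or len(hosts) < min_hosts:
            continue
        port = next(iter(ports))
        if port not in WATCHED_PORTS:
            continue
        # Hosts where the firewall let the probe through are the exposed
        # services a defender should review or remove from the internet.
        reached = sorted({e["dst"] for e in evs if e["action"] == "ALLOW"})
        findings[src] = {"service": WATCHED_PORTS[port], "port": port,
                         "hosts_probed": len(hosts), "reached": reached}
    return findings

if __name__ == "__main__":
    for src, f in find_sweeps(parse(SAMPLE_LOG)).items():
        print(f"{src}: {f['service']} sweep over {f['hosts_probed']} hosts, "
              f"reached {f['reached'] or 'nothing'}")
```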

“Opportunistic hackers are the internet equivalent of car thieves who walk through a parking lot trying car doors,” Jacobs said. “Although they might appear to be mundane, the impact of these financially motivated smash and grab attacks on victims can be catastrophic.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/24/opportunistic_hackers/

Hackers get 10 MONTHS to pwn victims with 0-days before world+dog finds out

Hackers exploit security vulnerabilities in software for 10 months on average before details of the holes surface in public, according to a new study.

Researchers from Symantec reckon that these zero-day attacks, so called because they are launched well before vendors are even aware of the vulnerabilities, are more prevalent and more potent than previously thought.

Zero-day exploits are often closely guarded secrets and can be very valuable to crooks – but once details of the exploited flaws emerge in public, developers and sysadmins can get to work to mitigate or halt the attacks. But this also tips off world+dog that these holes exist in systems.

Leyla Bilge and Tudor Dumitras, both of Symantec Research Labs, identified 18 zero-day attacks between 2008 and 2011, and 11 of them were previously undetected. “A typical zero-day attack lasts 312 days on average and that, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to five orders of magnitude,” the researchers note.

The study is based on data from customers who had opted into Symantec’s anti-virus telemetry service.

A paper [PDF] on the research – Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World – was presented at the ACM Conference on Computer and Communications Security in Raleigh, North Carolina last week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/24/zero_day_study/

Judge says PSN hack can’t spark class action

The notorious Sony PlayStation Network hack, which saw millions of accounts compromised in May 2011, doesn’t give grounds for a class action, according to a US judge.

The ruling, available from Courthouse News, dismisses most of the grounds for the lawsuit against Sony, which was first filed in June last year. The judge, Anthony Battaglia of the US District Court in Southern California, has given the plaintiffs until November 9 to decide whether they want to file an amended complaint.

However, as noted by Ars, the judgement seems to “gut” the main points of the complaint, based on the disclaimers present in the customer terms and conditions that covered the PSN service.

Sony only promised to take “reasonable measures” to protect its customers, the judge noted, and explicitly stated that the company couldn’t promise that customers would be immune from intrusion, stating: “there is no such thing as perfect security … we cannot ensure or warrant the security of any information transmitted to us”.

Moreover, the judge said, the plaintiffs could only seek an action for economic loss if they could demonstrate that they’d been defrauded in some way by Sony Network Entertainment.

The judge also dismissed the plaintiffs’ complaints under various consumer protection laws. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/23/psn_hack_lawsuit_dismissed/