STE WILLIAMS

Facebook offers just a week of free Android AV

Facebook has extended its security program, adding another seven vendors to the list of folks offering free anti-virus software through its AV Marketplace and also including Android security products for the first time.

But one of the Android malware zappers, McAfee’s Mobile Security, is free for just seven days, a far shorter period of time than is offered with many other trial anti-virus products.

Facebook launched the AV Marketplace back in April, saying at the time that it did so in order to educate the world and help its users stay safe online. The Social Network has not disclosed how its partnerships on the marketplace work, but says “over 30 million” folks have used the service since launch.

That the program has now been expanded to include avast!, AVG, Avira, Kaspersky, Panda, Total Defense, and Webroot shows it’s proving beneficial to Facebook (and maybe lucrative, as such arrangements are said to see software companies pay those who distribute their wares). The new six now offer free software at the Marketplace alongside launch partners Microsoft, McAfee, TrendMicro, Sophos and Symantec.

Facebook hasn’t said why it chose this moment to add Android products to the Marketplace, but it is not alone in expressing worries about Android security. The USA’s Internet Crime Complaint Center (IC3), for example, last week emitted a warning about malware on the Chocolate Factory’s OS spawn.

The warning was, however, a little odd inasmuch as it mentioned FinFisher (which first came to light in November 2011) and Loozfon (August 2012).

Norton is the other source of free Android AV on the Marketplace. Its product is timeless. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/17/facebook_extends_av_marketplace/

Apple supplier AU Optronics suffers IP theft blow

Two former execs from Taiwanese flat panel-maker and Apple supplier AU Optronics have been arrested on suspicion of carrying out industrial espionage for their new employer, Chinese electronics firm TCL.

The two – surnamed Lien and Wang – were pulled in for questioning by the Taiwanese Bureau of Investigation last month, according to AFP.

The pair are suspected of stealing IP relating to AU’s AMOLED technology before being hired by TCL unit Star Optoelectronics Technology, where they were apparently being paid an annual salary in excess of US$1 million.

Before the move, Lien was in charge of AU Optronics’ display tech development centre while Wang was a research unit manager.

“The illegal leak of the cutting-edge technology has undermined Taiwan’s competitive edge in the flat-panel industry and severely betrayed the national interest,” said the Bureau in a statement obtained by AFP.

The two have apparently been released and now await further questioning by prosecutors.

AU Optronics is widely believed to be supplying Apple with display technology for its much anticipated iPad Mini tablet, along with Korean rival LG Display.

Chinese firms are often blamed for cyber espionage, most notably the decade-long hack of telecoms kit maker Nortel, but a more straightforward trade in IP by the corrupt and/or misguided seems to be as big a threat to firms.

Just last month a Chinese man went on trial in the US accused of exporting defence related data to his homeland and possessing stolen trade secrets, while US military contractor United Technologies was hit with a $75m fine after confessing to over 500 export violations.

The problem is particularly pronounced for Taiwanese businesses, which often operate on the mainland, making it easier for rival local firms to steal trade secrets.

A year ago, AU Optronics, TSMC and other tech firms urged Taiwanese president Ma Ying-jeou to push for a new law explicitly penalising industrial espionage. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/16/au_optronics_indsutrial_espoinage_apple/

Pacemakers, defibrillators open to attack

Pacemakers and implanted defibrillators are vulnerable to wireless attacks that could kill tens of thousands, says the security researcher best known for “jackpotting” an ATM on stage at the BlackHat security conference in Las Vegas in 2010.

The researcher in question, Barnaby Jack, today told the Ruxcon Breakpoint security conference in Melbourne, Australia that “the most obvious scenario would be a targeted attack against a high profile individual.”

Jack also warned of a worst-case scenario “worm with the ability to commit mass murder”.

Such devices are accessible through a wireless interface designed to deliver telemetry and allow maintenance. But Jack, who works for US-based security company IOActive, has subverted security in that interface and showed delegates a video demonstration of a wireless attack against an Implantable Cardioverter-Defibrillator (ICD). “There’s 830 volts going into the heart there, which is a bummer,” he said as an audible zap played over the conference audio system.

The attacks work at a range of up to 50 feet.

Perhaps most alarmingly, Jack said it is possible to create a worm that could spread from patient to patient, re-flashing the devices with malicious code. This code could be programmed to deliver fatal shocks to patients with vulnerable implants at a scheduled time.

Hacking the devices was too easy, Jack says. “There’s no attempt to obfuscate or hide anything from a would-be attacker”.

The key problem is that the devices rely solely on their serial and device numbers for authentication. Unfortunately it’s trivial to enumerate these numbers wirelessly, authenticate to the device and reprogram it with malicious code.

In addition to his much-publicised attacks against ATMs, Jack recently made headlines when he reverse engineered and exploited insulin pumps, but the issues identified in his latest research are grave; millions of people worldwide rely on pacemakers and ICDs.

Jack says medical device manufacturers should be held liable for vulnerabilities in their products. “I 100% agree that they should be held liable… removing liability from the manufacturers is ridiculous. It allows them to write shoddy code and have no consequences from it,” he says.

In the meantime, he recommends a complete redesign of the devices’ security model, starting with the introduction of encrypted communications between devices and transmitters and a “reasonable” authentication scheme.

Jack did not identify affected vendors and says he hopes to work with them to improve the devices’ security. ®

Patrick Gray’s Risky Business podcast will bring Reg readers special coverage of the Ruxcon Breakpoint conference.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/17/pacemakers_open_to_wireless_attack/

Steam spawns vulnerabilities, say researchers

A new security research outfit called ReVuln has presented its letter of introduction to the world in the form of a paper that analyses how the Steam protocol can expose gamers to attacks.

In this document (PDF), the company analyses what happens when a URL using the protocol steam:// is redirected. Of the major browsers, Internet Explorer and Chrome present warnings (Chrome being the most detailed, describing the program the redirect is trying to call); Opera presents a warning but only shows the first 40 characters of the URL being called; Firefox requests a confirmation but doesn’t show the URL; and Safari will directly execute the program without warnings.

RealPlayer is also vulnerable to external calls using crafted URLs, write the company’s Luigi Auriemma and Donato Ferrante.

Steam’s own browser executes the software referenced by an external URL call without warnings. However, they note, it’s limited to Valve-owned domains (like steampowered.com).

One proof-of-concept demonstrated in the paper is the use of the Steam reinstall feature, an undocumented feature for installing backups from a local directory. This has a splash image processor which, the paper says, has an integer overflow vulnerability that “may allow executing malicious code on the Steam process.”

Other undocumented features in Steam include command-line parameters in the Source engine (used by games such as Half-Life and CounterStrike), callable from a URL and also vulnerable; and integer overflow vulnerabilities in the Unreal engine.

These and other vulnerabilities are detailed in the video below:

Users can disable the steam:// protocol in their browser, but a complete fix will depend on Valve, the researchers state. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/17/steam_revuln_analysis/

Santander downplays risk of ‘personal data-stuffed’ cookies

The Spanish banking giant Santander has downplayed growing concerns over its alleged inclusion of “sensitive data” in its cookies.

The bank did not deny including personal data in cookies.

In a post on widely read security mailing list Full Disclosure, an anonymous contributor details a number of alleged problems on Santander UK’s consumer eBanking site.

He claims that Santander online banking “unnecessarily stores sensitive information within cookies”. Depending on which areas of online banking the customer uses, he claims this data allegedly includes the user’s name, PAN (credit card number), bank account number and sort code, Alias and UserID.

“Of particular concern is the full PAN, which PCI DSS states should be rendered unreadable anywhere it is stored,” the whistleblower stated.

He adds that he had gone public after experiencing problems getting the bank to pay attention to (now fixed) cross-site scripting problems he had previously unearthed on its website.

The source alleges that Santander is violating its own cookie policy, which states that session cookies “do not contain personal information, and cannot be used to identify you” as well as the credit card industry’s PCI DSS regulations (PDF).

Santander issued a statement strongly denying allegations that anything was amiss. It said that data stored in its cookies posed no risk to account security.

The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data.

We review the use of our cookies and the data contained within them, and if necessary will review the IDs used by our customers to limit any future risks.

We take the security of our customer data very seriously. Customers can change their IDs at any time themselves and are reminded not to use the ‘remember me’ function on public or shared computers.

The Full Disclosure critic argues that Santander’s handling of cookies does pose a risk, in cases where customers fail to close their browser after an e-banking session. “Additionally, whilst the cookies expire at the end of a session, they are not overwritten on logout,” he explains. “This means any user who does not close their browser, even if they log out correctly, will still have these cookies present until they close their browser, [t]hus increasing the window for exposure.”

In the UK, Santander is the third biggest bank and a major provider of mortgages, with a combined total of more than 25 million British customers. The Full Disclosure posting was brought to our attention by three Reg readers who described it as unverified but potentially noteworthy. ®
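One defender-side check that the posting’s two complaints suggest (a readable PAN stored in a cookie, and session cookies left in place after logout), added here as an example that is not from the Full Disclosure poster, Santander or The Register: scan a request Cookie header for Luhn-valid card numbers, and build the logout Set-Cookie headers that overwrite them. All cookie names and values below are constructed.

```python
import re

# Constructed sample Cookie header in the shape the Full Disclosure post describes:
# session id, customer name, account number, sort code, full PAN and alias.
# The PAN is the well-known 4111... test number, not a real card.
SAMPLE_COOKIE_HEADER = (
    "JSESSIONID=abc123; CUSTNAME=J%20Smith; ACCT=12345678; "
    "SORTCODE=12-34-56; PAN=4111111111111111; ALIAS=jsmith"
)

# A PAN candidate is 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def parse_cookie_header(cookie_header: str) -> dict:
    """Split a request Cookie header into {name: value} (surrounding quotes stripped)."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip().strip('"')
    return cookies


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by card PANs; it filters out account numbers
    and other digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans_in_cookies(cookie_header: str) -> dict:
    """Return {cookie_name: masked_pan} for every cookie carrying a Luhn-valid PAN.

    Only the last four digits are kept, so the finding can be logged without
    the log itself storing a readable PAN (the PCI DSS point the post raises).
    """
    hits = {}
    for name, value in parse_cookie_header(cookie_header).items():
        for m in _PAN_CANDIDATE.finditer(value):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits[name] = "*" * (len(digits) - 4) + digits[-4:]
                break
    return hits


def logout_set_cookie_headers(cookie_names, path: str = "/") -> list:
    """Set-Cookie headers a logout handler should emit so the browser discards
    each named cookie immediately (Max-Age=0), instead of keeping a session
    cookie until the window is closed, which is the exposure window the post
    describes."""
    return [
        f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
        f"Path={path}; Secure; HttpOnly"
        for name in cookie_names
    ]


if __name__ == "__main__":
    found = find_pans_in_cookies(SAMPLE_COOKIE_HEADER)
    print("cookies carrying a PAN:", found)
    for header in logout_set_cookie_headers(found):
        print("Set-Cookie:", header)
```

The eight-digit account number and the sort code in the sample are not flagged, because the Luhn check rejects them; only the cookie holding the card number is reported.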

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/16/santander_cookie_risk/

Kaspersky Lab to create new OS ‘to save the world’

Kaspersky Lab, the Russian security firm that has garnered headlines with its research into Stuxnet, Flame, Duqu, Gauss, and other sophisticated malware, says it is working on a new operating system designed specifically to shield against attacks by cyber-weapons.

The as-yet unnamed OS – internally it’s known only as “11.11” because the project was launched on November 11 – is intended to protect industrial control systems (ICS) of the type used in manufacturing and infrastructure from attacks like the one that sabotaged Iranian nuclear facilities in 2010.

In a blog post on Tuesday, the ebullient Eugene Kaspersky, chair and CEO of Kaspersky Lab, compares his company’s efforts to those of John McClane, the hero policeman played by Bruce Willis in the Die Hard films.

“Alas, John McClane isn’t around to solve the problem of vulnerable industrial systems, and even if he were – his usual methods of choice wouldn’t work,” Kaspersky writes. “So it comes down to KL to save the world, naturally!”

He’s only half joking. A paper describing Kaspersky Lab’s new OS explains that the types of ICS it aims to protect include those used to operate power stations, reservoirs, electricity grids, pipelines, transportation systems, and telecommunications networks. Should any of these fail due to cyber-attacks, the paper suggests, “chaos and catastrophe could well follow.”

According to Kaspersky, the problem is that historically, neither the developers of ICS nor the companies and governments that have implemented them have paid enough attention to security. Most have relied on the fact that information about how their systems operate is not widely available (“security through obscurity”) and that their ICS networks are not directly connected to the public internet (“air gap”). But as Kaspersky points out, neither of these protections was sufficient to block the Stuxnet attack in Iran.

Furthermore, Kaspersky says, even when vulnerabilities are discovered in ICS software, existing implementations frequently go unpatched because operators are often reluctant to apply any software updates. The risk of interrupted production due to system downtime is deemed greater than the security risk.

“Ideally, all ICS software would need to be rewritten, incorporating all the security technologies available and taking into account the new realities of cyber-attacks,” Kaspersky writes. “Alas, such a colossal effort coupled with the huge investments that would be required in testing and fine-tuning would still not guarantee sufficiently stable operation of systems.”

No defects, no third-party code

The alternative, he says, is to build in security at the lowest operating levels, which is the goal of Kaspersky Lab’s OS project. The new OS aims to create a fully secure operating environment into which existing ICS software can be installed, where it can run with the assurance that any defects in its code cannot be exploited by outside programs.

Details on just how this can be accomplished remain vague. Kaspersky says his company is working closely with ICS vendors and customers to develop the OS, and that details of that collaboration must remain confidential. Other aspects of the project he’s just not sharing.

In a nutshell, however, Kaspersky says that for an ICS to be considered secure, the data obtained from operation/process management systems must be guaranteed to be accurate and reliable, so that operators can take control of processes when disaster might be looming.

To achieve this, Kaspersky says his company is building an OS environment that will contain absolutely zero defects or vulnerabilities in the OS kernel and that will make running unauthorized, outside code “a categorical impossibility.”

The new OS will not be based on Linux or any other existing platform. To retain a degree of security through obscurity, Kaspersky says it will be written entirely from scratch. The number of lines of code in the kernel will also be kept to an absolute minimum to reduce the likelihood of defects.

While this may sound like a tall order, Kaspersky says it’s possible because of the narrow focus of his company’s efforts. The OS Kaspersky Lab is developing is intended strictly for running ICS components and no other purpose. It won’t run games, media players, web browsers, or any other class of general-purpose software.

Even then, Kaspersky recognizes that building the OS he envisions will be “very difficult and will take a lot of time.” He says Kaspersky Lab has, in fact, already spent ten years on the problem, and he gave no timeline as to when the finished, working OS might appear.

Still, he says, the problem of state-sponsored malware such as Duqu, Flame, and Gauss is one that must be addressed, and neither current operating systems nor ICS software are sufficient to contain it.

“And it doesn’t really matter who’s being targeted at present; what matters is that such cyber-weapons are being developed and deployed at all,” Kaspersky writes. “And once Pandora’s Box is open, there’s no way of getting it closed again. The building up of armaments for attacks on the industrial systems and infrastructure of enemies sooner or later will affect us all.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/16/kaspersky_os_announced/

Mini-Me, stop humping the laser: Littler Flame cyber-spy tool found

Kaspersky Lab has discovered a cut-down version of the infamous Flame cyber-espionage weapon.

MiniFlame, like its big brother, is also an information-slurper well suited to cyber-spying. The malware, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and originally labelled as a Flame module.

Two months of subsequent analysis of Flame’s command and control (C&C) servers revealed that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or as a plug-in for both Flame and Gauss. The dual use of miniFlame as a plug-in provides another piece of evidence that the creators of Flame and Gauss, another cyber-spying utility, worked together.

All these advanced threats come from the same “cyber warfare” factory, the Russian anti-virus firm concludes.

At least six versions of miniFlame were created between 2010 and 2011, with some variants still being active in the wild. Development of the malware may have started as early as 2007.

MiniFlame operates as a backdoor designed for data theft and direct access to infected systems. The number of infections related to miniFlame is much smaller than the volume attributable to either Flame or Gauss. Kaspersky Lab estimates miniFlame racked up just 50 to 60 infections worldwide. Experts at CERT-Bund/BSI helped Kaspersky Lab researchers in their investigation.

“The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss,” Kaspersky Lab researchers conclude.

The original infection vector of miniFlame is yet to be determined. Once installed, miniFlame creates a backdoor that allows any file to be extracted from a compromised machine. The malware is also capable of making screenshots on infected PCs.

miniFlame uploads stolen data to its C&C server (which may be unique, or ‘shared’ with Flame’s C&Cs). Commands from its control servers allow miniFlame to gain access to a module which “infects USB drives and uses them to store data that’s collected from infected machines without an internet connection”.

Alexander Gostev, chief security expert, Kaspersky Lab, commented: “miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss.”

Additional details about miniFlame can be found in the blog post here and in a report here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/16/miniflame/

CAPTCHA-busting service relies on CAPTCHA to block bots

An automated CAPTCHA circumvention service has decided to use CAPTCHAs to restrict access to its own contact us services.

It’s unclear whether or not it’s possible to use bypasscaptcha.com to, err, bypass the CAPTCHA on bypasscaptcha.com’s “contact us” page. The automated CAPTCHA solving service is likely to be of interest primarily to those who want to sign up to online forums and set up webmail accounts in preparation for spam runs, or other similar malfeasance.

Asked directly whether it was in the pay of spammers (like most other CAPTCHA-busting services), bypasscaptcha.com quickly responded:

“Sorry that we can not tell you who our customers are.”

Bypasscaptcha.com’s front page explains that “we hire workers to work on our project not only to make money for ourselves, but also to make our workers live better with much better salary than other local workers without any special skills.”

Which is a nice way of saying we’re paying poor folk overseas a pittance to decipher the letters in jumbled up images hundreds of times a day in hi-tech sweat-shops … but it’s better than picking over rubbish dumps.

An advert for the service on ProgrammableWeb explains:

“The service operates through the Bypass CAPTCHA API which can be implemented in third-party software.”

It’s unclear who’s behind the service, which was brought to our attention by Reg reader Christopher P.

“They cannot be English, what with their absolute failure to understand irony,” Christopher notes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/16/captcha_busting_irony_fail/

Manchester plods cop £120k fine for USB-stick-inna-wallet data gaffe

The Greater Manchester Police Force have paid a £120,000 fine after losing the details of more than a thousand people under investigation for serious drugs crime.

The personal details were kept on an unencrypted memory stick with no password protection, belonging to an officer with the Serious Crime Division team. Kept in the officer’s wallet, it went AWOL in July 2011 after the wallet was swiped from his kitchen table when his home was burgled.

It contained the details of 1,075 people who had been investigated by the drugs squad over the past 11 years.

The weight of the fine from the Information Commissioner’s Office reflects endemic data security problems that the ICO found in the Manchester police force: officers regularly used unencrypted USB sticks and there were few checks on what data could be downloaded and taken out of the office.

A similar security breach in September 2010 had prompted no change in culture, the ICO said. In 2010 a businessman found a mislaid Greater Manchester Police branded memory stick that contained sensitive anti-terrorism materials.

And officers were still not sufficiently trained in data security, the ICO found.

An unencrypted-stick amnesty run by the force’s data controller after the breach recovered a haul of 1,100 devices.

David Smith, ICO Director of Data Protection, said:

This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine.

It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/16/manchester_police_fine_memory_stick/

Chinese arrest 9,000 cyber-crims

Chinese police have smashed over 700 cyber crime gangs and arrested nearly 9,000 alleged criminals.

The Ministry of Public Security – or police force, to you and me – announced confidently that it had cracked 4,400 criminal cases in its bid to “earnestly safeguard the legitimate rights and interests of the masses of the people, to purify the internet environment”.

The efforts to crack down on internet fraud, hacking, trafficking counterfeit goods, firearms and online porn are a continuation of a campaign begun back in March that has already led to thousands of separate arrests.

The MPS also trumpeted its successful smashing of what it claimed to be the country’s first illegal “internet PR network” – basically an operation offering to delete negative user-generated content for firms.

The gang – which made in excess of 10 million yuan (£992,000) – would apparently also try to extort money from businesses by threatening to actively post negative comments about them if they didn’t pay up.

The problem of post deletion is thought to be endemic in China, to the point where web giant Baidu was recently forced to sack four employees arrested on suspicion of accepting bribes in return for removing user-generated content on the popular Baidu Tieba site.

Whether the arrests will be good news for an international community beset by attacks supposedly originating in China remains to be seen.

China almost certainly has a very considerable cyber crime problem as highlighted by a recent report from the US, but it’s unclear whether these arrests are more likely to have impacted financially motivated gangs preoccupied with targets inside China rather than stealing data from abroad.

To the sceptical observer there may also appear to be – as is always the case with these announcements – an ulterior motive to the police crackdown on cyber crime, namely finding a pretext to censor those critical of the government.

To this end, the police statement reveals that 1.88 million ‘harmful’ messages were deleted and 3,500 sites were shuttered as part of the campaign, with little else by way of explanation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/16/china_police_arrest_thousands_online_crime/