STE WILLIAMS

Experts split over regulation for bounty-hunting bug sniffers

RSA Europe Security researchers attending the RSA Europe conference are split over regulating the controversial exploit vulnerability marketplace.

In recent years several vendors, including Google, Firefox and later Facebook and PayPal have offered bug bounties for security researchers who find flaws in their products or services.

Technology suppliers such as iDefense and HP TippingPoint ZDI (Zero Day Initiative) offer to act as middlemen between security researchers and vendors, paying between $500 and $20,000 for exclusive details.

Knowledge of these vulnerabilities allows HP TippingPoint to add detection for attacks against vulnerabilities that have yet to be publicly disclosed, giving its Intrusion Prevention System (IPS) appliances and similar kit an edge over the competition.

Other less well-known firms, such as Endgame Systems, sell information about vulnerabilities to clients such as the US Department of Defense. Sketchy details of its business only emerged as a result of the HBGary Federal hack by Anonymous in February 2011.

French outfit Vupen, meanwhile, thumbs its nose at the possibility of selling its security discoveries to Google, preferring to sell information to its customers.

Rapid growth

The exploit vulnerability marketplace appears to be growing at a rapid rate, partly driven by interest in the use of previously unknown security vulnerabilities to develop exploits for cyberweapons such as Stuxnet and Duqu.

Boldizsar Bencsath, assistant professor at the CrySyS Lab of the Budapest University of Technology and Economics, part of the team that first discovered Flame, told El Reg that the Microsoft 0day vulnerability used by the malware was probably discovered by independent security researchers.

They then sold their information on this vulnerability to the larger team developing the cyberespionage tool, which largely targeted victims in Iran.

“Finding vulnerabilities using reverse engineering is painstaking work requiring deep knowledge,” Bencsath told El Reg. “It’s quite possible, indeed likely, that the exploits were discovered by totally independent parties.” Bencsath said the main team developing the malware was, in his opinion, a state-sponsored group, which he said was likely backed by Israel and the US.

Security researcher Christopher Soghoian, who delivered a presentation about the exploit vulnerability marketplace at the recent Virus Bulletin conference, has likened the trade in exploits to a trade in weapons and raised the possibility of regulation.

“Politicians will inevitably get involved”

If vulnerabilities are sold in a completely open market then it’s possible that US researchers, for example, will supply the bullets in attacks later used by hostile intelligence agencies from Russia, China or even Iran to target US business and infrastructure. Governments in general will be able to outbid the likes of Google and Microsoft, the argument goes.

Governmental use of Trojans, exploits and hacking is growing and this might be directed at internal dissidents as well as external targets.

Dancho Danchev, a security researcher at the anti-malware firm Webroot, told El Reg that regulation on the sale of exploits was coming, although he wasn’t sure what form it would take. “Politicians will inevitably get involved,” he said.

Security researchers who discover a bug have a choice of informing a vendor directly (potentially getting a reward in the process), selling it to a middleman (such as TippingPoint’s ZDI) or auctioning it and selling it to the highest bidder.

Get rich and die trying

Greg Day, director of security strategy at Symantec, said that the volume of zero-day vulnerabilities was actually falling. “Security researchers should get a reward for discovering vulnerabilities but a black market for vulnerabilities is not the right long-term approach.

“Vulnerability researchers can adopt a ‘get rich and die trying approach’ but it doesn’t work in the longer term,” he added.

A senior member of the Jericho Forum, an independent group of IT security professionals, said that vendors such as Apple had to improve vulnerability reporting procedures. But he argued that a fringe element of security researchers would sell to black market sources, whatever incentives were given and however smooth the process of reporting was made.

Wolfgang Kandek, CTO at Qualys, said that proper incentives should be provided to “enable people to make a living from being white hats”. Kandek, unlike Danchev, disagreed that there was a need for government regulation on who could sell and buy vulnerabilities.

Separately, he said that successful attacks often used more than one vulnerability. As operating system security has improved, hackers have turned their attention towards vulnerable technologies such as Java, he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/11/exploit_vulnerability_marketplace/

Skype worm chats up victims

A worm that locks Windows PC users out of their computers unless they pay a $200 ransom is rapidly spreading via Skype.

Once it has secreted itself into a machine, the malware tricks further victims into installing it by using the Microsoft-owned VoIP software to send messages that read “lol is this your new profile pic?” The malicious missives, dispatched to the infected user’s contacts, include a shortened goo.gl link to a zip file hosted by Hotfile.com.

This archive contains an executable that, antivirus biz Sophos says, installs a variant of the Dorkbot worm and recruits the compromised machine into a botnet army.

Left to its own devices, the worm may switch to its ransomware mode, locking the punter out of his or her computer and informing them that all their files have been encrypted and will be deleted unless a $200 payoff is forthcoming.

Previous Skype scams have also spread through bogus links in the software’s instant messaging client.

Graham Cluley, a senior technology consultant at Sophos, added: “Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users.”

Trend Micro said some 400 computers were infected in the first 24 hours of the worm outbreak last Thursday. Skype said in a statement:

Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer.

The chat biz recommends users do not click on “strange or unexpected” links. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/11/skype_worm_ransomware/

Stick punters’ mugs on e-banking pages, that’ll end fraud

RSA Europe Cryptography guru Bruce Schneier called for more creative thinking and a broader perspective as a means to tackle security problems.

For example, the music industry, faced with an explosion in online file-sharing, hired security pros to develop anti-piracy measures, such as digital rights management technology. But these inconvenienced punters while doing little or nothing to stem copyright infringement. A better approach was making songs affordable and easy to buy, a model that has since lined Apple’s deep pockets.

“This [the latter approach] is not something a security person would think up,” Schneier said at the RSA Europe conference. “Security professionals would be too focused on building a better door lock.”

As another example, the ability to rate buyers and sellers on eBay and compare their reputations works well, generally speaking, but it’s something a security pro would be unlikely to conceive.

“Security professionals are just not trained to think up with this kind of technology,” Schneier said, adding that approaches needed to be “broadened rather than changed”.

He did highlight one piece of creative thinking from a security expert. Cambridge University’s Ross Anderson says banks could display a customer’s photo when someone is logged into that person’s online banking account.

“It then becomes a question of stealing from this person,” Schneier said. “It could reduce fraud.”

Criminals innovate to new technology quickly while police detectives “are still following techniques from Agatha Christie novels” and typically take at least five years to catch up.

During a keynote presentation at the security conference, Schneier reiterated arguments from his recent book Liars and Outliers, which draws on sociology, game theory and other disciplines to discuss security in the context of wider society. He said wider societal pressures such as morals and reputation play a greater role in, for example, deterring theft than elaborate security defences do.

“Security focuses on people who don’t end up stealing because they can’t pick the door lock,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/11/schneier_it_security_professionals_creative_thinking/

Sites can slurp browser history right out of Firefox 16

Plug promised today for leaky hole

A hole in Firefox 16 makes it possible for a malicious site to access a user’s browsing history, Mozilla security chief Michael Coates revealed in a blog yesterday.

Coates promised a patch today for the vulnerability in the latest version of the browser.

Mozilla 16 was released on Tuesday but pulled a day later because of the vulnerability, which would allow a hacker to suck out URLs from the browser history of a visitor to a malicious page.

There was no indication that the weakness was being exploited in the wild, Coates said. Users on Firefox 15 are unaffected.

Mozilla-users who don’t want to wait for the patch today can downgrade to Firefox 15.0.1 until the clean version of 16 is ready. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/11/snoop_hole_mozilla_firefox_16/

Parliamentary report details German police snoop-spend

Blogger Anna Roth has accused German police of monitoring Skype, Facebook chat and Google Mail, following an examination of expenditures by the country’s Ministry of Home Affairs.

In the wake of last year’s notorious discovery that police were using a Trojan to spy on criminal suspects – legal in limited cases, but according to the Chaos Computer Club, the code went far beyond its remit – the Bundestag released a parliamentary report, now translated into English (PDF), which gives rise to the new accusations.

As noted by ParityNews, buried in the 46-page report’s tables are some revealing items: contracts 486, for software to monitor Google Mail, MSN Mail and Yahoo! Mail; and contract 247, for Skype monitoring software.

DigiTask was also kept busy supplying and installing “capture units” (presumably surveillance appliances), often on a rental basis.

The contracts went to DigiTask, the company accused of developing the Trojan analysed last year by Chaos – the code of which was described as “amateurishly written” at the time. CCC’s analysis of the Trojan found that it installed backdoors and keyloggers on target machines.

Other gems include the supply of “clandestine radio equipment” by Phonak, Davis micro-cameras, and forensic software supplied by X-Ways Software.

Roth’s blog post is at Annalist, here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/11/german_police_snoop_spending/

PGP founder’s mobile privacy app goes live

Silent Circle, the secure mobile communications app backed by Phil Zimmermann, has gone live – offering protection from all but the most determined of government departments.

Silent Circle comprises a handful of iOS/Android/PC apps facilitating secure phone calls, text messaging and video calling, with secure email promised soon, all presented through an idiot-friendly interface aimed at corporate executives and international journalists rather than local freedom fighters who might find $20 a month a bit rich.

We discussed the product at length in June, and it hasn’t changed significantly since then. Communication between Silent Circle subscribers is entirely secure, while calls made outside the Circle are secured to the edge (which is in Canada or Switzerland) and then enter the unsecured public networks. Silent Circle is also registered outside the USA to avoid lawful-intercept requirements.

Cryptography itself is very rarely broken: publicly scrutinised algorithms such as those used by Silent Circle require enormous resources to crack, beyond the reach of all but the most determined government. Secure networks are generally broken through poor implementations or badly designed systems around the cryptography.

A good example is Cryptocat, a web-based tool for secure communications which was lauded by Wired and the Wall Street Journal before analysts started pointing out that storing keys on a web server is inherently risky, as one’s security is entirely dependent on the sanctity of that public-facing server.

Complete security is, of course, impossible, and given most of us couldn’t spot a Chinese remainder theorem if it hit us in the face, we’re required to place our trust in experts or the companies they endorse. Having been largely responsible for PGP, the crypto which got the US government so upset, Zimmermann is a brand most geeks will trust. Silent Circle will be hoping those geeks can convince their corporate colleagues that $20 a month is a small price to pay for secure communications. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/10/secure_circle/

RSA boss demands revamp of outdated privacy, security regs

RSA Europe Corporate security policies that simply adopt regulations and obsess over privacy are stuck in the last century, according to senior execs at security biz RSA.

Tom Heiser, president of the EMC-owned outfit, told delegates to the RSA Europe conference that efforts to comply with red tape and standards are fruitless, as the rules were formulated to thwart the adversaries of ten or more years ago.

“Security based only on compliance or risk makes little sense. Adversaries can read compliance rules just as well as information security professionals,” Heiser said.

He argued that “meeting compliance takes managers out of the loop”, and called for a revamp in rules such as the PCI DSS: the payment card industry’s data security standard.

Privacy rules also need to change, according to Heiser.

“We must find ways to share information while protecting the privacy of the citizen. Achieving a balance is critical to getting on an equal footing with our adversaries,” he said. “We need to share threat intelligence at machine speed.

“At the moment nation states and criminals have a much better framework for information sharing.”

A number of delegates at the conference saw no conflict between privacy and security. Questioned later on this point, RSA executive chairman Art Coviello conceded that privacy was a “cultural issue” while reiterating RSA’s view that privacy laws need to be revised to facilitate better information sharing.

“ID cards are standard in Europe but would be considered a gross invasion of privacy in the US. On the other hand US citizens have no problem giving personal information to large companies,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/10/rsa_keynote/

Microsoft to devs: Bug users about security … now!

Microsoft has revealed the guidelines it gives its own developers to help them decide when users need a rude reminder to stop putting themselves at risk of security problems.

Redmond’s rules boil down to being neat and spruce, but the two adjectives are acronyms rather than items in a dress code. NEAT stands for the following:

  • Necessary: A warning should only interrupt a user if it is absolutely necessary to involve the user. Sometimes, a system can automatically take a safe course of action without interrupting the user. Sometimes, a security decision can be deferred to a later point in time.
  • Explained: If it is actually necessary to interrupt the user with a security warning, the warning should explain the decision the user needs to make and provide the user with all the information necessary to enable them to make a good decision. Since the Explained part of NEAT is perhaps the most important, we devised another acronym, SPRUCE (see below), to help engineers remember what information to provide in a security warning.
  • Actionable: A security warning should only be presented to the user if there is a set of steps the user could realistically take to make the right decision in all scenarios, both benign (where there is no attack present) and malicious (where an attack is present).
  • Tested: Security warnings should be tested by all means available, including visual inspection by many eyes and formal usability testing.

SPRUCE stands for:

  • Source
  • Process
  • Risk
  • Unique
  • Choices
  • Evidence

SPRUCE’s tenets are visible in the graphic below, which is one of two helpful mini-posters Microsoft has made available (PDF) for you to print and pin into your cubicle.

Microsoft’s SPRUCE secure development methodology spelled out

Both NEAT and SPRUCE are explained in detail in a document (DOCX) that also outlines the thinking behind their creation.

Among those thoughts is the revelation that Microsoft convened a committee to cook up guidelines on when to inform users about security issues. That effort, the document explains, “… produced a paper that captured a consensus view of the most important aspects of knowledge [and] … consisted of 24 pages, with 68 items of advice arranged into a hierarchy 3 levels deep.”

Redmond’s boffins quickly realised this was impractical, because:

“Microsoft engineers do not have time in their day to read 24 pages and 68 bullet points about usable security. The list of concerns for a Microsoft engineer is long … but usable security is only a tiny slice of usability (most of a product’s user experience has nothing to do with security) and a tiny slice of security (security includes both the development of security-related features and product-wide activities like threat modeling and penetration testing). Time for usable security is thus very limited.”

NEAT and SPRUCE are therefore watered-down versions of the best practices Microsoft’s security and UI thinkers put into the topic, rather than the source material.

The document says, however, that the simplified guidance on offer has proved powerful, with the mnemonics NEAT and SPRUCE representing “a great first step in helping engineers deliver more usable security.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/10/microsoft_neat_and_spruce_security_guidelines/

Iran says its infosec defences foiled oil hack

Iran is claiming to have successfully deflected yet another large scale cyber attack on critical infrastructure in the country, this time targeted at its offshore oil installations.

A brief report on the Iranian Students’ News Agency site on Monday seemed to accuse Israel and China of being behind an attack on the National Iranian Offshore Oil Company (NIOOC), a subsidiary of the state-owned National Iranian Oil Company.

However, a more comprehensive version of events, reported by Fars News Agency, fingers Israel as the sole perpetrator, routing the attack through various IP addresses including some in China.

The NIOOC’s IT boss Mohammad Reza Golshani explained that the attack was foiled thanks to its practice of separating internet and intranet-based machines.

No infrastructure damage or data loss resulted from the attack, although incoming phone calls to the oil platforms were barred at one stage, Golshani claimed.

The incident is yet another example of the increasing pressure on Iranian critical infrastructure organisations. Iran insists that pressure is a result of state-sponsored attackers.

Back in April, authorities were forced to disconnect key oil facilities after a data-deleting virus was discovered on computers at a key oil export terminal in the Persian Gulf.

In June, the Iranian government said it had uncovered a massive planned cyber attack on its nuclear facilities in the aftermath of failed international talks focusing on the repressive Islamic republic’s nuclear programme.

The incident sparked memories of the infamous Stuxnet attack discovered in 2010 which is thought to have been launched by the US and Israel in a sophisticated attempt to sabotage said programme. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/10/iran_oil_cyber_attack_foiled/

Kernel crimps make Windows 8 a hacker hassle

Windows 8 will make hackers’ lives hard, says Windows internals expert, security researcher and co-author of Apple’s iOS and the open source Windows XP clone ReactOS, Alex Ionescu.

Now chief architect at CrowdStrike, a security company focused on nation-state adversaries, Ionescu says Windows 8 builds on the usermode exploit mitigations introduced in Windows Vista and 7 with new approaches to security that attempt to mitigate kernel mode attacks.

Ionescu will outline those new defences at the Ruxcon Breakpoint security conference in Melbourne, Australia, next week.

He’ll tell the audience that many pathways to exploitation will be sealed off in the latest Windows release. “As usermode’s been getting tighter and tighter to attack and as in the Windows case more and more services have been moved to the kernel, it’s become quite a target … and the rewards are quite great,” Ionescu says. “It’ll be interesting to see how attackers deal with the new landscape [after the release of Windows 8].”

That Windows will be targeted is hard to doubt, given that in the past hackers have treated security in Microsoft’s flagship as an unmitigated joke. Writing exploits for Windows XP was extremely easy and the resulting boom in malware affecting Windows users was unprecedented. But companies like Microsoft and Adobe have made significant headway in recent years by introducing exploit mitigations to their products.

That’s not to say the vulnerabilities have all gone away, but features like application sandboxing, Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) make them difficult to exploit.

Microsoft’s efforts started taking shape around 2004, when Service Pack 2 for Windows XP was released. It introduced a basic firewall to the operating system and pestered users into installing anti-virus software and opting for automatic OS updates.

Next came Vista with its much-loathed UAC feature and some basic memory mitigations like DEP and ASLR, with those features tweaked and carried over into Windows 7. All of a sudden, exploiting bugs on current-generation Windows became significantly harder and the number of usable exploits dropped off. The deluge, today, looks more like a trickle.

Ionescu cites the failure of highly-skilled exploit writers to successfully trigger a known, critical vulnerability in Microsoft’s Remote Desktop Protocol (RDP) on the Windows 7 operating system this August as a sign of real progress. “We had 90 people in an IRC channel, some of the best exploit writers, and the most we got was a denial of service attack,” he says. “No one actually found a way to exploit that bug and get code execution out of it, and I think Windows 8 will make those kinds of things even harder.”

“With Windows 8 they’ve definitely raised the bar and added a laundry list of mitigations and protections and additional security around things that make it honestly a lot harder,” he says.

There are further improvements to usermode security, as well, Ionescu says. Applications designed in the Windows 8 Metro language will be sandboxed in similar ways to mobile applications on Apple’s iOS and Google’s Android operating system.

“Every (Metro) application runs kind of in its own virtual account, its own files, its own registry settings, its own named objects and it’s isolated from all the other objects, files and registry keys that other applications might have [access to],” he says.

There’s also support for Early Launch Anti-Malware (ELAM) drivers. “They’ll load their drivers before their AV driver comes up and by this time the system is already rootkitted, it’s already owned… what ELAM does is say ‘let’s have a special category of drivers that we can guarantee loads before any other Windows driver’.”

Some clever hardware crypto features — Trusted Platform Modules (TPM) — will also allow users’ hardware to ensure the Windows kernel hasn’t been tampered with before it’s loaded into memory.

At a stretch it’s possible the biggest security risk to users of Windows 8 will be their own behaviour and not the drive-by download attacks of the last three to four years, Ionescu says.

“Novice users, the way they get attacked is not through advanced exploits… they get a flash banner ad that tells them ‘download this and run it’ and they just go ahead and download and run it. That takes more than mitigations to prevent,” he says. “A well versed person who understands the risks of browsing the Internet and doesn’t just run random stuff… they should now feel a lot safer if they’re using Windows 8 I think.”

Regardless of all the mitigations, disastrous exploits affecting Windows 7 still surface from time to time, and that will no doubt continue with Windows 8. Windows 7 users, for example, were not immune to last month’s Internet Explorer bug, or this flaw in Oracle’s Java software.

The difference today is exploits affecting the current generation of Windows are considered newsworthy. That’s progress. ®

Bootnote

Patrick Gray’s Risky Business podcast will bring Reg readers special coverage of the Ruxcon Breakpoint conference. To get a taste of what will be on offer, click here to hear Patrick’s full interview with Alex Ionescu.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/10/09/windws_8_hacker_hassle/