STE WILLIAMS

Invisible Things Lab (ITL), a group of security researchers based in Warsaw, Poland, has announced Qubes 1.0, the first production release of a new desktop operating system designed to provide unprecedented security through the pervasive use of virtualization.

“Unfortunately, contrary to common belief, there are no general purpose, desktop OSes, that would be formally proven to be secure,” ITL founder and CEO Joanna Rutkowska wrote in a blog post announcing the release on Monday. “At the very best,” she said, “there are some parts that are formally verified, such as some microkernels, but not whole OSes.”

To help rectify that situation, Rutkowska and her team built Qubes, an OS that uses virtual machines (VMs) to isolate sensitive applications and their data from parts of the system that may be vulnerable to compromise.

Qubes wasn’t written from scratch, but instead draws upon existing open source components, although it uses them in new ways. At its heart is the Xen hypervisor, which it uses to create and manage the various VMs that form its security model.

In Qubes, users can create as many VMs – also known as domains – as they want, and assign them varying security levels based on the sensitivity of the applications and data they will be using in them. For example, one user might decide to create “home”, “work”, “banking”, and “shopping” domains, each shielded from the others and each with its own security policies.

Below all of these application domains, Qubes maintains a separate administrative domain that provides a common GUI for all of the running applications. No matter which domains the various applications might be running under, they can all share the desktop on the same screen, and share the same input devices.

A Qubes desktop running VMs at various security levels marked green, yellow, and red (click to enlarge)

That doesn’t mean they can share data, however. The user has ultimate control over which files and other data can pass between which domains. Even operations as simple as cut-and-paste between domains aren’t allowed without explicit user approval.

Qubes can also enforce network policies for each domain, both to prevent unwanted network activity by malware and to block commonplace user mistakes. For example, a user might configure Qubes so that only a web browser running in the banking domain can access online banking sites, while browsers running in other domains are blocked from those sites.

Qubes can even create “disposable VMs” for one-time actions that could compromise security even though they would ordinarily be allowed. For example, a user could choose to open a PDF file from a suspicious source in a disposable VM, minimizing the potential damage it could cause if the file contained exploit code.

Rutkowska cautions that, particularly in this early phase, Qubes shouldn’t be considered a “safe” OS, but rather a “reasonably secure” one. That’s because despite all of the layers of security built into the Qubes security model, the security it provides is not automatic. Instead, it relies on the user to make decisions, which Rutkowska admits won’t be the right approach for everyone.

“This provides for great flexibility for more advanced users,” she writes, “but the price to pay is that Qubes OS requires some skills and thinking to actually make the user’s data more secure.”

Rutkowska also warns that there may yet be bugs in the Qubes code that could be used to compromise its security model. She should know. In 2006, she made a name for herself in the security community by creating Blue Pill, a rootkit based on the hardware virtualization support features found in modern AMD and Intel processors.

Users who would like to try out the new OS can do so by downloading an ISO and following the instructions on the Qubes website. For those who would like to try to crack Qubes’ security, on the other hand, Rutkowska says bring it on. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/qubes_secure_os_released/

Labor Day ended with a bang at the Dell headquarters in Round Rock, Texas, after an unidentified shooter fired a number of rounds though its windows.

At least three shots were fired at Building Seven on the Dell campus at 9:30pm on Monday night, with the first floor windows of a breakout room falling victim to some senseless shooter. Local police lofted a chopper to try and flush out the varmint, but have had no luck in apprehending him – and, yes, odds are it’s a him, not a her.

A company spokesman explained to El Reg that an unknown nubmer of shots were fired at the building, which was occupied by some of Dell’s 24-hour support staff. At least three windows had been broken in the salvo of shots, but that no one on the site had been injured. Two buildings were briefly sealed and searched to make sure there were no trespassers.

“Thankfully there were no injuries,” he said. “The local polcie were here in minutes and did a thorough check of the grounds, then we all got back to work.”

A witness to the shooting reported that an unidentified person was seen pedaling around the Dell campus on a bicycle with a gun visible. The pedaling pistolero wasn’t arrested at the scene and hasn’t been positively linked to the shooting.

Some might think that this is just part and parcel of doing business in Texas. After all, the state is notoriously free and easy with firearm ownership, although it has only slightly higher rate of gun deaths per 100,000 that the US average, which is 10.2 unfortunates per year. Do remember, however, that Dell’s HQ is in Round Rock, which is part of the Texan progressive reservation of Austin – it’s not so much the stomping grounds of trigger-happy good ol’ boys as it is of latte-sippin’ lib’ruls.

More likely it was someone just saying a reckless, rowdy goodbye to one of the few holiday weekends in the US calendar. Either that or a disgruntled engineer from Microsoft’s Surface project got peeved at Michael Dell slagging of Redmond’s tablet ambitions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/dell_shooting/

Bitcoin exchange Bitfloor has suspended its operations while it tries to figure out who pinched 24,000 units of the virtual currency by accessing an unencrypted backup and using information it contained to transfer 24,000 BTC to destinations unknown.

In a post on the Bitcoin Forum, Bitfloor founder Roman Shtylman said he has shut down the Exchange because:

“Last night, a few of our servers were compromised. As a result, the attacker gained accesses to an unencrypted backup of the wallet keys (the actual keys live in an encrypted area). Using these keys they were able to transfer the coins. This attack took the vast majority of the coins BitFloor was holding on hand. As a result, I have paused all exchange operations. Even tho only a small majority of the coins are ever in use at any time, I felt it inappropriate to continue operating not having the capability to cover all account balances for BTC at the time.”

The good news is that Shtylman also says “I still have all of the logs for accounts, trades, transfers. I know exactly how much each user currently has in their account for both USD and BTC. No records were lost in this attack.” Bank account records “And all records for the current status of the exchange (accounts, trades, etc) are all also secure,” he added in a later post.

The bad news is that 24,000 Bitcoins is about 248,000 real world US dollars, according to Bitcoin conversion site Preev.

In the long (and fast-growing) thread following Shtylman’s confession, users are angrily asking why he used lax security practices to protect their virtual cash. His answer follows:

Yes, I realize this is a very serious mistake.

Which looks an early favourite for understatement of the year.

Another thread on the Bitcoin Forum is dedicated to figuring out who committed the theft, and where the Bitcoins have gone.

Bitfloor.com remains down at the time of writing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/05/bitfloor_heist/

Hackers have dumped online the unique identification codes for one million Apple iPhones and iPads allegedly lifted from an FBI agent’s laptop. The leak, if genuine, proves Feds are walking around with data on at least 12 million iOS devices.

The 20-byte ID codes were, we’re told, copied from a file extracted from the Dell notebook of a senior federal agent, who was tracking the activities of hacktivists in LulzSec, Anonymous and related groups. Supervisor Special Agent Christopher Stangl’s machine was compromised via a AtomicReferenceArray vulnerability in Java in March, the black hats claim.

Once his computer was infiltrated by the hackers, a file was allegedly seized containing 12 million device records that included Unique Device Identifiers (UDIDs), usernames and push notification tokens as well as a smaller number of names, mobile phone numbers, addresses and zip codes. Members of the AntiSec crew leaked edited extracts of this data, having mostly stripped it of fanbois’ personal information, on Monday.

The listed UDIDs, which include gadget serial numbers and other data so apps can distinguish between individual devices, appear to be genuine. However, by themselves they may pose only a minimal privacy risk once leaked online, so the effect of the dump is largely confined to embarrassing the Feds – and raising questions as to why agents have the information in the first place.

The most likely source of the data was either an iOS app developer or multiple developers, Mac Rumours speculates.

The Java exploit used in the attack is unrelated to the mega-bugs finally patched by Oracle last week.

It’s a matter of record that Stangl was among the agents invited to an FBI-Scotland Yard conference call about the progress of investigations into members of Anonymous back in January. Members of LulzSec infamously eavesdropped on this call and leaked a recording after intercepting an email arranging the chat.

Email addresses exposed by this breach may have been used in a follow-up targeted attack that tricked investigators into visiting a booby-trapped website exploiting an at-the-time Java 0-day vulnerability. Rob Graham of Errata Security expands this plausible theory in this How the FBI might’ve been owned blog post.

The AntiSec activists behind this week’s leak suggest the device info data was used as part of some FBI tracking project involving iOS devices, such as iPhones. Even they are a bit vague on what that might be. However the group goes into some detail in explaining how it apparently swiped the data:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

The AntiSec group says it decide to published a portion of the leaked data in response to a keynote speech by the NSA’s General Keith Alexander at the DefCon hacker convention in July. In part, Alexander sought to persuade hackers at the convention to consider a career at the NSA, a suggestion that predictably galled the black hats. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/04/antisec_hackers_fbi_laptop_hack/

UK regulator PhonepayPlus has fined a Russian firm £50,000 after it was found guilty of peddling a deceptive Android application that signed unwitting victims up to a premium-rate text service.

Connect Ltd, trading as SMSBill, reportedly promised access to Android games. After the app was installed, a text message was also sent to a premium-rate number, generating a £10 charge on victims’ phones from the resulting auto-reply message. After being charged, the consumer was redirected to the 7mobi.net “GamePortal”, where they could play games.

The terms and conditions for the application only explained that a charge would be incurred six pages into the small print, and even then inaccurately suggested only a £5 charge would be incurred.

The dodgy behaviour was spotted by security researchers at Sophos. SophosLabs researcher Vanja Svajcer discovered a malicious link on Facebook that led to malware being downloaded onto his Android smartphone back in February. Aggrieved punters also lodged complaints about lack of pricing information and charging without consent with PhonepayPlus, prompting an investigation.

Connect Ltd was last week found guilty of “very serious” breaches of the PhonepayPlus Code of Practice for premium-rate phone services, as explained in more detail in an adjudication.

The unregistered service provider was ordered to refund affected customers within the next three months as well as paying the £50,000 fine. In addition, Connect Ltd is also obliged to lodge any proposals for new premium-rate services to the regulator before releasing them in the UK, during a probationary period of two years.

Consumers spent between £100,000 to £250,000 on the service, according to PhonepayPlus, although it is unclear how much revenue Connect Ltd itself made from the dodgy Android app.

More commentary on the information security aspects of the case can be found in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/04/android_sms_game_scam/

Australia’s Attorney-General Nicola Roxon has re-stated the case for a European-style data retention regime, arguing that there’s no point bringing a knife to a gun fight when it comes to protecting Australia’s interests.

In a speech delivered to the 2012 Security in Government conference in Canberra today, Roxon quickly addressed the argument that it is dangerous for governments to hold a lot of information about their citizens, saying:

“We hold more information than ever before. This information is not only Government information but it is often personal information of Australian citizens. The responsibility we have to protect that information is immense. Because the information is now stored online it is also accessible to potentially more people within an agency – increasing the risk of insider threat.”

The Australian government is therefore “turning up the heat on our own systems to ensure we’re secure from insiders who might have the ability and access to threaten our national security.” That heating process is using a new “Protective Security Policy Framework” Roxon said has been “…specifically written with an eye on the online environment” and “marks an important shift from a compliance based model to a risk management approach, providing guidance on how to identify risks, as well as the controls needed to mitigate them.”

Her speech moved on to privacy and how it is, in her view, important “to strike a balance between ensuring we have the investigative tools needed to protect the community and individual privacy.”

That balance, she argues, can be achieved even under a regime that allows data retention, because it is such a useful investigative tool.

“Many investigations require law enforcement to build a picture of criminal activity over a period of time. Without data retention, this capability will be lost,” Roxon argued. “Many of you will recall the disturbing murder of Cabramatta MP John Newman in Sydney in 1994. Call charge records and cell tower information were instrumental in the investigation and subsequent conviction on Phuong Ngo (FONG NO). These records allowed police to reconstruct the crime scene.

She added that there has been plenty of attention paid to data retention laws, the consultation process that sparked the ire of Anonymous is just a consultation process and is being conducted in the open, which should quell fears about governments granting themselves unfettered power.

She then explained the Raison d’être for the data retention proposal and other reforms:

“We cannot live in a society where criminals and terrorists operate freely on the internet without fear of prosecution. We cannot allow technology to create a ‘safe haven’ for criminals, or a ‘no go’ zone for law enforcement.

But, this does not mean unfettered access to private data either.

What it does mean are carefully drafted, tested and oversighted national security laws – and this is what I’m focussed on delivering.”

Roxon signed off by pledging that “, I will focus on delivering the right checks and balances to ensure that national security powers are not abused and that the privacy of Australians is respected.”

The difficulty of achieving that level of security is, however, what Anonymous thought it had pointed out by revealing personal data found on a neglected server belonging to Australian telco AAPT. The Reg mentioned the contents of Roxon’s speech in an IRC channel frequented by entities who use the iconography and identity of Anonymous. The response indicated considerable displeasure and intent to again protest vigorously, in Anonymous’ particular fashion. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/04/australia_data_retention_plan/

Microsoft has tweaked its fine print so it can reuse its users’ photos, emails and chat messages to polish its online services.

The new terms-of-use agreement was rolled out late last week. It grants Microsoft the right to use information gathered from Hotmail, Photo Gallery, Office.com and SkyDrive accounts in a manner it sees fit to “improve the services with new features that makes them easier to use”. Before, the software giant had simply reserved the right to handle punters’ content to provide a service.

It is reminiscent of Google’s terms’n’conditions shake-up that brought users of its individual services under one roof, in terms of privacy and data sharing, so that the advertising giant could tap into a wealth of information on each punter.

Microsoft’s updated red tape also extends the policy first introduced to Windows in May that bans customers from banding together to form class-action lawsuits against the company.

The new wording here says:

When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services.

For example, we may occasionally use automated means to isolate information from email, chats, or photos in order to help detect and protect against spam and malware, or to improve the services with new features that makes them easier to use.

The old service agreement here, had said:

You understand that Microsoft may need, and you hereby grant Microsoft the right, to use, modify, adapt, reproduce, distribute, and display content posted on the service solely to the extent necessary to provide the service.

The agreement covers users of Microsoft’s Hotmail, SkyDrive, Windows Live Messenger, Photo Gallery, Movie Maker, Mail Desktop, Writer, Bing, MSN, and Office.com. The new wording suggests the company may gleam information from, say, a picture gallery account to customise or massage search results from Bing. The company has already added social-network juice by mixing in data from Facebook, Twitter, LinkedIn and Quora to search results. Bing search has already been added to Hotmail.

Users of Hotmail were alerted to the changes on 30 August, just ahead of the long Labor Day holiday weekend in the US. The new policy comes into effect on 19 October. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/03/microsoft_hotmail_terms_update/

A former captain in the Russian Federal Security Guard Service* has been sentenced to four and a half years in prison after he was convicted of involvement in the kidnapping Ivan Kaspersky, son of Kaspersky Lab founder Eugene, the Moscow Times reports.

Ivan Kaspersky was kidnapped in Moscow April 2011 by a gang who attempted to extort €3m from his parents for his safe return. The plot failed and the then 20 year-old student was recovered five days later without any bloodshed, following a police operation.

Alexei Ustimchuk was arrested along with his alleged partners but tried separately in a military court where he pleaded guilty to preparing the kidnap, buying three cars and numerous mobile phones to set up the failed operation. Pravda adds that defence lawyers argued Ustimchuk did not know the target of the intended kidnapping and supposedly thought it was an attempt to intimidate a debtor. Nonetheless he pleaded guilty to abduction and extortion.

Other suspects in the case are yet to stand trial. ®

Bootnote

*The organisation which provides bodyguards and other security for the Russian President and other high-ranking officials, as well as guard troops for important locations such as the Kremlin. In Soviet times it was part of the KGB.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/03/kaspersky_kidnapper_jailed/

Sysadmin blog Right on cue, Java has responded to my hatred in kind. Shortly after I awoke to discover my previous article denouncing the language had been published, a client called to inform me his computer had contracted some malware. Java has, if you’ll forgive the anthropomorphization of a bytecode virtualization engine, decided to exact its revenge.

Closer inspection of the infection revealed deep network penetration that the installed antivirus applications were completely unable to cope with. The chief financial officer of the company relies on cloudy applications that require Java-in-the-web-browser. Contrary to early reports that we should only fear Java 7, this beauty crawled in through a fully up-to-date Java 6 browser plugin and installed some friends.

I have no idea what the initial vector was beyond the swift appearance and disappearance of some malicious Java archive files; the primary delivery mechanism scrubbed itself clean (along with significant chunks of the browser history) right after it downloaded its payload onto the compromised Microsoft Windows PC.

The payload: a software nastie called Sirefef. This itself is actually irrelevant; even Microsoft Security Essentials can find and kill most variants. The purpose of Sirefef is to serve as the staging component for the coup de grace: the highly sophisticated Zeroaccess rootkit (Sirefef downloaded some other friends too, but once the rootkit is dealt with, they are easily dispatched.)

Zeroaccess is a nightmare. It creates a hidden partition to run components from, deletes the BITS and Windows Update services, infects system restore and then removes the system restore interface from Windows. It locks you out of various sections of your file system it has decided to secrete backup copies of itself into. (C:WindowsTemp, C:WindowsSystem32ConfigSystemprofile and so forth.)

Zeroaccess knows all the standard tricks; it hides itself from Trend Micro’s virus scanner Housecall, kills industrial-strength bleach Combofix (attempting to run this tool will freeze the system), resists cleaning by SurfRight’s Hitman Pro, Symantec’s resident AV and so forth. If you delete the hidden partition after booting from a Linux Live CD, chances are you didn’t get every last remnant of the thing and it will be back in due time. It also prevents remote support app Teamviewer from starting properly with Windows.

If any residue of the rootkit lingers, or if Sirefef and/or its downloaded friends remain, they will all download and reinstall one another and we get to play whack-a-malware one more time. Bonus points were awarded for exploiting known Windows 7 vulnerabilities to infect every other machine on the network; that was a nice touch that really made my Friday.

Cleaning up this one Trojan-horse town

So what’s the solution? It turns out that some combination therapy kills the Zeroaccess variant in question. The solution I have settled upon is this:


1. Disconnect every Windows system from the network; if one is infected, they are all infected. (I have absolutely no idea what they used to get through the firewalls on client PCs, but it was effective.) You need to clean all systems one at a time on a quarantine basis. If you have a way to automate the rest of this list for enterprise deployment, please let me know.
2. Create a new local user with admin privileges, reboot and log on as that user. (You need as clean a profile as possible.)
3. Download and run Symantec’s Zeroaccess removal tool. It will ask you to reboot; do so. A widget will pop up when you next log in that says the rootkit was not found. This is a lie. The removal tool got rid of it, and you have already been reinfected. Fortunately, it can’t do anything until the next reboot.
4. Run Trend Micro’s Housecall; kill all the things. Do not reboot.

5. Repair the background intelligent transfer service (BITS).

6. Repair the Windows automatic updates service. (If you get the popup for the “Microsoft Fixit” tool, use it. It will fix your broken Windows update service.)
7. Install Windows updates. Do not reboot.

8. Run Microsoft Security Essentials; kill all the things. Do not reboot. At this point, you should have killed all of Zeroaccess’s little friends.

9. Re-run the Symantec Zeroaccess removal tool. It should kill the newly reinfected (but still dormant) variant of Zeroaccess.
10. Reboot. When the system comes back up, make sure you log in as the “new” local administrative account you created.

11. Run Combofix. If it doesn’t lock up your system, you’re good!
12. Reboot back into your regular account, and delete the local account you created for this process. You win.

If you are infected with Zeroaccess, exercise extreme caution. Someone is actively versioning this rootkit. I detected at least three different variants on one network alone. More to the point, the little friends that serve as satellite malware are also seeing some rapid evolution; what worked for me today may not work a week from now.

This incident should serve to underscore exactly how serious the Java exploits in question are. If you can, uninstall Java. If you must use Java, keep it as up-to-date as possible and see if you can disable or remove the plugins for your browsers. (In an attempt to help resolve the current crisis, Ninite is offering free access to the pro version for a limited time; it can really help with the updating.) If you absolutely must use Java-in-the-browser then it’s time to start taking security very seriously; break out the tinfoil and start making some shiny hats.

Java-in-the-browser absolutely must be treated as “already compromised”. There is no wiggle room here. Do not under any circumstances run Java in the browser on any production system or any client system in which any other application is used. Go buy another Windows licence and put Java inside a virtual machine.

Ring-fence the virtual machine by placing it on its own VLAN and subnet. Keep that virtual machine’s traffic as separate from the rest of your network and system as you possibly can: Java-in-the-browser is a live grenade and you can’t afford to have it go off inside your network. If you can, deploy the virtual machine from a managed template; the ability to destroy it at the end of the day and revert to a “known good” is a huge advantage when dealing with a threat of this magnitude.

Even if Oracle gets its act together and solves the immediate issues, this is only the latest in a long line. Java is simply is not developed with an adequate “security first” approach; Oracle is used to dealing with large corporations, not consumers. It doesn’t have the experience to fight these kinds of rapidly escalating arms races, and it shows.

There isn’t time to wait for Oracle to overcome its corporate inertia. It is time for systems administrators to act. It is our duty to depopulate Java with extreme prejudice. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/03/java_cleanup/

A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link – ideal for fooling victims into handing over passwords and other sensitive info.

Usually, so-called “phishing attacks” rely on tricking marks into visiting websites designed by criminals to masquerade as banks and online stores, thus snaffling punters’ credentials and bank account details when they try to use the bogus pages. However this requires finding somewhere to host the counterfeit sites, which are often quickly taken down by hosting companies and the authorities or blocked by filters.

Instead, the malicious web pages can be stored in data URIs – uniform resource identifiers, not to be confused with URLs – which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page.

It negates the need to find somewhere to secrete your malicious page, and once shortened using a service such as TinyURL, the URI can be reduced to a small URL perfect for passing around social networks, online chats and email. Crooks would still need to set up a server to receive data from victims, however.

It’s a technique already documented by researchers Billy Rios and Nathan McFeters – but now Henning Klevjer, an information security student at the University of Oslo in Norway, has revisited the attack method in his paper, Phishing by data URI [PDF].

Typically an attacker would first create a standalone web page, probably using content scraped off the legitimate site it seeks to mimic before making an encoded page and embedding it into a data URI.

URI-based attacks were previously documented by Rios and McFeters as part of an attack Microsoft’s Internet Explorer 6 and 7. Klevjer’s research expands on this basic theme and gives it a modern twist.

Google’s Chrome browser blocks redirection to data URIs, and other browsers have limits on the volume of data that can be packed into URIs. Klevjer created a 26KB attack page that failed to load in Internet Explorer, but worked on both Firefox and Opera.

As well as getting around the need to find a home for malicious web pages, the data URI trick can sidestep traditional scam defences, such as web filtering. Data URIs may also contain a potentially malicious Java applet, a major concern following last week’s Java-related security flap, a post on Sophos’s Naked Security blog notes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/09/03/phishing_without_hosts_peril/