STE WILLIAMS

Clarke tags new RuggedCom vuln

Justin Clarke, who back in April pinged industrial control vendor RuggedCom over a backdoor in control systems based on its ROS operating system, has turned up a second vulnerability in the form of a hard-coded RSA key.

The original backdoor was a simple undocumented account designed to provide admin access in case of a lost management password. When obscurity failed, the company issued a patch disabling the backdoor.

The new vulnerability, according to the ICS-CERT advisory (PDF), is serious enough that affected systems should be isolated from the Internet. The RSA private key that ROS uses for SSL is hard-coded into the firmware, so every device ships with the same key: recovering it from a single unit lets an attacker decrypt SSL-protected management traffic to and from any RuggedCom device running that firmware and, since possession of the private key is all that is needed to pose as the device, impersonate one.
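As an added illustration of why one key in every unit collapses confidentiality for the whole fleet (example code written for this page, not RuggedCom firmware or ICS-CERT's analysis), the toy handshake below models the RSA key exchange that SSL supports: the client encrypts a fresh premaster secret to the server's public key and the session key is derived from it. The RSA here is unpadded with a 128-bit modulus and the key derivation is a single SHA-256, both stand-ins for PKCS#1 padding and the TLS PRF; the seeds, the device labels and the assumption that the attacker has pulled the private key out of a unit they bought are constructed for the demonstration.

```python
import hashlib
import math
import random


def is_probable_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for every n < 2**64."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(rng, bits=64):
    """Toy RSA: two 64-bit primes, e = 65537, no padding. Enough to show the
    key-sharing problem, nowhere near enough for real use."""
    def random_prime():
        while True:
            cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(cand):
                return cand
    e = 65537
    while True:
        p, q = random_prime(), random_prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def client_key_exchange(rng, server_public):
    """Client side of an RSA key exchange: fresh premaster secret, encrypted
    to whatever public key the server presented. Returns (secret, ciphertext)."""
    n, e = server_public
    premaster = rng.getrandbits(96)          # always < n, so no reduction
    return premaster, pow(premaster, e, n)


def server_recover_premaster(server_private, encrypted_premaster):
    n, d = server_private
    return pow(encrypted_premaster, d, n)


def session_key(premaster):
    """Stand-in for the TLS PRF: the traffic key is a function of the premaster."""
    return hashlib.sha256(premaster.to_bytes(12, "big")).digest()


def demo():
    """Returns (shared_key_is_broken, per_device_key_is_safe)."""
    firmware_key = generate_keypair(random.Random(2012))   # one key baked into every unit
    _, extracted_priv = firmware_key                        # attacker reads it from device A
    device_b_pub, _ = firmware_key                          # device B ships the same bytes

    # Attacker passively captures an operator's handshake with device B...
    premaster, captured = client_key_exchange(random.Random(7), device_b_pub)
    # ...and derives the same traffic key using the key lifted from device A.
    recovered = server_recover_premaster(extracted_priv, captured)
    shared_key_broken = session_key(recovered) == session_key(premaster)

    # Fix: a key generated per device. A's private key says nothing about B's sessions.
    unique_b_pub, _ = generate_keypair(random.Random(99))
    premaster2, captured2 = client_key_exchange(random.Random(8), unique_b_pub)
    per_device_safe = server_recover_premaster(extracted_priv, captured2) != premaster2
    return shared_key_broken, per_device_safe


if __name__ == "__main__":
    print(demo())
```

A quick field check for this class of problem is whether two units present the same certificate fingerprint; if they do, the key is shared and the first half of the demo applies to every session that uses RSA key exchange. Cipher suites with ephemeral key agreement would blunt the decryption half (not the impersonation half), but only if the firmware offers them.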

The advisory states that operators of the company’s kit should:

“– Minimize network exposure for all control system devices. Control system devices should not directly face the Internet;
– Locate control system networks and devices behind firewalls, and isolate them from the business network;
– If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.”

RuggedCom has yet to comment on the issue. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/22/rugged_com_new_backdoor/

Bogus Android markets seized in FBI software crackdown

The US Department of Justice reports that three domains selling stolen Android applications have been seized in a combined operation by the FBI and international police.

Visitors to applanet.net, appbucket.net, and snappzmarket.com hoping for hooky apps will be disappointed to see the FBI’s warning page showing that the Feds now hold the rights to the sites. The FBI coordinated the shutdown with French and Italian police, who filed nine warrants for arrest and seized local servers to shut down the illegal app stores and preserve evidence about those running them.

FBI domain seizure warning page (caption: No apps for you says FBI)

“The theft of intellectual property, particularly within the cyber arena, is a growing problem and one that cannot be ignored by the US government’s law enforcement community,” said FBI special agent in charge Brian Lamkin. “These thefts cost companies millions of dollars and can even inhibit the development and implementation of new ideas and applications.”

Hopefully this isn’t going to mean a warning screen every time you download a new piece of software, in the same way you can’t seem to buy a DVD without a dire warning from the Feds – marvelously lampooned by The IT Crowd – that you may be a pirate.

In a statement, the DOJ reports that FBI agents downloaded thousands of applications from legitimate developers that had been cracked and then put back on sale. As is the way of things with these markets, El Reg is willing to bet they got a fair chunk of malware samples as well.

“Cracking down on piracy of copyrighted works – including popular apps – is a top priority of the Criminal Division,” said Assistant Attorney General Breuer from the Department of Justice.

“Software apps have become an increasingly essential part of our nation’s economy and creative culture, and the Criminal Division is committed to working with our law enforcement partners to protect the creators of these apps and other forms of intellectual property from those who seek to steal it.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/22/fbi_android_apps/

Superworm Crisis eats Macs, VMware and – shock

Security watchers have discovered a virus strain that compromises VMware virtual machines as well as infecting Mac OS X and Windows computers and Windows Mobile devices. It demonstrates previously unseen capabilities in the process.

The Crisis malware typically arrives as a Java archive (.jar) that poses as a Flash Player Java applet to trick the victim into opening it.

The archive contains executable files targeting Apple and Microsoft operating systems; the malware is able to detect which platform it is running on and serve up the correct variant.

Once launched, the worm puts in place a rootkit to hide itself from view; installs spyware to record the user’s every move on the computer; and opens a backdoor to the IP address 176.58.100.37, allowing miscreants to gain further access to the machine, according to a write-up of the threat by Kaspersky Lab. The malicious code also, unsurprisingly, survives across reboots.

The Windows variant can kill off antivirus programs, log keypresses, download and upload files, take screengrabs, lift the contents of the user’s clipboard, record from the computer’s webcam and mic, and snoop on these applications: Firefox, Internet Explorer, Chrome, Microsoft Messenger, Skype, Google Talk and Yahoo! Messenger.

The Apple-targeting variant is more or less the same: it monitors Adium, Mozilla, Firefox, MSN Messenger (for Mac) and Skype, and records keystrokes. On Mac OS X, at least, the user does not need administrative privileges to install the software although its functionality is affected if the logged-in punter has insufficient rights: with admin-level access, the virus can slot in the rootkit, for instance.

Subsequent analysis of the malware by researchers at Symantec uncovered elaborate techniques in the Windows variants that allow it to spread onto virtual machines and Microsoft-powered smartphones.

Crisis uses three methods to spread itself from Windows desktops: it can copy itself and an autorun.inf file to a removable drive in order to infect the next machine the storage stick is plugged into; it can sneak onto virtual machines; and it can drop modules onto a Windows Mobile device.
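Of the three vectors, the removable-drive one is the easiest to check for by hand: an autorun.inf that tells Windows to run an executable when the stick is inserted. The analyser below is an added example written for this page (not Symantec's or Kaspersky's code, and not derived from the Crisis binary); the two sample files are constructed, and the hidden\update.exe path in them is invented. It reads the file the forgiving way Windows does (junk lines, mixed case, repeated keys) and flags the directives that launch or disguise a program.

```python
# Constructed samples; the lure mimics the well-known "Open folder to view files"
# trick and is not a file recovered from any real infection.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Holiday photos
"""

LURE_AUTORUN = """;ks8#@!junk that breaks naive INI parsers
[AuToRuN]
;more junk
OPEN=hidden\\update.exe
ShellExecute=hidden\\update.exe
shell\\open\\command=hidden\\update.exe
shell\\explore\\command=hidden\\update.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Read an autorun.inf the way Windows does: skip blank and ';' comment
    lines, treat section and key names case-insensitively, keep the last value
    for a repeated key, and honour only [autorun] (or [autorun.<arch>])."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing launches."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS and value:
            findings.append(f"{key}={value}: runs a program on insertion/AutoPlay")
        elif key.startswith("shell\\") and key.endswith("\\command") and value:
            verb = key.split("\\")[1]
            findings.append(f"{key}={value}: hijacks the Explorer '{verb}' verb")
    # Cosmetic keys only matter when something executable is present.
    if findings and "action" in entries:
        findings.append(f"action={entries['action']}: relabels the AutoPlay prompt")
    if findings and "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon=...shell32.dll: borrows a stock icon to look like a plain drive")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("lure", LURE_AUTORUN)):
        print(name, assess_autorun(sample) or "nothing launches")
```

Run it against the root of each removable volume on a suspect machine; the findings are deliberately phrased for a triage note. It says nothing about the VMware or Windows Mobile vectors, which leave their traces inside the guest image and on the handset rather than on the host file system.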

The threat searches for VMware virtual machine images on a compromised Windows PC and attempts to copy itself onto the system using a VMware Player tool. It does not use a vulnerability in the VMware software, but rather relies on a feature that allows the virtual machine’s files to be manipulated even when the virty system is not running.

Virtualisation technology is widely used by security vendors – it allows them to create a sandbox in which they can probe and toy with captured wild software nasties without (ideally) infecting their host workstations. As a result many strains of malware are programmed to stop running once they find themselves in a virtualised environment to avoid being examined.

OSX-Crisis appears to be proof-of-concept code designed to probe virtualised environments for weaknesses, according to Symantec.

“This may be the first malware that attempts to spread onto a virtual machine. Many threats will terminate themselves when they find a virtual machine monitoring application, such as VMware, to avoid being analyzed, so this may be the next leap forward for malware authors,” Symantec researcher Takashi Katsuki concludes.

Crisis also spreads from compromised Windows boxes by dropping modules onto Windows Mobile devices once they are connected to infected computers. The malware uses Microsoft’s Remote Application Programming Interface (RAPI), so it only affects Windows Mobile devices and not Android or iPhone devices, neither of which support the technology.

A full write-up of the latest analysis on the potent malware can be found in a blog post by Symantec here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/22/malware_crisis/

Boffins zapped ‘2,000 bugs’ from Curiosity’s 2 MILLION lines of code

With a $2.5bn price tag, a 350-million mile journey and 2 million lines of C and some C++ code, the only bugs NASA wants its Curiosity rover to find are those possibly beneath the Martian surface.

And it may not be a particularly glamorous job, but software analysis outfit Coverity was the company tasked with “ensuring that every software defect is found and fixed before launch”.

Roughly 2,000 bugs were zapped in the rover’s code, estimates Andy Chou, the chief technical officer of Coverity, although NASA is schtum on the exact figures.

“For typical software (which this clearly isn’t), it’s not unusual to find approximately 1 defect for every thousand lines of code,” Chou said. “For a project with 2 million lines of code, it would therefore not be unusual for Coverity to be able to find about 2,000 defects.”

The company’s static analysis tool was used to examine the source code written by NASA’s Jet Propulsion Laboratory scientists – specifically the systems that guided Curiosity’s flight to the Red Planet and are now running all of the laser-armed robot’s onboard functions. At this stage, every bug correction is vital – after all, there’s no service desk on Mars.

The source code was fed through Coverity’s package, which examined the code to identify flawed logic and common programming gaffes. The error reports were then sent back to NASA’s JPL developers so they could sort them out.

Coverity’s tool checked the software that controls all the functions of the Rover. Credit: NASA

According to the software vendor’s communications manager Chris Adlard, NASA threw all kinds of tests at the code. “You can’t really test the Mars landing, so NASA wanted to use every possible way of pruning out mistakes, that’s why they were using a lot of methods,” he said.

The automated analysis tool grew out of research by Stanford University boffins. It analyses C/C++, Java and C# code bases as they are compiled, looking for hard-to-spot critical defects including resource leaks, memory corruption and null pointer dereferences, and it also models how the code behaves at run time, rather than only its syntax, to catch further flaws.

Rock-zapping Curiosity is the most complicated project NASA has ever launched, and testing was of huge importance. However, a static checker can't catch every mistake: the error that wrecked the space agency's Mars Climate Orbiter wouldn't have been spotted by Coverity's software, Chou admitted. That particular cock-up was caused by boffins mixing up imperial and metric units, and both sides of a unit mismatch look like perfectly valid numbers to a tool that is hunting for leaks and null dereferences.
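To make concrete what a checker of this kind looks for, and what it cannot see, here is an added example written for this page; it is not Coverity's analyser and not JPL code. It walks Python's own syntax tree for one of the defect classes named above, a resource leak: a handle bound by open() that can reach a return statement without being closed. The sample functions, including the unit-mixing one, are constructed. The checker visits statements in source order, which catches an early return inside an if but does not model a close that happens on only one branch; that simplification is deliberate.

```python
import ast

# Constructed sample: one function leaks on its early-return path, one does not.
SAMPLE = '''
def read_config(path):
    f = open(path)
    data = f.read()
    if not data:
        return None
    f.close()
    return data

def read_config_safe(path):
    with open(path) as f:
        return f.read()
'''

# Constructed sample of the Climate Orbiter class of bug: the caller supplies
# pound-force, the function assumes newtons. No leak, no null dereference.
UNIT_SAMPLE = '''
def total_impulse(thrust_lbf, seconds):
    return thrust_lbf * seconds
'''


def _is_open_call(node):
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "open")


def _close_target(node):
    """Return the variable name if node is `<name>.close()`, else None."""
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "close" and isinstance(node.func.value, ast.Name)):
        return node.func.value.id
    return None


def find_leaks(source):
    """Report (function, variable, opened_line, return_line) for every return,
    explicit or implicit, that a `name = open(...)` handle reaches unclosed."""
    leaks = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        opened, closed = {}, set()

        def visit(stmts):
            for stmt in stmts:
                if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
                    continue                      # nested scopes are analysed on their own
                if isinstance(stmt, ast.Assign) and _is_open_call(stmt.value):
                    for target in stmt.targets:
                        if isinstance(target, ast.Name):
                            opened[target.id] = stmt.lineno
                            closed.discard(target.id)
                elif isinstance(stmt, ast.Expr) and _close_target(stmt.value):
                    closed.add(_close_target(stmt.value))
                elif isinstance(stmt, ast.Return):
                    for name, line in opened.items():
                        if name not in closed:
                            leaks.append((func.name, name, line, stmt.lineno))
                # `with open(...) as f` is not an Assign, so the context-managed
                # handle is never tracked: it is released whatever path is taken.
                for field in ("body", "orelse", "finalbody"):
                    nested = getattr(stmt, field, None)
                    if isinstance(nested, list):
                        visit(nested)
                if isinstance(stmt, ast.Try):
                    for handler in stmt.handlers:
                        visit(handler.body)

        visit(func.body)
        for name, line in opened.items():     # falling off the end is a return too
            if name not in closed:
                leaks.append((func.name, name, line, func.end_lineno))
    return leaks


if __name__ == "__main__":
    print(find_leaks(SAMPLE))        # the early return in read_config
    print(find_leaks(UNIT_SAMPLE))   # nothing: units are invisible to this check
```

The second call is the point of the caveat above: the unit error is a semantic mismatch between caller and callee, and nothing in the syntax tree distinguishes a newton from a pound-force, which is why such bugs need unit-carrying types or review rather than a defect pattern.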

It’s not the first time the static analysis tool has been called up to check the globe’s biggest projects: it was also responsible for pulling the bugs out of CERN’s particle accelerator, which included 3.5 million lines of code in the ROOT framework – the software that sifted the petabytes of data coming out of the machine – and 50 million lines in associated science projects. The Large Hadron Collider’s ROOT code was more buggy than average: 40,000 bugs were found and squashed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/22/mars_rover_software_coverity/

Patch Tuesday deja vu: Adobe patches Flash … again

Adobe yesterday released a Flash Player update just one week after its patch Tuesday release, providing a bit of extra hassle for admins for the second Tuesday in a row.

The latest (APSB12-19) update for Adobe Flash and Adobe AIR addresses six cross-platform flaws in Adobe Flash Player for Windows, Mac OS X, Linux and Android smartphones. Five of the six flaws are categorised as critical because they might easily lend themselves to planting malware on machines running vulnerable versions of Adobe’s software. Researchers said this especially applied to Windows machines where the risk is at its nastiest.

The updates come a week after Flash Player was updated as part of Adobe’s normal Patch Tuesday update cycle. Adobe also released new versions of Acrobat/Reader and Shockwave player at the time.

Adobe’s bulletin can be found here. Commentary on the release can be found in a blog post by Qualys here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/22/adobe_flash_patch/

AMD snubs hackers’ tiny package, will fix raided blog

AMD hopes to heave its blog back online soon after hackers broke into the site.

The chip fryer downplayed the attack, saying a small number of salted password hashes were lifted. The records were subsequently dumped online in a 32KB file by the blog raiders.

Nonetheless AMD has reset its scribes’ login credentials as a precautionary measure, as a statement by the silicon biz explains:

AMD’s blog site was the target of an attack on 19 August. We believe that the attackers posted less than 200 registered usernames and salted password hashes to a hacker web site. AMD uses salted password hashes, which is an industry best practice for encryption and extremely difficult to crack.

We immediately took the blog site offline and changed all passwords. AMD remains committed to data security and user privacy and has launched an investigation into this matter. We expect to bring our blog site back online within the next 24 hours.

Black-hat hacking crew r00tbeersec claimed responsibility for the break-in at AMD's WordPress-driven blog, and followed up the assault with a much bigger raid on Dutch technology giant Philips. The miscreants ransacked various websites run by the company, and made off with a thousand account records containing names, telephone numbers, addresses, and passwords or password hashes. One of the affected sites stored its passwords in plaintext.

Commentary on the Philips hack can be found in a blog post by Paul Ducklin of Sophos here.

The motives behind the attacks, and the methods used, on AMD and Philips remain unclear. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/22/amd_blog_hack_follow_up/

WikiLeaks’ secrets weren’t, says former MI5 chief

WikiLeaks’ revelations of the “secrets” of global diplomacy weren’t that secret, says Dame Stella Rimington, novelist and former Director general of MI5.

Speaking in Australia, where she today delivered an address to the International Council on Archives conference, Rimington told The Reg that one of the issues public sector archivists need to deal with is what to do at a time when much communication takes place casually. Prime Ministerial TXT messages, for example, may be key to reconstructing events for which the public rightly wants them to be held to account, and therefore belong in public archives.

Capturing such material, she said, needs careful consideration because some of it may be worthy of classification as secret. And when information is truly secret, she says it is treated with extreme care.

“Governments need to be able to keep secrets, especially secret services, to protect us in a difficult world,” she said. That observation led her to offer an opinion on WikiLeaks, which she says probably didn’t publish anything significantly secret.

Stressing that she has no inside knowledge of Assange-related escapades, Rimington said she understands – as does the rest of the world – that the dump of diplomatic cables to WikiLeaks came from Bradley Manning, who she described as “a young soldier.”

“If it is all such sensitive stuff, why was it available to a young soldier?” she asked. “If you do have secrets you must look after them and limit access to them.”

“That’s coupled with the vetting of your people [because] if you have incredibly top secret information you must protect it. You must limit access – that does not seem that difficult – so that only in the most inside layer is there access for those who need to know.”

“It seems to me that there was a so-called secret database that was enormous and available to a huge number of people,” she said, which to her mind means the content simply wasn’t that sensitive.

Rimington also said she feels Prime Ministerial TXTs won’t be able to justify tighter controls, as the public rightly wants accountability for elected officials.

“I don’t think the line between essential secrecy and appropriate openness changes because of fast communications,” she said. “You can only have it [archived material] effectively if the record is complete.”

She’s also not sure archivists can keep up in a world in which “resources are limited and information increases exponentially.”

But she feels linking different sources of public data will help.

“Genealogists and the like can link collections all over the world, all ensuring that greater amounts of information are available to be used by people who want to use it. Huge amounts of data are made easier to access.”

But she also lamented that, in polite conversation about the role of public archives, “everything is focusing on this WikiLeaksy thing.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/22/wikileaks_secrets_werent_stella_rimington_says/

Merde! French Prez palace blueprints nicked from cable layer

An unlucky cable worker lost the ground plans for France’s most important government buildings when his USB stick was nicked.

According to a report in Le Parisien, translated by Le Reg foreign desk, thieves grabbed the unnamed man’s flash drive and other possessions from a car after he parked up to meet someone in the Gare de Lyon railway station.

The stolen memory stick contained a collection of personal files and detailed ground plans for the most important government buildings in the country: the President’s house at the Elysee Palace – the equivalent of Blighty’s Number 10 Downing Street – plus the headquarters of the Parisian police and the Beauveau Square seat of France’s Interior Minister.

And no, the documents weren’t encrypted.

Those plans are now in the hands of thieves, but it is not known whether it was a targeted swipe or an opportunistic crime. Still, if the crooks choose to look through the USB drive it won’t be too hard for them to find the unencrypted, easily readable plans.

The victim was employed by a company that had just scooped a contract to replace all the fibre-optic networking in these buildings as well as several other government properties. A police investigation into the theft, which happened on Sunday, 19 August, is underway according to the paper.

Le Reg contacted the French Interior Ministry for more information and will update when it replies. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/21/french_usb_stick_elysee_palace_plans/

UK watchdog snaps on glove to probe Tesco’s ‘security fails’

The UK’s privacy watchdog has opened a tentative probe into the alleged security shortcomings of Tesco’s website.

The global supermarket behemoth, which sends out password reminders to Tesco.com customers in plaintext, was accused by security researcher Troy Hunt of storing punters’ credentials in an unsafe manner, as reported by El Reg several weeks ago.

Tesco has yet to respond in detail to Hunt’s criticisms, but the chain defended its security as “robust” in a statement.

“We know how important internet security is to customers and the measures we have are robust,” the firm argued. “We are never complacent and work continuously to give customers the confidence they can shop securely.”

When a customer forgets his or her login credentials, Tesco emails the customer’s actual password in clear text as a reminder, rather than following the more robust practice of resetting the password.

The retail giant insists it “secures” stored passwords, but being able to email them back implies that the encryption used, if any is used at all, is two-way, so the original passphrases can be recovered. If Tesco’s software can recover exact passwords from the database, so can an attacker who penetrates the supermarket’s systems and obtains the key along with the data.

Ideally, web apps should store passwords using a one-way function, a technique known as hashing (with a per-user salt and a deliberately slow function), which never retains the original passwords and frustrates efforts by hackers to recover plaintext credentials.
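The distinction drawn here, and the “salted password hashes ... extremely difficult to crack” claim in the AMD statement earlier on this page, can both be shown in a few lines. The code below is an added example written for this page, not Tesco’s or AMD’s implementation: a toy reversible scheme (XOR with a SHA-256 counter keystream, standing in for whatever two-way encryption a site might use), a salted SHA-256, and a salted PBKDF2. The wordlist, passwords and site key are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the dictionary attack below.
WORDLIST = ["password", "123456", "qwerty", "summer2012", "letmein", "tesco1"]


def _keystream(site_key, length):
    """SHA-256 counter-mode keystream for the toy reversible scheme."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(site_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def store_reversible(password, site_key):
    """Two-way 'protection': the app can email the password back, and so can
    anyone who walks off with the database and the key."""
    pw = password.encode()
    return bytes(a ^ b for a, b in zip(pw, _keystream(site_key, len(pw))))


def recover_reversible(blob, site_key):
    return bytes(a ^ b for a, b in zip(blob, _keystream(site_key, len(blob)))).decode()


def store_salted_sha256(password, salt=None):
    """One-way and salted, but fast: each guess costs one SHA-256."""
    salt = salt or os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def crack_salted_sha256(salt, digest, wordlist):
    """Dictionary attack on one salted record. The salt defeats precomputed
    tables and forces per-record work; it does nothing against a cheap loop."""
    for guess in wordlist:
        if hashlib.sha256(salt + guess.encode()).hexdigest() == digest:
            return guess
    return None


def store_pbkdf2(password, salt=None, iterations=200_000):
    """One-way, salted and slow: each guess now costs `iterations` HMACs."""
    salt = salt or os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(password, salt, iterations, stored):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def crack_pbkdf2(salt, iterations, stored, wordlist):
    """Same attack, same result for a weak password; the defender's only lever
    is that every guess is `iterations` times more expensive."""
    for guess in wordlist:
        if verify_pbkdf2(guess, salt, iterations, stored):
            return guess
    return None


if __name__ == "__main__":
    key = b"site-secret"                       # constructed
    print(recover_reversible(store_reversible("hunter2", key), key))
    salt, digest = store_salted_sha256("summer2012")
    print(crack_salted_sha256(salt, digest, WORDLIST))
    s, it, stored = store_pbkdf2("summer2012")
    print(crack_pbkdf2(s, it, stored, WORDLIST))
```

The reversible scheme lets the reminder email work and lets a thief with the key read every account; the salted fast hash stops bulk precomputation but a weak password still falls to a few guesses; the slow KDF keeps the same one-way property and simply makes each guess cost tens of thousands of hash operations, which is the difference a storage scheme can actually make.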

No database breach has occurred at Tesco.com, so Hunt’s criticism centres on charges that the company is failing to follow best practices for password storage, failing to prevent cross-site scripting attacks and is serving mixed content: loading unencrypted HTTP resources into an HTTPS page.

Many readers have emailed us about Hunt’s blog and the majority of security experts agree he has a point. However one or two dissenters have noted that Tesco’s alleged password security malpractices are fairly common among huge corporations, so singling it out for particular blame appears somewhat unfair.

As previously noted, the password reminder issue on Tesco’s website was first reported five years ago.

However, the UK’s Information Commissioner’s Office (ICO) confirmed this week that it is looking into the matter, but declined to comment further.

“We are aware of the issues relating to the Tesco website and will be making enquiries,” the ICO said in a statement. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/21/tesco_ico/

McAfee puts Barnaby Jack on car-jacking hackers’ case

McAfee has put together an elite team of researchers to investigate how to go about protecting car systems from next-generation hacking attacks.

Members of the team include Barnaby Jack, the security researcher best known for demonstrating ways that crooks can force ATMs to spit out cash and for highlighting security shortcomings in insulin pumps.

Modern cars increasingly rely on embedded processors. Security researchers have already demonstrated how these embedded systems might be hacked to generate bogus tire blowout warnings or pull off other dangerous exploits. Attack scenarios include injecting malware via the on-board diagnostics port, wireless connections and booby-trapped CDs.

No such attacks are known to have taken place in the wild, but car manufacturers and auto industry associations are already aware of the possible risk.

SAE International, a global association of more than 128,000 engineers and related technical experts in the aerospace, automotive and commercial-vehicle industries, has put together a number of technical papers on information security risks that go beyond the concerns about hacking into electronic vehicle access systems that have been an issue for several years.

“Vehicles include more and more electronic systems and open communication channels based on public standards, making them vulnerable to a variety of attacks,” the abstract to one recent SAE technical paper explains. “Security mitigation mechanisms are implemented in software and might be supported by a controller with basic security features,” it adds.

“Any cyber security breach carries certain risk,” said Jack Pokrzywa, SAE’s manager of ground vehicle standards, the Daily Tech reports. “SAE Vehicle Electrical System Security Committee is working hard to develop specifications which will reduce that risk in the vehicle area.”

Meanwhile Ford and Toyota have both recruited information security experts to look into the potential problem. Ford, for example, has hired infosec experts to make its SYNC in-vehicle communications and entertainment system more resistant against hackers and malware.

The McAfee team will be assigned to looking into much the same issues but with a slightly different mandate, geared towards developing security software and other protection technologies suitable for car-based embedded computing systems.

Bruce Snell, a McAfee executive managing the firm’s research on car security, told Reuters, as reported by PCPro: “If your laptop crashes you’ll have a bad day, but if your car crashes that could be life threatening.

“I don’t think people need to panic now. But the future is really scary,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/21/mcafee_car_hacking/