STE WILLIAMS

Anonymous hunts down Voldemort for hacking hungry kids’ charity

A Harry Potter fan’s attempt to impress hacktivist collective Anonymous by defacing a charity’s website has backfired, and his alleged identity has been handed over to cops.

RedSky, a video production firm that produced a documentary to help raise cash for underprivileged kids in New Zealand, was done over by the black hat hacker who uses the Twitter profile AnonVoldemort. Bryan Bruce, the filmmaker whose RedSky.tv website was trashed by the self-styled Dark Lord, issued a plea on Facebook for help in restoring the site and tracking down the perp.

Members of Anonymous picked up on the message and responded by discovering AnonVoldemort’s supposed real name and alleged location, and supplied the information to Bruce. The outing of He-Who-Must-Not-Be-Named happened after Anons were unable to persuade AnonVoldemort to hand back a copy of the files lifted from RedSky.tv.

“Apparently, one of the (Anonymous) rules is you don’t hack charity sites, you don’t hack sites of people trying to help kids,” Bruce told the New Zealand Herald.

“This guy was trying to impress them, to try and get into their group and boasting about what he’d done – but they turned on him, they chased him.”

Bruce has forwarded the alleged name of the vandal to authorities in Spain. Meanwhile the RedSky.tv site remains threadbare and inoperative, and may take as long as a month to restore, according to Bruce.

RedSky.tv previously included a store where copies of his documentaries could be purchased, including Inside Child Poverty – A Special Report. Proceeds from this DVD and a percentage from other sales were donated to a charity that cooks up breakfasts for hungry Kiwi schoolchildren. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/03/cyber_vandal_doxed/

Microsoft unleashes Windows attack tool

Developers, developers …. *^%%!!# developers who break Windows!

That may well be a refrain that motivated Redmond to release a new software tool, Attack Surface Analyzer 1.0, which explains how new apps impact Windows’ ability to repel the various varieties of naughtyware.

Microsoft explains the tool’s powers thusly:

Attack Surface Analyzer looks for classes of security weaknesses Microsoft has seen when applications are installed on the Windows operating system, and it highlights these as issues. The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report. Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, Microsoft ActiveX controls, listening ports and other parameters that affect a computer’s attack surface.

Redmond expects developers will find the new application useful to fine tune their wares before imposing new worries on real, live, end-users. IT departments are also expected to find the tool useful.
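The checks Microsoft lists above boil down to one idea: snapshot the machine before and after an install, then rate what changed. The script below is an added illustration of that before/after comparison and is not Microsoft’s tool or its output format; the two snapshots, the product name “Widget” and the CLSID string are constructed sample data, and the severity rules are this editor’s own assumptions about what a reviewer would flag first (a service auto-starting as LocalSystem, a port bound to all interfaces, a browser-reachable ActiveX control).

```python
"""Before/after attack-surface delta check (added example, constructed data)."""

# Constructed snapshots standing in for a pre-install and post-install scan.
# Files are plain strings; other categories are tuples describing the element.
BASELINE = {
    "files": {"C:\\Program Files\\Widget\\widget.exe"},
    "run_keys": set(),
    "services": {("WidgetUpdater", "NT AUTHORITY\\LocalService", "demand")},
    "listening_ports": {("127.0.0.1", 8080, "tcp")},
    "activex": set(),
}

AFTER_INSTALL = {
    "files": {"C:\\Program Files\\Widget\\widget.exe",
              "C:\\Program Files\\Widget\\helper.dll"},
    "run_keys": {"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WidgetTray"},
    "services": {("WidgetUpdater", "NT AUTHORITY\\LocalService", "demand"),
                 ("WidgetAgent", "LocalSystem", "auto")},
    "listening_ports": {("127.0.0.1", 8080, "tcp"), ("0.0.0.0", 9000, "tcp")},
    "activex": {("{constructed-clsid-0001}", "WidgetView.ocx")},
}


def diff_surface(baseline, after):
    """Return {category: (added, removed)} relative to the baseline snapshot."""
    delta = {}
    for cat in sorted(set(baseline) | set(after)):
        before = baseline.get(cat, set())
        now = after.get(cat, set())
        delta[cat] = (now - before, before - now)
    return delta


def rate(cat, item):
    """Assign a severity and a one-line reason to a newly added element.

    The thresholds here are assumptions for the example, not Microsoft's rules.
    """
    if cat == "listening_ports":
        addr, port, proto = item
        if addr in ("0.0.0.0", "::"):
            return "high", f"{proto}/{port} listens on all interfaces"
        return "low", f"{proto}/{port} bound to {addr} only"
    if cat == "services":
        name, account, start = item
        if account.lower() in ("localsystem", "nt authority\\system") and start == "auto":
            return "high", f"service {name} auto-starts as {account}"
        return "medium", f"service {name} runs as {account} ({start} start)"
    if cat == "activex":
        clsid, module = item
        return "high", f"ActiveX control {module} registered as {clsid}"
    if cat == "run_keys":
        return "medium", f"autorun entry {item}"
    return "info", f"new file {item}"


def assess(delta):
    """Turn a delta into findings sorted by severity (high first)."""
    findings = []
    for cat, (added, _removed) in delta.items():
        for item in sorted(added, key=repr):
            severity, why = rate(cat, item)
            findings.append((severity, cat, why))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for severity, cat, why in assess(diff_surface(BASELINE, AFTER_INSTALL)):
        print(f"[{severity:6}] {cat}: {why}")
```

On a real box the two dictionaries would be filled from the system (service control manager, the TCP listener table, the Run keys and the CLSID registrations) rather than typed in; the comparison and rating logic stays the same.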

The new version of Attack Surface Analyzer is a full 1.0 release, taking the tool out of beta. You can grab it here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/03/attack-surface-analyzer/

Republican filibuster blocks Senate Cybersecurity bill

The latest attempt by the US government to ensure some kind of security standards for its critical infrastructure has failed, with Senate Republicans having blocked legislation over concerns about over-regulation of business and the weighing-down of the bill with useless amendments.

“Despite the President’s repeated calls for Congress to act on this legislation, and despite pleas from numerous senior national security officials from this Administration and the Bush Administration, the politics of obstructionism, driven by special interest groups seeking to avoid accountability, prevented Congress from passing legislation to better protect our nation from potentially catastrophic cyber-attacks,” said the White House in a statement.

The US Cybersecurity Act 2012 originally called for mandatory security standards to be enforced for companies forming the US national critical infrastructure – a rather nebulous term used to cover power, communications, water and the other stuff that makes life relatively safe and bearable. The government only has oversight of around 20 per cent of this, with private companies running the rest.

After the Republicans enforced a filibuster, the bill failed to meet the 60 votes required at a 52-48 split, with five Republicans and five Democrats crossing the floor. The US Chamber of Commerce, a lobbying group which was in the vanguard of opposition to the bill, applauded the vote.

“While we thank the co-sponsors for their efforts on the issue of cybersecurity, the legislation voted down today would have given the federal government too much control over what actions the business community could take to protect its computers and networks,” Ann Beauchesne, its VP of National Security, told El Reg in an emailed statement.

Owing to the peculiar nature of the US legislative system, various irrelevant amendments were tacked onto the plan, including two to limit abortion, a motion to limit the sale of high capacity gun magazines, and an amendment by Senate Minority Leader Mitch McConnell (R-Kentucky) to repeal the Affordable Care Act.

The bill was watered down to make security standards voluntary, but that wasn’t enough to appease critics. The legislation also worried civil liberties groups with its lack of privacy protections, although these concerns were in part addressed.

“Regardless of today’s vote, the issue of cybersecurity is far from dead,” said Michelle Richardson, ACLU legislative counsel, in a statement. “When Congress inevitably picks up this issue again, the privacy amendments in this bill should remain the vanguard for any future bills. We’ll continue to work with Congress to make sure that the government’s cybersecurity efforts include privacy protections. Cybersecurity and our online privacy should not be a zero sum game.”

The failure of the bill will leave many in the security industry seriously concerned. At last month’s Black Hat and DEFCON meetings, current and former government representatives warned that the situation for the US in cybersecurity terms was dire. General Keith Alexander, director of the NSA and head of US Cyber Command, called for the hacking community to help keep America safe.

Based on what attendees were telling El Reg, the security community is perfectly happy to share information with the government, so long as it’s a two-way street. The most common complaint is that government wanted all their hacks, but offered nothing in return when it came to locking down anyone else’s systems.

The Cybersecurity Act would have formalized some kind of information sharing, and CISPA, which the House of Representatives has passed, also seeks to set up a framework for collating data. But the security industry hasn’t traditionally needed legislation to share information on a common threat.

Ever since the early days of the antivirus industry, the top researchers have shared information with commercial rivals on new threats. The first person to bag malware gets naming rights, but data is shared because security is more important than making a buck. This El Reg hack wonders if a similar system might work better than a government-mandated one for cybersecurity. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/02/senate_blocks_cybersecurity_bill/

Oi, missile boffins! Stop ogling web filth at work

Pentagon top brass have ordered missile defence boffins to stop using government computers to surf for porn.

An official memo, dispatched by Executive Director John James Jr, reprimanded employees and contractors over “inappropriate use of the MDA [Missile Defense Agency] network” over recent months.

“Specifically, there have been instances of employees and contractors accessing websites, or transmitting messages, containing pornographic or sexually explicit images,” James writes in a 27 July missive obtained by Bloomberg.

“These actions are not only unprofessional, they reflect time taken away from designated duties, are in clear violation of federal and Department of Defense regulations, consume network resources and can compromise the security of the network through the introduction of malware or malicious code,” he added.

Those caught misusing the network will face disciplinary action, including suspension or summary dismissal, the director warned, adding that sanctions apply equally to contractors and agency staff.

Agency spokesman Rick Lehner told Bloomberg that the memo was a response to “a few people downloading material from some websites that were known to have had virus and malware issues”.

The Missile Defense Agency is principally involved in developing defences against enemy ballistic missiles. The agency traces its origins back to Ronald Reagan’s Strategic Defense Initiative (AKA Star Wars) programme. Perhaps fortunately, the agency is not in charge of the US’s nuclear deterrent.

The Pentagon has requested a $7.7bn budget to run the agency next year. Its principal defence contractors include Boeing, Lockheed Martin, Raytheon, Northrop Grumman and Orbital Sciences. The agency itself and its contractors are prime targets for state-sponsored industrial espionage, which often uses advanced malware to infiltrate networks and steal information.

Dodgy porno websites are known to harbour malware, just like any sketchy corner of the internet. Using the sexual quirks of defence contractors to lure them into installing data-slurping software nasties is a somewhat scattergun approach – but it’s not beyond the realm of possibility. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/02/smut_warning_missile_defense_agency/

Blame crap mobe apps for swap-by-bonk hacks, say NFC bods

The Near Field Communications (NFC) Forum has defended its short-range radio standard, and blamed flaws in apps that use the tech for the security vulnerabilities revealed at the Black Hat conference last week.

Charlie Miller, best known for his work in exposing security weaknesses on Apple smartphones and desktops, demonstrated weaknesses in NFC implementations including Android Beam – which allows simple peer-to-peer data exchange between two Android-powered devices using the radio-tag tech – and Nokia’s NFC content-sharing and pairing tech. To do so, Miller tested Nokia’s N9 handset, an NFC handset which runs on the MeeGo system, and the Samsung Nexus S and Google Galaxy Nexus – both of which use Android Beam.

The security researcher began his work scanning the drivers, hardware and program stack on both Nokia MeeGo and Google Android for problems, using fuzzing, a software testing technique that injects random data to flush out bugs. He found some minor shortcomings using this approach, discovering a vulnerability in Android affecting all “Gingerbread” devices and “Ice Cream Sandwich” smartphones running flavours of Android prior to version 4.0.1.

But he was far more successful finding bugs at the application layer, involving the many applications that interface with NFC technology.

For example, an Android phone running the Android Beam app can simply touch another NFC-enabled Android in order to get it to load a webpage controlled by the toucher. This means the technology can be used to initiate an attack that involves content loaded into a browser, not just the relatively secure NFC driver and kernel stack, greatly increasing the potential for mischief.

The Nokia Content Sharing app running on the Nokia N9 with MeeGo offers a route into the same type of attack. As with Android Beam, Nokia’s Content Sharing app allows a user to force another person’s smartphone to load a web page without any user interaction. Disturbingly, this works irrespective of whether the “Confirm Sharing and Connecting” setting is enabled.

The Nokia smartphone is configured to automatically pair with Bluetooth devices when its NFC tag-tapping functionality is switched on. In cases where Bluetooth is disabled, the phone will actually turn Bluetooth on and pair with devices without asking for permission, unless Confirm Sharing and Connecting is enabled.

Miller pointed out, for example, that the OS-level handler for .png graphics files on the Nokia N9 contains known vulnerabilities. So a potential hacker would only need to force a targeted Nokia user to load a webpage containing PNG exploits in order to hijack his or her smartphone.

In one demo, Miller was able to view files on a targeted Android handset. Hacking the Nokia handset allowed Miller to send texts or make calls on the compromised device.

He concluded that NFC-enabled devices should offer an option to seek user confirmation before allowing data received over an NFC channel to be processed by an application, and that confirmation should be requested by default. NFC exploits are particularly nasty because, as things stand, certain smartphones can be made to download and execute a malicious payload without the user even knowing any interaction has occurred.

Miller’s presentation, Don’t stand so close to me: An analysis of the NFC attack surface, was one of the highlights of this year’s Black Hat USA conference.

The NFC Forum praised Miller’s work, and acknowledged the possibility of app bugs and implementation flaws, while stressing the overall robustness of NFC technology.

“Miller’s demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences,” the NFC Forum said in a statement published by NFC World. “The NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security.”

Debbie Arnold, director of the NFC Forum, told NFC World:

However, the NFC Forum works to ensure that tools are available to allow applications to operate with the appropriate level of security. These tools include: (a) Signature RTD (NDEF Signing), a specification the NFC Forum has released to digitally sign messages transmitted between devices and tags; (b) ISO/IEC 13157, a data link security standard to complement higher-layer security, originally developed by the standardization body Ecma International; (c) application security (end-to-end encryption) defined by the service provider; and (d) additional security layers in service providers’ respective back-end systems.

All of these activities and mechanisms work hand-in-hand. NFC solution providers may add security measures to their applications as they see fit, including both required and optional user actions to enable or disable functions.

Miller’s demonstration underscores the importance of providing appropriate security measures at the application layer and enabling users to adjust security settings to suit their own needs and preferences.

Smartphones from Google, Nokia and Samsung already ship with built-in NFC technology while Apple and Microsoft are both widely expected to add the short-range radio tech later this year. The killer application for the technology is “pay by tap”, which has prompted the launch of many competing mobile wallets, including Google’s Google Wallet, Orange’s QuickTap, Visa’s PayWave and MasterCard’s PayPass.

Additional security commentary on Miller’s presentation can be found in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/02/nfc_security/

New target for 419 fraudsters: Struggling ‘weak’ banks

Desperate banks have become the target for so-called 419 advance-fee fraud scams.

Increased regulatory scrutiny in the wake of the credit crunch and subsequent banking failures might be expected to deter banks from entertaining investment or deposit offers that come with up-front fees, payable by the bank, attached. But many banks might be prepared to take the risk because poor profits and earnings outlooks are enough to deter traditional investors, the Problem Bank List blog warns.

An estimated 772 banks – or almost 11 per cent of all Federal Deposit Insurance Corporation (FDIC) insured institutions – are on the FDIC’s Problem Bank List. These troubled institutions are being targeted by con artists posing as potential investors, prompting the US deposit insurance agency to put out a special alert last week warning about the scam.

The FDIC has become aware of multiple instances in which individuals or purported investment advisors have approached financially weak institutions in apparent attempts to defraud the institutions by claiming to have access to funds for recapitalization.

These parties also may claim that the investors, or individuals associated with the investors, include prominent public figures and that the investors have been approved by one or more of the federal banking agencies to invest substantial capital in the targeted institutions.

Ultimately, these parties have required the targeted institutions to pay, in advance, retention and due diligence fees, as well as other costs. Once paid, the parties have failed to conduct substantive due diligence or to actively pursue the proposed investment.

The FDIC goes on to warn banks to be wary of too-good-to-be-true investment offers, urging financial institutions to report suspicious activity.

You’d expect bankers to be wise to this sort of shenanigan, as the Problem Bank List blog notes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/02/struggling_us_banks_warned_over_419_scams/

DDoS crooks: Do you want us to blitz those phone lines too?

Cybercrooks are now offering to launch cyberattacks against telecom services, with prices starting at just $20 a day.

Distributed denial of service (DDoS) attacks against websites or web services have been going on for many years. Attacks that swamp telecoms services are a much more recent innovation, first appearing around 2010. While DDoS attacks on websites are typically launched from botnets (networks of compromised Windows PCs under the control of hackers), attacks on telecom lines are launched using attack scripts on compromised Asterisk (software PBX) servers.

Default credentials are one of the main security weaknesses used by hackers to gain initial access to VoIP/PBX systems prior to launching voice mail phishing scams or running SIP-based flooding attacks, say researchers.
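The credential-guessing that precedes a PBX takeover leaves a distinctive trail: a burst of failed SIP REGISTER attempts from one source, walking through extension numbers. The script below is an added example of detecting that pattern in Asterisk’s chan_sip log output; it is not from Arbor Networks or the article. The log lines are constructed, use RFC 5737 documentation addresses, and assume Asterisk’s logger is set to an ISO-style timestamp (`dateformat=%F %T` in logger.conf) rather than the default syslog-style date; the 60-second window, the five-failure threshold and the “four or more distinct extensions” enumeration rule are assumptions chosen for the example.

```python
"""Detect SIP registration brute force in Asterisk chan_sip logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in chan_sip's "Registration from ... failed" format.
SAMPLE_LOG = """\
[2012-08-02 10:15:01] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[2012-08-02 10:15:01] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[2012-08-02 10:15:02] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[2012-08-02 10:15:02] NOTICE[2210] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[2012-08-02 10:15:03] NOTICE[2210] chan_sip.c: Registration from '"104" <sip:104@203.0.113.10>' failed for '198.51.100.23:5061' - Wrong password
[2012-08-02 10:15:03] NOTICE[2210] chan_sip.c: Registration from '"105" <sip:105@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[2012-08-02 10:42:10] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[2012-08-02 10:59:55] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<frm>[^']*)' failed for '(?P<src>[0-9.]+):\d+' - (?P<reason>.+)$"
)
USER_RE = re.compile(r"sip:([^@>]+)@")  # pulls the attempted extension out of the From URI


def parse(log_text):
    """Return one event dict per failed-registration line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user = USER_RE.search(m["frm"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": user.group(1) if user else "?",
            "src": m["src"],
            "reason": m["reason"],
        })
    return events


def detect(events, window_s=60, threshold=5, enum_users=4):
    """Sliding-window count of failures per source IP.

    Raises one alert per source whose busiest window holds >= threshold failures.
    The alert is tagged as enumeration when many distinct extensions were tried,
    which is what a default-credential sweep across extensions looks like.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        best, start = None, 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            hits = evs[start:end + 1]
            if len(hits) >= threshold and (best is None or len(hits) > len(best)):
                best = hits
        if best:
            users = sorted({h["user"] for h in best})
            alerts.append({
                "src": src,
                "failures": len(best),
                "users": users,
                "enumeration": len(users) >= enum_users,
                "first_seen": best[0]["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        kind = "extension sweep" if a["enumeration"] else "password guessing"
        print(f"{a['src']}: {a['failures']} failures from {a['first_seen']} ({kind}); "
              f"extensions {', '.join(a['users'])}")
```

Feeding this the real `/var/log/asterisk/messages` is a one-line change; the more useful follow-up is to pair the alert with a block on the source address and a check that the extensions it tried do not still carry their default secrets.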

Telecoms-focused denial of service attacks are driven by the same sorts of motives as a DDoS on a website.

“Typical motives can be anything from revenge, extortion, political/ideological, and distraction from a larger set of financial crimes,” a blog post by Curt Wilson of DDoS mitigation experts Arbor Networks explains.

Many of the cybercrime techniques first seen while crooks blitzed websites with junk traffic are being reapplied in the arena of flooding phone lines as a prelude to secondary crimes, according to Arbor.

“Just as we’ve seen the Dirt Jumper bot used to create distractions – by launching DDoS attacks upon financial institutions and financial infrastructure at the same time that fraud is taking place (with the Zeus Trojan, or other banking malware or other attack technique) – DDoS aimed at telecommunications is being used to create distractions that allow other crimes to go unnoticed for a longer period.”

Arbor details an array of services offered by hackers, some of which offer to flood telephones (both mobile and fixed line) for $20 per day. The more cost-conscious would-be crooks can shop around for a service that offers to blitz lines for $5 an hour, the price offered in another ad spotted by the ASERT security research team.

As well as blitzing phone lines, other attacks against a targeted organisation’s VoIP system or SIP controllers are possible.

Poorly configured VoIP systems can be brought down even by something as simple as a port scan, Wilson notes.

“In such cases, an attacker could bring down an organisation’s phone system quickly if they were able to reach the controller. The benefits of proactive security testing can help identify such brittle systems ahead of time, before an attacker might latch onto the vulnerability.

“Any system is subject to availability attacks at any point where an application layer or other processor-intensive operation exists as well as the networks that supply these systems via link saturation and state-table exhaustion. Telecommunications systems are no exception to this principle, as we have seen. Clearly, there is money to be made in the underground economy or these services would not be advertised,” Wilson concludes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/02/telecoms_ddos/

India: We DO have the BlackBerry encryption keys

Indian government officials have apparently claimed that Research in Motion has handed over the skeleton keys used to encrypt BlackBerry communications – once again ignoring the fact that such keys don’t exist.

The Times of India has reported that RIM “agreed to hand over its encryption keys” to the Asian nation, and allowed lawful intercept of all email, messaging and other communications. The paper claims to have viewed internal government documents confirming this. According to the Times:

[RIM] has now handed over this infrastructure to Indian agencies, internal government documents reviewed by ET reveal.

Canada-based RIM has, as usual, not only denied handing over any keys but also reiterated that it couldn’t hand over keys that it doesn’t actually have.

BlackBerry users come in two varieties: corporate users connected to a BlackBerry Enterprise Server (BES), and consumers who connect to a RIM-managed BES. Corporate users create their encryption keys when setting up their BES, and communication between the handset and the BES is secured against all but the best-funded of governments. Consumers are issued a key by RIM, and connect to their geographically nearest – and RIM-managed – BlackBerry Enterprise Server (BES).

When BlackBerry Messenger (BBM – an instant-messaging service unique to RIM) was implicated in the 2011 riots, the UK police were able to wander along to the UK-based BES server and peruse all the messages and emails exchanged by rioters without breaking any encryption. The Data Protection Act provided all the power they needed, with RIPA providing police with similar access to companies running their own BES – though in that case, the biz owners themselves hold the keys, hence the problem with the Indian government’s claims.

The problem for India was that RIM had no local BES, so consumers were connected to one in Canada and subject to Canadian law. What seems likely, though RIM won’t confirm it, is that RIM now has a BES server located within India where the local authorities can browse communications just as easily as their UK counterparts.

But that’s no help against companies, or groups, who run their own BES (the basic version of which is free). Where a local BES is used, RIM never has access to the encryption keys, and RIM has resolutely resisted informal requests to create a back-door in their software – rightly believing that if such a move became public (as it inevitably would) it would destroy the only area (security) within which RIM still has credibility.

The Times of India claims a government spokesman told them that RIM had provided such a back door, but it’s not the first time we’ve heard a claim of this type. Back in 2010, the Indian government claimed RIM was providing access to communications, at least twice, then it made roughly the same claim in October 2011, and again in February this year, so these new claims have to be taken in that context.

The Indian government is trying to reassure its population (and voters) that no foreign company will prevent it from intercepting communications, but it risks its own credibility by repeatedly claiming to have access to encryption keys which simply don’t exist. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/02/rim_keys_india/

Dropbox blames staffer’s password reuse for spam flood breach

Web attic Dropbox has admitted spammers got hold of its users’ email addresses after an employee reused their work password on a website that was subsequently hacked.

Suspicions of a breach at the online storage service arose two weeks ago when punters received floods of unwanted messages touting gambling sites at addresses they used exclusively with their Dropbox accounts.

The company launched an investigation, which confirmed these suspicions were well-founded. Most of the blame was levelled at an unnamed employee who reused his or her Dropbox password for an account on a third-party website that was compromised.

Hackers used the stolen credentials to raid the staffer’s online locker, and found a document containing Dropbox usernames and registered email addresses. The company stated:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Dropbox failed to say how many account records had been compromised, stating that its investigation remains ongoing. In the meantime it has promised to introduce tougher security controls such as optional two-factor authentication systems for logins, “new automated mechanisms to help identify suspicious activity” and systems to force users to retire passwords that are weak or haven’t been changed in ages. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/08/01/dropbox_breach/

Tracking Android phones is easy, says researcher

To save time, battery life and processor cycles, smartphones don’t rely on “pure” GPS to fix their locations – they get help from location data in the mobile network. Research presented at Black Hat in Las Vegas last week cautions users that this represents a serious security vulnerability.

Under A-GPS (Assisted-GPS) schemes, the network can send current satellite location and time to the receiver, letting it acquire the signals more quickly; or the device can provide its GPS signal data to a server in the network for faster processing. Either way, the technology depends on the handset asking the network for help – and when that happens, location data is exchanged over the network.

The problems, according to University of Luxembourg researcher Ralf-Philipp Weinmann, are that requests for help are sent in the clear and are apparently easy to hijack.

For example, if an attacker had access to a WiFi network the phone connected to, its assistance request could be captured, and redirected to the attacker’s server. The attacker would now know where the phone is, and worse, that redirection would stay in place wherever the phone went in the future.

According to Technology Review, Weinmann described the attack as “rather nasty” since “if you turn it on just once and connect to that one network, you can be tracked any time you try to do a GPS lock”.

Because the processing is often handed off to the device’s main processor, Weinmann says, it could also act as a gateway for other attacks, from crashing the target device to planting malware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/31/a_gps_hijack/