STE WILLIAMS

Microsoft bundles BlueHat finalist tech into anti-exploit tool

Microsoft has beefed up one of its anti-exploit tools with technology from a $200K contest finalist.

Technology from a BlueHat Prize finalist Ivan Fratric, designed to mitigate attacks that leverage Return Oriented Programming (ROP), has already been incorporated into Redmond’s Enhanced Mitigation Experience Toolkit (EMET) 3.5 Technology Preview, released on Wednesday.

Fratric, a doctoral computer science researcher at the University of Zagreb in Croatia, developed ROPGuard to thwart attacks based on ROP, a hacker technique that involves combining short pieces of benign code for a malicious purpose. “ROPGuard defines a set of checks that can be used to detect when certain functions are being called in the context of malicious ROP code”, thereby protecting against attacks based on exploiting memory corruption vulnerabilities, Microsoft explains.

The EMET toolkit offers features to fine-tune enterprise configuration as well as event logging technology that permits real-time notification of exploitation attempts, among other functions.

The BlueHat Prize competition, which is aimed at nurturing innovation in exploit mitigations – by handing out more than $250,000 in cash and prizes as bait – was launched by Microsoft a year ago at the Black Hat security conference in Las Vegas.

All three finalists in the BlueHat competition have developed ROP exploit blockers of one type or another, with the best rated due to land the $200,000 first prize.

Online interviews with the trio can be found here.

Microsoft is due to announce the inaugural BlueHat Prize grand prize winner at its “researcher appreciation party” in Las Vegas later today, when the three finalists will find out which of them has bagged the top $200k prize. The runner-up gets $50k and third place gets an MSDN subscription valued at $10k.

In related news, Microsoft Security Response Centre released its annual report (PDF) on Wednesday. The progress report looks at how Redmond investigates third-party vulnerabilities and coordinates the release of security updates through Microsoft Vulnerability Research (MSVR), among other things.

The MSVR program reported 96 vulnerabilities to 39 different vendors over the last year. The 33-page progress report focuses on stats about bulletins and bug fixes since 2006. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/27/ms_bundles_bluehat_tech_anti_exploit_tool/

Apple disappoints at first Black Hat briefing

Black Hat 2012 Apple’s first Black Hat presentation was one of the most highly anticipated talks at this year’s infosec gathering in Las Vegas, but many delegates were left feeling more than a little short-changed.

The conference space for the presentation began filling up early, before the day’s keynote with Neal Stephenson had even finished, and it was standing room only by the time Dallas De Atley, manager of the platform security team at Apple, took to the stage.

But all delegates got was a rehash of the iOS security paper Apple released in May, with almost no new information. To add insult to injury, De Atley skipped the customary Q&A session and scuttled straight out of the hall once he’d finished his speech.

“This was one of the worst talks I have ever seen at Black Hat. Nothing new, no information and no questions. It was a vendor pitch. Too bad for all the other talks that got rejected because of this,” said attendee Moritz Jaeger on the Black Hat Facebook page.

As for the guts of the presentation, De Atley explained how Apple has combined hardware and software to reduce the risk of a successful hack. Each A5 processor has a unique identifier fused into the chip; it cannot be changed, and it is used to authenticate the device to the software.

In order to minimise the attack surface, Apple has stripped all unnecessary software out of iOS, De Atley said, with unneeded tools removed and no remote login support or shell. This is augmented by physically separating the operating system from user data, while all third-party applications are loaded into a sandboxed container and can’t directly access the operating system.

All third-party applications must also be approved by Apple, and are monitored both at installation and at runtime to avoid any funny business on the part of the developers.

Apple had plumped for a hardware encryption engine in iOS to save on battery life and processor load, he said, and the result was a system with full AES and SHA support that ensured the safety of users’ data. The company had designed iOS from the ground up to be secure, he said.

“Security is architecture,” he said. “You have to build it in from the very beginning. It’s not something you can sprinkle over the code at the end.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/27/apple_black_hat/

Chip and PIN keypads ‘easily fooled’ with counterfeit cards

Black Hat Retail Chip and PIN devices might easily be attacked using a specially prepared chip-based credit card, according to security researchers.

Researchers from British IT security company MWR InfoSecurity demonstrated the attack at a session during the Black Hat Security Conference in Las Vegas on Wednesday.

The researchers showed how a specially prepared chip-based credit card might be used to pay for an item. The PIN pad device produces a receipt that appears to authorise a payment that is never actually processed, thereby exposing merchants to fraud.

In a second demonstrated attack scenario, researchers showed how a specially prepared card containing malware can be used to infect a PIN entry device, installing code capable of harvesting card numbers and PINs from cards subsequently used on the compromised terminal. The attacker might be able to return later with another malicious card in order to collect harvested numbers and PINs before cleaning off the malware.

Cloned cards might subsequently be produced with counterfeit magnetic stripes. These cards might be used to withdraw funds from ATMs in countries where Chip and PIN is yet to be introduced.

MWR InfoSecurity has also identified examples of network and interface attacks, similar to those reported recently by German researchers SRLabs on other devices. The Basingstoke-based firm found the flaws during its ongoing research into secure payment technologies.

A statement by MWR InfoSecurity on its research was lacking in detail and no one from the firm could be reached for additional comment at the time of going to press. However, in a radio interview, Professor Ross Anderson of Cambridge University told the BBC that MWR has built on his group’s earlier research into the security of PIN entry devices.

Anderson described the work as “impressive”. “We had already known that you could disrupt the operation of a payment terminal by inserting a malicious programmed smartcard but what MWR has done is to develop this into an exploitable attack. It’s yet another vulnerability in the Chip and PIN system.”

MWR has notified the vendors involved but is withholding names and other details because the devices concerned are currently being used at thousands of retail outlets in the UK and around the world. It is urging an industry-wide review of retail Chip and PIN entry devices.

Don’t Panic

In a statement, the UK Cards Association said it was investigating the attack scenario while stressing that no attack of this type has actually been recorded.

We are currently assessing the implications of research by MWR InfoSecurity which, on the face of it, outlines a possible means of attack on PIN entry devices. Those seeking to commit fraud are constantly searching for new ways to breach the security of the payments system and we take all threats very seriously.

The attack described targets point-of-sale card acceptance devices in retail outlets. It is not an attack on chip cards themselves (including contactless cards) or cash machines.

Importantly, we have no evidence of this type of attack occurring, either in the UK or anywhere else in the world where Chip and PIN is in use. That said, working with partners across the industry, we are urgently identifying measures to exclude any risks.

Levels of card fraud are at their lowest since 2000. Card holders who are the innocent victims of fraud have excellent legal protection, meaning they will not suffer any financial loss as a result.

Ian Shaw, managing director of MWR InfoSecurity, said in a statement that the lack of security in Chip and PIN machines is putting millions of businesses around the globe at potential risk.

“Whilst criminal attacks are unlikely to be happening on a widespread basis currently, the vulnerabilities exist and previous patterns suggest that attacks like this are only a matter of time,” Shaw said. “We test a lot of technology used in sensitive banking and retail payment environments and were surprised at how vulnerable many PIN Pads are to these kinds of attacks.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/27/chip_and_pin_keypad_insecurity/

Stuxnet: ‘Moral crime’ or proportionate response?

Delegates at the Black Hat conference in Las Vegas are sharply split on the merits (or otherwise) of malware like Stuxnet that can be used offensively to take down infrastructure.

Stuxnet was the first malware that was publicly acknowledged to have been designed to take down physical equipment – in this case, Siemens supervisory control and data acquisition (SCADA) systems. According to recent reports it was developed by the US and Israel as part of Operation Olympic Games, a malware program started by former President Bush and expanded by the current administration.

“I think what you’re talking about is a moral crime,” said Marcus Ranum, faculty member of the Institute for Applied Network Security. “What you’re really doing is putting civilian infrastructure on the front line in this non-existent war. The military is basically saying ‘we’ve saved you a little old fashioned bombing – you should be happy,’ but that’s not appropriate.”

Ranum’s position brought applause from the audience, but others were less impressed. Black Hat founder Jeff Moss said that he was more supportive of using malware in this way, since it provided military options without the need to endanger human life.

“I’ve always thought that these were tools in the spectrum of proportional force in between harsh words and dirty looks and Mark II bombs,” said Moss. “Now instead of blowing up plants and killing people you can attack the equipment, and this is another notch on the proportionality meter. If you agree with that or not it’s a good tool to allow nation states to exert force without having to blow people up.”

Ultimately, however, such debate is slightly pointless, F-Secure’s top security man, Mikko Hypponen, told The Register. The industry should focus instead on practicalities.

“Ultimately the ethics of this don’t really matter – the decision has been made and this kind of stuff is going to be unavoidable.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/26/stuxnet_moral_crime/

Neal Stephenson on swordplay, space and depressing SF

Black Hat 2012 Renowned science fiction author Neal Stephenson gave a keynote address at the Black Hat conference in Las Vegas in which he outlined his ideas for realistic swordplay in gaming, the future of the space program, and how to make science fiction slightly more optimistic.

Stephenson said he’d been a cryptography geek since he was a child, when he’d make invisible ink using lemon juice. His father was involved in signals intelligence for the US government, but after an early foray into email encryption and privacy software, the younger Stephenson now eschews such methods. While technically they work, he said, they are socially unusable for efficient communication, and he was now “relaxed and fatalistic” about online security.

Similarly, he’s not a fan of social networking. He now maintains both a public and private Facebook page, but he only got on the network after discovering he had a fan page with over 10,000 fans. He’s also joined Twitter in the last few months, but pronounced his disappointment with the medium.

“My dream of Twitter was that it would be full of pithy little haiku-like messages,” he told interviewer Brian Krebs. “You do get a few of those, but most of it is just people embedding links that send you off to some other website, so it doesn’t save time or compress bandwidth at all.”

He is, however, a hardcore gamer, pronouncing Halo as his relaxation aid of choice. He’s even rigged an Xbox controller onto the arms of his elliptical machine so that he can play while working out, which he says helps make the time spent on the machine less boring.

Stephenson is a keen swordsman. He has a collection of weapons, mostly blunted for training purposes, and recently raised half a million dollars on Kickstarter to create a realistic sword fighting computer game. He’s now recruiting a small band of geeks to code the system, but said that more money might be needed as “half a million doesn’t get you very far in gaming.”

He has also acted as a consultant for Blue Origin, Amazon founder Jeff Bezos’ private space venture. Stephenson said that he is only tangentially involved these days, but was full of praise for the SpaceX program set up by PayPal co-founder Elon Musk.

Simply building a rocket that works is a phenomenal achievement in itself, he said, but Musk has also overcome some other problems that people don’t usually consider. Getting insurance on payloads, for example, is incredibly difficult if you don’t have a track record for actuaries to study, and the regulatory issues around launching can be huge.

While private efforts to get into space are proceeding well, Stephenson said that the initial space race “tanked.” That, he said, along with a slowing pace of technological advancement, had contributed to the science fiction genre shifting from the optimism of Clarke and Asimov to a darker, more dystopian bent. The first half of the 20th century had seen the development of flight, radio, television, and nuclear power, but lately new developments had been few and far between, he explained.

As part of an effort to get science fiction into a happier mode, he is taking part in a new book of optimistic SF entitled Hieroglyphs. Stephenson’s contribution will be a piece about building a 20km tall skyscraper, and he is working on the practical details needed for such a project with the engineering department of the University of Arizona.

With regard to his own novels, Stephenson said he is working with the British filmmaker Joe Cornish as part of long-term plans to bring his novel Snow Crash to the silver screen. Overall, however, he said that novels aren’t really right for making into films and that short stories translate much more readily to film.

Stephenson said he didn’t read science fiction for a long time, citing Heinlein as one of the few authors he read growing up. But in the 1980s he was inspired by the novels of Thomas Pynchon and William Gibson, who he said combined good SF with “respectable literary conventions.”

He tries for the same effect in his own work, he said, and also takes care to future-proof his work as much as possible. In his most recent book REAMDE, for example, he removed all mention of iPhones or BlackBerrys and replaced them with the simple word phone, which he says will age better. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/26/neal_stephenson_black_hat/

Windows worm slips into iOS App Store, climbs into hipsters’ pockets

An item of Windows malware has managed to make its way onto Apple’s iOS App Store. It’s likely to have been an accidental screw-up, but it nonetheless raises concerns about Apple’s app-screening process.

The malicious Windows executable was found by a user who downloaded an app called “Instaquotes-Quotes Cards For Instagram” from iTunes, after which his security software warned him that the file was infected with a worm. A closer look at the incident, which might easily have been a false alarm by his security software (a not infrequent occurrence), revealed that the threat was all too real.

The file contained a worm variously identified as CoiDung-A by Sophos, Worm-VB-900 by ClamAV and VB-CB by Microsoft. Apple pulled the Instaquotes app from the iOS App Store on Tuesday, shortly after it emerged that the app was tainted with malware. The worm at the centre of the security flap is quite old, and hence widely detected, and not especially potent.

The user who downloaded the app posted his discovery on the Apple Support Communities discussion board, where other users were quickly able to confirm that warnings generated by security software were well-founded.

MacRumors reports that the price of the app, which has been available since 19 July, was reduced from $0.99 to free this last weekend. It’s unclear how many people downloaded the app.

The malware can’t actually run on a Windows PC without first being extracted from the iOS application package, which means it is unlikely that even those Mac users who downloaded the app could spread it to Windows machines belonging to friends and colleagues. And, of course, iPhones and iPads can’t run Windows programs. The tainted app can’t infect a Mac OS X machine either.

What’s worse than a worm inside an Apple?

The spread of the malware was probably caused by the accidental infection of a developer’s computer, although deliberate infection can’t immediately be ruled out. The tainted app made it through Apple’s approval process, which has to be the main area of concern.

“Perhaps what’s most disappointing about the discovery of Windows malware inside an iOS app is that Apple doesn’t seem to have conducted a simple virus scan as part of its app-vetting process,” notes Joshua Long, in a post on Sophos’ Naked Security blog. “Just extracting all files from the package, and scanning them with anti-virus software, would have prevented the Windows malware from getting into the iOS App Store in the first place.”
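The check Long describes, as an added example (not Apple’s vetting process and not Sophos code): an .ipa is a zip archive, so every member can be unpacked and inspected for a Windows PE header regardless of its file name. The sample archive below is constructed in memory; the app name and member names in it are made up for the example.

```python
import io
import struct
import zipfile

# A Windows executable starts with the DOS "MZ" stub; the file offset of the
# "PE\0\0" signature is stored as a little-endian uint32 at byte 0x3C (e_lfanew).
MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew must land inside the buffer with room for the 4-byte signature.
    if e_lfanew + len(PE_MAGIC) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_MAGIC)] == PE_MAGIC


def scan_ipa(ipa_bytes: bytes) -> list:
    """Return the names of archive members that look like Windows executables.

    The extension is ignored on purpose: a PE file renamed to .dat or .png
    is still a PE file, and that is exactly what a signature check catches.
    """
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                data = member.read()
            if looks_like_pe(data):
                suspicious.append(info.filename)
    return suspicious


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable: DOS stub + PE signature + zeroed COFF header."""
    header = bytearray(0x40)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> right after the stub
    return bytes(header) + PE_MAGIC + b"\x4c\x01" + b"\0" * 22  # machine = i386, rest zero


def build_sample_ipa() -> bytes:
    """Constructed .ipa: a plausible bundle layout plus a PE hidden under a harmless name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Example.app/Info.plist", '<plist version="1.0"><dict/></plist>')
        # Mach-O 64-bit magic (0xfeedfacf, little-endian) stands in for the real app binary.
        z.writestr("Payload/Example.app/Example", b"\xcf\xfa\xed\xfe" + b"\0" * 60)
        z.writestr("Payload/Example.app/resources.dat", build_fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for name in scan_ipa(build_sample_ipa()):
        print("Windows executable inside bundle:", name)
```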

Earlier this month, Apple approved another questionable iOS app. Find and Call collected contact information from smartphones before uploading this data and sending SMS text message spam to a user’s contacts, all without warning the user or asking for permission.

The malware embedded in Instaquotes cannot cause any direct harm to Apple smartphones and tablets, unlike Find and Call. However the appearance of a tainted copy of Instaquotes just weeks after the Find and Call security flap suggests it would be unwise to assume Apple’s iOS App Store “walled garden” was impregnable.

In fairness, it ought to be pointed out that iOS malware, certainly on devices that have not been jailbroken, had been virtually unheard of for five whole years from the launch of the App Store up until the start of this month – a huge achievement. ®

Bootnote

Users of Mac desktops who are conscious about internet hygiene often run anti-virus software for much the same reason that it’s a useful addition on Linux file-servers and mail-servers: to clear out any Windows-based malware. Even though these machines can’t catch a Windows bug they can become “Typhoid Marys” that spread infection. The Flashback Trojan finally proved that Mac malware was a problem and isolated cases of Linux worms have cropped up occasionally for years, but Windows malware remains the biggest enemy.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/26/windows_malware_ios_app_store_shocker/

Girls tricked with STEAMY message: Webcam spyware student jailed

A cyberstalking computer science student who tricked women into taking computers with hacked webcams into steamy shower rooms has been jailed for 12 months.

Trevor Timothy Harwell, 21, of Fullerton in California, will be forced to spend five years on probation following his release and ordered to complete a sex offender treatment programme after he was convicted of illegally installing spyware on six women’s computers in order to capture images and videos for his “subsequent sexual gratification”. Fullerton pleaded guilty to six felony counts of computer access and fraud, a statement by Orange County prosecutors on the case explains.

Cyberstalkers have been getting their rocks off by secretly snooping on female victims via webcams for several years. In some cases, young women and girls have been blackmailed into performing further nude poses and sex acts by hackers threatening to distribute the compromising images they had already captured of their victims via the internet.

Harwell added a twisted refinement to the basic scam by making sure infected computers displayed a bogus error message to increase the chances of capturing nude pictures and movies.

The bogus error message stated: “You should fix your internal sensor soon. If unsure what to do, try putting your laptop near hot steam for several minutes to clean the sensor.”

Despite the implausibility of this message, several women were nonetheless tricked into taking their laptops into their bathroom while taking a steamy shower.

Harwell was able to install “CamCapture” spyware onto victims’ computers in the first place because he worked part time as a computer repairman, specialising in fixing Macs, starting in June 2009. Harwell met his six identified victims through friends and his church before gaining access to their computers under the pretense of providing computer support. The scheme was exposed after two of his victims, who happened to be sisters, observed that the computer camera was irregularly blinking and took it to be repaired at a different shop.

The presence of spyware was detected and the matter was reported to police who opened an investigation that identified four other victims as well as fingering Harwell as a prime suspect in the case. Thousands of secretly taken still images and videos were found on Harwell’s computer. He was charged in June 2009.

Additional commentary on the case can be found in a blog post by Graham Cluley of Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/26/webcam_spyware_pervert_jailed/

Anonymous hit Melbourne IT to find AAPT documents

Anonymous says it will shortly release a sample of material it has obtained from Australian Internet Service Provider (ISP) AAPT.

In a chat room this morning, the group linked to AAPT’s Wikipedia page, making that ISP the likely target. The group has also insisted, on Twitter, that the leak is not fake and that the ISP concerned knows what is happening.

Anonymous representatives have also said, in the same chat room, that the group’s attack was not on AAPT itself but on a ColdFusion server hosted at Melbourne IT. ZDNet reports that AAPT and Melbourne IT have both acknowledged the breach.

Anonymous has also, on its internet radio channel, articulated a raison d’être for the release, with a person identifying themselves as “Lorax” stating that the release will serve as an example of how unsafe personal data will be under the Australian Government’s proposed data retention laws.

Chat-room discussion has also suggested the group will release portions of data that in some way embarrass the Australian government.

We’ll update this story as more details emerge. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/25/anonymous_names_au_target/

Cyber gang made £30 MILLION from fake gov certs

Chinese police are celebrating the arrest of a nationwide cyber crime gang suspected of making over £30 million by selling fake professional qualifications, which they helped to produce by hacking into government web sites.

Police have arrested 165 people so far, scattered across 12 provinces. A whopping 185 government sites are thought to have been breached by the gang, according to China Daily.

The group made their money by selling fake qualifications certifying the recipient in fields such as medicine, financial services and architecture, with over 30,000 people suspected of having bought the dodgy certificates.

The gang’s USP, and the reason it could charge up to 10,000 yuan (£1,000) per certificate, was that it could hack the relevant government site and tamper with the back-end database to ensure that the fake cert’s name and registration number appeared legitimate.

Police in Jieyang, Guangdong province cracked the case when city officials raised the alarm after spotting that an illegal link had been added to one of the local government web sites.

The gang was found to be a highly organised and extensive network of individuals, each with different responsibilities – some would hack the government sites, some would manufacture the certificates and seals, others would advertise their services, and so on.

“The gang tampered with official databases or added links to external databases so that if anyone checked up on the fake certificates, the client’s name would appear,” said Chen Xiaoping, head of Jieyang police’s cyber crime unit.

“They have a strong idea on how not to get caught. They used overseas servers and bank accounts of strangers, whose details were bought online.”

Roy Ko, centre manager of the Hong Kong Computer Emergency Response Team (HKCERT), said the news was not surprising, given the huge demand for professional qualifications in China which already leads to widespread cheating at exams.

“Hacker groups will do anything to optimise their profit, by the easiest means. Obtaining personal credentials and re-selling them cannot generate quick money,” he told The Reg.

“There were already channels to get fake certificates. This is just going one step further, to ensure the fake certificates can actually be found on official web sites.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/26/fake_qualifications_scam_busted/

AAPT confirms attack, through Melbourne IT

AAPT has issued a statement in which it confirms one of its servers has been attacked, and data downloaded.

Anonymous claims it is the perpetrator of the attack and has been promising imminent release of documents that it says will embarrass the federal government.

AAPT CEO David Yuile has issued a statement that says, in SHOUTY CAPS, that:

IT WAS BROUGHT TO OUR ATTENTION BY OUR SERVICE PROVIDER, MELBOURNE IT, AT APPROXIMATELY 9.30PM LAST NIGHT THAT THERE HAD BEEN A SECURITY INCIDENT AND UNAUTHORISED ACCESS TO SOME AAPT BUSINESS CUSTOMER DATA STORED ON SERVERS AT MELBOURNE IT. AAPT IMMEDIATELY INSTRUCTED MELBOURNE IT TO SHUT DOWN THE SERVERS WHEN WE WERE NOTIFIED OF THE INCIDENT.

Yuile goes on to say that an internal investigation suggests just two files were accessed. The data they contain is described as “historic” and containing “limited personal customer information.”

He also says the servers have not been connected to AAPT’s networks for a year, nor accessed for that period.

All of which probably represents a lesson in virtual machine sprawl, but that’s probably something to discuss another day.

Yuile says AAPT has told the authorities what’s up, will get in touch with customers mentioned in the files and, in more SHOUTY CAPS:

“IS TREATING THIS MATTER WITH THE UTMOST SERIOUSNESS.”

An Anon, meanwhile, told The Reg the data “will be leaked when it is leaked.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/26/aapt_confirms_anonymous_hack/