STE WILLIAMS

Kaminsky takes on censorship with info-mapping tools

Black Hat 2012 When he’s not working on DNSSEC, Dan Kaminsky is taking on censors, both in government and in private industry, with plans for a series of user-friendly tools that will map out where information is being deleted or blocked online.

Last year Kaminsky released his n00ter tool, which mapped internet traffic speeds to spot any monkey business by ISPs on the censorship front. But the tool was difficult to install and use and lacked wide support, he acknowledged in his presentation at this year’s Black Hat conference in Las Vegas.

To rectify this he’s working on a new system, due to be released in the next few months, which will be a simple browser add-on that can map out where censorship is occurring. Kaminsky said that he wasn’t looking to run a censorship information service himself, but to provide a large data set to privacy organizations that do, like OONI-Probe, Herdict, and the EFF.

“It’s crowdsourcing censorship detection,” he explained. “The internet is becoming less and less flat every day. The actual content that you see on the network is changing based on where you are because ISPs and governments are altering content.”

Censorship needs to be pointed out, warns Kaminsky

Kaminsky cited the example of Verizon, which is currently trying to contest the Federal Communications Commission’s Open Internet Order, which insists that ISPs can’t censor content for payment, or if they disagree with it. Verizon is claiming that it can do what it likes with content under First Amendment free speech rules.

“Just as a newspaper is entitled to decide which content to publish and where, broadband providers may feature some content over others,” Verizon said in its filing. “Although broadband providers have generally exercised their discretion to allow all content in an undifferentiated manner, they nonetheless possess discretion that these rules preclude them from exercising.”

Kaminsky’s plan is to release a tool which will capture the actual identity of the certificate used in a connection, to counter spoofing and intervention by third-parties. This will collect a data set and allow users to know just how their connections are being managed.

“My goal here is transparency,” he said. “If networks are going to be blocking or altering content, let that be transparent, and let us have that political discussion about what that means. We can’t have the discussion until there’s awareness and these tools exist to increase that.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/26/kaminsky_censorship_tools/

AAPT likely victim of Anonymous leak

Anonymous says it will shortly release a sample of material it has obtained from an Australian Internet Service Provider (ISP).

In a chat room this morning, the group linked to AAPT’s Wikipedia page, making that ISP the likely target. The group has also insisted, on Twitter, that the leak is not fake and that the ISP concerned knows what is happening.

The group has also, on its internet radio channel, articulated a raison d’être for the release, with a person identifying themselves as “Lorax” stating the release will serve as an example of how unsafe personal data will be under Australian Government’s proposed data retention laws.

AAPT’s consumer business was acquired by iiNet in 2010, so it seems likely Anonymous will reveal details of its business customer database and try to reveal how the government uses the Internet.

Another possibility could see the data dump reveal details of former AAPT customers now under the iiNet umbrella, perhaps with personal details of politicians’ internet use.

We’ll update this story as more details emerge. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/25/anonymous_names_au_target/

Foreign intelligence agencies are biggest online threat, ex-Fed warns

Black Hat 2012 Former FBI executive assistant director Shawn Henry has warned that the biggest threat online comes not from terrorists or hackers, but from foreign intelligence organizations looking to steal intellectual property.

“The threat from computer attack is the most significant threat we face as a society, other than a weapon of mass destruction,” he said in his opening keynote at the Black Hat 2012 conference in Las Vegas. “Everything we do – R&D, intellectual property, and corporate strategies – is stored or transmitted electronically. The DNA of companies is available to bad guys.”

Henry said that the FBI had seen cases where a company had lost a billion dollars of intellectual property in a weekend. Other companies were facing a stacked deck in trade negotiations, he said, because all too often their opposite numbers know what their negotiating positions will be.

Some might say this is a case of the pot calling the kettle black. It has been over a decade since the first complaints from the EU that the ECHELON eavesdropping system was being used to spy on competitors of US corporations – but when El Reg raised this, Henry denied that the US had ever carried out such spying.

Spies like us play nice, Henry asserts

This may be true now, but it was not always so, said Marcus Ranum, a Black Hat alumnus and faculty member of the Institute for Applied Network Security.

“Our entire industrial revolution was based on stolen European technology,” said Ranum. “We’re complaining now we are on top, but it’s buyer’s remorse. There are a lot of corporations who exposed far too much information online, and rather than fixing the problem, let’s blame the Chinese.”

The answer to the cybersecurity conundrum, Ranum opined, was to get a lot more proactive against threats by sharing information between the government and the private sector. There are a number of bills being considered by Congress to make this easier, and he acknowledged that in the past this had been too much of a one way street, with the government taking in information but not sharing it.

A proactive response doesn’t mean the NSA hacking the hackers, he said, but instead taking an attitude to building defensive systems so that if and when a breach occurs, the attackers either don’t get the information they are after, or they get wrong information.

“There’s denial and deception, corrupt packets and misinformation, so that when you sit down at negotiation they have the wrong answers to the test,” he said. “You can cause them pain if they’ve spent four months and two zero-day attacks to get on there and then find they have the wrong missile and it doesn’t even work.”

Rather than basing CSO and CIO bonuses on stopping breaches in the network, companies should aim to find out about a breach quickly after they happen, he said. A secure perimeter is impossible; instead, we need to work on mitigation, and that would take the active support of Black Hat delegates.

While the industry has woken up to this threat in the last few years, there were still not enough people taking it seriously, Henry said, adding that it will take a serious physical attack launched online to put it to the top of the agenda. The intelligence community had heard of Osama bin Laden for years, but it wasn’t until the world watched the planes hitting the buildings that the threat was taken seriously. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/25/fed_foreign_intelligence_threat/

Let’s talk about the RBS IT cock-up

Live chat One month ago a rookie IT mistake crippled the banking network of the RBS Group.

Sixteen million customers – individuals and companies – of RBS, NatWest and the Bank of Ulster were locked out of accounts, unable to withdraw cash or pay into accounts for days.

The cause? An “inexperienced operative” pressing the wrong button on a rather routine CA-7 batch processing job.

And although RBS denied it, The Reg uncovered that the person responsible worked offshore – in one of many positions sent abroad as part of wide-ranging outsourcing to cut costs and so-called efficiencies.

Join Reg reporter Anna Leach, who nailed the story, city IT recruitment expert Dominic Connor and fellow Reg readers for a one-hour, post-work, interactive Live Chat on the IT meltdown and for an update one month on. We tackle:

  • What has RBS done to fix the problem?
  • Could this hit other banks?
  • What was the role of Computer Associates and who is really to blame?
  • Will/should heads roll?
  • What does this mean for your job?
  • Does this spell the end of cheapo outsourcing deals?

Join the discussion below at 19.00 BST (18.00 GMT) on 25 July for Q&A and convo. You can register before the Live Chat for free and receive an email reminder before we go live.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/20/rbs_meltdown_live_chat/

Forget widgets, invest in staff say Black Hat alumni

Black Hat 2012 Five of the speakers at the original Black Hat conference in 1997 have been reunited at this year’s session to discuss the next 15 years of security, and all agree that people are the key investment area, not gadgets.

“The best return is on your employees,” said Black Hat founder Jeff Moss. “I rely on people, not on a widget. I can get all the widgets I need for free from the great open source community.”

Good security staff are key, of course, he said, but you also need good people managers who can understand how to use people in the right role and manage their output. Marcus Ranum, a Black Hat alumnus and faculty member of the Institute for Applied Network Security, agreed, highlighting forensics and malware specialists, but said that there was also a need for generalists who could see the bigger picture.

Ranum pointed out that virtually no-one runs their own payroll systems anymore; they hire a service to do it for them. To secure this, you don’t need a specialist in a particular payroll system, but a generalist who understands how any service will interact with on-premise software.

Security guru Bruce Schneier highlighted the need for staff who are familiar with the legal and regulatory environment, but said that the most important skill for the future CSO is knowing how to regain a measure of security after a system has been broken and to analyze what is missing.

“You want to make sure the breach is short and you can recover and go after the bad guys before they do even more damage,” he said. “As an industry we’ve been telling people ‘Buy our stuff and you’ll magically be safe.’ I like that we’re now saying, ‘God you’re screwed, buy our stuff after the fact – that’s a lot more realistic.'” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/25/staff_not_widgets_black_hat/

Anonymous to expose 40GB of ISP data

Anonymous is preparing to reveal 40GB of data its members say came from an Australian internet service provider (ISP) and contains “600k+” of customer data.

The Reg understands a “sample leak” will be released later today and that the organisation will take care to protect individuals’ personal details.

The activist collective yesterday took credit for a series of defacements of Queensland government websites and has since contacted other media outlets, telling them that it intends to release customer data from an Australian ISP.

The @Op_australia Twitter feed recently promised it is “almost there” on “something big”. Comments on an Anonymous-aligned IRC channel offered the mention of 600,000 customers and references to the sample leak.

The 600,000 figure means the data almost certainly comes from one of Australia’s largest ISPs. Telstra and Optus are both known to have millions of subscribers, while iiNet has stated it has 1.3 million.

Among smaller ISPs, TPG’s most recent half year report says it has 567,000 subscribers, placing it ahead of the likes of Exetel, Adam Internet and Netspace. iPrimus is probably also below the 600,000 customer threshold, making it likely that Anonymous will embarrass Telstra, Optus or iiNet … with TPG also a chance of hitting the headlines for all the wrong reasons. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/25/anonymous_isp_data/

Mac malware Crisis as Apple lets slip its Mountain Lion

Miscreants have developed a sophisticated multi-platform attack dog designed to maul Windows and Mac OS X computers.

The malware comes bundled in a Java Archive file which pretends to be Adobe Flash Player, named AdobeFlashPlayer.jar. Inside the malicious archive is a .class file named WebEnhancer, and two files named win and mac. The WebEnhancer applet decides whether the user opening the file is running Microsoft Windows or Apple Mac OS X before pushing the corresponding software nastie.
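The dropper layout described above (a JAR posing as a Flash installer, a WebEnhancer class, and raw win and mac payload entries) lends itself to a simple structural triage check. The following is an added example, not code from the article or from Intego or Sophos; it builds a constructed sample JAR in memory with placeholder bytes rather than any real malware, and the indicator names are taken from the article.

```python
import io
import zipfile

# Indicators taken from the write-up: a JAR posing as Adobe Flash Player,
# containing a WebEnhancer class plus payload entries named "win" and "mac".
SUSPECT_CLASS = "WebEnhancer.class"
PAYLOAD_ENTRIES = {"win", "mac"}


def jar_entries(jar_bytes: bytes) -> list[str]:
    """Return entry names from a JAR (a JAR is an ordinary ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def triage_jar(jar_bytes: bytes, filename: str) -> dict:
    """Score a JAR against the dropper's layout and return the findings."""
    names = jar_entries(jar_bytes)
    basenames = {n.rsplit("/", 1)[-1] for n in names}
    findings = {
        "claims_flash": "flash" in filename.lower(),
        "has_webenhancer": SUSPECT_CLASS in basenames,
        "payload_entries": sorted(PAYLOAD_ENTRIES & basenames),
        "manifest_present": "META-INF/MANIFEST.MF" in names,
    }
    # A Flash "installer" shipped as a JAR is odd on its own; the platform
    # selector class together with both raw payload blobs is a full match.
    if findings["has_webenhancer"] and len(findings["payload_entries"]) == 2:
        findings["verdict"] = "match"
    elif findings["claims_flash"] or findings["has_webenhancer"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


def build_sample_jar(entries: dict[str, bytes]) -> bytes:
    """Constructed test fixture: build an in-memory JAR from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mimicking the layout described in the article; the
# payload entries are placeholder strings, not real malware bytes.
SAMPLE_DROPPER = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "WebEnhancer.class": b"\xca\xfe\xba\xbe placeholder class bytes",
    "win": b"placeholder windows payload",
    "mac": b"placeholder mac payload",
})

if __name__ == "__main__":
    print(triage_jar(SAMPLE_DROPPER, "AdobeFlashPlayer.jar"))
```

The check keys only on entry names, so it is a triage aid for sorting samples, not a replacement for scanning the class and payload bytes themselves.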

If run on an OS X system the malware drops multiple components, reconfigures system settings and installs a backdoor and rootkit combination onto infected machines. The Mac OS X component of the malware – called Crisis or Morcut – arrives on the eve of Apple’s release of Mac OS X Mountain Lion, but this is probably a coincidence. The new operating system build goes on sale today.

When run on a Windows system, a version of the Swizzor malware is installed instead.

The Mac malware uses anti-analysis and stealth techniques that are uncommon among OS X malware but have been a mainstay of the Windows malware landscape for several years, as a write-up on the threat by Mac security specialists Intego explains. The threat can install itself on Mac systems without requiring a password.

The threat has not appeared in the wild, but its complexity and use of clever infection techniques point to possible infections in future.

Samples of the malware were submitted to the VirusTotal website but it’s unclear who created it or what their motives might be. VirusTotal routinely shares samples of malware submitted to the site with anti-virus firms.

An overview of the overall threat, including how it works on Windows machines as well as Macs, can be found in a blog post by Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/25/mac_crisis_malware/

Siemens squashes Stuxnet-like bugs in SCADA kit

Siemens has corked vulnerabilities in its industrial control kit similar to those exploited by the infamous Stuxnet worm.

Security bugs on the German manufacturer’s Simatic Step 7 and Simatic PCS 7 SCADA control software created a means to load malicious dynamic-link library (DLL) files. This is the type of flaw exploited by the Stuxnet worm, which used DLL hijacking techniques in Step 7 software to infect systems controlling high-speed centrifuges at Iranian nuclear facilities. It is not clear, however, whether or not this specific bug was used in the Stuxnet attack.

Siemens said that previous versions of its Step 7 and PCS 7 software allowed the loading of DLL files into the Step 7 project folder without validation – giving the malware free rein to attack the SCADA systems. The firm fixed the flaw by introducing a mechanism that rejects the loading of DLL files from the folder – effectively blocking the path to possible infection, an advisory by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) explains [PDF].

A second update [PDF], also released on Monday, deals with SQL Server authentication security flaws in Siemens’ Simatic WinCC and Simatic PCS 7 software. Left unfixed, the vulnerability created a means for hackers to get into targeted systems using default credentials.

Siemens issued a series of patches in the wake of the discovery of the Stuxnet worm back in 2010 but this failed to placate critics, including Ralph Langner, who claimed last year that many shortcomings in Siemens’ supervisory control and data acquisition (SCADA) systems remained unpatched.

Stuxnet used an array of Windows-based zero-day flaws, configuration weaknesses and security bugs in SCADA systems to infect a system and spread across it. So even though the main Windows-based attack vector was patched relatively quickly, concerns remain about the security of industrial controls software, which is often overlooked when it comes to patching. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/25/siemens_scada_security/

Symantec bundles CEO out the door, parachutes in chairman

Analysis Software jack-of-all-trades Symantec has replaced dapper CEO Enrique Salem with board chairman Steve Bennett. Salem, we think, got the bullet for failing to conquer the mobile security market, his handling of the Backup Exec outrage, and his humdrum financial performance.

The company’s profit dipped this quarter, the first financial period of 2013, to $172m, down 9.5 per cent compared with the same three months a year ago. This figure is well down from $559m recorded in the previous quarter, which was bulked up by a payment from Huawei when the telco equipment giant bought out the Huawei-Symantec joint venture.

Revenues in Q1 2013 were up just 1 per cent year-on-year to $1.668bn, the seventh quarter in a row of $1.6 to $1.7bn sales. Salem had been tasked with lifting Symantec out of its revenue doldrums, relatively speaking.

Symantec’s figures to Q1 FY2013

The fact that Symantec’s board chairman is taking over indicates that Salem has gone with some haste: there has been no succession plan for this situation, that much is clear. Bennett said in a statement:

Enrique Salem has been a significant contributor during his 19 years’ associated with Symantec, including the last three years as CEO. While progress has been made over the last three years in many areas, it was the board’s judgment that it was in the best interests of Symantec to make a change in the CEO.

Enrique Salem

Bennett vented the board’s frustration thus: “My view is that Symantec’s assets are strong and yet the company is under-performing against the opportunity. I’m looking forward to working with the team to build upon the significant assets in place to help Symantec accelerate value creation for all of its stakeholders.”

Symantec has a new lead independent director who can make comments on the business inappropriate for a chairman or CEO. That person is Dan Schulman, who said: “The board’s decision to make a leadership change was not based on any particular event or impropriety but was instead made after ongoing consideration and a deliberative process.” Translation: Enrique, we thought long and hard, and we reckon it’s time Symantec backed up to another chief exec – just our little joke, there.

Being told Salem made a significant contribution in the circumstances but not thanked speaks volumes.

Steve Bennett

Bennett joined Symantec’s board in February 2010 after he was president and CEO of Intuit for eight years. He looks like a permanent rather than a stopgap CEO for Symantec, and said he viewed the job as a three or five-year task, followed preferably by an internal replacement. He said: “We are making progress on many fronts, but we believe we can further accelerate the company’s value to employees, customers, partners and shareholders.” Not good enough, in other words.

Symantec’s sales in the consumer segment have eroded under competition from increasingly capable freebie gear from the likes of AVG, Avast and Microsoft.

In addition the firm failed to switch away from its traditional software renewal business or set the world alight in the storage and system management market.

Less tangibly, Salem came across as a grey bureaucrat, hopelessly outgunned in the battle for big ideas when put against more charismatic figures such as Eugene Kaspersky, and seemingly without the ability to fire up Symantec’s sales team or channels.

As chief operating officer, Salem also earned the ire of its distribution network by dissing US resellers behind closed doors.

Chief financial officer James Beer said today: “We saw strength in endpoint protection, consumer security, authentication services, data loss prevention, and backup appliances.”

Here’s the company’s latest results breakdown:

  • Consumer products contributed $521m, 31 per cent of total revenues, and decreased 1 per cent year-on-year.
  • Security and Compliance contributed $501m, 30 per cent of revenues, and increased 7 per cent annually.
  • Storage and Server Management contributed $584m, 35 per cent of revenues, and decreased 2 per cent annually.
  • Services contributed $62m, 4 per cent of revenues, and declined 2 per cent annually.

Revenues from the Clearwell and Live Office acquisitions generated $24m.

In the earnings call Bennett admitted that the Backup Exec product faced challenges – a major update upset a lot of people. He said Symantec will work to get it back on track.

Bennett will undertake a 90 to 120-day tour of the company to chat to employees. He’ll probably make some short-term decisions but couldn’t say or wouldn’t say what they are right now. He seemed particularly keen on a Symantec eCommerce engine, though. Positioning Symantec as the mobile security market leader is a priority for him.

He also said Symantec generates more cash than it needs to run day-to-day and make any desired acquisitions – so he’ll help decide how to return any excess cash to shareholders, implying share re-purchases and/or dividends.

Asked if Symantec should be restructured and possibly broken up he said: “I start with a clean sheet of paper. The most important thing is strategy, and structure follows strategy. … I believe our assets are better than our performance and I need to understand what’s in the way.”

The estimated revenue for the next quarter lies between $1.635bn and $1.665bn, a decline of between 1 and 3 per cent year-on-year – more of the same, as it will be too soon for any new Bennett broom to have an effect. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/25/symantec_ceo_change/