STE WILLIAMS

Microsoft ‘hardens’ Windows Update from Flame penetration

Microsoft has “hardened” its Windows Update system after researchers discovered that the Flame malware can spread to PCs by delivering itself as a Windows Update, signed so that it passes as official Microsoft software.

The sophisticated worm had been hurtling through computers in the Middle East and beyond for up to two years before being unearthed by security experts late last month. Now it has emerged that the malware signs its malicious code with a certificate chained to Microsoft’s Terminal Services Licensing certificate authority, a skeleton key that tricks Windows machines into trusting and installing its executables as if they came from Microsoft.

Redmond said in a blog post yesterday that it was continuing to analyse Flame and repeated that it would “evaluate additional hardening of both the Windows Update channel and our code signing certificate controls”.

It warned any customers who do not have Windows Update set to install updates automatically to install the latest patch immediately, which will thwart Flame’s man-in-the-middle attack. Microsoft explained:

To attack systems using Windows Vista and above, a potential attacker would have needed access to the now invalid Terminal Server Licensing Service certificates and the ability to perform a sophisticated MD5 hash collision.

On systems that pre-date Vista, an attack is possible without an MD5 hash collision. In either case, of course, an attacker must get his signed code onto the target system. This can be done if the client’s Automatic Update program receives the attacker’s signed package because such packages are trusted so long as they are signed with a Microsoft certificate.

Windows Update can only be spoofed with an unauthorised certificate combined with a man-in-the-middle attack. To address this issue, we are also taking steps to harden the Windows Update infrastructure and ensure additional protections are in place.

Microsoft added that it had waited until it was clear that most of its customers were protected against the malware before publishing more details about how so-called “cryptographic collisions” had been used in those attacks.

Earlier this week, virus protection vendor Symantec described exactly how Flame, AKA Flamer, could spread on local networks.

The security company noted: “One of the methods is to hijack clients performing Windows Update. Three Flamer apps are involved in delivering the rogue update: SNACK, MUNCH, and GADGET.”

SNACK sniffs NetBIOS name requests on the LAN and answers those looking for a Web Proxy Auto-Discovery Protocol (WPAD) server, so that victims fetch a rogue configuration file (wpad.dat) from the infected machine. That file points their proxy setting at the infected host, effectively hijacking the victims’ web traffic and redirecting it through the malware, Symantec said.

MUNCH – a web server within the Flame code – would then chow down on the redirected traffic, watching for requests whose URLs match those used by Microsoft’s Windows Update client.

The final part of the puzzle was GADGET, a module which Symantec said supplied a binary signed with the rogue Terminal Services certificate, served through the MUNCH web server in place of the real update, which fooled the client into believing it was the genuine article from Microsoft.

“The binary is downloaded by the uninfected computer as if it is a legitimate Windows Update file and is executed. The binary is not Flamer itself, but a loader for Flamer. One sample of this binary refers to itself as TumblerEXE.exe,” Symantec explained.
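The first stage of that chain, SNACK answering NetBIOS name queries for WPAD, is the part a defender can see on the wire. The following script is an added example, not code from Symantec, Microsoft or Flame: it builds and parses NetBIOS Name Service (NBNS) packets according to RFC 1001/1002 and flags any host that answers a WPAD name query. The traffic and addresses (192.0.2.x) are constructed for the demo; on a real network you would feed it UDP/137 payloads from a capture. WPAD is meant to be supplied by DHCP or DNS, so a LAN host answering for the name over NBNS is either misconfigured or spoofing.

```python
"""Spot hosts answering NetBIOS name queries for WPAD (the SNACK stage)."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

NB_RR_TYPE = 0x0020          # NetBIOS general name service record type
FLAG_RESPONSE = 0x8000       # QR bit in the NBNS header flags
FLAGS_BCAST_QUERY = 0x0110   # query, recursion desired, broadcast
FLAGS_POS_RESPONSE = 0x8500  # response, authoritative, recursion desired


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: 15-char space-padded name plus a suffix
    byte, each byte split into two nibbles offset by 'A', as one 32-byte label."""
    padded = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    label = bytearray()
    for b in padded:
        label.append((b >> 4) + 0x41)
        label.append((b & 0x0F) + 0x41)
    return bytes([len(label)]) + bytes(label) + b"\x00"  # label + empty scope


def decode_nb_name(label: bytes) -> str:
    """Inverse of encode_nb_name for the 32 encoded bytes (suffix dropped)."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()


def build_query(tid: int, name: str) -> bytes:
    """A client's broadcast name query, as Windows sends when looking up WPAD."""
    header = struct.pack("!6H", tid, FLAGS_BCAST_QUERY, 1, 0, 0, 0)
    return header + encode_nb_name(name) + struct.pack("!HH", NB_RR_TYPE, 1)


def build_response(tid: int, name: str, ip: str) -> bytes:
    """A positive name query response claiming that `name` lives at `ip`."""
    header = struct.pack("!6H", tid, FLAGS_POS_RESPONSE, 0, 1, 0, 0)
    rdata = struct.pack("!H4s", 0x0000, IPv4Address(ip).packed)  # NB_FLAGS + addr
    rr = struct.pack("!HHIH", NB_RR_TYPE, 1, 300000, len(rdata)) + rdata
    return header + encode_nb_name(name) + rr


@dataclass
class NbnsMessage:
    tid: int
    is_response: bool
    name: str = ""
    addresses: list = field(default_factory=list)


def parse_nbns(pkt: bytes) -> NbnsMessage:
    """Minimal NBNS parser: header, question section, answer section."""
    tid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", pkt[:12])
    msg = NbnsMessage(tid, bool(flags & FLAG_RESPONSE))
    off = 12
    for _ in range(qdcount):
        length = pkt[off]
        msg.name = decode_nb_name(pkt[off + 1:off + 1 + length])
        off += 1 + length + 1 + 4          # label, scope terminator, qtype+qclass
    for _ in range(ancount):
        length = pkt[off]
        msg.name = decode_nb_name(pkt[off + 1:off + 1 + length])
        off += 1 + length + 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == NB_RR_TYPE:
            # each ADDR_ENTRY is 2 bytes of NB_FLAGS followed by an IPv4 address
            for i in range(0, rdlen, 6):
                msg.addresses.append(str(IPv4Address(rdata[i + 2:i + 6])))
    return msg


def find_wpad_responders(frames) -> dict:
    """frames: iterable of (source_ip, raw NBNS payload). Returns each host that
    answered a WPAD name query, mapped to the addresses it advertised."""
    responders = {}
    for src, pkt in frames:
        msg = parse_nbns(pkt)
        if msg.is_response and msg.name == "WPAD":
            responders.setdefault(src, set()).update(msg.addresses)
    return responders


# Constructed traffic: a victim broadcasts for WPAD and an infected peer answers
# (documentation-range addresses, not real hosts).
SAMPLE_FRAMES = [
    ("192.0.2.10", build_query(0x1234, "WPAD")),
    ("192.0.2.10", build_query(0x1235, "FILESERVER")),
    ("192.0.2.50", build_response(0x1234, "WPAD", "192.0.2.50")),
    ("192.0.2.20", build_response(0x1235, "FILESERVER", "192.0.2.20")),
]

if __name__ == "__main__":
    for host, addrs in find_wpad_responders(SAMPLE_FRAMES).items():
        print(f"ALERT {host} answered NBNS query for WPAD, advertising {sorted(addrs)}")
```

The detector deliberately does not try to match responses to queries: a spoofer that answers every WPAD lookup is the signal, whatever transaction ID it uses. The same check catches generic LAN poisoners that answer WPAD over NBNS, not only Flame, so treating any such responder as hostile until proven otherwise is sound.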

Hence, all the panic coming out of Redmond towers to ensure that its customers have all updated their Windows software to prevent their systems being compromised by Flame. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/07/microsoft_combats_flame_with_additional_hardening/

Dating site eHarmony plays data-breach me-too

Along with the LinkedIn password dump, dating site eHarmony has confirmed that some of its users’ passwords have also been published online, possibly by the same attacker as the one that obtained the LinkedIn data.

The company has responded with the usual “the security of our users” bromide. It says all affected user passwords have been reset, along with providing the usual advice of creating strong passwords, using a different password for every site, and changing passwords every few months*.

The LA Times says that the eHarmony list contained only passwords, not the user logins they’re associated with. However, as noted by Reuters, if wrongdoers have access to eHarmony accounts, they also probably have a shot at some decent extortion, since not everybody registered with a dating site is safely single.

Cloudmark’s Mary Landesman told Reuters she considered LinkedIn’s password storage to be “poor practice”, since the social-network-for-professionals didn’t salt the users’ passwords before hashing them. ®

*Bootnote: Personally, I’d rather use a password that’s very memorable and thirty characters long than the usual “eight characters long with mix of upper and lower case and non-alphabetic characters”.

Before any security expert corrects me, my pass-phrases have to pass one other test: that the phrase is unknown to Google. I’m not dumb enough to use “the quick brown fox jumps over the lazy dog”. I usually look at a painting from my desk, and recite some characteristic of it – “TwoGumnutsFiveBirdsGeorgeFiney”. Of course, I am not a security expert, so I can’t seriously call into doubt the wisdom of using 4pOzx_!+4 as a password for something. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/07/eharmony_also_breached_in_linkedin_password_dump/

Hackers expose 6.5 MILLION ‘LinkedIn passwords’

LinkedIn has said it is looking into a file that reportedly contains the mildly obscured passwords of around 6.5 million of its users.

A list containing the SHA1 hashed but unsalted passwords, purportedly of users of the business social network, has been posted on a Russian Dropbox-alike website. Some LinkedIn users have confirmed on Twitter that their password was in the list, with many saying it was an old password.

LinkedIn has no information on its website, but it has tweeted that it’s assessing the situation.

The network hadn’t returned a request for comment at the time of publication.

There aren’t any email addresses or names on the leaked list, but security experts have been at pains to stress that doesn’t mean the hackers don’t have them.

SHA-1 is a hash function, not encryption, and an unsalted hash of a common password can be matched against precomputed tables in an instant; stored passwords should at least be salted before hashing, which forces an attacker to do the work separately for every account.

The leak is coming at a bad time for LinkedIn, as it’s already had to defend itself against privacy concerns over its new mobile calendar feature.

The feature is supposed to sync users’ mobile calendars with LinkedIn to provide details on the people they are meeting. However, in order to make this “smarter”, LinkedIn had been pulling in email addresses for the people, the subject of the meeting, the location and the meeting’s notes – a lot of information.

Syncing with LinkedIn is an opt-in feature, so users don’t have to do it and the network has said it doesn’t store any calendar information on its servers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/06/linkedin_password_leak/

LinkedIn admits site hack, adds pinch of salt to passwords

LinkedIn has confirmed that the list of 6.5 million user passwords leaked yesterday appears to be genuine.

The social network for suits said it was still investigating the situation, but it said the SHA-1-hashed password list posted on a Russian Dropbox-alike site contained real user data. LinkedIn has invalidated the compromised users’ passwords and will be sending them emails explaining how to set a new one.

Although the website’s engineers hashed the stored passwords – a one-way process that converts each one into a fixed-length string of characters from which the original password cannot be directly recovered – they did not apply any salt.

Because that step was skipped, it is easy for hackers to produce a so-called rainbow table of hashes from possible passwords and search for these in the leaked list, thus identifying a significant number of the original passwords. Salting adds extra arbitrary data to each password when it is hashed, so that two users with the same password get different hashes; this thwarts pre-generated tables and makes life difficult for password crackers.
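To make the difference concrete, here is an added example (not LinkedIn’s code, and not a reconstruction of its systems) that runs the attack described above against constructed data: a short guess list, three made-up users, and fixed salts so the output is repeatable. A plain dict stands in for a rainbow table, which is a more compact way of storing the same precomputation. It ends with what a site should store instead, a random salt plus a deliberately slow key derivation function (PBKDF2 from Python’s standard library), so that even a salt-aware cracker pays for every guess.

```python
"""Unsalted SHA-1 vs salted vs slow password hashing, on constructed data."""
import hashlib
import hmac
import os

# Constructed guess list: what a cracker would try first against any dump.
CANDIDATES = ["password", "linkedin", "123456", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """How the leaked list was built: SHA-1 over the bare password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; a dict stands in for a rainbow table."""
    return {sha1_unsalted(c): c for c in candidates}


def crack_by_lookup(leaked_hashes, table) -> dict:
    """Every unsalted hash in the dump is answered by a single dict lookup."""
    return {h: table[h] for h in leaked_hashes if h in table}


def sha1_salted(password: str, salt: bytes) -> str:
    """Per-user salt: same password, different salt, different hash."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def crack_salted(leaked, candidates):
    """leaked: list of (salt_hex, hash). No table helps; the cracker must
    recompute every candidate under every salt. Returns (found, hashes_computed)."""
    found, work = {}, 0
    for salt_hex, digest in leaked:
        salt = bytes.fromhex(salt_hex)
        for c in candidates:
            work += 1
            if sha1_salted(c, salt) == digest:
                found[digest] = c
                break
    return found, work


def pbkdf2_store(password: str, iterations: int = 100_000) -> str:
    """What to do instead: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed users; salts are fixed here only so the demo is repeatable.
USERS = [
    ("alice", "linkedin", "00" * 8),
    ("bob", "letmein", "ff" * 8),
    ("carol", "Tr0ub4dor&3", "a5" * 8),
]
UNSALTED_DUMP = [sha1_unsalted(pw) for _, pw, _ in USERS]
SALTED_DUMP = [(salt, sha1_salted(pw, bytes.fromhex(salt))) for _, pw, salt in USERS]

if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted, cracked by lookup:", crack_by_lookup(UNSALTED_DUMP, table))
    print("salted, cracked by lookup:  ", crack_by_lookup([h for _, h in SALTED_DUMP], table))
    found, work = crack_salted(SALTED_DUMP, CANDIDATES)
    print(f"salted, brute-forced: {found} after {work} hashes")
    record = pbkdf2_store("letmein")
    print("pbkdf2 verify:", pbkdf2_verify("letmein", record), pbkdf2_verify("wrong", record))
```

Note that salting alone only removes the shortcut: the salted run still recovers the two weak passwords, just at a cost proportional to guesses times accounts. That is why the slow KDF matters as much as the salt, and why the password advice in the eHarmony piece (unique, long passwords) still applies even on a well-run site.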

The firm said that its security has been tightened.

“It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases,” the network said in a blog posting.

The company also apologised to its users for the breach.

Dating site eHarmony was also hacked, possibly by the same attackers that hit LinkedIn. The site said it was resetting the passwords of affected users and assured members that it used “robust security measures, including password hashing and data encryption”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/07/linkedin_admits_data_breach/

How to put “Stuxnet author” on your CV

With Stuxnet outed as a government-sponsored project by none other than one B. Obama of 1600 Pennsylvania Avenue, the world has concrete evidence that states commission the coding of malware.

That evidence led Anton Chuvakin, a research director in Gartner’s IT1 Security and Risk Management group, to ponder just what the coders hired to do the deed can say about it on their curricula vitae.

“’Malware’ … is now a legitimate occupation that you can put on your resume,” Chuvakin suggests, half-jokingly, before going on to offer this format for government-directed malware authors’ CVs.

“2006-2007: developed ‘attack software’ for XYZ government”

It’s since been suggested to us, however, that Chuvakin’s suggestion may not be entirely suitable, given that anyone working on this kind of thing will be asked to sign a confidentiality agreement.

Such agreements, says Peter Acheson, CEO of recruitment company Peoplebank, “prohibit them from disclosing too much about the specifics of the technology and the project generally.”

Acheson therefore suggests that those among you whose careers have wandered in this direction include “discussion of the specific tasks in terms of the project rather than references to the types of technology or what the specific project was designed to achieve” on your CV. That form of words, he feels, will get you credit for shady work without resulting in a windowless van arriving outside your home at dawn.

Acheson suggests the following hypothetical format to get malware gigs onto your CV:

2009–2011 – Department of Defence – Israel Project Director – Strategic Defence project. Worked on the development of strategic defence software for Department of Defence. Project had defence classification XYZ 123. Responsible for all aspects of overseeing development of the strategic software including management of 200 people.

“Often there will be some sort of ability to check participation on the project by talking to a Senior person in Defence about their involvement in the project,” Acheson adds.

Gartner’s Chuvakin also raises, in his post, the need for new language to describe Stuxnet and its ilk, and his suggestions may help you to craft suitably evasive CV entries.

“What do you call ‘malware’ working for the good guys?” he asks. “’Attack software’? ‘Sabotage-ware’? ‘Good malware’? We need a whole new language to describe what we are seeing now. This is ‘one man’s terrorist is another man’s freedom fighter’ all over again… “ ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/07/stuxnet_on_your_cv/

Police called after Romney’s email and Dropbox accounts cracked

Police are investigating a claimed cracking of presidential hopeful Mitt Romney’s Hotmail and Dropbox accounts.

An anonymous tipster claims to have accessed Romney’s accounts by answering the security question needed to reset access. Using publicly available information, the attacker claims to have correctly guessed the name of Romney’s pet in order to get into his Hotmail account, and then found the same password was used for the candidate’s Dropbox login.

“I have nothing to do with Anonymous and have never done anything like this before,” the person told Gawker, although no corroborating screen shots or email were included in the message. Romney’s campaign team has said the authorities are investigating.

It’s an unfortunate slip for Romney. He takes security very seriously, as shown when he finished his previous job as governor of Massachusetts. Romney’s management team purchased 17 hard drives they had been using for $65 apiece and purged the email servers completely, leaving no electronic records intact from 2002 to 2006, although there are 700 to 800 boxes of documentation.

“In leaving office, the governor’s staff complied with the law and longtime executive branch practice,” Andrea Saul, Romney campaign spokeswoman, told The Boston Globe. “Some employees exercised the option to purchase computer equipment when they left. They did so openly with personal checks.”

The attack mimics that used to access Sarah Palin’s webmail account in 2008, shortly after she was nominated as the Republican vice-presidential candidate. In that case, David Kernell, then a University of Tennessee student, earned himself a 366-day sojourn in prison for his cracking, although he did provide proof that the former Alaskan governor had been using her private email for state business, leading to the publication of over 24,000 emails she had sent.

It appears Romney didn’t learn the lessons from that case and has been caught in the same bind. Politicians’ lives are well-documented, and if they’ve been honest in answering their security questions, then they are at more risk than most. In Romney’s case, the pet question is also rather awkward, owing to a now-infamous tale of his pet Irish Setter, Seamus.

In 1983, the Romney family was taking a 12 hour road trip to their vacation home, and because the car was full Seamus was installed on the roof in a dog carrier fitted with a windscreen. Midway through the trip the dog had an attack of diarrhea and Romney hosed him off (and the car) before continuing the trip. Romney’s Republican opponents and the usual suspects at PETA, have made much of the incident. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/06/romney_hacked_hotmail_gmail/

Facebook tests parental-guidance tools in plan to pull in under-13s

Facebook is testing ways to open its social network to kids under the current cut-off age of 13.

Many pre-teens will typically circumvent Facebook’s sloppy screening process by simply lying about their age during the sign-up process.

Facebook has acknowledged this widespread action by children under the age of 13 and is looking at ways for youngsters to access the site under parental supervision, the Wall Street Journal reported on Sunday.

Of course, those untapped users could also help bump up ad sales now that the company has gone public.

According to the newspaper, Facebook is exploring a method that would link an under-13-year-old’s account with that of their parents so that their activity on the network can be fully policed.

Facebook gave The Register this statement:

Many recent reports have highlighted just how difficult it is to enforce age restrictions on the internet, especially when parents want their children to access online content and services.

We are in continuous dialogue with stakeholders, regulators and other policymakers about how best to help parents keep their kids safe in an evolving online environment.

However, it’s understood that the company – which claims to be closing in on 1 billion users worldwide – is not about to reveal a new system that would grant official access to pre-teens wanting to use Facebook.

A review of online privacy rules relating to the protection of children in the US, aka Children’s Online Privacy Protection Act (COPPA), to which Facebook has already given its own formal response, is expected to be published by the Federal Trade Commission in the next few months. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/06/facebook_under_13s_access/

NHS fights record £325k ICO fine after clap records appear on eBay

An NHS Trust is disputing a record fine the Information Commissioner’s Office has levelled on it for leaving tons of data on patients and staff on hard drives that were sold on eBay instead of being destroyed.

Brighton and Sussex University Hospitals NHS Trust was served a civil monetary penalty of £325,000, the highest handed out since the ICO got the power to lay financial smackdowns in April 2010. The Trust said it didn’t agree with the ICO’s findings and was appealing the fine.

The ICO claims that the private data of tens of thousands of patients and employees was left on the sold hard drives, including information from the HIV and Genito Urinary Medicine department, which included personal identifiers like dates of birth and occupations as well as sensitive medical data on their STD test results and diagnoses and sexual preferences. The database also held the names and dates of birth of 1,527 HIV positive patients.

The Trust decommissioned a number of hard drives in March 2008, which were then stuck in commercial storage in a locked room watched by CCTV. Two years later, around a thousand of the drives were moved to Brighton General Hospital and put in a room that could only be accessed with a key code.

The Trust’s IT service provider Sussex Health Informatics Service (HIS) asked its usual subcontractor to take care of destroying the drives, but that firm couldn’t do it, so HIS asked a different company to do it.

The ICO discovered that HIS never entered into a proper contract with the new contractor, even though it offered one, and only performed basic checks on the credentials of the one individual who ran it. The Trust didn’t even know that HIS had employed this contractor.

The unnamed individual came to the hospital on two occasions in the autumn of 2010 to destroy the drives, but they weren’t supervised all the time and the hospital never got a proper certificate of destruction with all the serial numbers listed.

That December a data recovery company bought four of the hard drives online from a seller who had bought them from the individual and reported the data breach.

The ICO said that the Trust initially tried to tell the ICO that it was just those four drives that had been sold and all the other hard drives waiting to be destroyed were secure, but it was rumbled in 2011 when a university said that one of their students had bought more drives, 15 of which held the Trust’s data.

Eventually, the ICO found out that at least 232 of the Trust’s hard drives were sold.

The Trust has said it doesn’t agree with the ICO’s findings and it is pursuing an appeal with the Information Tribunal.

“We dispute the Information Commissioner’s findings, especially that we were reckless, a requirement for any fine,” chief exec Duncan Selbie said in a canned statement.

“We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay.

“No sensitive data has therefore entered the public domain. We reported all of this voluntarily to the Information Commissioner’s Office, who told me last summer that this was not a case worthy of a fine,” he added.

Selbie said that the ICO had ignored its attempts to explain the situation.

“It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process’,” he complained.

“In a time of austerity, we have to ensure more than ever that we deliver the best and safest care to our patients with the money that we have available. We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/06/nhs_trust_disputes_ico_fine/

Relax hackers! NATO has no cyber-attack plans

CyCon 2012 NATO does NOT need cyber-offensive capabilities, according to a senior military commander.

Major General Jaap Willemse, who was speaking at the International Conference on Cyber Conflict (CyCon), said launching barrages of computer-based attacks is off the agenda for the Western military alliance, at least for the immediate future.

“Nobody at NATO is considering it. There are huge political, legal and diplomatic objections,” said the assistant chief of staff command, control, communication and intelligence at NATO Allied Command Transformation. “There are huge risks compared to the potential benefits.”

“NATO does not have the doctrine, command and control, educational support or other factors needed to run an offensive capability,” he added.

Although there might be a need for internet-based sorties in the future, the Royal Netherlands Air Force major general said: “It could become another tool for a NATO commander like electronic warfare and intelligence.”

For now, however, NATO’s efforts should be limited to developing an ability to simulate cyber-attacks for testing purposes – and protecting nations’ critical infrastructures from hackers should ordinarily be left to the 28 national governments that make up NATO. Maj Gen Willemse said NATO’s role should be limited to monitoring unless clear gaps in defences appear that present a need to intervene.

NATO’s current action plan runs until 2015, and the alliance needs a new roadmap with a “solid plan based on risk assessment”, Maj Gen Willemse said while giving the opening keynote at the fourth CyCon in Estonia on Wednesday.

“Governments are not going to pour money into a black hole,” he concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/06/06/nato_cyber_offensive/