STE WILLIAMS

ElcomSoft has updated its mobile forensics software to include the ability to retrieve online backups from Apple iCloud storage.

The enhancement to Elcomsoft Phone Password Breaker adds the capability to retrieve user data associated with iPhones from Apple’s iCloud online backup service. Backups to multiple devices registered with the same Apple ID can be retrieved using the technology, providing investigators has access to a user’s original Apple ID and password.

The approach means that investigators need not have physical access to Jesus phones in order to recover unencrypted copies of data they hold.

Elcomsoft Phone Password Breaker launched with the ability to retrieve user content from password-protected backups created on Apple iPhones and BlackBerry smartphones. The password breaker only facilitated the recovery of passwords protecting offline backups not data held in the cloud.

Access to data stored in iCloud online backup service is of interest to forensic investigators, not least because the facility has been used by millions of fanbois for data backup and device synchronisation since its introduction last June. Apple’s iCloud online backup service offers an alternative (or additional safety net) to backing up device data locally onto computers using iTunes.

iCloud backups offer a near real-time copy of information stored on iPhones including emails, call logs, text messages and website visits. iCloud backups are incremental. When set up to use the iCloud service, iPhones automatically connect to iCloud network and backup their content every time a docked device gets within reach of a Wi-Fi access point.

“While other methods require the presence of the actual iPhone device being analyzed or at least an access to device backups this is not the case with iCloud,” ElcomSoft chief exec Vladimir Katalov explained. “With a valid Apple ID and a password, investigators can not only retrieve backups to seized devices, but access that information in real-time while the phone is still in the hands of a suspect.”

The technology is marketed to computer forensics consultants, law enforcement and intelligence organisations. Investigators using the technology still need iCloud login credentials, which can’t be obtained with Elcomsoft Phone Password Breaker alone. Logging into iCloud requires an Apple ID and password.

This password, if not already known, can be acquired from an offline backup produced with Apple iTunes, and “used by investigators to watch suspects’ activities by monitoring changes to their online iCloud backups,” Elcomsoft explains.

“If investigators don’t have Apple ID and password, they can always try to get them and there are plenty of scenarios (both more and less sophisticated) to do so,” Elcomsoft spokeswoman Olga Koksharova told El Reg. “Getting Apple ID credentials may be a challenge, however there are numerous ways and places to find them or their traces on all iCloud devices registered to the same Apple ID.”

“Investigators can try to get physical access to a left alone Apple gadget (including laptops) and search it (e.g. its FileVault, which can take less than a minute if it’s unlocked), or take a physical image of one of i-devices (e.g. there is EIFT to acquire iPhone contents within 20 minutes or so), or search any other private/corporate stationary PC/Mac because the credentials can also be cached in web browser when the suspect tried to enter iCloud from the web browser, or social engineer at least,” she added.

However they eventually manage to get iCloud login credentials, investigators are subsequently relieved of the need to crack backup encryption passwords. The data is smoothly downloaded directly onto their computers from Apple remote storage facilities in plain, unencrypted form.

A blog post by Elcomsoft explaining how the technology works can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/17/elcomsoft_data_retrieval_tool/

A British man has been jailed for a year after hacking into the Facebook account of a US citizen.

Gareth Crosskey, 21, of Avon Close, Lancing, in West Sussex, hacked into his unnamed victim’s profile on 12 January 2011, gaining access to an e-mail account in the process. The breach was reported to the FBI, which traced the source of the hack back to the UK before turning the investigation over to Blighty’s plod.

Scotland Yard’s Police Central e-Crime Unit tracked down Crosskey as a suspect, leading to his arrest last July and subsequent prosecution. Faced with a mass of computer forensic evidence against him, Crosskey pleaded guilty to two hacking offences contrary to Britain’s Computer Misuse Act. He was sentenced to 12 months of imprisonment at a hearing at London’s Southwark Crown Court on Wednesday.

The PCeU issued a statement that said the result of the case “should act as a deterrent to any individuals thinking of participating in this type of criminal activity”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/17/facebook_account_hacker_jailed/

The UK’s privacy watchdog has fined the London Borough of Barnet £70k ($111k) after the local authority lost extremely sensitive information about young children for the second time in two years.

The latest loss occurred when a social worker took paper records home to work on them out of office hours. The staffer’s home was burgled in April last year, and the thieves made off with a laptop bag containing the documents and an encrypted computer.

The papers including the names, addresses, dates of birth and “details of the sexual activities” of 15 vulnerable youngsters. A subsequent investigation by the Information Commissioner’s Office found fault with procedures at Barnet Council relating to the handling of paper records. The borough’s policy included guidance for staff on handling sensitive files, but the measures failed to explain how the information should be kept secure.

The fine comes after the council promised in June 2010 to improve its information handling procedures following the theft of an unencrypted device containing personal data from an employee’s home. The council eventually introduced a paper handling policy, but this was not in place at the time of the second loss – hence the ICO’s decision to levy a fairly substantial fine on the public body.

Simon Entwisle, the ICO’s director of operations, commented: “The potential for damage and distress in this case is obvious. It is therefore extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss.”

“While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops,” he added.

The ICO gained power to levy fines in relation to data privacy breaches that could be blamed on either lax procedures or negligence in April 2010. Since then 16 organisations including a police force, health authorities and local councils have been fined over data breaches. Two private sector firms – defunct copyright infringement ambulance-chasers ACS:Law and employment agency A4e – are also among those fined for data privacy transgressions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/17/ico_fines_barnet/

Hong Kong’s Computer Emergency Response Team (HKCERT) has called for more resources to help it step up attempts to proactively monitor and deal with attacks on organisations in the special administrative region (SAR) of China.

Speaking to The Register, centre manager Roy Ko argued that the nature of the threats facing businesses in the region today means the CERT can no longer rely on old ways of responding to incidents.

“When we started out ten years ago people used to call in and we’d try to solve their problems over the phone, identifying what kind of attack they’d experienced,” he explained.

“Then later we noticed some cases like web defacement where people were not aware of the problem, so we tried to take a proactive approach to inform victims of hacking and other activities.”

The CERT checks all .hk sites for suspicious activity but it wants to expand this to .com and .org addresses for organisations based in the region, and make the whole process of receiving, processing and actioning information on compromised machines seamless and automated, he added.

“This year we plan to analyse all those compromised machines in Hong Kong. We’ve started the exercise – consolidating all the third party sources of information – and then we need to pass it on to the relevant parties, usually the ISPs,” said Ko.

“In the past it was done in not such a systematic way. The goal is to get it fully automated. We’re also planning our own sensors so that we can collect our own information on attacks.”

Considering the huge amount of wealth generated by the SAR and the attractive target which its many rich multinational businesses represent to financially motivated cyber criminals, however, Hong Kong’s CERT is under-resourced.

“We need to expand the scope of our service especially when it comes to monitoring activities in Hong Kong and see whether we can analyse earlier to do more preventative work,” said Ko.

“We have a very small team compared to other CERT teams. It’s not enough.”

Legislative councilor Samson Tam explained to The Reg recently that tightening information security regulations, investing more in education and awareness raising and ploughing further resources into the Technology Crime Division should be priorities for the new Hong Kong administration, but made no mention of the HKCERT.

Despite its lack of resources – the CERT occupies a small bank of desks on one floor of the Hong Kong Productivity Council building – Ko’s team appears to be forging effective relationships with government, law enforcement and its fellow CERTs in the region.

For example, the HK CERT participates in a working group every two months with the local police force’s Technology Crime Division and the government to identify any breaking threats and other areas they can work together such as awareness raising campaigns, he explained.

The HK CERT also has a “good communications channel” in place with the mainland China CERT, which Ko revealed is “very well resourced”, with an HQ in Beijing and regional headquarters throughout the People’s Republic.

He explained that this co-operation has helped the Hong Kong team identify the location of attacks on Hong Kong organisations launched from the mainland. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/17/hkcert_funding_call_china/

Ridding the world of the DNS Changer is proving a long, slow process that won’t be accomplished by July 9, when the court orders granted to the FBI expire and infected users suffer their inevitable blackout.

That’s the bleak warning given by BIND father and ISC founder and chair Paul Vixie to the AusCERT security conference on the Gold Coast today, 17 May.

“Remediation, which has not worked, has taken many forms, which did not work,” Vixie drily noted.

The notorious “operation ghost click” is well-known and understood, having been analysed in the six months since arrest of the Estonians (Vladimir Tsatsin, Timur Gerassimenko, Dmitri Jegorov, Valeri Aleksejev, Konstantin Poltev and Anton Ivanov) who hosted their ad-redirecting DNS on Rove Digital’s infrastructure.

Vixie said ISC’s ongoing research demonstrates that when the court order expires, there will still be in the vicinity of 300,000 DNS Changer-infected computers, in spite of the best efforts at remediation. Many users, Vixie said, are so untrusting and hostile that they resent being told they have a problem.

On the coming “dark day”, Vixie says, there’s a strong likelihood that ISPs will be swamped with help calls demanding to know what’s wrong. Had it been possible to do so, Vixie said, he would at least have contrived some way to “spread out the pain”, because “the way we’re doing it now, there will be no end to it.”

While the DNS Changer incident emphasizes the importance of DNSSec, but implementation is a slow process that depends on industry-wide cooperation.

He also took the opportunity to criticize the increasing willingness of governments to try and use misdirected DNS requests to enforce policies (such as porn-blocking or, in the case of Italy, blocking offshore gambling site).

“If it becomes popular [to use DNS] to block things that users want, they will move their DNS requests elsewhere.” The threat remains, however: SOPA-style legislation is still on the wish-list of entertainment lobbies, and will not leave the political agenda. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/17/dns_changer_blackouts/

Amazon Web Services’ General Manager and Chief Information Security Officer Stephen E. Schmidt is not allowed to make unannounced visits to the company’s data centres.

Speaking at the AWS Summit 2012 in Sydney today, Schmidt explained that he has to ask for permission from the relevant Vice-President before visiting a data centre, as part of the company’s security regime.

That regime means customers are also verboten from visits, a stance Schmidt says the company prefers because “tours are not instructive.” There are only so many ways to set up and secure a data centre, Schmidt says. Those methods are well-documented, AWS is aware of them, has deployed those it deems sensible and feels customers cannot learn anything useful from a visit.

Schmidt also said most AWS employees are kept ignorant of its data centres’ locations. Addresses for the facilities are not listed on the company’s intranet, a security-through-obscurity strategy Schmidt said “helps with protection.” Another obscurity strategy sees the company deliberately construct nondescript buildings.

Employees who can visit the facilities have that privilege revoked and formally re-instated every ninety days and must use “two or more levels of two factor authentication” to enter the building.

AWS also, Schmidt said, reviews log files proactively and a little obsessively.

“We review the logs to ensure we see what we expect, and to check for things we do not expect,” he said. The security team also checks to make sure logs are present, as absent logs or missing entries are eloquent descriptors of security incidents.

Schmidt also said the company has developed a special process to help penetration testers take advantage of its cloud. In the past such tests would likely have been flagged as a denial of service attack, but demand for such services means AWS now whitelists designated assets being used during penetration tests. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/17/aws_ciso_banned_from_own_datacentres/

Security software biz Avira has apologised after its antivirus suites went haywire and disabled customers’ Windows machines.

A service pack issued in Monday caused its ProActiv monitoring software to think vital operating system processes were riddled with malware and blocked them from running.

Users of the affected products – Avira Professional Security, Avira Internet Security 2012 and Avira Antivirus Premium 2012 – were left with malfunctioning or inoperable systems after they applied the dodgy update. A fix has since been issued.

Components reportedly blocked included iexplore.exe, notepad.exe and regedit.exe, plus applications including Microsoft Office and Google Updater were also sin-binned.

Unsurprisingly Avira’s support forums quickly filled up with posts by frustrated punters. “This update has been pretty catastrophic,” one small business user complained. “The whole company ground to a standstill.”

Avira responded by withdrawing the malfunctioning update, Service Pack 0 (SP0) for Avira Version 2012, and issuing a replacement upgrade. In an advisory, Avira said it “deeply regrets” the inconvenience customers have experienced as the result of the snafu. It goes on to explain how users can disable its ProActiv behavioural monitoring technology in case it goes nuts again.

From time to time antivirus signatures, used to identify malware inside files, cause headaches for vendors when they report false positive matches. Things get really messy in cases where core Windows components, rather than just third-party apps, are wrongly labelled as potentially malign. Screwing up a signature pack is one thing, but Avira’s mixup involves a major software update, raising questions over why the blunder was not caught during pre-release testing.

Avira is best known as a supplier of freebie Windows antivirus scanners to consumers in competition with the likes of AVG and Avast. The German firm uses its presence in this market to help it sell paid-for products to consumers and small businesses. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/16/avira_update_snafu/

Google released a major update to its Chrome browser on Tuesday that tackles 20 security vulnerabilities, eight of which are classified as high-risk bugs.

Chrome 19 – a cross-platform update for Windows, Mac, Linux and Chrome Frame – also includes a number of improved features such as tab sync. Google paid security researchers more than $7,500 under its bugs bounty programme for identifying the various vulnerabilities squashed by Chrome 19.

Most of the high risk flaws patched by the new version of Chrome tackle either “out-of-bounds write” or “use-after-free” memory vulnerabilities.

The full list of vulnerabilities addressed in Chrome 19 is detailed in Google’s advisory here.

In other patching news, Apple released a critical update addressing 17 security flaws in its QuickTime Media Player software. Several of the fixed vulnerabilities might lend themselves to attacks that plant malware onto the systems of users running pre-update versions of Apple’s media player software. QuickTime 7.7.2 addresses a total of 17 security bugs, as explained in Apple’s advisory here.

Rodrigo Branco, director of vulnerability and malware research at Qualys, discovered one of the critical bugs during fuzzing, a process that involves supplying a range of malformed data inputs to the application and checking for problems. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/16/google_chrome_update/

While “cyber^* operations” are becoming an increasing focus of both government and private research, legal frameworks are failing to keep pace, the US Army Cyber Command operational attorney Robert Clark has told the AusCERT security conference in Queensland.

As noted earlier by F-Secure’s Mikko Hypponen in his keynote address to the conference, the hundreds of jobs available for exploit research and creation in private defence contractors represent a huge shift in the source of attacks. Today’s exploits, Hypponen said, are more likely to emerge from a cubicle farm instead of a “black hat” hacker’s grubby keyboard.

However, the world is only at the very beginning of developing a legal response to such activities, said Clark.

Documents like the International Strategy for Cyberspace begin to change the landscape, since for the first time they attempt to wrap a formal framework around cyber-security – including deciding that “our cyber-security must be based on law or the [US] Constitution,” Clark said.

That foundation is important because computer-based espionage gives a victim no recourse against the information-gatherer, as only local law is useful against a ‘spy’. “Collecting information is not illegal under international law”, Clark said.

While happy to label so-called outbreaks of “cyber-war” as “B.S.”, Clark stated that “governments are in the business of offensive cyber-operations now.”

Clark also said that cyber “attack” is over-used in the media, as he feels the planet is yet to see a real cyber-attack . “Stuxnet was not a cyber ‘attack’, Estonia was not a cyber ‘attack’, that pipeline that some people say ‘yeah, that was malicious code’ wasn’t a cyber ‘attack’,” he said.

“Stuxnet was a big campaign,” he says, by virtue of its use of a combination of software, its attack vectors, its use of digital certificates. He is therefore happy to label it “a game-changer”. However, by the more precise definitions needed to invoke laws of armed conflicts, that does not create the conditions needed to regard it as a cyber-attack.

And why does this definition matter? In other words, why should we care about loose media use of “cyber war”? Because, Clark explained to El Reg: if policy-makers are only informed by the catchphrase and not the definition, they will make bad policy. ®

Bootnote:^*El Reg hates the word as well. Refreshingly, Clark agrees, but said he can’t avoid using it, given his job description.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/16/stuxnet_was_not_cyberwar/

Cybercrooks latched onto the release of Diablo III on Monday with a run of scams themed around the widely anticipated video game.

Blizzard’s games systems collapsed due to the higher than expected demand for the demon-slaying game, The Guardian reports.

The software company is attempting to stop pirates from nicking the new game by forcing wannabe warriors to log into its servers before they can start playing the role-playing game, even if they only want to try a single-player offline campaign.

This has created a bottleneck centered around log-in systems at Blizzard, which has struggled to service demand.

Technical glitches at Blizzard were an unexpected bonus for scammers, who have launched a raft of scams featuring the promotion of bogus crack and keygen sites. These fake sites might potentially be more attractive than they normally would be as gamers struggle to get their hands on legitimate content through regular channels.

Some of the scam sites that GFI Software has identified include supposed online key purchasing websites, that actually install dodgy software on the users’ PC. Other spammy Diablo 3-themed links collated by the security firm actually lead to unrelated flash games, spam linkdumps and a “donation experiment” where installs of the software on offer enter marks into a supposed prize draw giveaway. Other shenanigans on show include links to survey scams and YouTube videos offering “expert tips” on the hours-old video game.

These various scams are being promoted through the web at large and social media websites, including Facebook and Pinterest.

More details of these scams can be found in a blog post by GFI Software here.

Chris Boyd, senior threat researcher at GFI Software, and an expert in gaming security, told El Reg that the scams coinciding with the release of Diablo 3 are similar to those that have accompanied a succession of major gaming releases over recent months.

“Major releases have been an excellent target of scammers for some time now, from Fake AV [anti-virus] to SEO poisonings. There have been a number of scams targeting those stuck on Red Dead Redemption‘s treasure map hunts in 2010 and malware links posted to Twitter aimed at fans of Portal 2 in 2011. The most recent example of scammers looking to profit comes from Mass Effect 3, where scammers utilised surveys that promised an alternative ending to the game.”

More scams accompanying future high-profile video game releases are almost inevitable, Boyd warned.

“Diablo 3 is one of the most anticipated titles of the last few years and it’s only natural that dubious downloads are now in circulation. Games are now a huge draw for anybody looking to turn a fast profit,” he concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/15/diablo_3_scams/