STE WILLIAMS

Microsoft to send users 4 critical patches on Valentine’s Day

Microsoft plans to publish nine updates next Tuesday – four of which are critical – as part of a Valentine’s Day edition of its Patch Tuesday update cycle.

Highlights of the batch, which collectively address 21 vulnerabilities, include a critical update for Internet Explorer.

There are also two critical fixes for Windows itself, plus one for Microsoft’s .NET framework. Three of the five remaining “important” fixes grapple with remote code execution-type vulnerabilities, one of which involves Office. Flaws of this type are best addressed sooner rather than later because they might easily be exploited by malware slingers.

Patching IE ought to be the highest priority, according to vulnerability scanning and web services firm Qualys.

“[W]e saw last month how quickly attackers are incorporating browser-based attacks into their toolkits; an exploit for MS12-004 was detected a mere 15 days after Patch Tuesday,” notes Wolfgang Kandek, CTO of Qualys, in a blog post on the upcoming patch batch.

Andrew Storms, director of security operations at net security firm nCircle, said all supported versions of Windows will need patching. Oddly, the most recent versions of Windows – which normally need the least patching – are the most affected by the February 2012 patch batch, he added.

“Microsoft is planning to deliver a big ‘Valentine’ next Tuesday. Their advance notification indicated they plan to release nine bulletins, and 21 CVEs next Tuesday. This is very consistent with last year’s ‘Valentine delivery’ that included 12 bulletins and 22 CVEs.”

“It’s surprising that this month’s patch affects almost every Windows operating system – each OS is affected by five of the eight applicable bulletins. That’s kind of weird because newer OS versions are generally more secure.”

“It’s even more surprising that Windows Server 2008 R2 is affected by the greatest number of bulletins. Generally, we see fewer bugs on server side operating systems, and this is doubly true for Server 2008 since so many of its newer mitigations and default settings protect the OS even when bugs are found,” he added.

Microsoft’s own pre-alert notice can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/10/ms_patch_tuesday_feb_pre_alert/

Met thumbed through Oyster card data up to 22,000 times in 4 years

The Metropolitan police has requested Oyster card data relating to citizens and other personal information from Transport for London (TfL) more than 22,000 times since 2008, according to figures published by the capital’s transport authority.

The force requested personal data TfL holds relating to citizens 5,295 times in 2008; 5,359 times in 2009; 5,046 times in 2010; and 6,258 times in 2011, according to a response to a freedom of information request from Guardian Government Computing. The figures also show that the force has made 264 requests for such information this year so far.

TfL said that it could not provide a breakdown of the number of requests made by the Metropolitan police just for passengers’ Oyster card data alone, but a spokesman for London’s police force told Guardian Government Computing that the majority of requests were likely to be related to Oyster information. Other than Oyster data, personal information requested would include CCTV images and details of TfL staff, he said.

The transport authority said that it receives “many requests” for information pertaining to different crime types. Examples over the last four years include requests for Oyster data to assist with the police’s investigations into offences such as theft, robbery, missing persons and sexual offences.

More than 40 million Oyster cards have been issued since they were launched in 2003, with in excess of 3 billion journeys on TfL’s network made each year using the cards. The transport authority stores data for two months after a journey has been made with an Oyster card.

Nick Pickles, director of privacy campaign group Big Brother Watch, said that it was important that electronic methods of payment and identification do not become “a massive surveillance exercise”.

“The escalating use of this data by law enforcement agencies highlights the risk that these databases are increasingly being used by authorities instead of tried and tested methods,” he said.

TfL is overhauling its ticketing system and is set to accept contactless payments on selected networks later this year. It has said that it would like to move away from travel information being stored on individual cards to a system where most travel data is stored in TfL’s back office.

This article was originally published at Guardian Government Computing.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/10/metropolitan_police_asks_for_tfl_data/

Malware devs embrace open-source

Cybercrooks have embraced the open-source model in the development of banking Trojans following the release of source code for the infamous ZeuS cybercrime toolkit last year.

Multiple variants of a Zeus Trojan called Citadel have emerged over recent weeks as VXers have embraced a new development lifecycle – dubbed open-source malware.

Net security firm Seculert reports that the main developers of the software have also created forums where customers of Citadel (other cybercriminals) can suggest new features and modules for the malware, report bugs and other errors, or enter into discussion with their fellow e-banking fraudsters.

The approach is fuelling development of extremely well-developed malware, Seculert reports.

“Because of the new development lifecycle, this malware evolves quickly, and since late December we have seen over five new versions released by the Citadel authors, with new modules and features added to each version,” Aviv Raff, CTO at Seculert, told El Reg.

New modules and features include AES encryption of the malware’s configuration files, blacklisting of security vendor websites, and technology designed to keep the malware off the radar of Zeus tracking websites.

Cybercriminals have embraced open-source malware with the creation of 20 unique botnets using the new Citadel malware, which is starting to become the FreeBSD of e-banking fraudsters. Several of those botnets have infected more than 100,000 machines, Raff reports.

Cybercrooks have embraced trends from the legitimate business world for some years. For example, the Citadel authors provide their customers with a user manual, release notes and a licence agreement.

“We suspect that the open-source model may be the next growing trend,” Seculert concludes. “The cybercrime world is characterised by rapid development, cutting-edge technology, and hackers’ constant cravings for recognition. By looking at the developments in the software world, the open-source model may be well accepted in the cybercrime ecosystem as well.”

A blog post from Seculert, showing admin panels for the malware and a pie-chart illustrating Citadel infections per country, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/10/open_source_malware/

Google Wallet falls open after casual hack

Turns out it’s not necessary to decrypt the PIN, or even hack into Google’s Wallet: just ask the phone nicely and it will let anyone root through its innards.

The flaw was spotted by The Smartphone Champ, and unlike yesterday’s efforts which required root access and a modicum of brute force, this hack barely qualifies for the term, as it just involves asking the phone to reset the application data. That wipes the stored PIN, but not the card details, so a new PIN is entered and transactions immediately become possible.

Google has apparently responded with a statement, providing a phone number (855-492-5538) which you can call if planning to pass the handset on to a friend, or in the event that your phone is stolen. Google will then disable the prepaid card to prevent the phone being used to pay for stuff with a tap on the till.

It’s easy to imagine how this situation has come about, though harder to understand why Google didn’t spot it earlier. The Android application manager allows one to clear app caches, wipe all data belonging to a specific application, and uninstall the app, and we know that the Google Wallet app stores the user’s PIN in a file, so wiping the data wipes the PIN.

But the card details themselves aren’t stored in the phone’s filesystem, they’re stored safely in the Secure Element, so they don’t get wiped when the “application data” is removed.

Run the Google Wallet after removing its data and it assumes it is being run for the first time, and dutifully asks the user to create a PIN. Then ask it to add a prepaid card and it happily finds one already installed in the Secure Element and readies it for use.

None of this makes Google Wallet any less secure than a real wallet, in fact it remains slightly more secure, and it’s typical of the teething problems one hits when implementing such a complicated architecture (involving banks, payment processors and various trusted third parties), but it is extremely embarrassing and risks the future of a technology which is already proving surprisingly hard to sell. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/10/google_wallet_again/

UK cops set up new £30m bases to nail cybercrooks

The UK is to establish three regional policing e-crime hubs as part of efforts to boost the capability of British police to tackle the growing problem of cybercrime.

The new hubs, in Yorkshire and the Humber, the North West and the East Midlands, will each get their own three-officer team. Each will work alongside the Metropolitan Police Central e-crime Unit.

The regional roll-out is part of UK government plans to spend £30m over four years to improve the country’s ability to investigate and thwart cyber-crime. This is part of a much larger budget of £650m earmarked for the fight against cyber-threats more generally and protecting the UK’s national infrastructure from attacks, the majority of which will go to the intelligence agencies, principally GCHQ.

Each of the three regional units will be staffed by a detective sergeant and two detective constables. A period of training means it will take at least a few weeks before these units are up and running. Greater Manchester Police (GMP) and West Midlands Police (Birmingham) already had officers on staff who handled cybercrime cases and worked with private-sector forensic experts and expert witnesses, so the new hubs are more about formalising existing capabilities than adding something that previously only existed in London.

In a statement, ACPO lead on e-crime Deputy Assistant Commissioner Janet Williams said:

The government has acknowledged a need to collaborate and provide a structured response to the cyber security of the UK and these three additional policing units are going to play a critical role in our ability to combat the threat.

It is anticipated the hubs will make a significant contribution to the national harm reduction target of £504m. In the first six months of the new funding period alone we have already been able to show a reduction of £140m with our existing capability.

While a training period is required before the hubs are fully functional, they will undoubtedly provide an enhanced ability to investigate this fast growing area of crime and provide an improved internet investigation capability.

James Brokenshire, minister for crime and security, said: “Cyber crime is a threat locally and nationally, and every police force in the country has to deal with its impact on people and businesses in their area.”

“As well as leading the fight in their regions, these units mark a significant step forward in developing a national response to cyber crime, which will be driven by the new National Crime Agency,” he added.

The regional e-crime hubs were launched at the ACPO e-crime conference in Sheffield on Wednesday. The conference itself was famously discussed during a conference call between the FBI and UK-based cybercops that was leaked by Anonymous last week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/09/regional_cyber_hubs_fight_e_crime/

Google Wallet PIN security cracked in seconds

A researcher at website categoriser zvelo has discovered Google Wallet’s PIN protection is open to a brute-force attack that takes seconds to complete. And Google is powerless to fix the problem, it seems.

The attack is limited to instances where physical access is available, or the phone has been previously “rooted” by the user. Once the assault succeeds the attacker can read the contents of the wallet including credit card numbers and other details such as the transaction history. Worse still, Google can’t address the flaw without shifting responsibility for the PIN onto the banks, who might not want it.

Google Wallet uses Near Field Communication (NFC), a wireless technology, so the user can make payments by bonking the phone onto a suitably equipped till. Google Wallet provides a management interface to the cards stored on the system, and the bonk triggers an encrypted exchange of information between the card and the till authorising the payment.

That exchange remains secure, but when the user wants to edit their card details, or see their transaction history, they use Google Wallet which requires a 4-digit PIN, and it’s that PIN which has proved vulnerable.

The chaps at zvelo noticed that the wallet application stores a hash of the PIN, and were thus able to create a matching PIN simply by hashing all 10,000 possible numbers – a process which only takes a few seconds as they’ve demonstrated on their video.

The hash files, which are accompanied by other data warranting further enquiry, are only available to other applications once a handset has been rooted – the Android OS keeps applications separated so this attack is limited to stolen phones or those rooted by their owners. The latter case is particularly concerning as it would, in theory, allow a rogue app to lift all the data remotely without the user being aware.

The problem, for Google, is that the obvious way to fix this is to move all the data into the secure element on the phone. The secure element is essential to NFC transactions, but falls under the legal responsibility of the payment processor – so moving the PIN into there would change the already complex legal architecture.
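As an added illustration (not zvelo’s code, nor Google’s), this Go program models the argument above: an unsalted hash of a 4-digit PIN falls to an exhaustive 10,000-candidate search in milliseconds, while the same search against a verifier that keeps the PIN inside a lock-out-enforcing component (the role a secure element plays for the card itself) stops after a handful of guesses. The PIN value and lock-out threshold are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Constructed sample value for the demo; nothing here is Google Wallet's real storage format.
const samplePin = "4271"

// pinDigest is the weak scheme the article describes: an unsalted hash of the 4-digit PIN
// written to the app's private files.
func pinDigest(pin string) string {
	sum := sha256.Sum256([]byte(pin))
	return hex.EncodeToString(sum[:])
}

// offlineRecover is what a holder of the stored hash can do once the file is readable:
// hash every candidate 0000-9999 and compare. Returns the match and how many tries it took.
func offlineRecover(stored string) (string, int) {
	for i := 0; i < 10000; i++ {
		cand := fmt.Sprintf("%04d", i)
		if pinDigest(cand) == stored {
			return cand, i + 1
		}
	}
	return "", 10000
}

// gatedVerifier models PIN checking inside a component whose secret cannot be copied out
// (the secure-element role the article describes): wrong attempts are counted and the
// verifier locks after maxTries, so the 10,000-entry keyspace can never be walked.
type gatedVerifier struct {
	pin      string
	failures int
	maxTries int
	locked   bool
}

func (v *gatedVerifier) check(cand string) bool {
	if v.locked {
		return false
	}
	if cand == v.pin {
		v.failures = 0
		return true
	}
	v.failures++
	if v.failures >= v.maxTries {
		v.locked = true
	}
	return false
}

// gatedRecover runs the same exhaustive search through the gate and reports how many
// guesses were actually evaluated before lockout ended the search.
func gatedRecover(v *gatedVerifier) (string, int) {
	for i := 0; i < 10000 && !v.locked; i++ {
		cand := fmt.Sprintf("%04d", i)
		if v.check(cand) {
			return cand, i + 1
		}
	}
	return "", v.failures
}

func main() {
	stored := pinDigest(samplePin)
	start := time.Now()
	pin, n := offlineRecover(stored)
	fmt.Printf("offline: recovered %q after %d candidates in %v\n", pin, n, time.Since(start))
	pin, n = gatedRecover(&gatedVerifier{pin: samplePin, maxTries: 3})
	fmt.Printf("gated: recovered %q, only %d guesses evaluated before lockout\n", pin, n)
}
```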

There’s also the problem of which secure element the PIN would be attached to. Google’s existing NFC devices support a secure element in the SIM (under the control of the network operator) as well as one embedded in the handset, and Google Wallet is supposed to provide a single interface to all the securely stored content.

So it looks like a fix won’t be coming any time soon, which is bad news for those touting a rooted Google Nexus S, and using Google Wallet to pay for stuff, but unlikely to worry the rest of us immediately. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/09/google_wallet_pin/

Airport bomb Twitter joker in second fine appeal bid

Paul Chambers, the Twitter joker turned misdemeanour conviction martyr, returned to court on Wednesday to launch a second appeal against a conviction over a “threatening message” to blow Doncaster’s Robin Hood Airport “sky high”.

Chambers, 27, posted the notorious micro-blogging message in early January 2010 while the Yorkshire airport was closed during a cold snap and shortly before he was due to fly to Belfast to meet an online acquaintance, who has since become his girlfriend. The trainee accountant ranted via his @pauljchambers account, which had around 600 followers at the time:

Crap! Robin Hood Airport is closed. You’ve got a week and a bit to get your shit together otherwise I’m blowing the airport sky high!

The message was spotted during an unrelated search and reported by an off-duty member of staff at the airport to police. Even though the message was never taken as a threat, and no extra precautions were taken at Doncaster airport, charges were still brought against Chambers.

Chambers was subsequently convicted for sending a threatening message – which is an offence against the Communications Act of 2003 – fined £385 and ordered to pay £600 costs as well as getting himself lumbered with a criminal record.

The Twitter joke trial cost the unfortunate Chambers his original job as a trainee accountant as well as losing him a second job in the flurry of publicity just before his Crown court appeal last September. This appeal failed after Judge Jacqueline Davies decided that Chambers’ original Twitter update was “obviously menacing”, contrary to testimony from the defence that the message was “facetious”.

The failed appeal left Chambers with an extra £2,000 in prosecution costs in addition to the original £1,000 fine and costs. Fortunately he wasn’t left to bear that cost himself thanks to ordinary Twitter users and celebrities who donated to help fund a further appeal.

Chambers’ supporters include Graham Linehan, writer of Father Ted, and comic Al Murray, who took part in a benefit gig on behalf of the Twitter martyr, as well as attending the High Court in London to hear Chambers’ appeal. Other supporters include lawyer David Allen Green (@davidallengreen) and Stephen Fry.

Ben Emmerson QC, appearing for Chambers, said the Crown Court’s decision to uphold the original conviction was legally incorrect, contrary to common sense and unworkable.

Around 4,000 people re-tweeted Chambers’ original message in an “I am Spartacus” show of solidarity, but no action was taken against any of them.

He told Lord Justice Gross and Mr Justice Irwin that the question before them was “whether this prosecution-conviction-sentence was a steam roller to crack a very small nut and whether it was a disproportionate response”, the BBC reports.

The two senior judges retired to consider their ruling on the case which, when it comes, will become the definitive statement in English law on how to treat cases of this type in future. Judgments in the Court of Appeal on points of law set a binding precedent on lower courts, all Crown courts and magistrates’ courts in England and Wales. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/09/twitter_joke_trial_appeal/

Hackers claim to have penetrated Foxconn backdoor

It had to happen eventually. Controversial hardware manufacturer Foxconn was reportedly hacked late on Wednesday and a heap of staff email log-ins and intranet credentials posted online which could allow third parties to lodge fraudulent orders.

In a lengthy message posted to Pastebin, hacking group Swagg Security claimed the notable scalp. Though they described Foxconn’s dubious track record on working conditions at length, the group said this was not the primary motivation for the hack.

Although we are considerably disappointed of the conditions of Foxconn, we are not hacking a corporation for such a reason and although we are slightly interested in the existence of an Iphone 5, we are not hacking for this reason. We hack for the cyberspace who share a few common viewpoints and philosophies. We enjoy exposing governments and corporations, but the more prominent reason, is the hilarity that ensues when compromising and destroying an infrastructure. How unethical right?

The Register tried to contact Foxconn’s Shenzhen headquarters for confirmation but had not heard back at the time of writing.

However, according to their Twitter feed the hackers gained access to Foxconn’s systems via an “outdated vulnerability” in a version of Internet Explorer which was being used internally by the company.

The data dump posted online includes mail server login and username credentials as well as log-ins for procurement sites and intranets which Swagg Security claimed “could allow individuals to make fraudulent orders under big companies like Microsoft, Apple, IBM, Intel, and Dell”.

“Foxconn did have an appropriate firewall, but fortunately to our intent, we were able to bypass it almost flawlessly,” the hackers explained in their note.

“Of course with funding ourselves we did have our limitations. But with several hacking techniques employed, and a couple of days in time, we were able to dump most of everything of significance.”

Tech site 9To5Mac said it was able to verify that the stolen log-ins worked on more than one Foxconn server.

The electronics giant does appear to be taking measures to lock down its systems, however. Swagg Security tweeted on Thursday morning that the company had closed the compromised services.foxconn.com, quipping: “Guess you guys made one too many orders”.

F-Secure chief research officer Mikko Hypponen told The Reg that, looking at the data released by the hacktivists, Foxconn was not following network security best practices.

“If you do a Google search for the site: services.foxconn.com, you’ll see that they had a file uploading service there for their partners,” he said.

“So my best guess at this stage would be that the attackers managed to upload something malicious on the [services.foxconn.com] server and somehow used that to gain access.”

The news comes as pressure mounts on Apple and other tech giants to clamp down on conditions in supplier factories.

On Thursday morning, concerned Apple customers will drop off 250,000 signature petitions in cities across the globe including New York, London and Sydney registering their disapproval of supplier working practices.

Foxconn usually comes in for most abuse, given that lucrative contracts with big names including Apple, Microsoft and Intel have made it one of the largest electronic component manufacturers in the world. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/09/foxconn_hack_swagg/

Trustwave admits crafting SSL snooping certificate

Certificate Authority Trustwave has revoked a digital certificate that allowed one of its customers to issue valid certificates for any server, and thereby to intercept its employees’ private email communications.

The skeleton-key CA certificate was supplied in a tamper-proof hardware security module (HSM) designed to be used within a data loss prevention (DLP) system. DLP systems are designed to block the accidental or deliberate leaking of company secrets or confidential information.

Using the system, a user’s browser or email client would be fooled into thinking it was talking over a secure encrypted link to Gmail, Skype or Hotmail. In reality it was talking to a server on the firm’s premises that tapped into communications before relaying them to the genuine server. To pull this off, the DLP system needed to be able to issue digital certificates for whichever service was being contacted, on the fly; the approach amounts to a man-in-the-middle attack.

The same approach might be used in government monitoring, such as a state spying on its own citizens’ use of web services such as Gmail and Skype. Evidence suggests that digital certificates issued by Netherlands-based firm DigiNotar last year were used in this way to eavesdrop on the webmail communications of Iranian users, although no firm state-sponsored connection has been established.

In a statement published on Sunday, Trustwave said it supplied the tamper-proof digital stamp issuing device to a private customer (not an ISP, government or law enforcement agency), adding that the technology could not have been used outside the private network to which it was supplied. The CA said it had carried out an audit of the target network before supplying the technology.

Nonetheless, it admits the approach was misguided and has promised not to use the technique again. It has also revoked the offending subordinate CA certificate.

Sysadmins applying data loss prevention policies that state a firm has the right to scan and/or block webmail sent from work can instead install an internal certificate authority’s root on machines connected to the local intranet. That approach wouldn’t work on personal mobile devices a user brought into work, and this seems to be the reason why Trustwave took the approach it did – which it now admits was misguided.
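An added example (not Trustwave’s or any real CA’s material) using Go’s standard crypto/x509 to show why an unconstrained subordinate CA is a skeleton key for the interception described above, and how the internal-CA alternative is kept in bounds: a client that trusts the root accepts a subordinate-issued certificate for any hostname, whereas a subordinate carrying a name constraint limited to the firm’s own domain cannot mint acceptable certificates for outside hosts. Host and CA names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hosts for the demo: one the firm controls, one public webmail host it does not.
const internalHost, externalHost = "mail.corp.example", "mail.google.com"

type certKey struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// issue generates a key, signs tmpl with parent (nil means self-signed) and parses the result.
func issue(tmpl *x509.Certificate, parent *certKey) (*certKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	parentCert, signer := tmpl, key
	if parent != nil { parentCert, signer = parent.cert, parent.key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &certKey{cert: cert, key: key}, err
}

// caTemplate builds a CA certificate; a non-nil permitted list becomes a critical name
// constraint, so the CA can only vouch for hosts under those DNS suffixes.
func caTemplate(cn string, serial int64, permitted []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if permitted != nil {
		t.PermittedDNSDomains, t.PermittedDNSDomainsCritical = permitted, true
	}
	return t
}

// leafVerifies builds root -> subordinate -> leaf for host and asks a client that trusts only
// the root whether the leaf is acceptable for host. A nil permitted list is the unconstrained
// subordinate the article describes; a chain error here is the verdict, not a demo failure.
func leafVerifies(host string, permitted []string) (bool, error) {
	root, err := issue(caTemplate("Example Root", 1, nil), nil)
	if err != nil { return false, err }
	sub, err := issue(caTemplate("Example Subordinate", 2, permitted), root)
	if err != nil { return false, err }
	leaf, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub)
	if err != nil { return false, err }
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	inters.AddCert(sub.cert)
	_, err = leaf.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil, nil
}

func main() {
	ok, _ := leafVerifies(externalHost, nil)
	fmt.Println("unconstrained subordinate, cert for", externalHost, "accepted:", ok) // true
	ok, _ = leafVerifies(externalHost, []string{".corp.example"})
	fmt.Println("constrained subordinate, cert for", externalHost, "accepted:", ok) // false
	ok, _ = leafVerifies(internalHost, []string{".corp.example"})
	fmt.Println("constrained subordinate, cert for", internalHost, "accepted:", ok) // true
}
```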

Trustwave has come clean and admitted it supplied technology that enabled third parties to issue arbitrary SSL server certificates for monitoring, albeit for benign reasons. This is a significant admission and further shakes confidence in the whole digital certificate trust model, already rocked by the Comodo breach, the DigiNotar hack, the SSL BEAST attack and other problems over recent months. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/09/tustwave_disavows_mitm_digital_cert/

Path runs screaming from privacy snafu

After sparking an outcry – and arguably putting itself on the wrong side of privacy laws outside America – ex-Facebooker and now CEO of Path, Dave Morin, has blogged an apology.

The furor surrounding the application broke with this blog post, in which a Path fan analysed the app’s behavior and discovered that it copied a user’s entire address book to its servers – without permission and in the clear.

Morin originally responded that “friend finding matching is important to the industry” (our emphasis), but said the upload of the address book was only used to help users connect to friends and family, and “notify them when friends and family join Path.”

His promise of an update to turn the feature into an opt-in didn’t mollify users, who demanded to know what would happen to data already held by the “personal network” company without their permission.

Those complainants now have their answer: the data has been deleted, according to Morin’s blog post. Morin adds a pint of mea culpa stirred in with a couple of spoonfuls of “deeply sorry” and a pinch of “complete transparency”.

While still claiming that users are “completely in control”, anybody who abandons their good sense and uploads their entire address book to the company – and then changes their mind – will have to rely on an e-mail to Path’s customer service to request deletion. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/08/path_in_privacy_mea_culpa/