STE WILLIAMS

Top GCHQ spook warns of ‘disturbing’ levels of cyber-raids

With a crunch conference on government cyber-security starting tomorrow, the director of government spook den GCHQ, Iain Lobban, said Britain had faced a “disturbing” number of digital attacks in recent months.

Attackers had targeted citizens’ data, credit card numbers and industry secrets, Lobban said.

“I can attest to attempts to steal British ideas and designs – in the IT, technology, defence, engineering and energy sectors as well as other industries – to gain commercial advantage or to profit from secret knowledge of contractual arrangements,” the eavesdropping boss added in his article for The Times.

According to Foreign Secretary William Hague there were more than 600 “malicious” attacks on government systems every day, while criminals could snap up Brits’ stolen card details online for just 70 pence a throw.

The statement was paired with the announcement of a £650m investment in cyber-security over the next four years, with both Hague and Lobban arguing that industry and government need to work together to pull off a safe, resilient system.

Countries that could not protect their banking systems and intellectual property will be at a serious disadvantage in future, Hague told The Times.

The government could have its work cut out, though: security software maker Symantec today suggests that businesses are cutting back on cyber-security and are less aware of and engaged with the big threats than they were last year. Symantec was specifically staring at industries integral to national security.

It found that only 82 percent of them participated in government protection programmes, down 18 points since last year.

Symantec reckoned that reduced manpower meant companies had less time to focus on big structural threats.

“The findings of this survey are somewhat alarming, given recent attacks like Nitro and Duqu that have targeted critical infrastructure providers,” said Dean Turner, a director at Symantec.

“Having said that, limitations on manpower and resources as mentioned by respondents help explain why critical infrastructure providers have had to prioritise and focus their efforts on more day-to-day cyber threats.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/31/britain_attacked/

Adventures in Tech: Taking the plunge into IPv6

Part 1 The threat from the fast-dwindling supply of mainstream “IPv4” Internet addresses for new users is a bit like Y2K creeping up on us all over again. Almost no one can see beyond the cost of code review, systems change, hardware upgrades and general upheaval into the brave fairly-old world of IPv6 – but putting it off forever isn’t really an option either. And like Y2K, if it’s handled well, no one will ever notice or thank us “IT professionals” for it: we’ll be accused of make-work, scare-mongering and overcharging. What’s not to like?

Ultimately IPv6 will do away with much of the annoyance of NATing, dynamic IP addresses, address rationing, etc, and should make for more efficient and cheaper communications. IPv6 support may soon be necessary to be reachable at all by some users.

IPv6 (or IPng: Next Generation) has been the future of the Internet for a decade and a half, so why the hesitation to get with the programme? It’s probably a case of “if it ain’t broken” and Y2K backlash, but the existing IPv4 address scheme is now broken and Y2K wasn’t a figment of the imagination (I fixed a lot of finance-related bugs around then, trust me).

Anecdotally it seems relatively safe, for example, to implement dual-stack (ie with both IPv4 and IPv6 addresses) Web sites immediately. See the “heise online” IPv6 experience, which was largely positive.

“The small number of flaws was so encouraging that heise online decided to adopt dual-stack for production use as soon as possible … [users] do occasionally report problems. The majority of these continue to revolve around the flawed IPv6 implementations in Mac OS X, iOS and in the firmware of AirPort base stations. But the number of cases is far smaller than previously feared. Overall, heise online considers the switch a complete success, and would recommend it to any similar site.”

8th June this year was “World IPv6 Day” http://www.worldipv6day.org/faq/ which was a global test of the new world order. It mainly worked, and almost no one noticed. In particular, bringing up IPv6 support didn’t in practice hurt IPv4 users much or at all.

And failing to plan for IPv6 at all doesn’t just lose traffic and potential customers. It may also undermine your security. You’d better plan those IPv6 security policies, keep an eye on rogue 6-in-4 tunnels (failing to upgrade your external links doesn’t necessarily stop IPv6 getting in and out), and work to minimise the attack surface of already-IPv6-capable services and applications in house.

Netalyzr poised to start looking at my Internets

PREREQUISITES

Let’s put aside for the moment the matter of whether you’re going to upgrade your client or app or server to support IPv6, what would need consideration if you did?

  • Does your host/connection/routing even support IPv6 yet? And don’t forget to include your connection, your servers’ and your customers’/users’ too.
  • Do your routers, bridges and switches support IPv6?
  • Does your DNS service support IPv6 (eg AAAA records, RFC3596) yet?
  • Will your WiFi / IP phone / hot-desk systems work with IPv6?
  • What parts of your code/system/logging are likely to break or otherwise need TLC?
  • Are you intending to run dual-stack (ie both IPv6 and IPv4) from any/all hosts (servers, workstations, phones, gadgets)?
  • How will you deal with IPv6 tunnelling, planned and rogue?
  • How will your performance monitoring and user-tracking tools cope? (For example, do you track approximate user location by IPv4 address prefix?)
  • Will your anti-DoS/anti-abuse mechanisms based on client address work?
  • Have you the expertise to craft watertight IPv6 firewall rules, especially if you no longer use NAT and the protection it provides to internal machines as a side-effect?
  • Since one way that hosts can create their own IPv6 addresses is to use their Ethernet MAC address, have you thought about the information leak that this represents, eg for road-warrior mobile users?
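Two items on that checklist, rogue tunnels and MAC-derived addresses, can be checked from the addresses already in your logs. The following is an added example written for this digest, not code from The Register or from Netalyzr: it pulls IPv6 addresses out of a few constructed log lines, recovers the IPv4 endpoints embedded in 6to4 (2002::/16, RFC 3056) and Teredo (2001::/32, RFC 4380) addresses, and recovers the MAC address from a modified EUI-64 interface identifier (RFC 4291). It goes slightly beyond the text, which mentions only 6-in-4 tunnels, by also covering Teredo; the log format and all addresses are invented for the example.

```python
"""Audit IPv6 addresses seen in logs for tunnel use and MAC-derived identifiers.

Added example, not from the article. The log lines are constructed. Address
classes checked: 6to4 and Teredo automatic tunnels, and modified EUI-64
interface identifiers that embed a host's Ethernet MAC address.
"""
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056
TEREDO = ipaddress.IPv6Network("2001::/32")      # RFC 4380

# Constructed sample log: one EUI-64 host, one 6to4 client, one Teredo client,
# one host using a random (privacy-extension style) interface identifier.
SAMPLE_LOG = """\
2011-10-31T09:12:01Z sshd accepted from 2001:db8:1::21a:2bff:fe3c:4d5e port 50220
2011-10-31T09:12:04Z httpd GET / from 2002:c000:0204::1
2011-10-31T09:12:09Z httpd GET / from 2001:0:4136:e378:8000:63bf:3fff:fdd2
2011-10-31T09:12:15Z httpd GET / from 2001:db8:1::a1b2:c3d4:e5f6:7788
"""


def embedded_mac(addr):
    """Return the MAC if the interface identifier is a modified EUI-64, else None.

    Modified EUI-64 splices ff:fe into the middle of the 48-bit MAC and flips
    the universal/local bit (0x02) of the first octet, so a host that uses it
    carries its hardware address wherever it roams.
    """
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def tunnel_endpoints(addr):
    """Return (kind, details) for tunnel-derived addresses, or ("native", {})."""
    b = addr.packed
    if addr in SIXTOFOUR:
        # 2002:V4ADDR::/48 carries the IPv4 tunnel endpoint in bits 16..47.
        return "6to4", {"ipv4": str(ipaddress.IPv4Address(b[2:6]))}
    if addr in TEREDO:
        # 2001:0:SERVER:FLAGS:PORT:CLIENT, with PORT and CLIENT bitwise-inverted.
        server = ipaddress.IPv4Address(b[4:8])
        port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(int.from_bytes(b[12:16], "big") ^ 0xFFFFFFFF)
        return "teredo", {"server": str(server), "client": str(client), "port": port}
    return "native", {}


def classify(text):
    """Describe one IPv6 address: tunnel kind, embedded IPv4 endpoints, embedded MAC."""
    addr = ipaddress.IPv6Address(text)
    kind, details = tunnel_endpoints(addr)
    return {"address": str(addr), "kind": kind, "mac": embedded_mac(addr), **details}


def audit(log_text):
    """Pull IPv6 addresses out of whitespace-separated log lines and classify each."""
    findings = []
    for line in log_text.splitlines():
        for token in line.split():
            try:
                addr = ipaddress.IPv6Address(token)
            except ValueError:
                continue  # timestamps, words and IPv4 literals are not IPv6 addresses
            findings.append(classify(str(addr)))
    return findings


def attention(findings):
    """Findings worth a policy decision: tunnelled clients or MAC-leaking hosts."""
    return [f for f in findings if f["kind"] != "native" or f["mac"] is not None]


if __name__ == "__main__":
    for f in attention(audit(SAMPLE_LOG)):
        print(f)
```

On a real log the addresses flagged as 6to4 mean IPv4 protocol-41 packets are crossing your border whether or not you planned IPv6; the Teredo entries tell you which UDP relay and client pair they came through; and the MAC-bearing entries identify hosts that have not enabled privacy extensions. The Python standard library also exposes `IPv6Address.sixtofour` and `IPv6Address.teredo`, which can be used to cross-check the manual decoding above.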


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/31/ipv6_transport/

Blue Coat owns up to Syrian Web-blocking

Blue Coat Systems has fingered itself as one of a number of US companies whose Web filtering kit is being used by the Syrian government.

The company has told the Wall Street Journal that the Syrian government’s online crackdown is being partly enabled by its devices. However, the filtering, WAN optimization and deep packet inspection vendor says its products were taken to Syria out of a shipment it believed was bound for Iraq.

America has had trade embargoes against Syria in place since 2004.

According to the Wall Street Journal, the vendor has already alerted the US government to what it calls an improper transfer of at least 13 devices to the Syrian government, which is blocking or monitoring Internet communications as part of its response to the protests.

Other firms have suffered similar embarrassment in the past. In September, the UK’s Gamma International denied selling Skype-snooping software to Mubarak’s regime in Egypt. The Wall Street Journal also identifies McAfee and Netsweeper as being used by various repressive governments in the Middle East.

Blue Coat says that analysis of logs and IP addresses that were leaked by the activist group Telecomix indicates that its devices are in Syria, according to this AFP story. An unnamed company spokesperson said “since we didn’t sell it there, we don’t know the particulars.”

The WSJ says the US State Department is investigating. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/30/blue_coat_in_syria/

600,000 hacks a day, welcome to Facebook

Every 24 hours 600,000 Facebook accounts are subject to attempted hacking or violation, Facebook has revealed.

The Social Network™ disclosed details of hacking activity as it unveiled new measures to protect users’ privacy. “We are adapting and responding to new threats every day and will continue to roll out new ways to protect your account,” Facebook said.

In a blog post, Facebook revealed new tools to help users access their accounts if they are locked out and to prove their identity through their friends. “It’s sort of similar to giving a house key to your friends when you go on vacation – pick the friends you most trust in case you need their help,” it explains.

‘Trusted friends’ allows users to nominate a few friends as a default measure that will be given access codes to your account if you cannot access it.

It is also testing a feature that allows users to use app passwords for logging into third party applications.

Initial feedback from users has been mixed, with many pointing out that “friends” are also subject to hacking and that security may be further compromised by exposing access information to other parties.

Meanwhile according to researchers at Barracuda Labs, one in 100 tweets are malicious while one in 60 Facebook posts are malicious.

The new Barracuda survey data of social media users found that LinkedIn is the least-blocked social network by enterprises, with only 20 percent of organizations preventing their employees from using LinkedIn from work.

Over 90 percent of users have received spam over a social network, and more than half have experienced phishing attacks. More than 20 percent have received malware, 16.6 percent have had their account used for spamming, and about 13 percent have had their account hijacked or their password stolen. Significantly more than half are unhappy with Facebook’s privacy controls. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/30/facebook_hack_stats/

Why the FBI’s ‘new Internet’ is a dumb idea

The FBI’s Shawn Henry says the world needs a second Internet for critical systems – apparently never having been told what a “private network” is when you don’t prefix it with the word “virtual” – and the idea is taking off in other quarters.

Here’s why it’s a dumb idea: it won’t work.

It’s not just that the easiest defenses are the cheapest ones – as promulgated by Australia’s Defense Signals Directorate and now endorsed by the SANS Institute.

However, that’s a big part of it: if people can’t be trusted to apply patches and block obvious holes, how does creating a new, vastly expensive, probably-intrusive (since one idea doing the circuit is the registration of all machines) network change things? All it does is put the same insecurities and vulnerabilities and slack practices on a new network, which everybody will hail as “secure” up until the moment it’s penetrated.

And penetrated it will be.

It seems like everybody’s forgotten that Stuxnet wasn’t an Internet-borne attack. It was carried on a USB key: the kind of attack vector that will still exist on Henry’s proposed secure Internet.

Not only that: the kind of private networks that do exist – say, electricity utilities’ extensive in-house fibre, to pick an example – become vulnerable not because they’re directly connected to the Internet, but because somewhere in a large organization, there’s likely to be machines that exist on both the public and private networks.

They will still exist: it’s simply not feasible that any network of millions of machines will be entirely free of all possible bridges to other networks.

It seems to me that the Shawn Henry proposal is a recipe for tossing billions of dollars against walls the world over, and for creating a user base that believes itself secure and becomes even more cack-handed and complacent at actually protecting itself.

The real reason a “secure Internet” wouldn’t work is because, as the DSD and the SANS Institute have illustrated so efficiently, the problem is behavioural, not technical.

I’m going to propose an idea: use price signals to encourage the behaviour we want.

I believe – without the benefit of a single minute’s proper research, so I guess I’m handing some enterprising youngster a PhD outline on a plate here – that I can borrow an expression from the world of economics, the mis-pricing of risk, to explain what I mean.

How to price the risk?

When a lender puts the wrong price on their risk, they suffer a loss (OK, OK, or they get bailed out by already cash-strapped governments who don’t want the whole system to come crashing down around their ears).

The price of risk in computer security looks smaller than the price of security. It’s easy to add up the cost of security: firewalls plus servers plus IDS plus staff plus antivirus plus this fabulous quantum crypto kit …

However, until a breach actually occurs, the cost of risk is pretty much zero – you can’t predict the financial impact of a breach on any particular system until after the fact; and doing nothing is free until the sky falls in and someone’s dropped your customer list into Pastebin.

There is a group of people who are experienced in assessing the likely cost of something that hasn’t yet happened: actuaries.

Rather than trying to mandate technologies and network architectures and all the things that don’t help if the behaviour is wrong, why not look at the most effective way to encourage good behaviour – such as, for example, mandating “breach insurance” for all corporate and government computer systems connected to the Internet?

Today, someone deciding to connect internal System A to Internet-connected System B is encouraged to look at the business opportunity, and discount the risk. Someone deciding to replace an internal network with Internet services is encouraged to look at savings, and discount the risk. Only when something goes wrong, such as (for example) the Sony PlayStation Network hack, do we get an assessment of the cost involved when something goes wrong.

Because there is no balance-sheet price on risking a computer system, many or most of the people holding the purse strings begrudge the cost of securing it.

But if there’s a real price associated with a risk, then security gets a business case: “your premium will be $2 million, or $800,000 if you satisfy our security auditors.” Or even “we will never insure this system to be exposed to the Internet. If you must run it, you must do so on a private network.”

It’s not a complete solution. But it’s better than seeking truckloads of cash to try and replicate the Internet. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/26/fbi_secure_internet/

Miley Cyrus cracker: ‘I’m too short for the slammer!’

A Tennessee man, found guilty of cracking the Gmail account of Miley Cyrus and posting private photos of her online, has asked the sentencing judge to spare him prison because of his diminutive stature.

A teenaged Josh Holly was arrested by federal investigators three years ago after he correctly guessed the security question to Cyrus’ Gmail account and harvested racy photographs of the then-15-year-old online. He is due to be sentenced on Monday, and according to court documents obtained by The Smoking Gun, he has asked for a non-custodial sentence on the grounds that he is too young for the Big House and, at five feet six inches, is considerably smaller than the average inmate.

His attorney Sumter Camp petitioned the judge for probation, saying it was a “sufficiently onerous punishment for a first-time offender of immature mental age,” and that jail time “would hinder rather than aid Josh’s rehabilitation.” He is also asking for leniency on the grounds that Holly has been meeting with the FBI and has ratted out anyone else he could think of, having provided “information about others that he was aware were involved in illegal computer-related activities.”

Bizarrely enough, the government prosecutors actually agree that Holly may be too short for the slammer, but said that – in light of the serious nature of the crimes – this should not be a cause to go easy on the 22-year-old.

“The government does not contest the presence of the various factors pointed out by probation and advanced by [the] defendant in support of his request for departure, primarily [the] defendant’s youth, mental and emotional issues and physical stature,” writes a federal prosecutor, in response to Camp’s claims. “The government disagrees with [the] defendant and probation with regard to the weight and significance that should be attributed to these factors in viewing the totality of facts in this case.”

Holly has been ordered to stay off the internet for the moment, but has already violated this, posting a message on his Facebook page reading: “I’m having these strong urges to start playing around and hacking shit again, there’s so much new stuff on the net. I can’t stop these urges. Am I a bad person?”

Holly posted up pictures of the underage star posing for self-taken photographs in her underwear, and baring her midriff. He bragged about his feat online, under the name TrainReq, and investigators found numerous cracked accounts and stolen credit card numbers in his possession. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/28/miley_cyrus_cracker_short_for_slammer/

Hackers commandeer US government satellites

Hackers interfered with two US government satellites on four separate occasions in 2007 and 2008, according to a report scheduled to be released next month by a congressional commission.

In June 2008 and again in October of the same year, a Terra AM-1 earth observation satellite operated by NASA experienced interference at the hands of hackers, Bloomberg Businessweek reported, citing the unreleased report. The draft doesn’t elaborate on the interference, but it said the sessions lasted two minutes in the first incident and nine minutes in the second incident.

It also said “the responsible party achieved all steps required to command the satellite,” although the hackers didn’t actually exercise control over the craft.

A Landsat-7 earth observation satellite jointly managed by NASA and the US Geological Survey was commandeered for 12 minutes or longer on two occasions in October 2007 and July 2008, the report stated.

Both craft use the commercially operated Svalbard Satellite Station in Spitsbergen, Norway, which “routinely relies on the internet for data access and file transfers,” the report said. That has led to speculation that the attackers may have hacked the internet connection to take control of the satellites.

“Such interference poses numerous potential threats, particularly if achieved against satellites with more sensitive functions,” the draft report warns. “Access to a satellite’s controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite’s transmission.”

The annual report by the US-China Economic and Security Review Commission goes on to say the breaches are consistent with the activities of China’s military. The draft concedes that there’s no hard proof of a direct connection, but recites a litany of other hacks in the recent past it claims suggest that China has “conducted and supported a range of malicious cyber activities.”

Among them are allegations of an attack on the website of the outlawed Falun Gong spiritual group, based on video footage contained in a newscast aired on China Central Television 7. It also refers to a March 22 incident, in which US internet traffic was “improperly” redirected through a network controlled by the China Telecom Corp. Ltd. That’s almost certainly a reference to a brief diversion of internet traffic sent between Facebook and subscribers to AT&T’s internet service. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/28/us_government_satellites_hacked/

Fact check clears Czech in botnet case

Microsoft has announced that it’s dropped dotFREE from its ongoing lawsuit over the Kelihos botnet.

In a blog post dated October 26, senior attorney of Microsoft’s Digital Crimes Unit Richard Boscovich says neither dotFREE nor its owner, Dominique Alexander Piatti, were involved in Kelihos.

Piatti’s case was unusual, in that his naming in the lawsuit was the first time Microsoft had identified a specific defendant associated with a botnet.

Rather than controlling the subdomains that hosted Kelihos, Microsoft now believes that “the controllers of the Kelihos botnet leveraged the subdomain services offered by Mr. Piatti’s cz.cc domain” – making the cz.cc domain a victim rather than an offender.

Redmond now says its case against 22 “John Doe” defendants – identified by IP address only – will continue, and Piatti has agreed to either delete subdomains used by Kelihos, or to transfer them to Microsoft.

Microsoft is working hard to establish itself as a security hero in the world of botnets, having shut down the Rustock botnet in March, and the Waledac botnet last year.

As part of the settlement with Piatti, Microsoft says it will help dotFREE prevent future abuses of free subdomains and establish a secure TLD. Boscovich also notes that control of the botnet domains will give it insights into the operation of Kelihos. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/27/dotfree_off_the_hook/

(At least) 4 web authentication authorities breached since June

At least four web authentication authorities have reported being compromised in as many months, according to research from the Electronic Frontier Foundation that renews serious questions about a technology millions of websites rely on to remain secure.

EFF Technology Projects Director Peter Eckersley compiled the data by scrutinizing publicly available documentation the authorities must complete each time they revoke a SSL, or secure sockets layer, certificate. Since June, four separate certificate authorities have listed the reason for canceling one or more credentials as “CA compromise,” the research shows.

So far, DigiNotar, the disgraced CA that went bankrupt after suffering and then covering up a massive intrusion into its network, and a related Dutch governmental group are the only authorities known to have revoked certificates in the past four months because they were hacked. Since June, rivals StartSSL and GlobalSign have reported security breaches but have said they were disrupted before attackers could forge counterfeit credentials.

The realization that at least two other CAs have experienced security breaches that required certificates to be revoked renews a criticism that has dogged SSL for years: with more than 600 authorities trusted by major browsers, there are too many single points of failure. As demonstrated by the DigiNotar debacle, the compromise of just one authority allows impostors to obtain digital certificates of the kind that Google Mail, Skype, or other services use to encrypt gigabytes worth of sensitive traffic and to prove their servers are authentic rather than easily forged impostors.

“As currently implemented, the Web’s security protocols may be good enough to protect against attackers with limited time and motivation, but they are inadequate for a world in which geopolitical and businesses contests are increasingly being played out through attacks against the security of computer systems,” Eckersley wrote in a blog post titled “How secure is HTTPS today? How often is it attacked?”

Since the EFF launched its SSL Observatory project, Eckersley and colleague Jesse Burns have counted a total of 14 CAs that have cited compromise as the reason for revoking a total of 248 certificates. In all, the four authorities who have done so since June revoked 55 certificates.

In an email, Eckersley declined to name the two unknown CAs out of concern that doing so will discourage CAs from being truthful in future revocation reports.

“Although it’s publicly researchable, I think that these CAs have actually been doing the right thing by correctly listing their reasons for revocation,” he explained in an email. “It’s bad enough that we have to trust an unbounded number [of] master certificates for the web’s encryption system – it’s even worse when security incidents related to those certificates are kept secret.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/27/ssl_certificate_authorities_hacked/

Cops find hackers’ phone in NOTW office

Police have discovered the existence of a mobile phone known as “the Hub” which was used by News of The World journalists to hack over 1,000 voicemails between 2004 and 2006, according to The Independent.

The phone sat on the news desk of the now-defunct newspaper and was used to illegally access 1,150 numbers between 2004 and 2006, according to Met officers working on the case codenamed “Operation Weeting”. The phone was registered to News International and the Met appear to have found the detailed call logs for the handset.

An ex-NOTW journo confirmed the existence of the phone and described it to the Indy as being “at the heart of the NOTW newsroom”. The reporter also said that it had been used to hack phones “on an industrial scale”.

The Independent learned about the phone from Tom Rowland, a victim of the hacking scandal and a former TV exec who worked on Big Brother. Met police inspectors told Rowland about “the Hub” when he met them at police headquarters in Putney to get an update on the case.

Mr Rowland said: “They [Weeting detectives] showed me a phone log taken from inside News International. They said it was the ‘NOTW hub’ and showed a pattern of calls made to my mobile phone.”

The log reveals his mobile number being accessed over 60 times, with specific dates listed.

The phone would be one of the most significant pieces of evidence to emerge in the case so far. Police are now trying to establish who kept the phone and who hid it.

The Metropolitan Police refused to comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/27/phone_hacking_phone_found/