STE WILLIAMS

Feds slurp WikiLeaker’s email with secret court order

Information about WikiLeaks volunteer Jacob Appelbaum’s emails could already be in the hands of the US government after wonks obtained secret court orders against Google and Sonic.net.

The Wall Street Journal says it has seen documents showing that the two companies failed in their opposition to the court orders. However, the WSJ believes the orders relate only to the people Appelbaum corresponded with, and not the content of the messages.

The orders were obtained under the wryly named Electronic Communications Privacy Act, which has been in place since 1986 and which, the WSJ says, requires only that the government demonstrate reasonable grounds to believe that the requested records are relevant and material to an investigation.

This latest order follows the success of an earlier order, applied for in December and obtained in March, for access to the IP addresses from which Appelbaum and two other WikiLeaks supporters, Birgitta Jónsdóttir and Rop Gonggrijp, accessed their Twitter accounts.

This is part of the US government’s ongoing pursuit of WikiLeaks’ founder Julian Assange.

With the full archive of the cables out in public since September and Assange distracted by his own battles over extradition to Sweden to face sexual assault allegations, WikiLeaks itself seems somewhat in abeyance. Court proceedings are probably the main nourishment remaining for Assange-watchers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/11/appelbaum_email_headers/

Trusteer rebuffs bank security bypass claims

Trusteer has downplayed the significance of reports that it might have been possible to bypass its anti-keylogger online banking protection technology.

Digit Security presented research at the 44Con conference last month suggesting that Trusteer’s Rapport technology could be ‘switched-off’ and ‘bypassed’ using functionality provided by Rapport itself. It suggested the vulnerability arose as a result of a design flaw rather than a bug.

Trusteer’s Rapport transaction security technology is offered as a voluntary download by 50 banks worldwide, including NatWest and HSBC in the UK, ING Direct USA and PayPal. The technology is designed to allow banking transactions to take place without interception even on compromised (malware-infected) machines by interfering with any attempts to log keystrokes or capture screenshots.

Digit Security said the Trusteer Rapport flaw has not been abused by existing malware. The Times followed up on the research with an article (behind paywall here) on the threat.

In a statement issued on Monday, Trusteer chief exec Mickey Boodaei said that it had corrected the flaw discovered by Digit Security. It criticised The Times and Digit Security for failing to give it enough time to design a fix.

An article published in The Times of London Money Section on October 1st 2011, describes a method to bypass Trusteer Rapport’s anti-keylogging mechanism and suggests that “millions of customers are at risk of fraud because of a fundamental flaw”. We investigated the claim and found it to be a speculative threat that is not currently incorporated in malware. We fixed the issue, but asked The Times for a few days to complete our testing. They decided to run the story anyway.

This situation illustrates why the information security industry has self-instituted a responsible disclosure process. Most researchers follow this practice, and do not disclose a vulnerability publicly until they have advised the software developer of the problem and given them the opportunity to fix it. This is designed to protect users. In this instance, the vulnerability code was made public without sharing it with us first, even though we made multiple requests to see it.

Trusteer downplayed the significance of the flaw discovered by Digit Security, arguing that exploiting it would be difficult in practice. The security company said that even if a hacker were able to use the flaw to disable anti-keylogging functions in Rapport, other secondary security protection technologies would still be in play.

Fortunately, the exploit code published by the researcher (http://www.digit-security.com/files/exploits/rapport-listen.c) doesn’t represent a real threat for the following reasons. First, it requires the user to be an administrator, which is not the default mode on Mac computers. Second, this code triggers the operating system to ask for the user’s admin password each time the code tries to read keystrokes. Finally, the code cannot be used to read password fields due to restrictions set by the system.

Even if this threat were real, our customers would not be at risk. That’s because Trusteer provides a wide range of defences against fraud. It prevents malware from installing on the computer and accessing information inside the browser; it verifies the legitimacy of the website that the customer is currently using to prevent the submission of sensitive information to fraudulent websites; it detects malware activity and removes the files associated with it; and it monitors web pages loaded into the browser and removes malicious content that tries to exploit vulnerabilities in the browser or its add-ons.

Trusteer concludes by criticising Digit Security for failing to follow accepted industry practices on responsible disclosure.

Trusteer accepts feedback from all sources that follow responsible disclosure methods which allow vendors to investigate and, if necessary, provide a fix before a vulnerability is made public. This is an accepted practice in the information security industry and was created specifically to avoid placing users at risk. The researcher who collaborated with The London Times failed to follow this code of conduct. It was irresponsible, and is exactly the type of behaviour we and the industry as a whole are trying to prevent.

More on Digit Security’s research can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/11/trusteer_rapport_security_bypass/

Your organization’s security depends on everyone

Live Broadcast: Social networks, local admins, unpatched software, missing USBs: the causes of security problems in your business are often not just the big stuff that tries to get inside the firewall, it’s the little problems that are already on the inside.

On October 13th at 16:00 BST/11:00 EDT, our latest live Regcast asks:

  • Could your traditional security architecture be solving the wrong problems?
  • Would a new approach to your current security plug the gaps more efficiently?
  • How much do we need to trust and train our users?

The Reg’s Tim Phillips is joined by security specialist Mike Rothman from Securosis, Paul Zimski from security specialist Lumension, and Andy Buss from Freeform Dynamics, who will reveal the results of the latest Register reader research that addresses these security dilemmas.

We’d love to hear about how you are (and how you are possibly not) keeping your organization’s security practices in check, so share your experiences in our ongoing live Q&A.

Join us for this free event here and if you can’t be there for the live broadcast you can see the show through an on-demand version for your convenience. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/10/security_mistakes_event2/

Virus infects killer US air drone fleet

Computers controlling the US Air Force’s killer Predator and Reaper drones have been infected by a key-logging virus, according to a mole who spoke to Wired. And the malware is not going away despite serious efforts to nuke it.

The remote-controlled bomb planes have flown in missions since the discovery of the virus two weeks ago.

[Image: Predator drone, credit Wikipedia]

Consoles at the Creech Air Force Base in Nevada have been infected by the virus – the ‘cockpit’ from which the majority of the US Army’s unmanned Predator and Reaper drones are directed. Each aircraft is controlled by a pilot in the Nevada station using computers, video feeds and a joystick. Drone missions are carried out in places including Pakistan, Yemen and Afghanistan, and have killed an estimated 2,000 people so far.

The virus doesn’t affect the functioning of the aircraft, but it is monitoring and saving every keystroke the pilots make. It is believed that the malware won’t be able to transmit the information it collects beyond the classified military network hosting the equipment; the network is insulated from the public internet. But it has proved very hard to eradicate from the system.

Computer security technicians have disinfected all the internal hard drives on the operator consoles, but this does not seem to have rid the network of the problem.

“We keep wiping it off, and it keeps coming back,” a source familiar with the network infection told Wired. “We think it’s benign. But we just don’t know.”

It is thought that the virus was introduced to the system via a hard drive or a disk that had picked up the bug elsewhere.

Sky News also highlighted the risk of introducing malicious electronics or software into military hardware if chips are brought in from foreign sources.

“Sky News Online has previously seen US defence documents warning of the dangers for military systems constructed with non-military, commercially-bought computer chips sourced from Asia,” they write. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/10/keylogging_bug_infects_predator_drones/

Would you trust a dot-bank site more than a dot-com?

Would an exclusive internet address for banks help prevent phishing and identity theft?

That’s the hope of a new project from a financial services trade group in the US, which plans to apply to domain name overseer ICANN early next year for a “.bank” top-level domain.

BITS, the technology policy arm of the Financial Services Roundtable, with the support of the American Bankers Association, plans to form a new company to manage the bid.

According to the project’s general manager, Craig Schwartz, a .bank domain would increase the level of security and trust when users bank online. Unlike .com or .co.uk addresses, only vetted financial institutions would be able to register a .bank domain.

“Ensuring sub-domains are given only to qualified candidates, that leads to a more secure space from the get-go,” Schwartz said.

Today, it’s possible for any criminal to buy an address such as log-in-to-your-barclays-account.com, set up a phishing site, and then hope enough people are gullible enough to think it’s an official Barclays site and hand over their login credentials.

But only a real bank would be allowed to register a .bank address. Coupled with cryptographic signing using the new DNSSEC domain security standard, this could give consumers a higher degree of confidence in .bank domains than they do in other extensions.

BITS, working with registry services partner VeriSign, is also working on other possible security measures not available in other top-level domains, Schwartz said.

Because .bank domains would be limited to authorised entities, Schwartz said he anticipates fewer than 10,000 .bank addresses being registered.

The Financial Services Roundtable and the ABA together have a membership that comprises the majority of American banks. FSR members alone have revenue of over $1.2 trillion, and many are US subsidiaries of overseas banks.

But BITS is by no means guaranteed to have its .bank application approved.

Under ICANN’s rules, between 12 January and 12 April next year, any company with at least $185,000 to spend on processing fees can apply for any string it wants as a top-level domain.

Last month, for example, moves stepped up to bid for .london and .scot.

Despite the pedigree of its supporters, BITS may find itself competing against other applicants for the .bank contract.

As well as legitimate rival bids from banking organisations in other countries, it’s possible some crafty investors may risk cash filing spurious .bank applications in the hope of getting paid off to go away.

But the organisation hopes its plan to self-designate as a “community” will smooth its passage through ICANN’s convoluted application process, in which a so-called Community Priority Evaluation can enable a well-backed applicant to trump its rivals.

Potentially confusing the .bank value proposition, some large banks may also apply to ICANN for their own “dot-brand” extensions, enabling domains such as mortgage.barclays or johnsmith.hsbc.

“Most of the dot-brand examples people bring up are big, well-known banks,” said Schwartz. “But there are thousands of banks around the world that don’t have that awareness or don’t have the resources [to apply to ICANN] as the large ones do. We see this as an opportunity to reach out to small and medium-sized banks.”

Nevertheless, educating the world’s internet users to only trust .bank domains when they bank online may take considerable time and marketing money to pull off without confusing consumers.

It may not even be effective at preventing phishing. Recent research from the Anti-Phishing Working Group found that only 9 per cent of phishing attacks use a variation of a real brand today, which suggests that many internet users don’t even look in their browser’s address bar.

If BITS’ bid for .bank is successful, it may take a few years for the domains to find their way into the public consciousness, but BITS thinks the domain may also work as a business-to-business play.

“A B2B opportunity is likely in the first phase, with potentially B2C coming down later,” said Schwartz. BITS sees potential benefits using .bank to transmit transactional information between banks, he said.

BITS is also considering applying to ICANN for other financially-oriented extensions, possibly including .insure and .invest, according to Schwartz. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/10/would_you_trust_a_dot_bank/

BT and F1 legend punt miracle diet in Twitter hijack

BT Business and former F1 driver Nigel Mansell both fell victim to a Twitter hijack punting a well-known diet pill spam scam.

Followers of both @btbusiness and @Mansell5 were on Friday directed towards a weight loss site, featuring an advertorial on the supposed miracle Acai Berry diet at newzonlines(dot)com. BT Business quickly regained control of its account and apologised. The offending message remained live on the Mansell account for some time, seemingly unnoticed by the former F1 world champion until the weekend, when it disappeared. Mansell tweeted on Sunday night: “I’m thinking it’s time to choose a new password!”

A screenshot of the offending messages, which said “Are you serious about weight loss? Read this article ASAP!” can be found here.

The Acai Berry spam attack has been seen before and previously linked to last year’s Gawker password hack. Last December accounts where users happened to use the same password on both Twitter and Gawker were hijacked to post messages promoting the scam, as explained in a blog post by Sophos here.

It’s unlikely that either BT Business or (more especially) Mansell maintained Gawker accounts. The account compromise probably occurred as a result of a phishing attack or some form of password security lapse. Even though no harm was done, a giant telecoms firm such as BT ought to be a bit more savvy about this type of thing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/10/twitter_diet_spam_scam/

Biker gang plunders Covent Garden Apple Store

Grieving Apple Store staff arrived to work this morning to find their Covent Garden shop had been plundered overnight by a biker gang.

Two men are being questioned by coppers after the “smash and grab” raid at 1am today, just days after the death of billionaire Apple baron Steve Jobs.

Coppers were alerted after a gang of around seven moped riders and motorcyclists, most carrying pillion passengers, targeted the House of Jobs and made off with fondleslabs and “other similar devices”.

Islington plod chased one moped believed to be involved in the burglary but the rider managed to give them the slip.

The moped was subsequently abandoned in EC1 but officers saw two suspects inside a block of flats and pursued and apprehended them at around 1.20am.

A bag of swag police believe was stolen from the store was found in the possession of the two suspects – a 16-year-old and a 21-year-old.

Both the teen and the 21-year-old are now in custody at a north London nick.

Detective Sergeant Nathan Tozer of Westminster CID said: “Although two men are in custody on suspicion of burglary, the inquiry continues and other persons are sought.

“It is essential that anyone who saw the smash-and-grab, or the suspects making off, contact us as soon as possible,” he added.

Jewellery stores are typically the target of marauding morons on mopeds but with Christmas on the way, Jesus slabs are bound to be in short supply and huge demand.

Police are appealing to anyone with further information to contact Crimestoppers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/10/apple_store_burglary/

Zombie browser with evil past returns from the grave

A rogue browser package has re-appeared online years after security researchers thought it was gone for good.

Yapbrowser first appeared in 2006, enticing marks to use what was touted as a full-function web browser client. In reality, the software was jam-packed with adware from notorious (now defunct) outfit Zango. Users attempting to visit any site using the browser were directed to a porn domain, as security watchers warned at the time.

Browser downloads were pulled shortly after the domain in question started featuring child abuse images. Weeks later Yapbrowser reappeared with claims it offered “full protection from virus attacks”. That eye-opening assertion was never substantiated and the browser, and its associated domain, disappeared shortly after it was acquired by a firm called SearchWebMe in June 2006. SearchWebMe never did much with the software and all the Yap domains were soon either dead or serving up generic advertisements.

Fast-forward five years and the Yapbrowser domain has now reappeared, offering what appears to be a 2006 vintage edition of Yapbrowser, marketing it using the same overblown security claims that first appeared half a decade ago. The reappearance of the download was spotted by security researcher Chris Boyd (AKA Paperghost) of GFI Software while he was researching a presentation on browser rogues for the VirusBulletin Conference last week. Boyd was shocked to discover the reappearance of the software, which he had thought was long dead.

“Not only is there a ‘2011’ notice at the bottom, there’s a link to the Yapbrowser executable. The file appears to be the original from 2006, the EULA looks identical (to the extent it lists ‘yapbrowserATyapsearchDOTcom’ as a contact, despite the fact that domain is long dead) and when fired up on a testbox it currently takes the end-user to Yapsearch, which is parked,” Boyd explained.

“Not only does it appear to be the same old file, the website blurb also makes the same ludicrous promises of security which are optimistic by any stretch of the imagination,” he adds.

Yapbrowser is being offered in two flavours: a regular and an “adult” version, both of which are offered at no charge alongside claims that “Your computer will be free from viruses breeding online” and “There is a 100% guarantee no system infection will occur when using our software”.

Both versions of the software can be downloaded via a site called filesurfing(dot)com, which offers to hunt content from download sites such as Rapidshare and Mediafire.

Boyd said surfers would be well advised to stay well clear of the Yapbrowser application in favour of established browsers. “Seeing this site lurch back into life, looking identical to how it did back in 2006 and with the browser download following close behind is quite a shock,” he writes. “I imagine anyone else who researched this one will be feeling much the same, and given the history of this program coupled with the (still) nonsensical claims of security and virus evasion it would be quite the leap of faith to want to download and use this program.”

Boyd has a full write-up of the history and reappearance of Yapbrowser – complete with screenshots – in a blog post here.

The Yapbrowser.com domain is registered to Chris Phillips in Harringay. “Chris Phillips” is named on the searchwebme site. We left messages on a phone number associated with the registration but were unable to confirm whether the two were the same by the time of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/10/yapbrowser_zombie_reanimates/

German hackers snare wiretap Trojan, accuse gov of writing it…

German hackers have captured and analysed a cyber-sleuth Trojan which they claim may have been used by police to tap Skype calls and IM chats of criminal or terrorist suspects.

German wiretap laws do in fact permit the use of a “Bundestrojaner” (“Federal Trojan”), which has been used by police to record VoIP conversations for a few years.

But the so-called R2D2 (AKA 0zapftis) Trojan – which has not been confirmed as a creation of the German government – has far more capabilities than this, including the ability to download updates from the internet, log keystrokes, eavesdrop on IM chats and take screenshots. The backdoor function exceeds what’s permissible under German law.

Sophos has said:

We have no way of knowing if the Trojan was written by the German state – and so far, the German authorities aren’t confirming any involvement.

The comments in the Trojan’s binary code could just as easily be planted by someone mischievously wanting the Trojan to be misidentified as the infamous Bundestrojaner.

The R2D2 Trojan was captured by the Chaos Computer Club (CCC) and made public over the weekend, sparking a huge row in privacy-sensitive Germany.

A CCC spokes-hacker said:

This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown Trojan is possible in practice – or even desired. Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully.

Hackers from the group reverse-engineered samples of the malware code before analysing the functions built into the software. The group concludes that any machine infected by the Trojan might be easily seized by third-party hackers.

The screenshots and audio files it sends out are encrypted in an incompetent way; the commands from the control software to the Trojan are completely unencrypted. Neither the commands to the Trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorised third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the Trojan, and upload fake data.

An English-language statement by CCC on its find can be found here. The German chancellor’s press secretary denied that the R2D2 trojan has been used by the BKA, the German Federal criminal police. This denial has failed to stem speculation.

One popular theory is that the Trojan might have been created by Digitask for the Bavarian government. Such speculation is interesting, though not based on any evidence outside of papers released by WikiLeaks suggesting Digitask had at least offered to create this sort of software.

Security firms say it is impossible to know who created the code from the evidence available.

Net security firm F-Secure writes:

“We have no reason to suspect CCC’s findings, but we can’t confirm that this Trojan was written by the German government… As far as we see, the only party that could confirm that would be the German government itself.”

Anti-virus firms including F-Secure and Sophos have already added detection against the malware, along with commentary on the row (here and here, respectively). Other security outfits can be expected to follow suit; they are obliged to add detection for any blob of malware they come across regardless of who created it. Turning a blind eye to state-sponsored malware, especially in the post-Stuxnet era, would be commercial suicide. ®

Bootnote

The R2D2 name comes from a string of ASCII, “C3PO-r2d2-POE”, found in the mystery Trojan. Likewise, the 0zapftis name also appears, a phrase meaning “the barrel is open” that’s used by the Munich mayor in opening Oktoberfest every year.

Security firms agree with CCC that the Trojan is lame. F-Secure’s Mikko Hypponen tweeted amusingly:

It’s not well written. Which, I guess, makes it *more* likely it’s developed by a Government…

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/10/german_federal_trojan_row/

Scientists break card that secures homes, offices, transit

Scientists have circumvented the encryption used to protect a smartcard that’s widely used to restrict access in corporate and government buildings, and to process payments in public transit systems, a feat that makes it possible to clone perfect replicas of the digital keys and steal or modify their contents.

The attack, developed by researchers at Germany’s Ruhr University, takes about seven hours to recover the secret key protecting the Mifare DESFire MF3ICD40. The hack leaves no trace that the card has been compromised, and requires equipment costing $3,000.

The contactless card, which some customers adopted following the cracking of the Mifare Classic in 2008, is used by transit agencies in San Francisco, Australia, and the Czech Republic. It was adopted by NASA in 2004, although it’s not clear if the agency has since upgraded.

The findings of researchers David Oswald and Christof Paar are the latest to shatter the protection in embedded electronic devices that millions of people rely on to secure homes, offices, and mobile payment accounts. In addition to the breaking of the Mifare Classic, a team of scientists that included Paar cracked the encryption of the Keeloq security system used by manufacturers of cars, garage door openers, and other devices.

Recipe for trouble

Like the previous two hacks, the latest attack recovered the card’s secret key, allowing an adversary to assume the digital identity of individuals who use it to prove they are who they say they are.

[Image: Mifare DESFire card, which is being discontinued. Caption: NXP has marketed the DESFire MF3ICD40 despite its growing vulnerability to attack]

“It provides a recipe for how to extract the secret key material non-invasively, basically by pointing a radio probe at the card and monitoring it as it performs a transaction,” said cryptographer Nate Lawson, the principal of Root Labs, who has read the research. “This is something that’s easily replicable with a few thousand dollars and a little amount of time, so it’s practical.”

Oswald and Paar’s attack relied on side-channel analysis, a technique that records a device’s electromagnetic radiation or other physical characteristics to learn important clues about the encryption taking place inside. In much the way a safe cracker listens to pin clicks to figure out a vault’s combination, their differential power analysis allows them to recover the 112-bit secret key that locks digital information stored on the DESFire card.

It involves the use of a probe connected to an oscilloscope that records electrical emanations while the card is being read by an RFID, or radio-frequency identification, reader.

For the recovery to succeed, an attacker must first buy a DESFire card and spend months making detailed observations about its inner behaviors. It took the researchers about a year to “profile” their card, although Oswald told The Register that a trained engineer could probably cut that time in half. Using the findings in their paper, a hacker could probably shave even more time off the profiling.

With that task out of the way, all that’s required for them to compromise a card is to have physical access to it for about seven hours. When they’re done, they will have access to the secret key needed to clone the card and access or modify whatever data is stored on it. The hack can’t be detected later.

In a message to DESFire customers, Mifare representatives said the attack works only on the MF3ICD40 model of the card, which is being discontinued at the end of the year. They encouraged users to upgrade to the EV1 version of DESFire because it isn’t susceptible to the attack.

They also said customers of the weaker model can minimize the damage of attacks by assigning unique keys for each card they deploy. When the measure is accompanied by systems that monitor card readers and a key-revocation mechanism, cards that are lost or stolen can be blacklisted.
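The mitigation Mifare describes above, per-card keys plus reader monitoring and revocation, limits a key extracted from one card to that card alone. The following is an added illustration, not code from the article, from NXP or from the researchers: it derives each card’s key from a master key and the card UID (an illustrative HMAC-SHA256 derivation, not NXP’s own diversification scheme), checks a simplified challenge-response (HMAC standing in for the card’s 3DES), keeps a revocation list, and flags one UID presented at two different readers within a short window as a possible clone. The UIDs, master key and reader names are constructed for the example, and the clone heuristic is an assumption about what “monitoring card readers” could mean in practice.

```python
import hashlib
import hmac
import secrets

# Constructed master key for the example; a real deployment keeps it in an HSM/SAM.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
KEY_LEN = 16  # two-key 3DES key length as used by the MF3ICD40 (112 effective bits)


def diversify_key(master_key: bytes, card_uid: bytes) -> bytes:
    """Derive a per-card key from the master key and the card's UID.

    Illustrative derivation (HMAC-SHA256 truncated to 16 bytes), not NXP's own
    scheme. The property that matters: a key recovered from one card by
    side-channel analysis reveals nothing about any other card's key.
    """
    return hmac.new(master_key, b"card-key|" + card_uid, hashlib.sha256).digest()[:KEY_LEN]


def card_respond(card_key: bytes, challenge: bytes) -> bytes:
    """Simplified challenge-response computed with the card's own key
    (the real card uses 3DES; HMAC stands in here)."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


class Backend:
    """Reader back-end: derives per-card keys on demand, verifies responses,
    keeps a revocation list and watches reader events for clones."""

    def __init__(self, master_key: bytes, clone_window_s: int = 60):
        self.master_key = master_key
        self.revoked: set[bytes] = set()
        self.clone_window_s = clone_window_s
        self.last_seen: dict[bytes, tuple[int, str]] = {}  # uid -> (time, reader)
        self.alerts: list[str] = []

    def revoke(self, card_uid: bytes) -> None:
        """Blacklist a lost or stolen card; its (possibly cloned) key is now useless."""
        self.revoked.add(card_uid)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def authenticate(self, card_uid: bytes, challenge: bytes, response: bytes,
                     reader: str, t: int) -> bool:
        if card_uid in self.revoked:
            return False
        expected = card_respond(diversify_key(self.master_key, card_uid), challenge)
        if not hmac.compare_digest(expected, response):
            return False
        self._check_clone(card_uid, reader, t)
        return True

    def _check_clone(self, card_uid: bytes, reader: str, t: int) -> None:
        # Heuristic (assumption): the same UID at two different readers within
        # the window is physically implausible and worth an alert.
        prev = self.last_seen.get(card_uid)
        if prev is not None:
            prev_t, prev_reader = prev
            if prev_reader != reader and t - prev_t < self.clone_window_s:
                self.alerts.append(
                    f"{card_uid.hex()} seen at {prev_reader} and {reader} within {t - prev_t}s")
        self.last_seen[card_uid] = (t, reader)


def run_scenario() -> tuple[bool, bool, bool, int, bool]:
    """Walk through: legitimate use, key reuse against another card, a clone
    at a second reader, then revocation. Returns the observable outcomes."""
    uid_a = bytes.fromhex("04a1b2c3d4e5f6")  # constructed 7-byte UIDs
    uid_b = bytes.fromhex("04112233445566")
    backend = Backend(MASTER_KEY)
    key_a = diversify_key(MASTER_KEY, uid_a)  # what an attack on card A alone would yield

    ch = backend.new_challenge()
    ok_a = backend.authenticate(uid_a, ch, card_respond(key_a, ch), "lobby", 1000)
    # Card A's key presented under card B's identity: diversification makes it fail.
    ok_b_with_key_a = backend.authenticate(uid_b, ch, card_respond(key_a, ch), "lobby", 1001)
    # A clone of card A used at another reader ten seconds later: accepted, but flagged.
    ch2 = backend.new_challenge()
    ok_clone = backend.authenticate(uid_a, ch2, card_respond(key_a, ch2), "garage", 1010)
    # Once the card is reported and revoked, the extracted key stops working.
    backend.revoke(uid_a)
    ch3 = backend.new_challenge()
    ok_after_revoke = backend.authenticate(uid_a, ch3, card_respond(key_a, ch3), "lobby", 1020)
    return ok_a, ok_b_with_key_a, ok_clone, len(backend.alerts), ok_after_revoke


if __name__ == "__main__":
    print(run_scenario())
```

The point the scenario makes is the one in the vendor advice: diversification confines a seven-hour key extraction to the single card that was attacked, and monitoring plus revocation turns a clone into a detectable, revocable event rather than a permanent, invisible compromise.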

The failure of the MF3ICD40 is its almost complete lack of countermeasures to prevent differential power analysis. While the card skips a few random clock cycles in an attempt to misalign an attacker’s traces, that countermeasure is now considered insufficient when used alone.

Endowing the card with additional protections was considered cost-prohibitive in 2002, the year a division of Philips designed it. Despite the growing use of attacks that use the technique, the company, which eventually became Netherlands-based NXP Semiconductors, continued to market the smartcard.

Let the upgrades begin

NXP doesn’t provide figures on how many vulnerable cards have been purchased over the years, but earlier this year it did say it had sold 3.5 billion smartcards overall.

NXP says upgrading to the EV1 model is relatively painless because it is backwards-compatible with its vulnerable predecessor. But cryptographer Lawson said the logistics of swapping out tens of thousands or even millions of cards and updating back-end systems accordingly can make the task cumbersome.

With potentially billions of cards affected, shops that still rely on the card may want to think about dumping them soon. Let the upgrades begin. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/10/mifare_desfire_smartcard_broken/