STE WILLIAMS

A new Facebook program that pays cash rewards to people who report security bugs on the social networking site doled out more than $40,000 in its first three weeks.

According to a post published Monday by Facebook Chief Security Officer Joe Sullivan, researchers in 16 different countries have collected the bounties, which can reach as high as $5,000 for the best reports. One person has already received a total of $7,000 for flagging six different issues.

“We feel great knowing that we’ve launched another strong effort to help provide a secure experience on Facebook,” Sullivan wrote. “A bug bounty program is a great way to engage with the security research community, and an even better way to improve security across a complex technological environment.”

When Facebook announced the program last month, it joined Mozilla and Google in rewarding researchers who privately report vulnerabilities that could jeopardize the privacy or security of their users. To date, Google has paid more than $300,000 for bugs found on its various web properties – and that doesn’t include bounties paid for vulnerabilities reported in Google’s Chromium browsers.

At the other end of the spectrum are companies such as Microsoft and Adobe, which steadfastly refuse to pay bounties for private bug reports, even though their products greatly benefit from them. Last month, Microsoft offered a $250,000 reward leading to the conviction of the operators of the recently dismantled Rustock botnet, and earlier this month it promised more than $250,000 to researchers who develop new security defenses to protect Windows users against attacks that exploit software bugs.

In today’s post, Sullivan clarified several fine points in its bug bounty program. The minimum amount paid is $500. The program has already awarded a $5,000 bounty “for one really good report.” He didn’t say if there was a maximum amount, and he didn’t spell out the criteria for determining when one report is better than another.

The program covers bugs found only on the main Facebook website. There are no plans to extend it to third-party apps that work with the website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/30/facebook_bug_bounty_progress/

Security researchers have discovered a counterfeit web certificate for Google.com circulating on the internet that gives attackers the encryption keys needed to impersonate Gmail and virtually every other digitally signed Google property.

The forged certificate was issued on July 10 to digitally sign Google pages protected by SSL, or secure sockets layer. It was issued by DigiNotar, a certificate authority located in the Netherlands. The forged certificate is valid for *.google.com, giving its unknown holders the means to mount transparent attacks on a wide range of Google users who access pages on networks controlled by the counterfeiters.

It’s at least the second time in five months that unauthorized parties have gotten hold of valid SSL certificates used to cryptographically prove that a sensitive website is authentic rather than a forgery. In March, hackers broke into the servers of a web-authentication authority and minted valid certificates for Google Mail and six other domains. It took eight days for the counterfeit credentials to be fully blocked from all major browsers, and much longer to be blacklisted from email programs.

The episode exposed serious vulnerabilities in the net’s foundation of trust, because in the intervening time it was possible for attackers to create convincing forgeries of trusted services that were almost impossible for people on attacker-controlled networks to detect. The hack was carried out on a reseller of certificate authority Comodo, and came from servers that used an Iranian IP address. Monday’s attack appeared to be more of the same.

“This isn’t a huge surprise,” Moxie Marlinspike, a researcher and frequent critic of the SSL system said on Monday about the discovery of the latest Google certificate forgery. “This is the kind of thing we should expect is happening all the time. The only thing noteworthy is that anyone noticed.”

Google and Mozilla have responded to the forgery by preparing updates to Chrome, Firefox and other software programs that take the highly unusual step of blocking all certificates issued by DigiNotar while the forgery is being investigated.

According to a post published on Sunday by a user calling himself alibo, the counterfeit certificate surfaced when he tried to log into his Gmail account using the Google Chrome browser.

“I think my ISP or my government did this attack (because I live in Iran and you may hear something about the story of Comodo hacker!)” he wrote.

Alibo’s claims that Iranian ISPs including ParsOnline were using the certificate to validate Gmail couldn’t be independently confirmed. But the document he published has been verified by researchers as a valid certificate issued on July 10 by DigiNotar that digitally signs all URLs that end in Google.com.

“This CA should receive an internet death sentence as their carelessness may have resulted in deaths in Iran,” an unknown researcher who verified the certificate wrote. “This cert was issued in JULY of 2011 and it is now just a few days before SEPTEMBER. It is being used in the wild against real people in Iran *right* now.”

Indeed, statements issued by Google and Mozilla shortly after this article was first published indicate a growing mistrust of DigiNotar, which in January was acquired by VASCO Data Security, a maker of two-factor tokens and other authentication products.

“While we investigate, we plan to block any sites whose certificates were signed by DigiNotar,” a statement issued by Google announced.

Google credited a security feature recently added to its Chromium browser engine with protecting alibo and bringing the bogus credential to public attention.

Mozilla, meanwhile, said it planned to issue updates for Firefox, Thunderbird and SeaMonkey shortly “that will revoke trust in the DigiNotar root and protect users from this attack.” It invited users who don’t want to wait to manually purge the DigiNotar root from their browsers following these instructions.

Representatives from DigiNotar didn’t respond to repeated requests for comment.

Marlinspike has recently proposed a new system he calls Convergence for authenticating websites. It allows end users to query parties they trust when validating the SSL certificates provided by websites they encounter. The system, which is enabled through a add-on for Firefox, is designed to eliminate reliance of certificate authorities, which aren’t legally or financially accountable to end users and have suffered a variety of security breaches over the years.

Someone relying on Convergence wouldn’t have been tricked by the rogue certificate discovered Monday.

“Whoever got this cert seems to have had it since July 10th, almost 40 days!” Melih Abdulhayoglu, CEO of Comodo wrote in an email. “Maybe they already had a good use out of it would be one guess I have. I find it difficult to believe that this is for notoriety, as if it was, then they would publish it immediately after obtaining it.”

Abdulhayoglu said the certificate was revoked on Monday, but that status may not do much to stop any attacks in progress. As Marlinspike demonstrated in 2009, it’s trivial for attackers to suppress the error messages returned by revoked certificates, allowing rogue certificates to live on for weeks or months after they are discovered. The only foolproof way to revoke a certificate is to update each browser, email client, and other piece of software accepting SSL certificates to blacklist the counterfeit credential.

That means the certificate could be a threat until patches are issued by all software makers that work with SSL certificates. It’s unclear how long that will take.

If it’s true that this credential is being used to snoop on Gmail users, there’s no telling how long it will take to stop the attack. ®

This post was updated to include comment from Google and Mozilla.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/29/fraudulent_google_ssl_certificate/

It’s retro day in the world of Internet security, with an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP).

F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable machines get Morto copied to their local drives as a DLL, a.dll, which creates other files detailed in the F-Secure post.

SANS, which noticed heavy growth in RDP scan traffic over the weekend, says the spike in traffic is a “key indicator” of a growing number of infected hosts. Both Windows servers and workstations are vulnerable.

SANS is soliciting copies of the worm for analysis. Since worms have become something of an anachronism in an era of for-profit attacks using botnets, that analysis will probably include asking the question “why bother?”

The first traffic spike was discussed by SANS early in August, but since then, the group is reporting that the spike has grown “tenfold”.

F-Secure also fingers jaifr.com and qfsl.net as servers being used to remotely control the Morto worm. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/28/morto_worm_spreading/

Nokia suffered an embarrassing security breach over the weekend when hackers penetrated one of its community websites and accessed names, email addresses, and other information belonging to developers of smartphone apps.

Nokia posted a message that warned developers that their information was exposed after hackers exploited a vulnerability that allowed them to carry out a SQL-injection attack.

“The database table records includes members’ email addresses and, for fewer than 7% who chose to include them in their public profile, either birth dates, homepage URL or usernames for AIM, ICQ, MSN, Skype or Yahoo,” the Nokia advisory warned. “However, they do not contain sensitive information such as passwords or credit card details and so we do not believe the security of forum members’ accounts is a risk. Other Nokia accounts are not affected.”

Nokia admins quickly fixed the bug that made the attack possible, but they soon took the developer community website offline pending a security assessment. At time of writing, the discussion boards weren’t accessible. Nokia’s advisory said the service would be restored as soon as possible.

Before the hacked site was closed, people visiting it were redirected to a website that showed an image of Homer Simpson smacking his head and exclaiming “D’Oh.” Below the image were the words “Worlds number 1 mobile company but not spending a dime for server security! FFS patch you security holes otherwise you will be just another antisec victim. No Dumping, No Leaking!”

The compromise came as hackers claimed to have attacked a database belonging to French telecom provider Orange.fr and leaked site and source code. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/29/nokia_website_hacked/

It’s retro day in the world of Internet security, with an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP).

F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable machines get Morto copied to their local drives as a DLL, a.dll, which creates other files detailed in the F-Secure post.

SANS, which noticed heavy growth in RDP scan traffic over the weekend, says the spike in traffic is a “key indicator” of a growing number of infected hosts. Both Windows servers and workstations are vulnerable.

SANS is soliciting copies of the worm for analysis. Since worms have become something of an anachronism in an era of for-profit attacks using botnets, that analysis will probably include asking the question “why bother?”

The first traffic spike was discussed by SANS early in August, but since then, the group is reporting that the spike has grown “tenfold”.

F-Secure also fingers jaifr.com and qfsl.net as servers being used to remotely control the Morto worm. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/28/morto_worm_spreading/

The theft of secret data related to RSA’s SecurID tokens used by 40 million employees to access sensitive networks likely started with a 13-word email, evidence uncovered through a researcher’s dogged sleuthing suggests.

“I forward this file to you for review,” the unsigned email, sent to four employees of RSA’s parent company EMC, stated. “Please open and view it.”

The never-before-seen email was uncovered by Timo Hirvonen, a researcher with antivirus provider F-Secure, a little more than five months after someone pierced RSA’s defenses and stole undisclosed information related to SecurID. The attack has generated enormous interest among forensics and malware experts because it aided in the subsequent hack of defense contractor Lockheed Martin and possibly other RSA customers guarding mounds of classified data.

RSA had previously said the perpetrators sent two different phishing emails to a small group of lower-level employees over a two-day period. The messages were “crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file,” RSA said. The company said the booby-trapped payload was a spreadsheet called “2011 Recruitment plan.xls” that contained a malicious Adobe Flash object, but it refused to share the binary with researchers outside the investigation.

Hirvonen was among the hordes of researchers who searched high and low for the malicious Excel file. He eventually wrote an application that analyzed malware samples for Flash objects. The tool uncovered an Outlook message file that turned out to be an email sent to the four EMC employees on March 3. Low and behold, it contained the recruitment spreadsheet, including the malicious Flash object.

With the binary in hand, the researcher soon discovered someone had uploaded it to Virustotal on March 19, more than two weeks after the attack and a day after RSA publicly disclosed the attack. That meant the highly sought-after file was in front of researchers’ noses for five months.

When the file is opened, it installs the Poison Ivy backdoor on the end-user’s machine. As the Youtube video below demonstrates, there are no obvious signs anything nefarious is taking place.

The only thing that was advanced about the attack, F-Secure has concluded, was the exploit targeting the then-unknown Flash vulnerability. (Adobe has since patched it.) The rest relied on a few of the most basic social engineering ploys to trick an employee at one of the world’s most trusted security company’s into clicking on it.

More from F-Secure is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/26/rsa_attack_email_found/

Apple’s latest version of Mac OS X is creating serious security risks for businesses that use it to interact with a popular form of centralized networks.

People logging in to Macs running OS X 10.7, aka Lion, can access restricted resources using any password they want when the machines use a popular technology known as LDAP for authentication. Short for Lightweight Directory Access Protocol, LDAP servers frequently contain repositories of highly sensitive enterprise data, making them a goldmine to attackers trying to burrow their way in to sensitive networks.

“As pen testers, one of the first things we do is attack the LDAP server,” Rob Graham, CEO of auditing firm Errata Security, said. “Once we own an LDAP server we own everything. I can walk up to any laptop (in an organization) and log into it.”

The LDAP breakdowns in Lion aren’t well understood because Apple still hasn’t admitted there’s any problem. But according to threads here and here, it affects Macs running Lion that use LDAP to authenticate users to different desktop machines. After the initial login, Lion users can log in with any password. Apple’s latest operating system, which was released last month, blindly accepts whatever pass code it’s given.

Machines running Linux, Windows, and earlier versions of OS X authenticate just fine on the same LDAP servers, participants in the discussions reported. The are no widespread reports of problems when Lion machines log into networks that use protocols that compete with LDAP.

“Even though we have Open Directory running now (snark snark), we use OpenLDAP for our datacenter access and for clients,” a MacRumors newbie named monachus wrote. “Simply having Lion installed is a security vulnerability, as any user who can access OD settings can connect to the datacenter as any other users. It’s a HUGE hole.”

The user said his company has delayed a company-wide upgrade to Lion because of the issue.

Lion users said the problem arose only after upgrading from earlier OS X versions. The first report was made on July 25, five days after the newest OS was released. Amazingly, Apple allowed the the security hole to persist even after last week’s release of Lion 10.7.1, which fixed audio, video, and Wi-Fi glitches.

Apple’s Mac has long been considered a safe haven from the malware and social engineering attacks that mar the experience of so many users of Microsoft’s Windows OS. That’s partly because the Mac’s considerably smaller market share doesn’t make it worth the investment to write highly weaponized exploits that hijack OS X users. It’s also due in part to the non-trivial amount of resources and talent Apple has put into securing the OS, particularly in Lion.

Macs may be an excellent choice for individuals looking for a machine that’s resistant to malware attacks, but enterprises should think twice before deploying large fleets of them, a prominent security consultancy said recently. The recommendation is based on the finding that many of the OS X components used to administer Macs lack secure authentication protocols, making networks vulnerable to so-called APTs, or advanced persistent threats, such as those that have penetrated Google, RSA, and dozens of other corporations over the past 18 months.

“It’s a pretty big deal for customers using LDAP as their authentication scheme, and it demonstrates that enterprise deployment scenarios are obviously not part of Apple’s regression testing plan,” said Alex Stamos, one of the researchers at iSec Partners who said large corporate customers probably shouldn’t deploy large number of Macs for now. “Hopefully heavy coverage of these issues will lead Apple to invest security resources into improving the areas of OS X important to enterprise users, not just end consumers.” ®

This article was updated to change language describing protocols that compete with LDAP.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/26/mac_osx_lion_security_hole/

The Home Office has begun to look for a replacement for the Criminal Records Bureau (CRB) and Independent Safeguarding Authority (ISA), with a tender for a company to run outsourced disclosure and barring services.

The new service will bring the CRB and ISA together, and is aimed at supporting the implementation of the Protection of Freedoms bill.

It will involve: the receipt and processing of referrals for a barring decision; applications for disclosure; workflow management; customer and registration services; the issuing of certificates; payment services; and running a call centre. All of the services will have to be accessible through the Home Office’s desktops and infrastructure platform.

The tender notice in the Official Journal of the European Union says the contract will last for eight years and is valued at between £250m and £350m.

As yet there is no firm date for the new service to come into effect. A Home Office briefing on the Protection of Freedoms bill says that timescales will be finalised when the bill receives royal assent, which is expected to be in mid-2012.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/26/home_office_plans_for_crb_replacement/

The maker of an insulin pump that’s susceptible to wireless hacking was identified for the first time on Thursday by a diabetic researcher who said the company repeatedly ignored his warnings.

A commercially available pump made by Medtronic, the world’s biggest medical device manufacturer, is vulnerable to attacks that allow strangers to increase, decrease, or stop the flow of insulin being administered, the Associated Press reported. The article went on to say that hacker Jay Radcliffe outted the Minneapolis-based company after “he was ignored in repeated attempts to alert the company to the defects.”

He has recently started relying on a new pump model made by Johnson Johnson to treat his diabetic condition, according to The Minneapolis Star Tribune.

A Medtronic spokeswoman declined to discuss the interactions her company had with Radcliffe. She said a company representative attended a presentation Radcliffe gave earlier this month at the Black Hat security conference in Las Vegas.

During his talk, Radcliffe repeatedly declined to name the model or manufacturer in hopes he could first brief Medtronic representatives privately. The Department of Homeland Security, which examined his findings, eventually helped introduce him to someone inside the company, but even then his emails and calls went unanswered, the AP said.

The research into the vulnerability of wireless insulin pumps and other medical devices recently attracted the attention of two US lawmakers. In a letter drafted last week, they called on the Government Accountability Office to ensure that the devices are safe and will not interfere with other medical equipment.

Radcliffe also criticized Medtronic for a statement issued after his presentation which said that pump users could protect themselves against his attack by turning off the device’s wireless function. The particular wireless ability he exploited can’t be switched off, the AP said.

That’s in addition to the zinger here in which Medtronic recently said: “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”

The Medtronic spokeswoman didn’t address Radcliffe’s claims directly, but said the “risk of deliberate, malicious or unauthorized manipulation of our insulin pumps is extremely low.” Maybe, but it’s telling that a diabetic hacker thinks otherwise. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/25/medtronic_insulin_pump_hacking/

Transocean, the offshore drilling contractor at the center of the world’s biggest marine oil spill in the history of petroleum production, has been caught spewing a virtual sort of toxic sludge, according to a report released Thursday.

Researchers at web security firm Websense said deepwater.com, Transocean’s official website, has been hosting malicious exploit code that attempts to install malware on the machines of people who visit the site. The researchers counted at least two separate attacks included in several deepwater.com pages that exploit known vulnerabilities in Microsoft’s Internet Explorer browser and Adobe’s Flash media player.

Only 16 percent of the top 44 antivirus programs detected the latter exploit, the Websense report said, citing this analysis from Virustotal. The exploit code is stashed in invisible iframe tags planted on Transocean’s site, the report said.

As of 10:30 am California time, about 26 hours after the exploit code was first detected, the attacks were continuing unabated, Patrik Runald, a senior manager for security research at Websense, told The Register. They stopped shortly after The Reg asked a Transocean spokesman to comment.

“We don’t know exactly how the compromise happened but as the attackers were able to upload the exploit files to the server it’s not a SQL injection attack (which usually involves redirection to an external server),” he wrote in an email.

One of the world’s biggest offshore drilling contractors, Transocean operated the Deepwater Horizon oil rig, which caught fire on April 20, 2010 and spilled some 205.8 million gallons of oil into the Gulf of Mexico. Computers on the rig had a history of malfunctions, a chief engineering technician on the rig told investigators last year.

A spokesman for Transocean said members of the company’s IT department managed to remove the exploit code from the company’s servers, a claim Runald confirmed. The spokesman didn’t say if the deepwater.com website has ever been reviewed by outside security auditors.

The Websense report is here. ®

This post was updated to report that the exploit code has been removed.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/25/transocean_website_compromise/