Information Genology

Half of Fortune 500 firms infected with DNS Changer

2012-02-03T04:05:00.001-08:00

Machines will be cut off from the Web next month, say experts

Computerworld - Half of all Fortune 500 companies and major U.S. government agencies own computers infected with the "DNS Changer" malware that redirects users to fake websites and puts organizations at risk of information theft, a security company said today.

DNS Changer, which at its peak was installed on more than four million Windows PCs and Macs worldwide -- a quarter of them in the U.S. alone -- was the target of a major takedown organized by the U.S. Department of Justice last November.

The takedown and accompanying arrests of six Estonian men, dubbed "Operation Ghost Click," was the culmination of a two-year investigation, although some security researchers have been tracking the botnet since 2006. As part of the operation, the FBI seized control of more than 100 command-and-control (C&C) servers hosted at U.S. data centers.

According to Tacoma, Wash.-based Internet Identity (IID), which provides security services to enterprises, half of the firms in the Fortune 500, and a similar percentage of major U.S. government agencies, harbor one or more computers infected with DNS Changer.

IID used telemetry from its monitoring of client networks, as well as third-party data, to claim that at least 250 of the Fortune 500 companies and 27 out of 55 major government agencies had at least one computer or router infected with DNS Changer as of early this year.

The still-infected machines pose several problems, said experts.

"Initially, DNS Changer was worrisome because it could redirect you from a safe location to a dangerous one controlled by criminals," said Rod Rasmussen, the chief technology officer of IID in an emailed statement. "However, the FBI temporarily fixed that. Now, the big worry is that machines that are still infected face a second vulnerability -- they are left with little if any security."

That's because DNS Changer also blocks software updates -- the patches vendors like Microsoft issue to fix flaws -- and disables installed security software.

Others, however, have pointed out that computers still infected with DNS Changer have only weeks before they will be crippled.

As part of Operation Ghost Click, a federal judge approved a plan where clean DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software. Without that move, infected systems would have been immediately cut off from the Internet when the FBI seized the criminals' domain servers.

But the ISC was authorized to maintain the alternate DNS servers only for 120 days, or until early next month.

"[The ISC] will shut down the [DNS] servers in March and anybody who is still using those servers will then lose access to the Internet," said Wolfgang Kandek, chief technology officer of Qualys, in a Thursday post to that company's security blog.

Qualys has added DNS Changer detection to its free BrowserCheck tool that runs on Windows PCs, while the umbrella organization DNS Changer Working Group -- of which IID is a member -- has created a website that steps users through the process of detecting and infected PCs and Macs.

China's 'Internet Of Things' To Become Semantic Web Superpower?

2012-01-14T08:41:00.001-08:00

Web 3.0 and Semantic Technology is fast approaching and will soon overtake Social Media as a communications medium, within the next decade (see previous post, "New Industrial Revolution Sabotages Social Media!"). The development of the 'Internet of Things' is the first step in attaching sensors, barcodes and IP addresses to every 'thing' that occupies space in our material world - and it appears that China could very well be its supreme leader.

The Internet of Things is where wireless networks of objects are created using RFID, Bluetooth, GPS, and other technologies, working in tandem with cloud computing environments, Web portals, and back-end systemsthat will allow our 'things' to talk to each.

Some analysts predict that the industrial value of the Internet of Things over the next decade will surpass that of the Internet 30 times over, and say it will become a market that is worth more than $100 billion.

At the recent China IoT Conference held in Shanghai, Xi Guohua, China's vice-minister of industry and Xi Guohuainformation technology announced that China is placing a priority on developing a national IoT plan. Florian Michahelles, associate direct or the Auto-ID Labs and an RFID technology expert noted that "the entire hype for Internet of Things has actually been jump started by the current premier Wen Jiabao mentioning Internet of Things as one of the key industry areas for China.

Internet + Internet of Things + Wisdom of the Earth

Wen JiabaoAccording to a ReadWriteWeb report, "it started on Aug. 7, 2009 when Chinese Premier Wen Jiabao made a speech in the city of Wuxi calling for the rapid development of Internet of Things technologies. It included this equation: Internet + Internet of Things = Wisdom of the Earth. Wen Jiabo followed up with a speech on Nov. 3 at the Great Hall of the People in Beijing, in which he encouraged breakthroughs in key technologies for sensor networks and the Internet of Things.

What about Europe's Parliament of Things?

In a recent post titled, "Europe Beats U.S. In Race For Social Networking The 'Internet Of Things," I talked about the European Union taking the lead in this technology. However, if China is to step up its 'semantic' game, as hinted by this recent announcement, coupled with its suppression of freedom of speech, chances are a government mandate in China will move the IoT along a lot quicker in that country than the bureaucratic hurdles that will confront the European Union.

W. David StephensonAn example of the benefits of IoT technology in China surfaced as the result of sensor project that helped clean up a lake in the city of Wuxi, which is now proclaimed China's 'Internet of Things' capital city. In the U.S. had the government given heed to W. David Stephenson's "Regulation 3.0" plan, we might have been able to prevent the BP offshore oil tragedy - as his plan called for sensors to be attached to oil rigs. This, in turn would have provided early alerts and an opportunity to prevent the malfunction in advance. (See " The Semantic Web As Big Brother Could Have Prevented The BP Oil Disaster").

Big Brother Might Be The Answer?

In that same article, I also talked about the fine line governments have to tread in order to institute these types of programs. While the 'Big Brother' mentality is abhorred in the States, it certainly is an accepted form of human interaction in China. According to Curt Hopkins in his ReadWriteWeb report, he notes that perhaps we place to much emphasis on privacy concerns, and that China's approach "is one situation in which the omission of pesky human rights will speed the plough."

Robert Kong HaiRobert Kong Hai (@weirdchina), an American writer and author living in China feels that "with a one party system … it generally moves as one machine to get it done and without much dissent."

In interviewing Kong Hai today, I asked why the U.S. was not as aggressive as China or Europe regarding the Internet of Things. He noted the following:

I think the bottom line is, IoT is just not mainstream enough. In a Western type democracy like the USA, to get the big money needed to fund research and development you need public support and political will. I don’t really hear a unified message about Internet of Things technologies for people to get excited about. You can’t rely on the US government to push this technology. It’s the private sector that has to step up. Remember, in China it’s the total opposite. The government jumps in and the private sector take cues from the government.

A couple other issues standing in the way; (1) China with its economy in decent shape apparently has extra cash sitting around to invest in IoT technologies - and I just don’t think the USA does. (2) China, with its political system, can push through projects with limited public objection (this could mean limited privacy protections), so projects get started immediately. Try to get away with that in a western country such as the USA or someplace in the EU. We all know that the USA is a democracy with much different rules and procedures to follow. These could include years of public objection, courts getting involved, changing administrations. This just means delay, delay, delay.

So it appears in the race for "Superpower" authority, China once again takes the lead- and if the U.S. doesn't take action soon and embrace this new technology, we could be left behind.

It's a quandary to think that our 'race into space' did not allow Russia nor China to take the lead, and yet, today, some forty years later, we have somehow lost that drive to be leaders in this new field of technology. With setbacks like these, we could end up as Martin Jacques has predicted his book, "When China Rules The World" - a country ruled by another Superpower! If that doesn't give someone in authority enough impetus to act, I don't know what will.

Hackers hit Dutch certificate authority Gemnet

2011-12-12T06:52:00.000-08:00

Dutch certificate authority Gemnet has taken its site offline following the discovery of a system breach.

Parent company KPN said that the certificate authority had temporarily suspended its web operations following a breach that allowed outside attackers to access the Gemnet web server.

In an effort to allay fears that the hack might lead to the creation of false certificates, KPN said that no systems related to the certificates themselves had been compromised in the attack and the Dutch PKIoverheid key infrastructure was not in any danger.

The incident follows a server breach at KPN Corporate Market in November that forced the company to temporarily close its site. This was preceded by another data breach at Dutch certificate authority Diginotar in the summer. Fallout from that breach eventually caused Diginotar to file for bankruptcy protection in the Netherlands.

A spokesperson for security firm McAfee told V3 that the latest breach underscores the importance of maintaining proper protections and monitoring of all systems.

"The recent hackings at KPN's Gemnet subsidiary serves as an illustration to the importance of basic security principles, such as utilising best practices and performing thorough penetration testing," the spokesperson said.

"More than ever, it is critical that companies establish proactive security policies in order to prevent attacks."

source - http://www.v3.co.uk/v3-uk/news/2131314/hackers-hit-dutch-certificate-authority-gemnet

Hackers exploit Adobe Reader zero-day, may be targeting defense contractors

2011-12-12T06:49:00.001-08:00

Adobe credits Lockheed Martin, victim of earlier attack, and defense industry cyber-threat group with reporting unpatched bug

Adobe today confirmed that an unpatched, or zero-day, vulnerability in Adobe Reader is being exploited by criminals.

Those attacks may have been aimed at defense contractors.

Adobe promised to patch the bug in the Windows edition of Reader and Acrobat 9 no later than the end of next week. Tuesday, Dec. 12 is also Microsoft's regularly-scheduled Patch Tuesday for the month.

The upcoming patch will be Adobe's sixth for Reader and Acrobat this year.

"A critical vulnerability has been [found] in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh," Adobe said in an early-warning email. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system."

The company issued a security advisory with what information it was willing to share.

Adobe acknowledged that the vulnerability is being exploited in what it called "limited, targeted attacks" against Reader 9.x on Windows, but did not provide any additional information about where and when the attacks were occurring, or who had been targeted.

Adobe identified the bug as a "U3D memory corruption vulnerability," U3D, which stands for "universal 3D," is a compressed file format standard for 3-D graphics data promoted by a group of companies, including Adobe, Intel, and Hewlett-Packard.

Reader vulnerabilities are typically exploited by attackers using malicious PDF documents that are attached to email messages with baited subjected heads that try to dupe recipients into opening the document.

Doing that also executes the malicious code -- in this case, likely malformed U3D data -- hidden in the PDF, compromising the victim's PC and letting the attacker infect the machine with other malware.

The attacks exploiting the unfixed flaw may have targeted U.S. defense contractors: Adobe originally credited the security response teams at both Lockheed Martin and MITRE with reporting the vulnerability.

Lockheed Martin is one of the U.S's largest aerospace and defense contractors, and manufactures the F-22 Raptor fighter jet and won the contract to build the F-35 Lightning II, the planned successor to the F-16 Falcon aircraft.

MITRE manages several research centers funded by U.S. government agencies, including the National Security Engineering Center for the Department of Defense, and the Center for Advanced Aviation System Development for the Federal Aviation Administration (FAA).

Lockheed Martin was in the computer security news last May when it admitted it had been the target of a "significant and tenacious [cyber]attack," which was allegedly conducted by leveraging information stolen several months earlier from RSA Security.

It's not unusual for companies targeted by hackers to be among the first to report a previously-unknown vulnerability, as they are, of course, in the best position to do so.

"My guess is they got it or were targeted and reported it to Adobe," said Mila Parkour, an independent security researcher who writes the Contagio Malware Dump blog. Parkour has been credited with reporting both Reader and Flash Player vulnerabilities to Adobe.

Adobe also has a connection to the Lockheed Martin attack of May;hackers exploited an unpatched bug in Adobe's Flash Player to gain initial access to RSA Security's network.

But minutes after Adobe issued its advisory, it changed the credits, retaining Lockheed Martin but replacing MITRE with the Defense Security Information Exchange (DSIE), a group of defense contractors that, according to a document on the White House website (download PDF), "share intelligence on cyber-related attacks."

MITRE was not able to comment on Adobe initially giving it credit for reporting the Reader zero-day to Adobe.

Adobe, meanwhile, said that the original credit to MITRE had been incorrect. However, MITRE is one of the organizations on the Defense Industrial Base (DBI), a superset of the DSIE. Other defense contractors who belong to the DBI include Boeing, General Dynamics, Lockheed Martin, Northrup Grumman, Pratt & Whitney and Raytheon.

The DSIE did not reply to questions about whether one or more of its members had been targeted by the Reader exploits.

While a patch for Reader and Acrobat 9 will reach users next week, Adobe said it will not deliver fixes for Reader and Acrobat 10 for Windows, as well as all versions for Mac OS X and Unix, until Jan. 10, 2012.

Adobe justified those delays on the grounds that Reader 10, also called Reader X, includes anti-exploit "sandbox" technology that isolates the application from the rest of the computer, and thus blocks the exploit now in circulation.

The company said that the risk to Macintosh and Unix users was "significantly lower" because attacks have been spotted targeting only Windows PCs.

source - http://www.computerworld.com/s/article/9222454/Hackers_exploit_Adobe_Reader_zero_day_may_be_targeting_defense_contractors?taxonomyId=17&pageNumber=2

Wi-Fi security do's and don'ts

2011-11-13T03:51:00.001-08:00

Wi-Fi is inherently susceptible to hacking and eavesdropping, but it can be secure if you use the right security measures. Unfortunately, the Web is full of outdated advice and myths. But here are some do's and don'ts of Wi-Fi security, addressing some of these myths.

Watch a slideshow version of this story.

WiFi users blissfully ignorant about real security

1. Don't use WEP

WEP (wired equivalent privacy) security is long dead. Its underlying encryption can be broken quickly and easily by the most inexperienced of hackers. Thus you shouldn't use WEP at all. If you are, immediately upgrade to WPA2 (Wi-Fi protected access) with 802.1X authentication 802.11i. If you have legacy clients or access points that don't support WPA2, try firmware upgrades or simply replace the equipment.

2. Don't use WPA/WPA2-PSK

The pre-shared key (PSK) mode of WPA and WPA2 security isn't secure for business or enterprise environments. When using this mode, the same pre-shared key must be entered into each client. Thus the PSK would need to be changed each time an employee leaves and when a client is lost or stolen unpractical for most environments.

3. Do implement 802.11i

The EAP (extensible authentication protocol) mode of WPA and WPA2 security uses 802.1X authentication instead of PSKs, providing the ability to offer each user or client their own login credentials: username and password and/or a digital certificate.

The actual encryption keys are regularly changed and exchanged silently in the background. Thus to change or revoke user access all you have to do is modify the login credentials on a central server, rather than having change the PSK on each client. The unique per-session keys also prevent users from eavesdropping on each other's traffic which is now easy with tools like the Firefox add-on Firesheep and the Android app DroidSheep.

Keep in mind, for the best security possible you should use WPA2 with 802.1X, also known as 802.11i.

To enable the 802.1X authentication, you need to have a RADIUS/AAA server. If you're running Windows Server 2008 and later, consider using the Network Policy Server (NPS), or the Internet Authenticate Service (IAS) of earlier server versions. If you aren't running a Windows Server, consider the open sourceFreeRADIUS server.

You can push the 802.1X settings to domain-joined clients via Group Policy if you're running Windows Server 2008 R2 or later. Otherwise, you may consider a third-party solution to help configure the clients.

4. Do secure 802.1X client settings

The EAP mode of WPA/WPA2 is still vulnerable to man-in-the-middle attacks. However, you can help prevent these attacks by securing the EAP settings of the client. For instance, in the EAP settings of Windows you can enable server certificate validation by selecting the CA certificate, specify the server address, and disable it from prompting users to trust new servers or CA certificates.You can also push these 802.1X settings to domain-joined clients via Group Policy or use a third-party solution, such as Avenda's Quick1X.

5. Do use a wireless intrusion prevention system

There's more to Wi-Fi security than combating those directly trying to gain access to the network. For instance, hackers could setup rogue access points or perform denial-of-service attacks. To help detect and combat these, you should implement a wireless intrusion prevention system (WIPS). The design and approaches of WIPSs vary among vendors, but generally they monitor the airwaves looking for, alerting you to, and possibly stopping rogue access points or malicious activity.

There are many commercial vendors offering WIPS solutions, such as AirMagnet and AirTight Neworks. There are also open source options, such as Snort.

6. Do deploy NAP or NAC

In addition to 802.11i and a WIPS, you should consider deploying a Network Access Protection (NAP) or network access control (NAC) solution. These can provide additional control over network access, based on client identity and compliance with defined policies. They can also include functionality to isolate problematic clients and remediation to get clients back within compliance.

Some NAC solutions may also include network intrusion prevention and detection functionality, but you'd want to make sure it also specifically provides wireless protection.

If you're running Windows Server 2008 or later and Windows Vista or later for the clients, you can use Microsoft's NAP functionality. Otherwise, you may consider third-party solutions, such as the open source PacketFence.

7. Don't trust hidden SSIDs

One myth of wireless security is that disabling the SSID broadcasting of access points will hide your network, or at least the SSID, making it harder for hackers. However, this only removes the SSID from the access point beacons. It's still contained in the 802.11 association request, and in certain instances, the probe request and response packets as well. Thus an eavesdropper can discover a "hidden" SSID fairly quickly especially on a busy network with a legitimate wireless analyzer.

Some might argue disabling SSID broadcasting still provides another layer of security, but also remember it can have a negative impact on the network configuration and performance. You'd have to manually input the SSID into clients, further complicating client configuration. It would also cause an increase in probe request and response packets, decreasing available bandwidth.

8. Don't trust MAC address filtering

Another myth of wireless security is that enabling MAC address filtering adds another layer of security, controlling which clients can connect to the network. This has some truth, but remember that it's very easy for eavesdroppers to monitor the network for authorized MAC addresses and then change their computer's media access control (MAC) address.Thus you shouldn't implement MAC filtering thinking it will do much for security, but maybe as a way to loosely control which computers and devices end-users bring onto the network. But also consider the management nightmare you might face to keep the MAC list up-to-date.

9. Do limit SSIDs users can connect to

Many network administrators overlook one simple but potentially dangerous security risk: users knowingly or unknowingly connecting to a neighboring or unauthorized wireless network, opening up their computer to possible intrusion. However, filtering the SSIDs is one way to help prevent this. In Windows Vista and later, for example, you can use the netsh wlan commands to add filters to those SSIDs users can see and connect to. For desktops, you could deny all SSIDs except those of your wireless network. For laptops, you could just deny the SSIDs of neighboring networks, enabling them to still connect to hotspots and their home network.

10. Do physically secure network components

Remember, computer security isn't just about the latest technology and encryption. Physically securing your network components can be just as important. Make sure access points are placed out of reach, such as above a false ceiling or even consider mounting access points in a secure location and then run an antenna to an optimum spot. If not secured, someone could easily come by and reset an access point to factory defaults to open access.

11. Don't forget about protecting mobile clients

Your Wi-Fi security concerns shouldn't stop at your network. Users withsmartphones, laptops and tablets may be protected onsite, but what about when they connect to Wi-Fi hotspots or to their wireless router at home? You should try to ensure their other Wi-Fi connections are secure as well, to prevent intrusions and eavesdropping.

Unfortunately, it isn't easy to ensure outside Wi-Fi connections are secure. It takes a combination of providing and recommending solutions and educating users on the Wi-Fi security risks and prevention measures.

First, all laptops and netbooks should have a personal firewall (such as Windows Firewall) active to prevent intrusions. You can enforce this via Group Policy if running a Windows Server or use a solution such as Windows Intune to manage non-domain computers.

Next, you need to make sure the user's Internet traffic is encrypted from local eavesdroppers while on other networks by providing VPN access to your network. If you don't want to use in-house VPN for this, consider outsourced services such as Hotspot Shield or Witopia. For iOS (iPhone, iPad, and iPod Touch) and Android devices, you can use their native VPN client. However, for BlackBerry and Windows Phone 7 devices, you must have a messaging server setup and configured with the device in order to use their VPN client.

You should also make sure any of your Internet-exposed services are secured, just in case the user doesn't use the VPN while on a public or untrusted networks. For instance, If you offer email access (client or web-based) outside of your LAN, WAN or VPN, ensure you use SSL encryption to prevent any local eavesdroppers at the untrusted network from capturing the user's login credentials or messages.

Geier is a freelance tech writer become a Twitter follower to keep up with his writings. He's also the founder of NoWiresSecurity, which helps businesses easily protect their Wi-Fi network with Enterprise (802.1X) security.

Read more about wide area network in Network World's Wide Area Network section.

source - http://www.computerworld.com/s/article/9221548/Wi_Fi_security_do_s_and_don_ts?taxonomyId=17

5 Things You Need to Know About Android Phones

2011-10-31T19:39:00.000-07:00

1. Use a service to secure data. Android's open market and few security features open the door to hackers, leaving critical corporate data at risk. The best security comes from providers like Good Technology, which secures phones using its own network operations center, software on the phones, and a server behind a firewall. Technology like Good's encrypts data as it travels to and from the device, and stored data is also encrypted. IT administrators are not required to open a hole in the corporate firewall.

2. Ask phone makers for help. Some manufacturers, including Motorola and Samsung, have developed little-marketed products and services for enterprises. Samsung, for instance, is developing a version of its TouchWiz software that will support advanced encryption standard security and VPN connections. Motorola recently acquired 3LM, a company developing software that resides on the phone and in a corporate server, to encrypt data travelling to and from the device and set up a VPN to corporate data. 3LM's software is expected to be available on other Android phones, not just those made by Motorola.

3. Restrict users to models with better security. Motorola, for instance, has a line aimed at enterprise users-business-ready phones that include enhanced security features. The Droid Pro, for example, allows for remote wipe of SD cards, and comes with a VPN client and the ability to force users to create new passwords after a set time.

4. Wait for mobile virtual machine technology to mature. VMware is working on a mobile virtual machine that lets users toggle between two phone personas: one for corporate use and one for personal use. The company plans to also offer a management tool so IT departments can set policies for the corporate persona on the phone. So far, LG and Samsung say they hope to make phones capable of using the VMware tool. Other companies, like Open Kernel Labs, are offering tools that let developers build applications that can run inside a virtual machine, isolating them from threats.

5. Use a management tool that enforces basic security. Sybase, BoxTone, Zenprise, Mobile Iron and Fiberlink are among the many companies offering mobile device management-and in some cases, additional mobile security-products and services. Even a basic mobile device management product will at the very least help IT administrators enforce policies like a password requirement and remotely erase important corporate data if a device is lost or stolen.

Read more about other in CIO's Other Drilldown.

source - http://www.networkworld.com/news/2011/103111-5-things-you-need-to-252588.html

Researchers find "massive" security flaws in cloud architectures

2011-10-26T19:23:00.000-07:00

German researchers say they found flaws in Amazon Web Services that they believe exist in many cloud architectures and enable attackers to gain administrative rights and to gain access to all user data.

While the researchers say they have told AWS about the security holes and AWS has fixed them, they believe the same types of attacks would be effective against other cloud services, "since the relevant Web service standards make performance and security incompatible."

A research team at Ruhr University Bochum used a variety of XML signature-wrapping attacks to gain administrative access of customer accounts, then create new instances of the customer's cloud, add images and delete them. In a separate exploit, the researchers used cross-site scripting attacks against the open-source, private-cloud software framework Eucalyptus.

MORE FLAWS: Amazon Web Services receives critical gov't certification

They also found the Amazon service to be susceptible to cross-site scripting attacks.

"It's not only a problem of Amazon's," says Juraj Somorovsky, one of the researchers. "These are general attacks. Public clouds are not so secure as they seem to be. These problems could be found in other cloud frameworks also."

Somorovsky says the researchers are working on a high-performance libraries that can be used with XML security to eliminate the vulnerability that was exploited with the XML signaturewrapping attacks. They will be ready sometime next year. Signature-wrapping attacks re-use validAmazon Web Services acknowledged it worked with the Ruhr University team to correct the problems they found. "...[N]o customers have been impacted," a spokesperson for AWS said in an email. "It is important to note that this potential vulnerability involved a very small percentage of all authenticated AWS API calls that use non-SSL endpoints and was not a potentially widespread vulnerability as has been reported."

Public cloud security: Mission impossible

AWS has posted a list of best practices that, if followed, would have protected customers from the attacks the Ruhr University team devised as well as other attacks. These are:

Only utilize the SSL-secured / HTTPS endpoint for any AWS service and ensure that your client utilities perform proper peer certificate validation. A very small percentage of all authenticated AWS API calls use non-SSL endpoints, and AWS intends to deprecate non-SSL API endpoints in the future.

Enable and use Multi-Factor Authentication (MFA) for AWS Management Console access.

Create Identity and Access Management (IAM) accounts that have limited roles and responsibilities, restricting access to only those resources specifically needed by those accounts.

Limit API access and interaction further by source IP, utilizing IAM source IP policy restrictions.

Regularly rotate AWS credentials, including Secret Keys, X.509 certificates, and Keypairs.

When utilizing the AWS Management Console, minimize or avoid interaction with other websites and follow safe Internet browsing practices, much as you should for banking or similarly important / critical online activities.

AWS customers should also give consideration to utilizing API access mechanisms other than SOAP, such as REST / Query.

source - http://www.computerworld.com/s/article/9221212/Researchers_find_massive_security_flaws_in_cloud_architectures?taxonomyId=17

FCC warns retailers to stop selling signal-jamming devices

2011-10-25T03:49:00.001-07:00

The Federal Communications Commission has issued warnings to 20 online retailers to stop selling illegal signal-jamming devices, including mobile phone, GPS and Wi-Fi jammers.

The sale and use of devices that jam the signals of authorized radio communications are illegal in the U.S., the FCC said, adding that it will "vigorously" prosecute violations from now on.

"Our actions should send a strong message to retailers of signal-jamming devices that we will not tolerate continued violations of federal law," Michele Ellison, chief of the FCC's enforcement bureau, said in a statement. "Jamming devices pose significant risks to public safety and can have unintended and sometimes dangerous consequences for consumers and first responders."

Jammers, which are sometimes used in theaters, churches and classrooms to avoid disruptions, can prevent people from contacting police and fire departments or family members in an emergency, according to the FCC.

If a retailer receives a second FCC warning, it could face fines from $16,000 to more than $110,000.

source -http://www.computerworld.com/s/article/359439/FCC_to_Retailers_Stop_Selling_Phone_Jammers?taxonomyId=17

Experts explain greatest threats to cloud security

2011-10-13T10:03:00.000-07:00

Cloud security threats come in all shapes and sizes, so we asked eight experts to weigh in on what they see as the top threat to cloud security. The answers run the gamut, but in all cases, our cloud security panelists believe that these threats can be addressed.

Public cloud security remains MISSION IMPOSSIBLE

1. Application-layer denial of service attacks

By Rakesh Shah, Director of Product Marketing & Strategy, Arbor Networks

The biggest security threat to the cloud is application-layer distributed denial of service (DDoS) attacks. These attacks threaten the very availability of cloud infrastructure itself. If a cloud service is not even available, all other security measures, from protecting access to ensuring compliance, are of no value whatsoever.

Hackers have found and are actively exploiting weaknesses in cloud defenses, utilizing cheap, easily accessible tools to launch application-layer attacks. A major reason they have been successful is that enterprise data centers and cloud operators are not well prepared to defend against them.

Existing solutions, such as firewalls and IPSs are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS attacks.

As DDoS attacks become more prevalent, data center operators and cloud service providers must find new ways to identify and mitigate evolving DDoS attacks. Vendors must empower data center operators to quickly address both high-bandwidth attacks and targeted application-layer DDoS attacks in an automated and simple manner. This saves companies from major operational expense, customer churn, revenue loss, and brand damage.

2. Loss of confidential data

By Guy Helmer, CTO of Palisade Systems

Confidentiality of content is the top cloud security threat and concern for information security and IT leaders.

Companies of all sizes and across all industries, especially healthcare and financial industries, have taken steps to protect confidentiality of their content in their legacy data centers because of high costs from disclosures, penalties resulting from breaches, and loss of reputation.

8 ways to become a cloud security expert

However, in the cloud, unbeknownst to many organizations, content can't be monitored, controlled, and protected as easily, because of lack of visibility, sharing systems with other cloud customers, and potential for malicious insiders at cloud providers.

Cloud environments pose different obstacles for safeguarding content. In information-as-a-service (IaaS) environments, customers have the ability to create corporate infrastructure in the cloud. Encryption, access control and monitoring can reduce the threat of content disclosure. However, modern content security monitoring and filtering solutions may be difficult or impossible to deploy due to architectural or other limitations in this cloud environment.

In platform-as-a-service (PaaS) environments, customers can quickly spin-up new Web, database and email servers, but will find they have even fewer ways to do any monitoring or protection of content than in an IaaS environment.

Customers with confidential content are at the greatest mercy of vendors in SaaS environments. With few exceptions, there is no way for a customer to ensure security of content at a SaaS provider - the SaaS provider must be completely trusted and trustworthy (and bound by a strong contract) to maintain security on behalf of the customers.

3. Managing complexity and risk

By John Thielens, Chief Architect, Cloud Services, Axway

The biggest threat in the cloud - certainly for large, mature enterprises - is managing complexity and risk.

When organizations manage on-premise deployments the old-fashioned way, they tend to break down the basic components (network, firewall, storage fabric, computing servers, disaster recovery), and identify the types and levels of risk around each piece - both separately and as part of the entire infrastructure. This way of analyzing an infrastructure generates a tremendous amount of transparency in general, and for risk management in particular.

Tips on cloud security

But when you go to the cloud, elements you have typically been able to analyze for complexity and risk are now being built and managed by someone else, with a potential hit to transparency that can hobble your overall strategy for complexity and risk management.

So, enterprises must "raise the bar" with cloud providers when they are looking to consume cloud-based services. And one key question to ask is: What level of transparency can you offer me (including predictive service-level agreements) so that I can leverage that into my existing risk management directives?

The challenge for cloud providers is to balance the magic of providing a cloud service - which is supposed to deliver a clean, simple, easily consumed interface - with the ability to integrate an enterprise's existing IT fabric. And that includes providing a level of technical disclosure (transparency) that gives enterprises the power to manage the complexity and risk of blending the cloud into their infrastructure.

4. Downtime due to a cloud outage

By Peter Glock, Cloud Service Director, Orange Business Services

Like a well tuned symphony orchestra, there is strength in numbers, a collective force to be harnessed to create opportunities for the composer and drive your audience into your concert hall. But sometimes when just one of those players is slightly out of tune, or when your horn section is late for a great performance, the whole orchestra can come to a complete grinding halt.

The same can be said of cloud computing. In the cloud you can leverage the best design, harness flawless operations, and leverage the power of the few to benefit the many. However, just like a professional orchestra, the benefits of cloud services can come crashing down on top of you if it is not correctly designed, operated and maintained.

The attraction of the cloud is being on a platform that appears to offer unlimited computing resources. However, the same controls that are managing your enterprise infrastructure are also managing others at the same time, all on the same network. This high-wire act can create a scenario where even a minor glitch or breach could set off a string of consequences. The challenge then for cloud providers is whether they can keep on top of a complex and sizable network. The more users on that network, the more difficult it is to troubleshoot, the greater likelihood of a cloud blackout that impacts all the infrastructures tied throughout it. Even a successful incident response will likely involve shutting down large parts of the network, impacting you even if your infrastructure is not the source or primary victim of the problem.

Recent headlines has shown this to be true as commercial service providers have experienced wide-reaching cloud outages that have knocked out Websites and caused revenue loss for both customer and provider alike. However, if you chose wisely, the cloud is still a compelling business proposition.

We see customers adopting a hybrid approach, mixing public cloud services with private, and limiting reliance on a shared platform. In addition, we find that most business operations in the cloud are not mission-critical, so even if an event occurs there is limited loss on the customer side. This is especially evident among large enterprises. Small-to-mid sized businesses that are dependent on a public cloud for all of their resources are usually the most hurt during an outage.

Operational risk from cloud services can be mitigated through good process management and service-level agreements (SLA) that preserve uptime and provide workarounds in case of downtime.

5. Employee `personal clouds'

By Simon Crosby, Co-founder and CTO of Bromium

When I talk to CIOs about their use of cloud computing, they are focused on building a private cloud - an enterprise-owned, virtualized and automated IT-as-a-service capability that will help them respond more readily to changing business needs, and achieve greater efficiency and availability. Why build a private cloud? The answers are remarkably consistent: public cloud services are viewed as a security risk.

But there aren't any significant technology barriers to building a public cloud service that is far more secure than any enterprise private cloud. It is easy, for example, to implement a system in which all data is encrypted at rest, and available in decrypted form only to the application consuming it, using keys provided by the enterprise owner of the data (and not the cloud provider).

But the perceptions remain - driven by the growing stream of reports of successful attacks against companies and governments. The risks are real, and deeply worrying, but in the vast majority of cases, involve compromise of enterprise private clouds from compromised enterprise PCs.

To restate this: the enterprise is far more vulnerable to attack via its employees and their use of poorly secured enterprise clients than to direct attacks on its data centers. The RSA attack in which the seeds of the RSA tokens were stolen, started with an employee opening an infected MicrosoftExcel spreadsheet. The first attack from China on gmail used a poisoned URL and Internet Explorer 6. So, the biggest security threat in the cloud results from the employee's "personal cloud" - the merging of their personal and enterprise interests in a single device with a monolithic OS that fails to isolate and separate different domains of trust.

6. Lack of visibility

By Paul Henry, Security expert and forensic analyst at Lumension

The biggest threat to cloud security is a lack of visibility, which has opened the door to liability concerns.

Many traditional security providers were late in joining the shift to virtualizationand it took years for them to offer solutions that could actually act upon data that flowed seamlessly between virtual machines without physically touching a network interface. In virtualization this has caused a serious lack of visibility and control that has further worsened by vulnerabilities or flaws within a neighbors' multi-tenant cloud environment making the liabilities of who is responsible a constant battle.

Given that cloud was built on the promise of being cheaper, we must now consider that this environment we are creating holds no acceptance of liability on the part of the provider. Providers are offering their cloud services "as is," without assuming any risk at all, some even providing an exclusion for all liability-leaving anyone facing a cloud security issue solution-less.

What is interesting about the cloud environment is that because of these liability issues, providers of cloud will have to institute a security service-level agreement (SLA). Whereas in the past we have been conditioned to accept flaws and vulnerabilities from software vendors, in order for costs to remain low within the cloud environment, providers must now push back on any security related issues to avoid accepting any potential legal liabilities.

7. Changes in governance and operational security

By Joe Leonard, Security Practice Manager at Presidio

The two main concerns for cloud security are changes in governance and operational security.

Organizations must evaluate their existing governance against the cloud security model and understand the residual risks and what compensating controls need to be implemented. Governance areas for concern include risk management, legal and compliance, life-cycle management and portability.

Operational security concerns include business continuity, disaster recovery, incident response, encryption, vulnerability assessment, identity access management and virtualization.

The cloud multi-tenant environment security controls are developed for a general service offering which may or may not provide adequate security for every organization. Organizations need to assess their vulnerabilities and implement threat prevention policies and technologies; otherwise, reacting to breaches will become more the rule than the exception.

The cloud plays a critical role in helping organizations capitalize on the efficiency, flexibility and ease of operation. Companies must invest in people with the technical skills necessary to assess their readiness for implementing different cloud architectures that help move data in and out of public/private clouds and understand the security risks associated with changes related to cloud architecture.

Because of the organizational and cultural complexities of executing cloud strategies, companies are opting to "out task" certain aspects of their operations because skilled resources are in short supply. Companies who understand the organizational impacts of cloud and who can acquire these skills, set the right security policies, and build closer relationships with the lines of business will be the best able to mitigate the two big risks associated with cloud security.

8. Easy access to cloud resources

By Tomer Teller, Security researcher and evangelist at Check Point

When it comes to cloud security the number one threat is the abuse of cloud power by cyber-criminals.

Today, there is a low barrier to entry, which makes it easy for hackers to launch security attacks on cloud computing resources.

For some companies, the nature of the cloud allows any person with a valid credit card to register and use cloud services. Spammers, malicious code authors and other criminals can use these platforms to launch denial-of-service attacks, host botnet command and control servers, perform password and key cracking and other malware and infect legitimate tenants in the cloud systems.

In addition, today's attackers can create massive distributed DoS attacks, even without having any zombies. All they have to do is buy or obtain access to a few servers and blow some service off for a few minutes.

This also allow criminals to build "Rainbow Tables", which are pre-computed hashes used for offline password cracking -- in addition to CAPCHA breaking and decryption that are often involved. Hackers can take advantage of such techniques to rapidly change locations and keep their business alive.

Some cloud services even provide trial versions that grant access for short periods of time, allowing criminals to be completely anonymous.

While the cloud is profoundly changing the way companies leverage technology for business, it's important to be aware of the opportunities it can create -- in both positive and negative respects. Sometimes you have to think like a criminal in order to prevent one from threatening your business.

Read more about cloud computing in Network World's Cloud Computing section.

source -http://www.computerworld.com/s/article/9220729/Experts_explain_greatest_threats_to_cloud_security?taxonomyId=17&pageNumber=5

Facebook tracking prompts call for FTC probe

2011-09-30T08:41:00.001-07:00

Lawmakers say Facebook user tracking 'raises serious privacy concerns'

Facebook's tracking technology has landed the social network in hot water, with two lawmakers calling for a Federal Trade Commission investigation of the social networking company.

Rep. Ed Markey (D-Mass.) and Rep. Joe Barton (R-Texas) wrote an open letter Wednesday urging FTC Chairman Jon Leibowitz to look into Facebook's tracking of its users even after they log out of the site.

The issue came to light just days after an Australian blogger published data showing that Facebook is gathering information on the online activities of its users.

"As Co-Chairs of the Congressional Bi-Partisan Privacy Caucus, we believe that tracking user behavior without their consent or knowledge raises serious privacy concerns," wrote Markey and Barton. "When users log out of Facebook, they are under the expectation that Facebook is no longer monitoring their activities. We believe this impression should be the reality."

On Sept. 25, blogger Nik Cubrilovic had raised privacy concerns over Facebook's use of tracking cookies. "Even if you are logged out, Facebook still knows and can track every page you visit."

Cubrilovic later noted that Facebook issued a fix for the problem.

In an email to Computerworld today, Facebook spokesman Andrew Noyes said, "Facebook did not store or use any information it should not have."

"Like every site on the Internet that personalizes content and tries to provide a secure experience for users, we place cookies on the computer of the user," he said. "Three of these cookies on some users' computers inadvertently included unique identifiers when the user had logged out of Facebook. However, we did not store these identifiers for logged-out users."

He also noted that Facebook did not and could not use this information for tracking or any other purpose.

Dan Olds, an analyst at Gabriel Consulting Group, however, said he's a bit dubious that the tracking of user activity by Facebook was an inadvertent mistake.

"Simple mistake? Or a 'feature' in their code that perhaps they weren't using yet, but could use to generate revenue in the future?" Olds wondered. "I tend to think it's more the latter, and another example of how Facebook has been tone-deaf when it comes to user privacy."

Olds also noted that the issue of tracking users extends beyond Facebook.

"Facebook isn't alone when it comes to this kind of tracking. In fact, it's a pretty crowded neighborhood," he said.

"Some big and reputable companies have been using 'super tracking cookies' to gather info on where users' browsers have been and where they go," Olds added. "Some sites using this and other kinds of tracking technology are aimed at children, making it even creepier."

Brad Shimmin, an analyst at CurrentAnalysis, noted that Google is one of the companies that makes use of cookies. For example, he said, the search giant "automatically added all Gmail contacts to people's Google Buzz accounts without asking, making Buzz an opt-out social network. That drew quite a bit of wrath. Sadly, so long as Facebook corrects missteps such as this -- as they have done in the past -- I don't foresee this event creating a substantial backlash."

Rob Enderle, an analyst at Enderle Group, said cookie use is an old issue, and he said people should at least be aware, if not hyper vigilant, of the tracking policies of Internet companies.

"If anyone thinks they aren't being tracked on the Web, they have clearly missed a meeting," said Enderle. "Folks should realize that their Web history can generally be reconstructed and that the best practice is to avoid doing anything on the Web you'd be embarrassed talking about."

Enderle doesn't expect that the latest Facebook brouhaha will cause users to flee the site, or lead to an immediate FTC investigation. However, if such privacy and security concerns continue to be raised, anything is possible.

"I think users have largely become numb to disclosures like this, and Facebook has promised to fix the problem," he added.

"But it builds on an impression of distrust, which eventually could result in litigation, the departure of customers for a seemingly more-secure service, or government action," Enderle said. "Both Facebook and Google are at real risk here if they don't get a tighter handle on what they do with personal information. The path they are on will eventually lead to heavy government regulation if they aren't more careful."

source - http://www.computerworld.com/s/article/9220402/Facebook_tracking_prompts_call_for_FTC_probe?taxonomyId=17

5 secrets to building a great security team

2011-09-26T04:22:00.000-07:00

Here are five teambuilding lessons from Caterpillar's security organization.

CSO - For a security industry leader, Tim Williams is a pretty modest guy. As the former head of ASIS International and now as global security director for the $42.5 billion construction equipment manufacturer Caterpillar, Williams has won his share of recognition, which he doesn't take lightly.

But Williams would much rather tell you about his team--the individuals and their accomplishments--than about himself. His speech is strikingly devoid of the first-person singular. He declines to be photographed by himself for articles about his security work, saying his team members deserve the credit.

Creating and sustaining team spirit are clearly strong suits for Williams, who joined Caterpillar in 2006 after leadership stints at Nortel, Boise Cascade and Procter & Gamble. In a home-office-centric culture that valued longevity with the business, he quickly set about assembling a team that would embody the precepts of what he calls contemporary enterprise security risk management (ESRM).

Here are the top five things he did to revitalize the team and mitigate risks across the entire enterprise:

1. Rethink everything. After taking stock for a few weeks of how the then-56-person security team operated, Williams moved swiftly to establish a global team focused on ESRM. ESRM takes a holistic view of the risks to people, networks and intellectual property. Williams felt Caterpillar had some exposure that needed to be addressed immediately. Two pressing issues: The security team had been based almost exclusively at headquarters in Peoria, Ill., and Williams felt there had been an unusual focus on physical security.

"We pushed the physical security responsibility back to property managers around central Illinois. We changed the outsourced partner and we established relationships out in the facilities with people who could manage the opportunity much more closely," says Williams. He established regional security directors globally, covering Asia, Europe and the Middle East, and the Americas. "We were able to attract some of the best talent in the market at the time. They had the language capabilities and the cultural competency," he says.

[Also see Keeping employees safe in global hotspots]

Many, like Graham Giblin, now regional security director for Europe, the Middle East and Africa, had lived in the areas they cover. For a company that had had a "Peoria first" mentality, this was a big departure. "Our internal focus transitioned to a global focus," Giblin says.

Williams wrote a three-year operating plan detailing the revamped group's strategic vision and alignment with corporate objectives, roles and responsibilities. Williams' work at P&G gave him a deep and abiding love of precise process management, which served him well as he restructured the team.

"If you don't have your processes clearly defined in a well-written strategy or operating plan, you could end up chasing what other groups believe your priorities are, versus those issues that actually pose the greatest risk or threat to the enterprise," Williams says. "We articulated our plan to other staff groups, business leaders, and our executive management and the board, obtained agreement, and then set out to urgently execute the plan."

Not everyone made the transition. "Many of our colleagues wanted us to return back to what we did before--the global role was not one they were prepared for or found interest in," says Williams. There were also those who could not perform as the bar was raised. In all, the security function shed more than half its original group. Happily, many found other roles within the company.

Moving so quickly and making major reductions caught the culture a bit by surprise. To ease the transition, Williams enlisted the aid of a few human resources specialists and an internal communicator (who is discussed in Step 4) to help people understand what was happening and why.

2. Formalize underserved functions. Soon after he arrived, Williams put in place global crisis management processes and personnel as part of his effort to re-engineer enterprise security. These processes were to be overseen by the newly minted regional security directors.

Todd Wagner was working in computer forensics for Caterpillar when he was recruited to crisis management. "We didn't have a formal group at that time," he says. "We now handle any crises that may impact Caterpillar--everything from natural disasters to terrorism to major disruptions in our supply chains." Wagner brought experience as a shift commander for the FBI's Terrorism Command Center to his new role as crisis coordinator for Caterpillar.

The crisis management team had to mobilize to support local staff in Japan during the March earthquake and tsunami. Caterpillar immediately dispatched a crisis manager to the area. "Our first priority was to make sure our people are safe," says Wagner. Caterpillar has 5,000-odd employees at three Japanese facilities, the closest of which is a little over 100 miles from the site of the disaster, outside the evacuation zone.

[Also see 3 tabletop exercise scenarios]

"Anytime we have a situation like that, we locate travelers, expatriates and local employees and make sure they're safe," says Wagner. Caterpillar has internal programs to track business travelers. "We don't stop until we get through to them and can confirm they are safe. If we couldn't do that, we would go to the local authorities. We also work with a local company that has boots on the ground that can help us track the person down. We might even send someone out to knock on the door of their hotel or house."

All Caterpillar personnel and family members were ultimately accounted for. So far the company has held off pulling its people out of the disaster zone, but Williams, Wagner and the rest of the team are monitoring the situation, including radiation levels, closely, checking in daily with the Caterpillar VP in Japan. Production has been reduced but not halted by the crisis.

Ironically, just before the natural disaster struck Japan, Wagner attended a statewide disaster preparedness exercise run by the Department of Homeland Security. "We did a tabletop exercise involving an earthquake on the New Madrid fault line [in Illinois]. We have dealt with tsunamis. The new piece was the nuclear fallout."

Now nuclear catastrophe takes its place on the spectrum of risks facing Caterpillar employees, wherever they may be.

3. Demand proven business skills. Karen Frank remembers the day, early in Williams' tenure as CSO, when he called an all-staff meeting to tell everyone they should seriously consider getting an MBA if they had not already done so. "I had never thought of it," says Frank, brand protection and investigations manager.

She decided to take advantage of Caterpillar's tuition reimbursement policy and pursue the degree. Williams' emphasis on personal growth and development "made me feel important," she says. "You can support the business much better if you understand the principles of business decision-making."

Williams himself has an MBA, which made him a huge believer in its value. "I really saw the benefit and the ability to talk in depth with business leaders and get it from a business standpoint," he says. And it drives him to distraction when people suggest sending employees to take a course that only teaches the "language of business."

[Read How to get an MBA without losing your mind, family or job]

"Spouting catchphrases can get you into more trouble than it is worth. It's better to take the time to really understand business principles through in-depth coursework. You need that immersion so you can put all the pieces together," he says. It's fine to refer to internal rates of return in a presentation, but you better know where that number comes from and the thresholds set by your company.

The new generation of security leaders understand business as well as they understand security. Many would prefer a business person as their deputy rather than a security person--security is easier to pick up. Says Williams, "I'm proud to be someone rooted in both worlds--I simply couldn't have succeeded as CSO of a Fortune 100 company if I weren't."

4. Create a communications czar for security. As noted, Williams made some sweeping changes when he came to Caterpillar--changes that shook up the old regime. In addition to asking for help from HR, he pulled in Ashley Hunt from the corporate public affairs office to be his communicator for security. Unusual? Yes, but invaluable, as it turned out.

Hunt helped communicate the reorganization of the security team to both affected employees and the broader group. "She has helped all the employees understand the real risks they face," says Williams. "Ashley is a force multiplier for us."

Now her role is much more proactive. She publishes a monthly security bulletin on the intranet--basically a newsletter with a variety of awareness information on topics such as travel security, scams and fraud. She includes some general awareness articles, too. "We help people understand the real security risks at Caterpillar. We want to change that perception of security and [of] the role each employee plays in creating a safe and secure environment," says Hunt. She believes employees view security as having a higher value within the organization now, and they have a better understanding of the role they play in enterprise risk management.

For example, the Global Security function offers several educational resources concerning travel security. It's part of Hunt's job to help the team inform employees that this material is available. "Every traveling employee has an opportunity to participate in online security awareness training, receive security alerts while they travel and have access to 24/7 travel security advice," says Hunt.

Other teachable topics include terrorism, workplace violence, crisis preparedness, and information security.

Hunt spends roughly half her time on security matters and the other half on general corporate affairs. She has not yet encountered anyone who performs her role at another company. Williams hasn't either. "[The security department] is one of the best internal clients I have ever had. You know what you're going to get when you work with them," she says. Williams is a straightforward guy, pleasant to work for, requiring little second guessing on strategy or tactics. "He values communication, which makes my work more effective for Caterpillar and more fulfilling for me personally," says Hunt.

5. Nurture dissent. File this one under easy to say, hard to do. Williams encourages his staff to bring honest disagreement to the table--respectfully, of course--whenever it comes up. "He's very open," says Frank. "He is open to the opinions of others."

"On our teams, we have direct, crucial conversations," says Williams.

"We have respect, but we get the conversations on the table. I solicit people to challenge management. That is so critical. It creates much better decisions when people can respectfully and openly challenge assumptions, thinking and decisions." Giblin, for example, may disagree on how certain processes and protocols are implemented in his region, and he feels comfortable letting Williams and the rest of the team know. Like Williams, he encourages his staff to bring up differing points of view.

[Read How to build a security management team]

It's not just disagreeing; anyone can say they don't agree. "People should point out if they think we should look at something from a different perspective. It's healthy to have differing opinions on issues--it keeps us away from the traps of groupthink--and keeps all of us focused. It happens every week."

At Caterpillar, the voice of the individual is important--maybe moreso than at most companies--though in some regions, that can be tricky. In most countries, "there still is a gap between what people think and what they feel comfortable saying," says Williams. "What they do want is the opportunity to influence decisions."

No matter where Caterpillar employees are located, they have at least one thing in common: the knowledge that the company's whole is more important than its individual members. Williams learned this the hard way when he praised one of his regional security directors for a job well done. The executive almost resigned because he felt the credit should go to his team.

It's an odd lesson for Williams to have to learn anew, given his own unshakable devotion to teamwork. He is immensely proud of the team he has assembled. As he works on his security plan for the next five years, he trusts they will be at his side, helping to carry the ball. "They excel daily. I am very proud of this team," he says. "Each person is mutually supportive and doing a great job."

source - http://www.computerworld.com/s/article/9220129/5_secrets_to_building_a_great_security_team?taxonomyId=17

Malware burrows deep into computer BIOS to escape AV

2011-09-15T11:46:00.000-07:00

Mebromi rootkit also targets master boot record

Researchers have discovered one of the first pieces of malware ever used in the wild that modifies the software on the motherboard of infected computers to ensure the infection can't be easily eradicated.
Known as Trojan.Mebromi, the rootkit reflashes the BIOS of computers it attacks to add malicious instructions that are executed early in a computer's boot-up sequence. The instructions, in turn, alter a computer's MBR, or master boot record, another system component that gets executed prior to the loading of the operating system of an infected machine. By corrupting the processes that run immediately after a PC starts, the malware stands a better chance of surviving attempts by antivirus programs to remove it.
In addition to posing a threat to end users, Mebroot could create serious obstacles to antivirus developers in producing products that scrub computers clean of detected threats without harming the underlying system.

A flowchart from Symantec detailing Mebromi's BIOS tampering process.

"Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giv[en] the fact that even if antivirus detect[s] and clean[s] the MBR infection, it will be restored at the next system startup when the malicious BIOS payload would overwrite the MBR code again," Webroot researcher Marco Giuliani wrote in a blog post published Tuesday. "Developing an antivirus utility able to clean the BIOS code is a challenge, because it needs to be totally error-proof, to avoid rendering the system unbootable at all."
He went on to say the job of ridding malicious instructions added to the BIOS ultimately should be left to the makers of the motherboards that store the startup code. Because the BIOS is stored on an EEPROM, or electronically erasable programmable read-only-memory chip, modifications have the potential to render a computer largely inoperable with no easy way to fix it.
The discovery represents one of the few times researchers have documented malware used in the wild that modifies the BIOS. In the late 1990s, malware known as CIH/Chernobyl did much the same thing on machines running Windows 9x by exploiting a privilege escalation bug in the Microsoft operating systems. In 2007, proof-of-concept software known as IceLord also reportedly made changes to the BIOS of infected machines, but there are no reports it has ever been used in actual attacks.
Mebromi is able to attack only BIOS ROMs made by Award, a manufacturer that was purchased by Phoenix in the late 1990s. The malware checks the BIOS ROM each time the PC boots up. If it's made by Award and the malicious instructions aren't found, Mebromi adds the code by reflashing the chip on the motherboard. According to Giuliani, it was first documented by the Chinese security company Qihoo 360, and primarily infects computers in that country.

Symantec researchers have more about Mebromi here. ®
This article was updated to clarify the type of chip stores the BIOS.

source - http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/

Cloud computing and mobile devices increasing the risk of e-crime

2011-09-10T13:32:00.000-07:00

Business leaders are concerned that the use of cloud computing and the rise in mobile devices like smartphones and tablets in the workplace could lead to an increase in electronic crime, according to research by consulting firm KPMG.

Some 200 security leaders were surveyed in the E-Crime 2011 Report, 68 per cent of whom said that the use of cloud computing has the potential to increase the risk of e-crime to their business.

More notably, a whopping 92 per cent of respondents regard the rising use of smartphones and tablets as increasing the risk of e-crime.

The rise in home working and mobile workers also raises concerns. Around 83 per cent said that the use of hardware by staff for personal and business use could lead to a rise in incidents.

Underlining these worries is the fact that 53 per cent of respondents reported that security threats requiring action have increased in the past 12 months.

Mark Waghorne, head of KPMG's I-4 programme, which works with security advisors at some of the world's leading companies, told V3 that the level of concern is surprising but that IT staff have no choice but to mitigate against these risks.

"We know that IT staff have worries over the new wave of technology that's growing in use, and the consumerisation of IT, but the level of concern shows just how wary staff are of the threats," he said.

"However, there's no point in IT staff trying to stop the use of technology like cloud computing as the benefits are numerous, so it's important to set up the right policies and be aware of the different types of attack that could take place."

Waghorne explained that attacks range from social engineering to suspect LinkedIn invitations, spear phishing and device loss or theft.

Organisations also need to consider the importance of training to make staff aware of the risks and threats especially when using mobile devices.

"You can put the right security procedures in place but if staff aren't aware of the risks, of avoiding clicking on suspect links, for example, it's worthless, so making users aware of what to avoid is vital," he said.

Researchers show off homemade spy drone at Black Hat

2011-09-05T09:30:00.000-07:00

Wi-Fi Aerial Surveillance Platform can crack Wi-Fi passwords and intercept cell phone calls

Two security researchers Wednesday unveiled a remote controlled, unmanned aerial vehicle (UAV) that is capable of cracking Wi-Fi passwords, exploiting weak wireless access points and mimicking a GSM tower to intercept cell phone conversations.

The Wi-Fi Aerial Surveillance Platform (WASP) was built by Mike Tassey and Richard Perkins, two security researchers seeking to show how an ordinary remote controlled hobby airplanes can be easily converted into something more sinister.

The WASP system, introduced by the pair at the at the Black Hat conference being held here this week, is upgraded version of a model unveiled at last year's Defcon hacker conference in Las Vegas.

The bright yellow, six-foot, 13-pound spy drone is capable of flying at altitudes of up to 22,000 feet and staying aloft for up to 45 minutes at a time.

Updates include the ability to function as a spoofed GSM tower to intercept cell phone conversations, and to intercept Bluetooth communications.

The airframe of WASP is a surplus U.S. Army drone that was used for target practice purposes. The rest of the hardware and the software used in the drone are all readily available technologies, according to Tassey and Perkins.

The plane packs a small Linux-based computer running the Backtrack 4 suite of penetration testing tools. Another of its systems is designed to collect telemetry data that is sent to a ground-based base station which then uses it for real-time tracking.

The base station also serves as a network router for connecting other workstations to the payload on the drone, and houses systems used to offload processor intensive applications, such as password cracking.

Perkins and Tassey also installed a new Universal Software Radio Peripheral (USRP) that allows the drone to mimic a GSM cell phone tower. The technology can be used to spoof a cellular provider's mobile service so that outbound calls made by users of that server are routed through the USRP.

The GSM spoofing ability is borrowed from a demonstration last year at Defcon by hacker Chris Paget, which showed how cell phones could be tricked into connecting with specially rigged "towers' placed close enough to the target phones.

The updated unmanned aerial vehicle supports 4G networks and is capable of receiving and executing instructions delivered over the Internet from anywhere in the world.

The pair said the drone parts and its construction cost some $6,000.

According to Perkins, such drones are easy to build and deploy.

The model displayed at BlackHat yesterday can stay aloft for about 45 minutes and can travel up to 25 miles, he said. It can be programmed to fly a particular route, and to circle over and gather data from specific targets, Perkins added.

Though UAVs are required by law to fly under 400 feet, the drone that was displayed at Black Hat can fly at up to 22,000 feet where it would be relatively hard to spot by many radar systems.

"It allows you to bypass physical security barriers. Fences and walls are no longer barriers" with this kind of an aerial eavesdropping, Perkins told Computerworld after the Black Hat presentation.

Perkins and Tassey said they built the updated drone demonstrate how easy it is for someone with basic engineering skills to cobble together a system the could be used for nefarious purposes.

"You don't need a PhD from MIT to do this," Perkins said. "Everything is easily available."

source - http://www.computerworld.com/s/article/9218866/Researchers_show_off_homemade_spy_drone_at_Black_Hat

Hackers crack crypto for GPRS mobile networks

2011-09-05T09:23:00.000-07:00

Your cellphone data intercepted

A cryptographer has devised a way to monitor cellphone conversations by exploiting security weaknesses in the technology that forms the backbone used by most mobile operators.

Karsten Nohl, chief scientist of Berlin-based Security Research Labs, said the attack works because virtually all of the world's cellular networks deploy insecure implementations of GPRS, or general packet radio service. Some, such as those operated by Italy's Wind or Telecom Italia, use no encryption at all, while Germany's T-Mobile, O2 Germany, Vodafone, and E-Plus use crypto that's so weak that it can easily be read by unauthorized parties.

He plans to release software on Wednesday at the Chaos Communication Camp 2011 that allows hobbyist hackers to snoop on GPRS traffic that uses no encryption. He will also demonstrate ways to use cryptanalysis to decrypt GPRS traffic that's protected by weaker ciphers.

“The interception software to be released tomorrow puts GPRS operators with no encryption at an immediate risk,” he told The Register on Tuesday evening. “All other GPRS networks are affected by the cryptanalysis that will be presented but not released at tomorrow's conference. Those operators will hopefully implement stronger encryption in the time it takes others to re-implement our attacks.”

Nohl characterized most of the cryptographic protection offered by GPRS as “hopelessly out-dated.” For one thing, a lack of mutual authentication allows rogue base stations to harvest data from unsuspecting mobile phone users. And for another, short encryption keys make attacks with rainbow tables feasible.

What's more, virtually all of the world's networks that use GPRS use no encryption at all, or use weak encryption. (A stronger 128-bit encryption scheme is available but isn't used by any carrier, Nohl said.) That makes it possible to passively monitor data with a Motorola C-123 phone he and fellow researcher Luca Melette modified or to crack the encrypted traffic they capture using a method they've recently refined.

Over the past two years, Nohl has released a steady stream of research and open-source software and hardware designs intended to pressure carriers to upgrade the security of their networks.

In 2009, he coordinated the release of a 2-terabyte rainbow table to crack calls made on networks using GSM, or global system for mobile communications. A few months later, he augmented that work with low-cost hardware that cracked the secret channel-hopping code used to prevent interception of radio signals as they travel between cellphones and base stations.

In 2010, he bundled many of the various tools he helped develop into a comprehensive piece of software that gave amateurs the means to carry out many of the attacks. That same year, other cryptographers cracked the encryption scheme protecting 3G phone calls before the so-called Kasumi cipher had even gone into commercial use.

The attacks to demonstrated Wednesday generally work by passively intercepting unencrypted traffic, by using a fake base station to force encrypted traffic to be downgraded into an unencrypted state, or to be cracked using rainbow tables.

Mobile operators vulnerable to the GPRS attacks told The New York Times they planned to monitor Wednesday's presentation. None of their statements addressed why their networks fail to use strong encryption to protect GPRS traffic. ®

This article was updated to correct details about the cracking of the Kasumi cipher and to clarify that the tool demonstrated Wednesday intercepts data, not calls.

source - http://www.theregister.co.uk/2011/08/10/gprs_cellphone_call_snooping/

10 scariest hacks from Black Hat and Defcon

2011-08-12T21:31:00.001-07:00

Researchers showed all manner of serious attacks on everything from browsers to automobiles.

source - http://www.networkworld.com/slideshows/2011/081011-blackhat-defcon-hacks.html#slide1

Smartphone images can hijack BlackBerry servers

2011-08-11T21:51:00.000-07:00

RIM squashes high-severity bug

Research in Motion has squashed a nasty bug in its BlackBerry server software that allowed it to be commandeered when handset users received messages containing booby-trapped images.

The flaw in various versions of the BlackBerry Enterprise Server carried a Common Vulnerability Scoring System rating of 10, the most severe score possible. The vulnerability resides in a part of the software that processes PNG and TIFF images for rendering on BlackBerry smartphones. An attacker could exploit the flaw by embedding a link to a malicious image in a message or email sent to a BlackBerry user. The user need not click on a link or or image or view the email for the attack to succeed.

“These vulnerabilities could allow an attacker to execute arbitrary code using the privileges of the BlackBerry Enterprise Server login account,” RIM warned in an advisory. Successful exploitation could allow an attacker to gain access to and execute code on the BlackBerry server.

The threat is serious enough that organizations using the BlackBerry server software should patch immediately. If that's not possible, admins can work around the problem by disabling inline images and rich content for smartphone users following instructions here and http://docs.blackberry.com/en/admin/deliverables/10872/Disable_Rich_Content_Email_286781_11.jsp.

BlackBerry Enterprise Server version 5.0.3 MR3 and later for Microsoft Exchange and IBM Lotus Domino aren't vulnerable. ®

source - http://www.theregister.co.uk/2011/08/11/blackberry_high_severity_bug/

Ten year old hacker exposes iPhone and Android flaws

2011-08-10T23:09:00.000-07:00

Exploit affects games running on mobile devices

A 10-year-old California girl's presentation at the Black Hat hacker conference is getting a lot of attention.

The girl, who uses the pseudonym "CyFi," revealed a zero-day exploit in games on iOS and Android devices that independent researchers have confirmed as a new class of vulnerability, reports CNET's Seth Rosenblatt.

Zero-day exploits are used or shared by attackers before the developer of the target software knows about the vulnerability.

The girl first discovered the flaw earlier this year because she was bored with the pace of farm-style games.

While CyFi isn't revealing which games are affected, most of them have time dependent factors. She opened up the exploit by manually advancing a phone or tablet's clock to force a game ahead in time. Some games block such a trick but the young hacker says she found ways to avoid those detections such as disconnecting the phone from Wi-Fi and making incremental clock adjustments.

CyFi's presentation was part of DefCon Kids, a new offshoot of the annual hacker convention that features an area where kids can learn how to do things like open master locks, do certain kinds of hacks, code in scratch and communicate in code.

While her presentation at DefCon was her first public vulnerability disclosure, CyFi said she was only a little nervous. An artist, girl scout and downhill skier, she has spoken publically numerous times, usually at art galleries as a member of "The American Show," an underground art collective. According to her bio on the DefCon Kids website, CyFi has had her identity stolen twice.

Rosenblatt points out that the new DefCon Kids programming reflects that "members of the hacking community are getting older and raising families."

source - http://news.techworld.com/security/3295715/ten-year-old-hacker-exposes-iphone-and-android-flaws/

Microsoft patches critical IE9, Windows bugs

2011-06-17T23:07:00.000-07:00

Fixes 34 flaws, including multiple 'drive-by' vulnerabilities, in host of products

Microsoft today patched 34 vulnerabilities in Windows, Internet Explorer (IE), Office and other software, 15 of them labeled "critical" by the company.

The large number of updates -- as well as the fact that Microsoft issued them two hours later than usual -- will put pressure on enterprise administrators, one expert said.

"No doubt IT administrators will have to pick and choose where to act first," said Wolfgang Kandek, chief technology officer for Qualys.

Of the 16 updates, which Microsoft calls bulletins, nine were pegged critical, the most-serious rating in the company's four-step scoring system, while the remaining seven were tagged "important," the next-most-dangerous category.

While the number of bugs patched today was significantly less than the record 64 Microsoft fixed in April, it was the second-highest total for the year. The 16 bulletins were just one off the record, also set last April.

Fifteen of the 34 total vulnerabilities were rated critical, 17 were ranked important, and two were marked as "moderate."

Microsoft picked four of the 16 updates to highlight, and urged customers to roll out the quartet as soon as possible.

"Our top priorities are MS11-050, MS11-052, MS11-043 and MS11-042," Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC), said in an interview earlier today. Bryant listed the four in the order of priority.

Among the deploy-immediately bulletins, MS11-050 offered 11 patches for IE that Microsoft and independent experts pinned to the top of their lists.

"This one is at the top of the list, as it always is when Microsoft patches IE," said Andrew Storms, director of security operations for nCircle Security. "But it's also the first IE9 update, and certainly does look to be true that Microsoft had this bug at the time it launched IE9, or a few days later."

Storms was referring to Microsoft's testing process, which usually lasts two months or more. That timeline would have precluded an IE9 patch in April, the first update scheduled after the browser shipped.

Microsoft habitually patches IE on even-numbered months; the last time it issued a security update for its browser was in April, when it fixed five flaws. Today's, however, was the first critical update for IE9, the browser that Microsoft shipped in mid-March. Four of the 11 patches in MS11-050 affected IE9, said Microsoft.

Nine of the 11 bugs in IE that Microsoft patched today could be exploited by attackers with a "drive-by" attack that requires users to simply visit a malicious Web site.

MS11-052 also affected IE, although Microsoft labeled it as a Windows update.

"The vulnerability is in Windows, but the attack vector is through Internet Explorer," said Bryant. "But IE9 is not affected by this update. [The issue] was addressed before IE9 released..., so that's part of the 'newer is better' message we're getting out to customers," Bryant added.

Only IE6, IE7 and IE8 can be used to exploit the vulnerability patched in MS11-052, not rival browsers, Bryant confirmed.

MS11-043 and MS11-042 were also called out by Bryant today. The former, which patches a single vulnerability in how Windows handles the SMB (server message block) protocol, could be used in what Bryant called a "browse-and-own" attack.

On the bright side, said both Bryant and Storms, many companies have blocked outbound SMB traffic at the firewall, which would prevent exploits of the flaw patched in MS11-043.

"I think this may be difficult to exploit in the real world," said Storms.

MS11-042 updates DFS (distributed file service), which is used by administrators to group shared folders located on different servers, to patch a pair of bugs -- one critical the other important, in Windows. Microsoft rated the flaw as critical only on Windows XP and Windows Server 2003.

"[MS11-042 and MS11-043] are interesting, but I think they're technically more challenging to attackers," said Kandek.

In fact, Kandek rated MS11-045, an eight-patch update for Excel, the spreadsheet included with Microsoft Office on Windows and Mac, as the second-most-serious of today's collection, immediately after the IE-oriented combo of MS11-050/MS11-052.

"Microsoft ranks it only as 'important' because the user is required to open an attacker-provided file, but we believe that attackers have shown often enough that they have the skills to make opening the file enticing to users," said Kandek.

"If I was the attacker, this would certainly be one I would use, if only because users tend to trust Excel files," Kandek added.

Of the eight vulnerabilities patched in the Excel update, only one affected the newer versions, Excel 2007 and Excel 2010 on Windows; two impacted Excel 2011 on the Mac.

"It's blatantly clear that the newer Office software is much better and more secure," said Storms.

Microsoft also issued updates today for SQL Server, its Forefront 2010 security product, the .Net Framework and Silverlight development platforms, and the virtualization hypervisor included with Windows Server 2008 and Server 2008 R2.

June's security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).

source - http://www.computerworld.com/s/article/9217623/Microsoft_patches_critical_IE9_Windows_bugs?taxonomyId=17&pageNumber=2

Mobile phones are great for phishers, researchers find

2011-05-28T06:00:00.000-07:00

DG News Service - Computer users seem to be getting better at spotting fake websites that are trying to steal their passwords, but when it comes to mobile phones, the deck is most definitely stacked against them.

Researchers at the University of California, Berkeley, recently took a look at 100 mobile applications, written for Android and the iPhone, and then thought up 15 techniques that scammers could use to write malicious programs that steal the victim's user name and password on websites such as Facebook or Twitter.

Their research underscores a thorny issue that promises to demand more attention as users increasingly reach to their mobile phones when they want to go online.

The problem is that mobile users are being trained to enter their passwords and user names into mobile apps.

The first time one mobile program wants access to another -- for example, if Groupon for iPhone wants to share something on Twitter -- the program typically pops up a window that invites the user to sign into that website. But there's usually no way to be sure that the login site is legitimate and that the phone's owner is really sending his user name and password to Twitter.

PC browsers have Web address bars, green warning lights and other features to help Internet users know if they're being tricked by phishers, but that's not the case in the mobile world. Phones are so small there often just isn't space for these protections.

In tests, researchers have shown that it's almost impossible for mobile-phone users to distinguish real websites from fakes, thanks to the small screens on mobile phones.

The Berkeley researchers said it would be easy for a criminal to develop a malicious program that could either spy on users as they typed in their passwords, or direct them to a phishing site that looked exactly like the real thing.

David Wagner, a Berkeley computer science professor, believes that until there are better ways for mobile applications to talk with each other, this could be a very hard problem to solve. "The reason we wrote this paper was because we saw the potential risk and we did not have a good solution," he said.

In their paper, Wagner and co-author Adrienne Felt conclude, "mobile users' passwords for several major sites (notably including Facebook and Twitter) might be at risk."

One person who's working on a fix is Markus Jakobsson, principal scientist of consumer security at PayPal. He's developing software that would work with smartphone operating systems, called Spoof Killer. It would keep track of which applications and websites are legitimately supposed to ask for login credentials and simply block the fake ones from working.

Jakobsson thinks there could be a surge of spoofing in the next year or so as the mobile phone becomes the most popular way to surf the Web. "It just makes sense to me, to attack the predominant platform," he said.

Right now, there are not a lot of phishing attacks that specifically go after mobile users, according to Dave Jevans, chairman of the Anti-Phishing Working Group. But he agreed that phishing e-mails are more effective when they end up in mobile-phone mailboxes. "The antiphishing technologies on the mobile phone are inferior compared to what is available on the Windows platform," he said.

However, when it comes to mobile devices, Jevans said he's more worried about malicious apps than about phishing e-mail messages.

Phone makers have security checks to prevent malicious programs from getting included in their app stores. But a criminal could distribute a program that seemed legitimate at first and then flip a switch on a server somewhere and suddenly turn it into a password-stealing phishing program, said Kevin Mahaffey, chief technology officer and founder of mobile security software vendor Lookout. "It's this whole new world of mobile malware that gets around the security controls," he said.

Luckily, the malicious programs that Mahaffey has seen so far haven't been like this. They've been obvious, engaging in bad behavior from the start. "Right now, the bad guys haven't figured out that you can make something good and then turn it bad after a period of time," he said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Source - http://www.computerworld.com/s/article/9217122/Mobile_phones_are_great_for_phishers_researchers_find?taxonomyId=17&pageNumber=2

UPDATE: Facebook API flaw discovered

2010-11-14T06:33:00.000-08:00

Social media management company Sendible says it's working with Facebook on issue

Social-networking services provider Sendible says it's uncovered a major flaw in how Facebook works and is cooperating with Facebook to fix the issue.

Facebook and Twitter flunk security report card

Sendible said in a blog post late Tuesday night that it noticed the problem when "one of our users sent an update to a few popular Facebook pages, assuming they would appear to come from his profile. Instead, they posted as if they had come from the page itself." Sendible adds, "Usually these posts appear as the Facebook user and not as the Facebook page itself."

When Sendible contacted the user, he replied: "I wanted to post only a few facebook walls as a fan — and for some reason, posted as the page Owner. Weird."

TechCrunch yesterday got wind of the problem after the news site received "about a half dozen tips" about Facebook pages "including Google, Coca-Cola, YouTube, South Park, the Daily Show, Team Coco and others are now sending out a malicious link to all of their following that reads 'Change Your Facebook Background Here!', adding it would be advised not to click on it." TechCrunch said those that clicked on the link were directed "to a page outside of Facebook that asks you for information about you," and reported that the bottom of the page read "Powered by AWeber Email Marketing."

Yesterday, TechCrunch surmised that the Facebook app Sendible -- which has a service that lets fans of Facebook pages update multiple pages at once -- was "compromised in a major way."

However, Sendible refuted that, saying it has actually "helped discover a security flaw in Facebook's API." Sendible said no user accounts were compromised and that it was not hacked.

Sendible then said, "To ensure this doesn't happen again, we've agreed with Facebook to remove the feature on Sendible that allows fans of Facebook pages to update multiple pages at once. Facebook has also agreed to release a patch by the end of the day so that no other Facebook applications will be affected."

Sendible did not respond to further requests for clarification.

A Facebook spokesperson said: "We began removing the posts immediately upon discovering them and shortly after they were made. They were caused by a temporary bug on Facebook that allowed certain posts requested by an application to be rendered when they shouldn't have. Upon discovering the bug, we immediately began work to fix it. It's now been resolved, and these posts can no longer be made. We're not aware of any cases in which the bug was used maliciously."

Android bugs let attackers install malware without warning

2010-11-14T06:30:00.000-08:00

No permissions necessary

Researchers have disclosed bugs in Google's Android mobile operating system that allow attackers to surreptitiously install malware on users' handsets.

The most serious of the two flaws was poignantly demonstrated on Wednesday in a proof-of-concept app that was available in the Google-sanctioned Market. Disguised as an expansion for the popular game Angry Birds, it silently installs three additional apps that without warning have access to a phone's contacts, location information and SMS functionality and can transmit their data to a remote server.

It took Google about six hours to pull the bogus app, said Scio Security CTO Jon Oberheide, one of the two researchers to discover and exploit the vulnerability. What will be harder to lock down are the special security tokens the web giant uses to authenticate Android users so they don't have to expose their passwords to third-party services. The proof-of-concept works by exploiting weaknesses in that Android token system.

“It abuses that token to perform the same actions the legitimate Market app would perform, but without asking for permission,” Oberheide told The Register. “Through some of the research, we realized we could use this one specific token for the Android service to bypass the restrictions on the permission system.”

Zach Lanier, a senior consultant at Intrepidus Group, also worked to discover the bypass bug. He and Oberheide plan to provide more details at an internal security conference scheduled for Thursday at Intel's Oregon campus.

"We've begun rolling out a fix for this issue, which will apply to all Android devices," a Google spokesman said. "As always, we advise users to only install applications they trust."

Oberheide said that his disclosure came the same day that a researcher with Basingstoke, UK-based MWR InfoSecurity demonstrated a separate bug in the Android browser that lets attackers install malware on a fully patched HTC Legend running Android 2.1. Although the most recent Android version is 2.2, figures supplied by Google show that 64 percent of users have yet to be upgraded to it.

Nils, who doesn't disclose his surname to journalists, didn't respond to emails seeking comment. He is scheduled to present his findings on Thursday at the Blackhat security conference in Abu Dhabi.

Oberheide is same researcher who in June forced Google to wield Android's then-secret remote kill switch when he released a pair of applications to demonstrate how easy it is to use Market to bootstrap a rootkit onto Android phones.

The two most recent attacks “operate entirely in userspace and leverage weaknesses present in the Android platform ad common HTC handsets to achieve their goals,” Oberheide said. They came the same week that attack code exploiting a browser vulnerability in older Android phones was released. ®

source - http://www.theregister.co.uk/2010/11/10/android_malware_attacks/

Aldi data breach shows payment terminal holes

2010-10-09T05:13:00.001-07:00

Thieves hit point-of-sale terminals in Aldi grocery stores in 11 states

A debit card breach disclosed late last week by discount grocer Aldi Inc. shows how hardware hacks are starting to pose as much of a threat to payment card data as software-based attacks.

Batavia, Ill.-based Aldi, which operates 1,100 stores in 31 states, disclosed on Oct. 1 that hackers tampered with payment terminals at stores in 11 states from June to August.

The hackers gained access to various debit card data, such as name, account data and personal identification numbers (PINs) of an undisclosed number of customers, the company said.

So far, officials said that hacked terminals were discovered at Aldi stores in Connecticut, Georgia, Illinois, Indiana, Maryland, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, and Virginia. All the hacked terminals have been replaced, the company said.

More than 1,000 Aldi shoppers in the Chicago area and from Indianopolis have already reported fraudulent activities related to breaches at Aldi stores. There have been similar reports in other states as well. Analysts estimate that there could be some tens of thousands victims.

Analysts said the number of payment terminals and the widespread area affected by the Aldi breach makes it unusual. It comes at a time of growing concerns about the security of payment terminals.

Typically, payment terminal breaches are localized because hackers must physically access each device to manually tweak or replace the internal electronics.

The geographic breadth of the Aldi attack suggests intricate planning, said Jim Huguelet, a Sugar Grove, Ill.-based consultant, who advises clients on payment security issues. "It looks like this was the work of a network of criminals who went into stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices" designed to steal payment data, he said.

The theft of the PIN data suggests that the crooks most likely used a transparent overlay of some type so that that customer PIN numbers could be captured before it was encrypted, Huguelet said. It is also more than likely that the rogue PIN pads allowed the attackers to capture payment card data wirelessly from within the store itself or from a nearby location such as a parking lot.

The tampering likely occurred over a period of several months, he said.

Colin Sheppard, director of incident response at Trustwave, which provides security auditing services to large retailers, said that such attacks against U.S. retailers have grown over the past couple of years, as criminals are finding the tactic a relatively easy way to obtain magnetic stripe and PIN data.

Also driving the trend is the easy and growing availability of sophisticated counterfeit payment terminal kits designed for use in such schemes he said. Many of the rogue kits are offer virtually the same appearance and functionality as terminals used in stores. The rogue devices also support Bluetooth and GSM to enable quick, wireless transfer of stolen payment card data, he said.

"There are certainly rings of fraudsters, largely from Eastern Europe, that are descending on the streets of America, literally traveling up and down highways and inserting skimming devices on ATM machines," said Avivah Litan, an analyst with Gartner. "So I can certainly believe that these same types of fraudsters are organized to attack multiple stores in multiple states simultaneously."

In Aldi's case, the scheme likely started with the theft of just one point of sale device, she said, "They figured out how it worked, how to tamper with it and how to steal the PINs," she added. The next step was to hire people to take part in the mass attacks, Litan said.

"I'd expect to see more of this type of attack in the coming year," she said.

source - http://www.computerworld.com/s/article/9189982/Aldi_data_breach_shows_payment_terminal_holes?taxonomyId=17

BlackBerry backup encryption broken by Russians

2010-10-09T05:09:00.000-07:00

A Russian company that specialises in cracking tools claims it has broken the password protection used to secure data backups from BlackBerry smartphones.

According to Elcomsoft, a weakness in the way BlackBerry has implemented the apparently secure 256-bit AES encryption in its PC and Mac backup program, BlackBerry Desktop Software, makes it possible to carry out a successful password recovery attack on the backup archive with relative ease.

'Relative' in this context means breaking a 7-charcter password consisting of small letters with two capitalisation in around half an hour using an Intel Core i7 processor. More complex variations of this basic password could be broken in three days using the same hardware, the company claims, before adding that using graphics hardware such as the ATI Radeon HD5970 card would cut this considerably.

“In short, standard key-derivation function, PBKDF2 [password-based key derivation function], is used in a very strange way, to say the least. Where Apple has used 2,000 iterations in iOS 3.x, and 10,000 iterations in iOS 4.x, BlackBerry uses only one,” says Elcomsoft’s Vladimir Katalov in an explanatory blog posting.

The BlackBerry archive encryption is also carried out using the desktop or Mac PC, rather than the smartphone itself, which means that the data is exchanged in unencrypted for, Katalo adds.

What such a backup archive contains will vary from user to user, but in the case of a managed business user, will likely be all data from the BlackBerry, including contacts, email, and password settings for email and WiFi.

Almost as an aside, the company says the same software will also do the same for iPhone, iPad and iPod Touch backups, although it is clear that the possibility of attacking backups made from a device famously used by President Obama is the bigger prize.

Elcomsoft has given itself a controversial reputation with previous cracking tools, including one to derive some WiFi WPA encryption passphrases, which was, coincidentally, updated last week.

source - http://news.techworld.com/security/3242117/blackberry-backup-encryption-broken-by-russians/

Google steals security page from Mozilla's Firefox

2010-08-28T01:45:00.000-07:00

Will add blocking of outdated plug-ins to Chrome at unspecified future date

Computerworld - Google will take a page from Mozilla's security playbook and block outdated plug-ins from launching in its Chrome browser, part of a new effort to keep users safer, the company said Monday.

In a post to the Chromium blog, a trio of Google security engineers announced that Chrome would refuse to run plug-ins if they were found to be out of date, and thus, potentially vulnerable to exploitation of known bugs.

Chromium is the name of the open-source development project that feeds into the Chrome browser.

Google did not spell out when the blocking of outdated plug-ins would be added to Chrome, saying only that it would happen in the "medium-term." Nor did the Google engineers specify which plug-ins would be blocked. Chrome will assist users in updating old plug-ins, they said.

Chrome will also display a warning when a site calls on an infrequently-used plug-in, said Chris Evans, Julien Tinnes and Michal Zalewski of Google's security team. "Some plug-ins are widely installed but typically not required for today's Internet experience," they said. "For most users, any attempt to instantiate such a plug-in is suspicious and Google Chrome will warn on this condition."

Evans, Tinnes and Zalewski did not elaborate on how Chrome would define "infrequently-used."

Google did not reply to requests for clarification and more information on the timeline of the impending changes to Chrome.

By making this move with Chrome, Google is following in the footsteps of Mozilla, which has already equipped its Firefox browser with the ability to block outdated plug-ins.

Mozilla added basic plug-in checking to Firefox 3.5 last September, but fleshed out the feature in Firefox 3.6, which debuted in January. The newest Firefox checks browser plug-ins, such as Adobe's Flash Player or Apple's QuickTime, to make sure they're up to date, then blocks vulnerable plug-ins from loading and shows users how to update the software.

Both Mozilla and Google have said the new features represent a response to the rapid increase in the number of attacks against vulnerable plug-ins, especially Adobe's Flash Player and Reader.

According to some estimates, attacks against browser plug-ins, particularly Adobe's popular Reader PDF viewer, are quickly climbing. In the first quarter of 2010, PDF exploits accounted for 28% of all malware-bearing attack code, antivirus vendor McAfee said in April.

In other security arenas, Chrome is already ahead of Firefox. For example, Google's browser now automatically updates Adobe's Flash Player behind the scenes. And two weeks ago, Google added an integrated PDF viewer to the "developer" build of Chrome for Windows and Mac.

Chrome accounted for 7% of all browsers used last month, according to the most recent data from Web metrics company Net Applications. Meanwhile, Firefox owned a 24% usage share in May.

source - http://www.computerworld.com/s/article/9178678/Google_steals_security_page_from_Mozilla_s_Firefox

Critical security holes in Adobe Shockwave

2010-08-28T01:39:00.000-07:00

Adobe has shipped a Shockwave Player update to fix 20 security holes, some serious enough to lead to system takeover attacks.

The vulnerabilities, rated “critical,” affect Shockwave Player 11.5.7.609 and earlier versions for Windows and Macintosh.

From Adobe’s advisory:

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.7.609 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.

Users of Adobe Shockwave Player 11.5.7.609 and earlier versions should immediately upgrade to version 11.5.8.612 using this link: http://get.adobe.com/shockwave/.

source - http://www.zdnet.com/blog/security/critical-security-holes-in-adobe-shockwave/7226?tag=mantle_skin;content

First malware discovered that targets Android

2010-08-13T21:46:00.000-07:00

The malware is believed to be the first to target the Android mobile operating system

Researchers at Russian security company Kaspersky Lab say they've discovered the first malicious software program to target Google's Android mobile operating system.

Android 2.2: How to install Flash on Froyo

The application masquerades as a media player, according to a Kaspersky blog post. But if it is installed, the rogue application begins secretly sending SMSs (Short Message Service) to a premium rate number presumably belonging to the hackers who created it.

There have been isolated cases of spyware programs that run on the Android platform, an open-source mobile operating system created by Google. But the fake media player application, which Kaspersky dubbed "Trojan-SMS.AndroidOS.FakePlayer.a," is the first one believed to specifically target Android, Kaspersky said.

"Kaspersky Lab recommends that users pay close attention to the services that an application requests access to when it is being installed," the company said. "That includes access to premium rate services that charge to send SMSes and make calls."

The application is simply called "Movie Player," according to Lookout, a company that makes mobile phone security and management software. The malware does apparently warn users they may be charged for SMSs if they install it. The SMSs costs "several dollars," Lookout's blog said.

Lookout suggested that Android users check the permissions of the media player applications and revoke any that mention charging for SMSs. The malware may not spread far, however, for a couple of reasons.

"So far this has only affected Android smartphone users in Russia and only works on Russian networks," Lookout said. "As far as we know, there is no indication that this app is in the Android Market."

Google said in a statement that users see a screen after downloading an application that explains what information and system resources that application can access, such as their phone number or the SMS function.

"Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time," Google said. "We consistently advise users to only install apps they trust. In particular, users should exercise caution when installing applications outside of Android Market."

As another defense against this malware, users can set their phone to only download applications that are in the Android Market

Mobile devices have not been afflicted by malicious software to the extent of desktop OSes such as Windows, but security analysts have said they expect that to change as smartphones become more widely used and gain more capabilities.

Last year, Trend Micro analyzed a piece of mobile malware known as "Sexy Space," which ran on Symbian S60 OS devices. Infected phones would send SMSs to everyone in the phone's contact list with a link to a Web site. If someone clicked the link, they would then be prompted to install Sexy View, which purported to offer pornography-related content.

In 2005, the Symbian Series 60 OS was targeted by Comwar, a worm that spread via Bluetooth and MMS (Multimedia Messaging Service). The first for-profit mobile malware, Redbrowser, was discovered in 2006.

Redbrowser used a social-engineering ploy written in Russian to lure users to manually install it, which limited the rate at which it spread. The malware sent SMSes to a phone number that charged around $6 per message, targeting even lower-end mobile devices running the J2ME (Java 2 Mobile Edition) software, which at the time ran on some 1 billion devices from vendors such as Nokia, Motorola and Research in Motion.

source - http://www.networkworld.com/news/2010/081110-new-android-malware-texts-premium-rate.html?hpg1=bn

'Unhackable' Android can be hacked, Black Hat researchers say

2010-07-30T09:41:00.001-07:00

Network World - LAS VEGAS -- Once thought to be unhackable, the Android phone is anything but, according to researchers presenting at Black Hat 2010.

FBI details worst social networking cyber crime problemsNot only has malicious software cloaked in a wallpaper application stolen personal information from infected phones and sent it to a Web site in China, but researchers from Lookout Mobile Security have found a way to take the phones over completely - including top-of-the-line models hawked by major wireless carriers.

In one presentation, Lookout's CEO John Herring said the Jackeey Wallpaper app, which has been downloaded millions of times, can gather passwords, browser history, the subscriber ID and SIM card numbers and text messages.

In a separate presentation, researchers said top-of-the-line Android phones used by Sprint and Verizon can be taken over completely by attacking known flaws in the Linux operating system that underpins Android, researchers reported at Black Hat 2010. "It gives you root control, and you can do anything you want to do" with the phone, says Anthony Lineberry, a researcher for Lookout Mobile Security.

U.S. should seek world cooperation on cyber conflict, says ex-CIA director
'Unhackable' Android can be hacked, Black Hat researchers say
Update: ATM hack gives cash on demand
BitBlaze tool boosts bug-hunting productivity 10-fold
Apple patches Safari ahead of Black Hat talk, launches add-on gallery
Black Hat: Most browsers can be made to give up personal data
AT&T: We don't intend to stop Black Hat demo
Bug reporting could be a hot topic at Black Hat
What to watch at Black Hat and Defcon
Black Hat reflects a changing industry, says founder
More from Black Hat 2010
The company says Android's reputation for security may be exaggerated. "It survived the recent pwn2own slay fest unscathed, but this does not mean it is safe by any means," the company said in describing Lineberry's talk.

The best way to distribute malware that could exploit the flaw - known as CVE-2009 1185 - is via Android applications that customers might acquire free or buy from the Android Market. Installing the booby-trapped application would give root control of the device, Lineberry says. "Root is kind of God mode in the context of Linux. Once you have that, you have pretty much any system privilege."

CVE-2009 1185 has been known for more than a year and can be patched, but so far the carriers have not issued patches, Lineberry says. The root-control exploit has been successfully carried out in Lookout labs on EVO 4G (Sprint), Droid X (Verizon), and Droid Incredible (Verizon) as well as older models G1 and Hero, he says.

But root control is unnecessary in order to carry out the type of attack executed by Jackeey Wallpaper, according to another Lookout researcher, Tim Wyatt. Applications require permissions in order to access features of the phone, and these permissions can be exploited. So, for instance, an application that tells the customer the nearest Chinese restaurant would need access to the phones GPS capabilities.

When selling applications, developers must list all the permissions the application requires to work, and the customer must sign off on allowing those permissions. An application that sorts SMS messages but requires Internet access may seem suspicious, and customers might bail out of buying the application.

But some permissions sound innocuous, Wyatt says. Customers might not know what the permission "Import Android log" means, but approve an application that requires it because the name of the permission doesn't sound threatening. But the logs can reveal browsing histories, passwords, phone numbers and a wealth of other data, he says.

Malicious applications with Internet permissions can be crafted to send the data in the background or display innocuous Web sites to mask where the data is being sent, Wyatt says.

The best course for users is to beware the applications they buy and if they are suspicious, not to download the apps, Lineberry says.

Lookout has carried out a study it calls the App Genome project that examined Android and iPhone applications for what permissions they have and what malicious activity they might carry out with the set of permissions they have. An application might use the permissions legitimately, but in the hands of a hacker could cause mischief, the company says.

Part of the permission system in Android allows applications to tap each other's resources, so an application without permission to access the Internet might have access to an application that does and so use the Internet anyway, the researchers say.

source - http://www.computerworld.com/s/article/9179863/_Unhackable_Android_can_be_hacked_Black_Hat_researchers_say?taxonomyId=17

100 million Facebook accounts exposed

2010-07-30T09:39:00.000-07:00

'Hack' highlights users' lax approach to privacy

The details of 100 million Facebook users - a fifth of the social networking site's members - have been posted online by a security analyst, in a stark demonstration of the potential privacy weaknesses of social networks.

In a detailed blog post, Ron Bowes of Skull Security explained that he used a simple piece of code to perform the scrape, which took any data not already locked down within personal privacy settings. However, as of this morning, his web site and the blog post were unavailable.

The list of users has been shared on peer-to-peer site The Pirate Bay, and included in the packaged files are names and Facebook URLs.

Facebook is calm about the hack, explaining that the information that was taken had already been made public by users.

"This information already exists in Google, Bing, other search engines, as well as on Facebook," the social network said.

"No private data is available or has been compromised. Similar to a phone book, this is the information available to enable people to find each other, which is the reason people join Facebook."

However, the firm is investigating whether the collection of information in this way was a violation of its terms and conditions.

Graham Cluley, senior technology consultant at security firm Sophos, concurred with Facebook's stance, explaining that it was enabled by lax user controls.

"This wasn't really a 'hack' as such, as the guy who collected this information didn't have to break into accounts to access the information," he said.

However, Cluley added that, rather than highlighting an issue with Facebook's security in itself, the attack had displayed a lack of knowledge and awareness among users, and is indicative of the way Facebook makes it difficult for users to control their own accounts.

"Facebook has gradually eroded its users' privacy over the years in an attempt to share more information with the rest of the internet," he said.

"The only information in the torrent file is the user's name and Facebook URL. If they had also scooped up other information from the profiles (which is publicly available) then that would clearly be more dangerous."

Cluley said he hoped the incident would prompt social network users to harden their security settings.

"Facebook users need to wake up to the risks of sharing too much information online, and examine their Facebook security settings closely to ensure that they are not divulging too much to people they don't know."

The way that the apparent vulnerability was exposed and shared also drew scorn from Cluley, who suggested that Bowes had acted irresponsibly.

Bowes said that he took and published the details to highlight the problems people face using Facebook, but Cluley remained sceptical.

"In my view his collecting of this data, although not illegal, was irresponsible, and I cannot imagine that he has done anything to make the internet a more secure place through his actions," he said.

source - http://www.v3.co.uk/v3/news/2267280/fifth-facebook-accounts-exposed

Hacker claims to have found Skype hole

2010-07-13T07:14:00.001-07:00

Skype's security credentials have been called into question by a developer who claims to have released a software library that emulates an encryption algorithm used by the popular VoIP service.

Sean O'Neill, best known for designing the EnRUPT hash algorithm, has released program code which emulates the RC4 algorithm used by Skype to encrypt communications over its network.

Skype is widely used in home and business environments, and the company guards its source code fiercely.

This has led to numerous attempts to crack the encryption algorithm which would result in conversations being deciphered to 'plaintext'.

An initial analysis of the code appears to show that O'Neill's solution is a partial exposure of Skype's privacy measures.

However, given the resourceful nature of hackers, a small crack could expand into a gaping fissure in a relatively short space of time.

The developer has decided not to reveal further details of his exploits until his presentation at the respected Chaos Communication Congress in December.

Until then, O'Neill has uploaded his code allowing other hackers to test and potentially carry on his hard work.

The wait until O'Neill reveals the extent of his breach of Skype's encryption could result in firms thinking twice before they use the application.

However, Skype hit back at O'Neill in a strongly worded statement. The firm said it was proud of its software's security and that the hacker's efforts "in no way" compromises this.

"We believe that the work being done by Sean O'Neil, who we understand was formerly known as Yaroslav Charnovsky, is directly facilitating spamming attacks against Skype and we are considering our legal remedies," the statement continued.

"Whilst we understand the desire for people to reverse engineer our pro tocols with the intent of improving security, the work done by this individual clearly demonstrates the opposite.

source - http://www.v3.co.uk/v3/news/2266248/hacker-claims-found-skype-hole

Bank insider charged over ATM malware scam

2010-04-11T04:57:00.000-07:00

An IT worker at Bank of America has been charged with hacking ATM systems so that machines handed out cash without recording his transactions, IDG reports.

Rodney Reed Caverly, of Charlotte, North Carolina, was charged with a single count of computer fraud over the alleged creation of malware that infected bank computers and ATMs. The alleged miscreant used his inside knowledge as a member of staff responsible for designing and maintaining computer systems and cash machines to carry out the crime, prosecutors charge.

Fraudulent withdrawals took place between March 2009 and October 2009. Losses to the bank are unspecified at this stage of legal proceedings, but above the $5,000 minimum necessary to file computer fraud charges.

Bank Infosecurity reports that the fraud, which did not affect customer accounts, was detected using the BofA's internal control system.

Caverly, who faces charges punishable upon conviction by a prison sentence of up to five years, is next due to appear before a Charlotte court next Tuesday (13 April).

source - http://www.theregister.co.uk/2010/04/08/bofa_atm_hack_charges/

Ex-Army man cracks popular security chip

2010-02-21T01:20:00.000-08:00

How to open Infineon's Trusted Platform Module

Hardware hacker Christopher Tarnovsky just wanted to break Microsoft's grip on peripherals for its Xbox 360 game console. In the process, he cracked one of the most heavily fortified chips ever put into a consumer device.

The attack by the former US Army computer-security specialist is notable because it goes where no hacker has gone before: into the widely used Infineon SLE 66PE, a microcontroller that carries the TPM, or Trusted Platform Module designation of security. The hack means he can access sensitive data and algorithms locked away in the chip's digital vault and even make counterfeit clones that could fool the many devices that rely on it.

"I can get inside this chip without killing it and I can get through all the security countermeasures it has in place, physical and in software," Tarnovsky, who is principal engineer for Flylogic, told The Register in an interview that covered many of the behind-the-scenes elements of the hack.

Its genesis came when Tarnovsky learned that manufacturers of video game controllers had to obtain a license from Microsoft for the peripherals to work on the Xbox 360. The requirement offended his sense of fair play, so he put his reverse engineering muscle to breaking it.

"I was very surprised they would put a security chip in a wired controller, as well as a wireless controller," he said. "It's very monopolistic what they've done. They have a right to do it, but I have a right to break it too."

After dissecting a controller, he found that the chip that allowed it to communicate with the Xbox was made by Infineon. He eventually purchased dozens of related microcontrollers on the Hong Kong surplus market for 15 cents apiece.

He then employed an electron microscope called a focused ion beam workstation (price tag $250,000 used) that allowed him to view the chip in the nanometer scale so he could manipulate its individual wires using microscopic needles.

It took Tarnovsky four months to develop techniques for probing the chip and another two months to apply them to breaking the 66PE.

What he found was a chip that was locked down with multiple levels of defenses. Optical sensors, for instance, were designed to detect ambient light from luminous sources. And a wire mesh that covered the microcontroller was aimed at disabling the chip should any of its electrical circuits be disturbed.

"One wrong move and I vaporize a track on the chip," Tarnovsky said.

Indeed, some 50 of the chips were vaporized in the course of the hack. But over time, he learned how to use the needles to penetrate the chip's inner recesses so he could tap sensitive data that remains unencrypted so it can be processed.

Using the tungsten as microscopic bridges, Tarnovsky said, he can digitally clone chips used to prevent piracy of satellite TV service, to disable unauthorized cartridges in printers - or to make Xbox game controllers.

"You could counterfeit this chip," he said, although he stressed he had no plans to use the hack for illegal purposes.

In a statement sent to Infineon customers last week, the company noted the time and expense required for Tarnovsky to crack the chip. But the company went on to say it was a sign of attacks to come and said engineers were already working on a more secure successor to the 66PE.

"In contrast to conventional solutions, the SLE 78 family now utilizes encryption even in the CPU itself, leaving no plaintext for the attacker," the release stated. "Technical advances of that scale are only possible if the CPU itself is designed 'from the scratch' by the hardware manufacturer with security in mind, right from the beginning."

The physical attack on the 66PE is similar to hacks cryptographers have recently waged on proprietary encryption algorithms in cordless phones and the world's most popular smartcard. In all of them, the secret formula was lifted after sanding down the chips' silicon and examining its circuitry using an electron or optical microscope.

"More and more things are moving to hardware, and as things move to hardware, people are analyzing these devices and getting the algorithms out and putting them back in the software," Tarnovsky said.

While the risks of physical attacks are in many cases inevitable, he said the cracking of the 66PE was aided by its abundant supply on international surplus markets, which is something Infineon may want to consider as it readies its new generation of ultra-secure microcontrollers.

"If this is supposed to be such a secure device and it's common-criteria certified, why are they available on the used surplus market?" he said. "This device should not have been readily available for a researcher like me." ®

source - http://www.theregister.co.uk/2010/02/17/infineon_tpm_crack/

USB stick security flaw puts data at risk

2009-11-06T09:34:00.000-08:00

Security firm warns of imminent threat to sensitive information

USB sticks have been found to contain a significant security flaw which could be exploited to break into millions of computers around the world, according to researchers at MWR InfoSecurity.

The UK firm claimed that the flaw could allow the creation of USB sticks that "interrogate a computer and download the contents".

The researchers added that such devices are just months away from development, and are likely to be used by malevolent and sophisticated criminals to steal the contents of entire hard drives.

"What millions of us have seen in countless James Bond and other spy thrillers around the world has now taken a step closer to being realised," said Alex Fidgen, commercial director at MWR InfoSecurity.

"The bad guy plugging a small device into the system and removing sensitive data is no longer theoretical. It is possible."

Criminals could exploit a flaw in the driver software of USB devices to take control of systems and steal information. Fidgen claimed that MWR InfoSecurity has been concerned about these security implications for some time.

"Hackers are becoming more and more sophisticated, and business is under threat. Up until now people have felt secure in the knowledge that a simple USB stick could not copy their information without their permission. We have proved that it is not the case," he said.

The firm claimed that it has already cracked one operating system using its tools, and is now turning its attention to others. Fidgen added that the researchers had built the hack to raise awareness of the security issues, and had shared their findings with the UK government's Centre for the Protection of National Infrastructure.

Researchers crack WPA encryption in 60 seconds

2009-09-03T10:16:00.001-07:00

Japanese researchers claim to have found a way to break the Wi-Fi Protected Access (WPA) encryption system used in wireless routers in just 60 seconds.

Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University plan to explain their method at a technical conference on 25 September in Hiroshima.

The attack potentially gives hackers a way to read encrypted traffic sent between computers and certain types of routers that use the WPA encryption system.

The fact that WPA could be broken has been known for some months, but the researchers have exploited a theoretical attack and made it practical.

An earlier technique, developed by researchers Martin Beck and Erik Tews, worked on a smaller range of WPA devices and took between 12 and 15 minutes.

Both attacks work on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm.

The WPA standard was originally designed as an interim encryption method as Wi-Fi security was developing, and has long since been superseded by WPA2. However, a fair bit of WPA with TKIP kit is still in use.

Newer WPA2 devices that use the stronger Advanced Encryption Standard algorithm remain safe for now.

info from http://www.v3.co.uk/v3/news/2248580/researchers-crack-wpa

IIS bug gives attackers complete server control

2009-09-03T10:08:00.000-07:00

A hacker has uncovered a previously unknown bug in Microsoft's Internet Information Services webserver that in some cases gives attackers complete control of vulnerable machines.

Proof-of-concept code published Monday has been confirmed to give remote root access to servers running version 5 of IIS on Windows 2000 with Service Pack 4. And according to Nikolaos Rangos, the hacker who released the exploit, IIS6 is also vulnerable, even when a memory stack mechanism known as cookie protection is enabled.

The vulnerability appears to be triggered only in limited circumstances, specifically when IIS is set to enable the file transfer protocol and there is a writable folder. While that suggests the majority of IIS installations aren't vulnerable, the universe of affected systems is still big enough to give the security conscious pause.

"I have customers who have Windows 2000 servers and I scold them frequently." said Rodney Thayer, CTO of security research firm Secorix. "I think that's pretty bad, because if Microsoft says it's end of life and they're claiming it's not supported, then you shouldn't be running any software that the vendor says is not supported."

According to Microsoft's website here, mainstream support for IIS5 expired in 2005, but extended support remains in effect until July 2010. Support for Windows 2000 SP4 ends "24 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first," according to this page.

A Microsoft spokeswoman said company researchers are looking in to the report and will issue a public statement when they're finished. There are no reports of any such vulnerabilities being exploited in the wild, she added.

In May, Rangos disclosed another serious bug in IIS that left the popular web server vulnerable to a simple attack that exposed password-protected files and folders. Microsoft has since fixed it.

The claim of a bug in IIS is just one of three security advisories that greeted IT professionals on Monday morning. A separate vulnerability affecting a wide range of Linux kernels allows unprivileged local users to read parts of kernel memory that may contain sensitive information. While problematic, the bug - unlike like a critical NULL pointer dereference flaw published two weeks ago - doesn't directly lead to privilege escalation.

The hole has been plugged in Linux 2.6.31-rc7, but there appears to be no fix in the more stable 2.6.30.x series yet, Jon Oberheide, the security researcher who published Monday's disclosure, told The Register.

A third vulnerability disclosed Monday affects Google's Chrome browser and could be used in some cases by malicious websites to track web users.

info from http://www.theregister.co.uk/2009/08/31/iis_bug_reported/

This article was updated to reflect the official dates support expires for IIS and Windows 2000.

More holes found in Web's SSL security protocol

2009-07-31T19:28:00.000-07:00

IDG News Service - Security researchers have found some serious flaws in software that uses the SSL (Secure Sockets Layer) encryption protocol used to secure communications on the Internet.

At the Black Hat conference in Las Vegas on Thursday, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers.

This type of attack could let an attacker steal passwords, hijack an on-line banking session or even push out a Firefox browser update that contained malicious code, the researchers said.

The problems lie in the way that many browsers have implemented SSL, and also in the X.509 public key infrastructure system that is used to manage the digital certificates used by SSL to determine whether or not a Web site is trustworthy.

A security researcher calling himself Moxie Marlinspike showed a way of intercepting SSL traffic using what he calls a null-termination certificate. To make his attack work, Marlinspike must first get his software on a local area network. Once installed, it spots SSL traffic and presents his null-termination certificate in order to intercept communications between the client and the server. This type of man-in-the-middle attack is undetectable, he said.

Marlinspike's attack is remarkably similar to another common attack known as a SQL injection attack, which sends specially crafted data to the program in hopes of tricking it into doing something it shouldn't normally do. He found that if he created certificates for his own Internet domain that included null characters -- often represented with a \0 -- some programs would misinterpret the certificates.

That's because some programs stop reading text when they see a null character. So a certificate issued to www.paypal.com\0.thoughtcrime.org might be read as belonging to www.paypal.com.

The problem is widespread, Marlinspike said, affecting Internet Explorer, VPN (virtual private network) software, e-mail clients and instant messaging software, and Firefox version 3.

To make matters worse, researchers Dan Kaminsky and Len Sassaman reported that they had discovered that a large number of Web programs are dependant on certificates issued using an obsolete cryptographic technology called MD2, which has long been considered insecure. MD2 has not actually been cracked, but it could be broken within a matter of months by a determined attacker, Kaminsky said.

The MD2 algorithm was used 13 years ago by VeriSign to self-sign "one of the core root certificates in every browser on the planet," Kaminsky said.

VeriSign stopped signing certificates using MD2 in May, said Tim Callan, vice president of product marketing at VeriSign.

However, "large number of Web sites use this root, so we can't actually kill it or we'll break the Web," Kaminsky said.

Software makers can, however, tell their products to not trust MD2 certificates; they can also program their products to not be vulnerable to the null-termination attack. To date, however, Firefox 3.5 is the only browser that has patched the null-termination issue, the researchers said.

This is the second time in the past half-year that SSL has come under scrutiny. Late last year, researchers found a way to create a rogue certificate authority, that could in turn issue phoney SSL certificates that would be trusted by any browser.

Kaminsky and Sassaman say there are a raft of problems in the way SSL certificates are issued that make them insecure. All of the researchers agreed that the x.509 system that is used to manage certificates for SSL is out-of-date and needs to be fixed.

Security certificate warnings don't work, researchers say

2009-07-24T23:21:00.000-07:00

Every Web surfer has seen them. Those "invalid certificate" warnings you sometimes get when you're trying to visit a secure Web site.

They say things like "There is a problem with this Web site's security certificate." If you're like most people, you may feel vaguely uneasy, and -- according to a new paper from researchers at Carnegie Mellon University -- there's a good chance you'll ignore the warning and click through anyway.

In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users).

"Everyone knew that there was a problem with these warnings," said Joshua Sunshine, a Carnegie Mellon graduate student and one of the paper's co-authors. "Our study showed dramatically how big the problem was."

That's not great news. Often the warnings pop up because of a technical problem on the Web site, but they can also mean that the Web surfer is being redirected somehow to a fake Web site. URLs for secure Web sites begin with "https."

The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web.

They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites.

"That's sort of a backwards understanding of what these messages mean," Sunshine said. "The message is validating that you're visiting the site you think you're visiting, not that the site is trustworthy."

If a banking Web site shows a message that its security certificate is invalid, that's a very bad sign, security experts say. It could mean the Web surfer is being subjected to a so-called man-in-the-middle attack. In this type of attack, the criminal inserts himself between the Web surfer and the site he's visiting, in the hopes of stealing information.

Security experts have long known that these security warnings are ineffective, said Jeremiah Grossman, chief technology officer with Web security consultancy White Hat Security. That's because users "really don't know what the security risks mean," he said via instant message. "So they take the gamble."

In the Firefox 3 browser, Mozilla tried to use simpler language and better warnings for bad certificates. And the browser makes it harder to ignore a bad certificate warning. In the Carnegie Mellon lab, Firefox 3 users were the least likely to click through after being shown a warning.

The researchers experimented with several redesigned security warnings they'd written themselves, which appeared to be even more effective. They plan to report their findings Aug. 14th at the Usenix Security Symposium in Montreal.

Still, Sunshine believes that better warnings will help only so much. Instead of warnings, browsers should use systems that can analyze the error messages. "If those systems decide this is likely to be an attack, they should just block the user altogether," he said.

Even when visiting important Web sites like banks, "people are still dramatically ignoring the warnings," he said.

Netbooks may pose security risk to businesses

2009-03-09T03:05:00.001-07:00

Netbooks have made headlines since their 2007 launch, but their cheap cost could also carry a steep price tag, due to lax security that makes them easier prey for viruses and hackers.

Since their introduction less than two years ago by Taiwan's Asus, nearly all major PC makers, including Acer, Dell, HP and Lenovo, have jumped on the netbook bandwagon.

But their no-frills nature, combined with low computing power, could combine to create the perfect storm for hackers and virus creators looking for easy targets, analysts say.

Sam Yen, China marketing manager at antivirus software maker Symantec, said: "The internet is full of dangers, regardless of what computer you are using. But keeping in mind that the netbook is primarily used to surf the internet, those dangers are possibly multiplied many-fold, especially if there is no antivirus software installed in the machine."

Price tags as low as $300 (£210) mean netbooks often lack such standard gear as firewalls and other antivirus software typically found in other computers, leaving them highly vulnerable to attacks.

Pranab Sarmah, an analyst at the Daiwa Institute of Research, said: "Frankly, netbook security is not there yet. The positioning of the netbook means PC brands are going to do whatever it takes to make the price point attractive to consumers, which means keeping costs low."

Netbooks were a glimmer of light in the tech sector last year, and IDC research firm says they could dramatically outperform the overall PC market in 2009. It forecasts netbook shipments will more than double to nearly 21 million units this year, compared with about four percent growth to 305 million units for all PCs.

Netbook pioneer Asus believes its models already include built-in security features and other options that are sufficient for the typical user, said Samson Hu, who runs the company's netbook operations.

Read this

Roundup: The best bits from CeBIT 2009
Read more
"We've got a tie-up with Symantec where users who want to can pay a little more for that additional security," he said. "We've received lots of good feedback from users, but of course, everyone should be aware of internet security issues when they are connected to any network."

Some experts say netbooks' inability to run effective security could crimp future growth, scaring away lucrative corporate users who regularly deal with sensitive data. Corporate buyers now account for more than half of all PC sales.

Eric Ashdown, senior director for security strategy and risk management at Accenture, said: "For most companies, they'll still choose conventional laptops that allow them to run software that protects the information hidden inside it."

"If I'm somebody doing corporate IT work, I wouldn't be looking at netbooks as a viable option. I would need more security, which they can't offer right now."

Loop Hole in the Internet!!

2008-07-28T07:08:00.000-07:00

SAN FRANCISCO (AFP) - - Internet security researchers on Thursday warned that hackers have caught on to a "critical" flaw that lets them control traffic on the Internet.

An elite squad of computer industry engineers that labored in secret to solve the problem released a software "patch" two weeks ago and sought to keep details of the vulnerability hidden at least a month to give people time to protect computers from attacks.

"We are in a lot of trouble," said IOActive security specialist Dan Kaminsky, who stumbled upon the Domain Name System (DNS) vulnerability about six months ago and reached out to industry giants to collaborate on a solution.

"This attack is very good. This attack is being weaponized out in the field. Everyone needs to patch, please," Kaminsky said. "This is a big deal."

DNS is used by every computer that links to the Internet and works similar to a telephone system routing calls to proper numbers, in this case the online numerical addresses of websites.
The vulnerability allows "cache poisoning" attacks that tinker with data stored in computer memory caches that relay Internet traffic to its destination.

Attackers could use the vulnerability to route Internet users wherever the hackers wanted, no matter what website address is typed into a web browser.

The threat is greatest for business computers handling online traffic or hosting websites, according to security researchers.

The flaw is a boon for "phishing" cons that involve leading people to imitation web pages of businesses such as bank or credit card companies to trick them into disclosing account numbers, passwords and other information.

"I was not intentionally seeking to cause anything that could break the Internet," Kaminsky said Thursday during a conference call with peers and media. "It's a little weird to talk about it out loud."

Kaminsky built a web page, www.doxpara.com, where people can find out whether their computers have the DNS vulnerability. As of Thursday, slightly more than half the computers tested at the website still needed to be patched.

"People are spending tens of thousands of hours getting this patch out the door," Kaminsky said.
The US Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, is among the chorus urging people to quickly protect computers linked to the Internet.

"Just like you should wear a seat belt going down the road to be safe in a car accident, the same applies here," said Jerry Dixon, a former director of cyber security at the US Department of Homeland Security.

"The patch is your seat belt. The exploit is out there and you definitely need to take precautions. Now is not the time to keep waiting."

Two "exploits," software snippets that take advantage of the vulnerability, have been unleashed on the Internet in the past 24 hours, Securosis analyst Rich Mogul said during the conference call.

"The threat is there," Mogul said.

reference from Yahoo.com.sg

Microsoft Surface! Latest Techonolgy

2008-02-12T09:15:00.000-08:00

Surface is essentially a Windows Vista PC tucked inside a table, topped with a 30-inch reflective surface in a clear acrylic frame. A projector underneath the surface projects an image onto its underside, while five cameras in the machine's housing record reflections of infrared light from human fingertips. The camera can also recognize objects placed on the surface if those objects have specially-designed "tags" applied to them. Users can interact with the machine by touching or dragging their fingertips and objects such as paintbrushes across the screen, or by placing and moving tagged objects.

Surface has been optimized to respond to 52 touches at a time. During a demonstration with a reporter, Mark Bolger, the Surface Computing group's marketing director, "dipped" his finger in an on-screen paint palette, then dragged it across the screen to draw a smiley face. Then he used all 10 fingers at once to give the face a full head of hair.

In addition to recognizing finger movements, Microsoft Surface can also identify physical objects. Microsoft says that when a diner sets down a wine glass, for example, the table can automatically offer additional wine choices tailored to the dinner being eaten.

Prices will reportedly be $5,000 to $10,000 per unit. However Microsoft said it expects prices to drop enough to make consumer versions feasible in 3 to 5 years.

The machines, which Microsoft debuted May 30, 2007 at a technology conference in Carlsbad, California, were set to arrive in November 2007 in T-Mobile USA stores and properties owned by Starwood Hotels & Resorts Worldwide Inc. and Harrah's Entertainment Inc. But with delays in developing custom applications for each of the partners, it will take until spring 2008 before the machines start showing up at these locations.

Network Analyzers

2008-01-18T05:12:00.000-08:00

A network analyzer is an instrument used to analyze the properties of electrical networks, especially those properties associated with the reflection and transmission of electrical signals known as scattering parameters (S-parameters). Network analyzers are used mostly at high frequencies; operating frequencies can range from 9 kHz to 110 GHz.[1]

Special types of network analyzers can also cover lower frequency ranges down to 10 Hz. These network analyzers can be used for example for the stability analysis of open loops or for the measurement of audio and ultra sonic components.[2]

The two main categories of Network Analyzers are

Scalar Network Analyzer (SNA) - Measures amplitude properties only
Vector Network Analyzer (VNA) - Measures both amplitude and phase properties
A VNA may also be called a gain-phase meter or an Automatic Network Analyzer. An SNA is functionally identical to a spectrum analyzer in combination with a tracking generator. As of 2007, VNAs are the most common type of network analyzer, and so references to an unqualified 'network analyzer' most often mean a VNA. The three biggest VNA manufacturers are Agilent, Anritsu, and Rohde & Schwarz.

A new category of network analyzer is the Microwave Transition Analyzer (MTA) or Large Signal Network Analyzer (LSNA), which measure both amplitude and phase of the fundamental and harmonics. The MTA was commercialized before the LSNA, but was lacking some of the user-friendly calibration features now available with the LSNA.

Capability Maturity Model Integration

2008-01-11T07:54:00.000-08:00

Capability Maturity Model® Integration (CMMI®) is a process improvement approach that provides organizations with the essential elements of effective processes. CMMI best practices are published in documents called models, which each address a different area of interest. There are now two areas of interest covered by CMMI models: Development and Acquisition.

The current release of CMMI is Version 1.2. There are two version 1.2 models now available:

CMMI for Development (CMMI-DEV), Version 1.2 was released in August 2006. It addresses product and service development processes.

CMMI for Acquisition (CMMI-ACQ), Version 1.2 was released in November 2007. It addresses supply chain management, acquisition, and outsourcing processes in government and industry.

Regardless of which model you choose, CMMI best practices should be adapted to each individual organization according to its business objectives. Organizations cannot be CMMI "certified." Instead, an organization is appraised (e.g., using an appraisal method like SCAMPI) and is awarded a 1-5 level rating. The rating results of such an appraisal can be published if released by the appraised organization.

Information Technology

2008-01-11T07:49:00.000-08:00

Information technology (IT), as defined by the Information Technology Association of America (ITAA), is "the study, design, development, implementation, support or management of computer-based information systems, particularly software applications and computer hardware." IT deals with the use of electronic computers and computer software to convert, store, protect, process, transmit and retrieve information, securely.

Recently it has become popular[citation needed] to broaden the term to explicitly include the field of electronic communication so that people tend to use the abbreviation ICT (Information and Communications Technology), it is common for this to be referred to as IT & T in the Australasia region, standing for Information Technology and Telecommunications.

Today, the term information technology has ballooned to encompass many aspects of computing and technology, and the term is more recognizable than ever before. The information technology umbrella can be quite large, covering many fields. IT professionals perform a variety of duties that range from installing applications to designing complex computer networks and information databases. A few of the duties that IT professionals perform may include data management, networking, engineering computer hardware, database and software design, as well as the management and administration of entire systems.

test

2007-01-18T00:15:00.001-08:00

bah