Archive for October, 2012

Malware starts using the mouse to hide itself

Tuesday, October 30th, 2012

Malware production is a lucrative industry for both the malware writers who sell their work and security companies who sell us, the end users, protection. In order for the malware writers to get paid they need to develop malware that evades detection by the security companies, and in order to do that they’ve come up with some clever, yet quite simple techniques.

Security vendors have to analyze and detect millions of potential threats every year. In so doing they can regularly update the anti-malware software running on our machines and provide up-to-date protection. However, you can’t analyze all potential threats by hand, so automated threat analysis systems are employed. These typically look at suspicious files in a virtual machine and test each one quickly to see if it poses a threat.

The malware developers know such systems exist and have therefore employed countermeasures to try and avoid detection. These measures center around detecting whether they are being run in a virtual environment by checking registry entries, drivers, system services, which ports are available, and what processes are being run. If anything points to a virtual environment being present the malware shuts down and effectively hides from the automated system.

In the never-ending cat-and-mouse game these two parties play, the security vendors can also try to hide the fact that code is being run in a virtual environment, which in turn leads malware writers to develop new ways of detecting one. The latest of these quite simply uses the mouse, or goes to sleep before kicking into action.

Symantec has discovered that some malware won’t start running unless it detects activity from the mouse. Why would malware writers do this? Mouse activity comes from a user, and in an automated threat analysis system no user is present, so no mouse activity ever occurs.

Malware checking for mouse activity (upper code segment) and deciding to sleep and then wait to execute (lower code segment)

Some malware has also been found to go to sleep for several minutes and then wait several more minutes once active before infiltrating a system. The reason for this is a typical automated threat analysis system looks at individual files very quickly, so waiting to execute helps ensure the malware is on a real system and not a virtual test environment.

The checks are clever because they are so simple. That simplicity also makes them relatively easy to fool. All Symantec needs to do is add some simulated mouse movement to their testing system to fool the mouse check. As for the malware that waits before executing, it may just be a case of tweaking the system time in order to jolt any sleeping malware into action so it can be detected.
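
As an added illustration (not code from the article or from Symantec), the following Python script applies the two heuristics described above to a sandbox API-call trace: a sample that keeps polling the cursor position and never sees it move, and a sample that sleeps for minutes before its first network call. The trace format, the Windows-style API names and the thresholds are this example's own assumptions, and the trace itself is constructed.

```python
"""Flag sandbox-evasion behaviour in a sandbox API-call trace (added example)."""
import re
from dataclasses import dataclass

# Constructed trace: one call per line, "<timestamp_ms> <api>(<args>) [-> (x,y)]".
TRACE = """\
0      GetCursorPos() -> (312,240)
50     GetCursorPos() -> (312,240)
100    GetCursorPos() -> (312,240)
150    GetCursorPos() -> (312,240)
200    Sleep(300000)
300200 Sleep(240000)
540200 InternetOpenA()
540210 InternetConnectA(host=example.invalid)
"""

# Thresholds are assumptions for this example: this many identical cursor polls,
# or a single sleep at least this long, is suspicious inside an automated sandbox.
MIN_CURSOR_POLLS = 3
LONG_SLEEP_MS = 60_000

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*?)\)(?:\s*->\s*\((\d+),(\d+)\))?$")


@dataclass
class Finding:
    kind: str
    detail: str


def parse_trace(text):
    """Turn trace lines into (timestamp_ms, api, args, cursor_pos_or_None) tuples."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not look like a call record
        ts, api, args, x, y = m.groups()
        pos = (int(x), int(y)) if x is not None else None
        calls.append((int(ts), api, args, pos))
    return calls


def analyze(calls):
    """Apply the mouse-activity and sleep heuristics; return a list of Findings."""
    findings = []

    # Heuristic 1: the sample polls the cursor but it never moves (no user present).
    cursor = [pos for _, api, _, pos in calls if api == "GetCursorPos" and pos]
    if len(cursor) >= MIN_CURSOR_POLLS and len(set(cursor)) == 1:
        findings.append(Finding("idle-mouse-check",
                                f"{len(cursor)} GetCursorPos polls, cursor never moved"))

    # Heuristic 2: long sleeps, and total stalling before the first network call.
    total_sleep = 0
    for _, api, args, _ in calls:
        if api == "Sleep":
            ms = int(args)
            total_sleep += ms
            if ms >= LONG_SLEEP_MS:
                findings.append(Finding("long-sleep", f"Sleep({ms}) = {ms / 60000:.1f} min"))
    first_net = next((ts for ts, api, _, _ in calls if api.startswith("Internet")), None)
    if first_net is not None and total_sleep >= LONG_SLEEP_MS:
        findings.append(Finding("delayed-network",
                                f"first network call at {first_net / 60000:.1f} min "
                                f"after {total_sleep / 60000:.1f} min of sleep"))
    return findings


def summarize(text=TRACE):
    """Convenience wrapper: the kinds of findings for a trace, in order."""
    return [f.kind for f in analyze(parse_trace(text))]


if __name__ == "__main__":
    for f in analyze(parse_trace(TRACE)):
        print(f"{f.kind:18} {f.detail}")
```

A sandbox that feeds synthetic cursor movement and fast-forwards the clock, as the article suggests, would make both heuristics fire less often, which is exactly why such traces are worth keeping as a second signal.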


DOE flips switch on Titan, world’s newest fastest supercomputer

Tuesday, October 30th, 2012

Powered by a CPU-GPU hybrid architecture, Titan reaches 27 quadrillion calculations per second.

The Department of Energy’s Oak Ridge National Laboratory today powered up Titan, a new supercomputer with 299,008 CPU cores, 18,688 GPUs, and more than 700 terabytes of memory. Titan is capable of a peak speed of 27 quadrillion calculations per second (27 petaflops)—ten times the processing power of its predecessor at Oak Ridge—and will likely unseat DOE’s Sequoia supercomputer (an IBM BlueGene/Q system at Lawrence Livermore National Laboratory) as the fastest in the world.

Based on the Cray XK7 system, Titan consists of 18,688 computing nodes, each with an AMD Opteron 6274 processor and an NVIDIA Tesla K20 GPU accelerator. The NVIDIA GPUs provide most of the computing horsepower for simulations, with the Opteron cores managing them. True to its name, Titan is big—it takes up 4,352 square feet of floorspace in ORNL’s National Center for Computational Sciences.

The combination of GPUs and CPUs dramatically reduces the electrical power consumption required to generate the computing power required. “Combining GPUs and CPUs in a single system requires less power than CPUs alone,” said Jeff Nichols, ORNL’s Associate Laboratory Director for computing and computational sciences. In his written statement on the launch, he called Titan a “responsible move toward lowering our carbon footprint.”

Titan is an upgrade to Jaguar, a Cray XK6 system which as of June was the sixth fastest supercomputer in the world, drawing seven megawatts at its 2.3-petaflop peak performance. Titan will provide about 10 times that performance at nine megawatts. To achieve the same performance using solely Opteron CPUs, according to NVIDIA officials, Titan would have had to have been four times larger and would have consumed over 30 megawatts of power. The move to a hybrid CPU/GPU architecture is another step down the road toward “exascale” computing systems—with a goal of achieving 1,000 quadrillion (or 1 quintillion) computations per second.

ORNL researchers have been preparing for the shift to Titan’s hybrid architecture for the past two years as the upgrade from Jaguar was planned, and several projects are already set to run on the new architecture. James Hack, Director of ORNL’s National Center for Computational Sciences, said “Titan will allow scientists to simulate physical systems more realistically and in far greater detail. The improvements in simulation fidelity will accelerate progress in a wide range of research areas such as alternative energy and energy efficiency, the identification and development of novel and useful materials and the opportunity for more advanced climate projections.”


DoS vulnerability affects older iPhones, Droids, even a Ford car

Friday, October 26th, 2012

Publicly available code allows hackers to disable Wi-Fi in a range of products.

The iPhone 4 and a slew of older devices from Apple, Samsung, HTC, and other manufacturers are vulnerable to attacks that can make it impossible to send or receive data over Wi-Fi networks, a security researcher said. Code published online makes it trivial for a moderately skilled hacker to disable older iPhones, HTC Droid Incredible 2s, Motorola Droid X2s, and at least two dozen other devices, including Edge model cars manufactured by Ford. The denial-of-service vulnerability stems from an input-validation error in the firmware of two wireless chips sold by Broadcom: the BCM4325 and the BCM4329. The US Computer Emergency Readiness Team has also issued an advisory warning of the vulnerability.

“The only requirement to exploit the vulnerability is to have a wireless card that supports [the] raw inject of 802.11 frames,” Andrés Blanco, one of the researchers from Core Security who discovered the vulnerability, told Ars. “The Backtrack Linux distribution has almost everything you need to execute the POC provided in the advisory.”

The Core Security advisory said that Broadcom has released a firmware update that patches the “out-of-bounds read error condition” in the chips’ firmware. Device manufacturers are making it available to end users on a case-by-case basis since many of the affected products are older and already out of service.

Blanco said the exploit makes it impossible for an affected device to send or receive data over Wi-Fi for as long as the DoS attack lasts. Once the malicious packets subside, the device will work normally. Other device functions are unaffected by the Wi-Fi service interruption. He said it’s possible the bug could be exploited to do more serious things.

“We are not sure that we could retrieve private user data but we are going to look into this,” he said.


South Carolina reveals massive data breach of Social Security Numbers, credit cards

Friday, October 26th, 2012

Approximately 3.6 million Social Security numbers and 387,000 credit and debit card numbers belonging to South Carolina taxpayers were exposed after a server at the state’s Department of Revenue was breached by an international hacker, state officials said Friday.

All but 16,000 of the credit and debit card numbers were encrypted, the officials said.

The state’s Department of Revenue became aware of the breach Oct. 10 and an investigation revealed the hacker had stolen the data in mid-September, after probing the system for vulnerabilities in late August and early September.

The vulnerability exploited by the attacker was closed Oct. 20.

During a press conference Friday, South Carolina Governor Nikki Haley described the attack as international and “creative in nature.”

Asked if she knew where the attack originated from, she said she does but declined to name the location because it might hurt the law enforcement investigation. She did, however, say she wants the hacker “slammed to the wall.”

“We want to make sure everybody understands that our State will respond with a big, large-scale plan that is somewhat unprecedented to take care of this problem,” Haley said.

The state will provide affected taxpayers with a year of credit monitoring and identity theft protection service from Experian.

“Anyone who has filed a South Carolina tax return since 1998 is urged to visit or call 1-866-578-5422 to determine if their information is affected,” the Department said.

“While details are still emerging, we can already say that this breach of records at the South Carolina Department of Revenue (SCDOR) is exceptional, both in terms of the large number of records compromised and the potential damage to confidence in state government that may result,” Stephen Cobb, a security evangelist at security firm ESET, said via email Friday.

“The cost is also going to be enormous, given that South Carolina may be required to pay for identity theft protection services for anyone who has paid taxes in South Carolina since 1998,” he said.

“Encryption of the data may slow down the process by which the stolen records are converted into cash through identity theft and fraudulent accounts, although that will also depend on the strength of the encryption,” Cobb said.

Cobb pointed out that this breach came only a couple of months before people can start filing their income tax returns.

“Fraudulent electronic claims for refunds are a huge problem for the Internal Revenue Service (IRS) as criminals can easily make fake versions of the income tax withholding form known as W-2, showing that the employer withheld more tax than was owed,” Cobb said. “Employers often don’t inform the IRS of taxes withheld until several months into the New Year.”


Critical flaw found in software used by many industrial control systems

Friday, October 26th, 2012

CoDeSys runtime flaw allows hackers to execute commands on critical industrial control systems without authentication, researchers say

CoDeSys, a piece of software running on industrial control systems (ICS) from over 200 vendors contains a vulnerability that allows potential attackers to execute sensitive commands on the vulnerable devices without the need for authentication, according to a report from security consultancy Digital Bond.

The vulnerability was discovered by former Digital Bond researcher Reid Wightman as part of Project Basecamp, an ICS security research initiative launched by Digital Bond last year.

Described as a design issue, the vulnerability is located in the CoDeSys runtime, an application that runs on programmable logic controller (PLC) devices. PLCs are digital computers that control and automate electromechanical processes in power plants, oil and gas refineries, factories and other industrial or military facilities.

The CoDeSys runtime allows PLCs to load and execute so-called ladder logic files that were created using the CoDeSys development toolkit on a regular computer. These files contain instructions that affect the processes controlled by the PLCs.

According to the Digital Bond report, the CoDeSys runtime opens a TCP (Transmission Control Protocol) listening service that provides access to a command-line interface without the need for authentication.

The company has created and released two Python scripts: one that can be used to access the command line interface and one that can read or write files on a PLC running the CoDeSys runtime. There are plans to convert these scripts into modules for Metasploit, a popular penetration testing framework.

Depending on the PLC model, the command-line interface allows a potential attacker to start, stop and reset PLC programs; dump the PLC memory; get information about the tasks and programs running on the PLC; copy, rename, delete files on the PLC filesystem; set or delete online access passwords and more.

CoDeSys is developed by a company called 3S-Smart Software Solutions based in Kempten, Germany. According to the company’s website, the software is used in automation hardware from over 200 vendors.

The vulnerability and scripts were tested on only a handful of products from the 261 potentially affected vendors, Digital Bond founder and CEO Dale Peterson said Thursday in a blog post. One of those PLCs was running Linux on an x86 processor while another was running Windows CE on an ARM processor.

“This attack can be used not only to control the PLC but also to turn the PLC into an ‘agent’ to attack other devices in the network,” Ruben Santamarta, a security researcher from security firm IOActive, said Friday via email. Santamarta found vulnerabilities in industrial control systems in the past as part of Project Basecamp.

“We are aware of this security issue,” Edwin Schwellinger, support manager at 3S-Smart Software, said Friday via email. “A patch is under development but not released. We are working with high pressure on these issues.”

The vulnerability is only exploitable by an attacker who already has access to the network where the PLC runtime operates, Schwellinger said. Runtime systems should not be accessible from the Internet unless additional protection is in place, he said.

“Quite a few vulnerable CoDeSys systems are Internet-exposed,” Reid Wightman, who now works as a security consultant for IOActive, said Thursday on Twitter. “Some found via shodan [a search engine], some found via custom scanning.”

“No PLC should be accessible from the Internet ever,” Santamarta said. However, many networks are compromised via advanced persistent threats — malware that provides attackers with local network access — and in those cases the perimeter doesn’t matter anymore, he said.

“As much as possible, avoid exposing PLCs and PLC networks to public networks and the Internet,” Schwellinger said. Customers should use additional security layers like virtual private networks (VPNs) for remote access, should install firewalls and should restrict access to sensitive networks only to authorized people, he said.

“Anything related to the SCADA [supervisory control and data acquisition] environment is a serious matter,” said Luigi Auriemma, a security researcher at vulnerability research firm ReVuln who previously found and disclosed vulnerabilities in SCADA systems, via email Friday. “If you can control the PLC then you can control the infrastructure.”

For example, after infecting PLCs at Iran’s Natanz nuclear fuel enrichment plant, the Stuxnet malware altered their programming and destroyed around 1,000 uranium enrichment centrifuges. The attack is believed to have set back Iran’s nuclear program by up to two years.

Fortunately, there are some workarounds that vendors can implement in the absence of an official patch.

“The tools do not work on at least one of the vendor’s products, who chooses to remain anonymous,” Peterson said. “The vendor has a security development lifecycle (SDL) that included threat modeling. They identified the threat of uploading rogue ladder logic and other malicious files, saw that this was not addressed by the CoDeSys runtime, and added a ‘security envelope’ around the runtime. So basically the user, or attacker, is required to authenticate before he can gain access to the port the CoDeSys runs on.”

Meanwhile, users of the affected products can implement network segmentation, access control lists, firewalls and intrusion prevention systems, Santamarta said.
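
The access restrictions Schwellinger and Santamarta describe (only authorized engineering hosts may reach the runtime, and never from the Internet) can be checked after the fact against firewall or flow logs. The Python audit below is an added example, not Digital Bond’s scripts or 3S’s software; the flow records and PLC inventory are constructed, and the runtime port number is a placeholder because the article does not state it.

```python
"""Audit permitted flows to PLC runtime ports against an access policy (added example)."""
import ipaddress

# Assumptions for this example (replace with your own inventory): the TCP port the
# runtime listens on, and for each PLC the engineering workstations allowed to reach it.
RUNTIME_PORT = 1200  # PLACEHOLDER value; the article does not give the real port
PLC_ALLOWLIST = {
    "10.10.5.20": {"10.10.1.15"},
    "10.10.5.21": {"10.10.1.15", "10.10.1.16"},
}
# "Internal" here means RFC 1918 space; anything else is treated as Internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in the form "src dst dport action", one per line.
FLOW_LOG = """\
10.10.1.15 10.10.5.20 1200 ALLOW
10.10.1.16 10.10.5.20 1200 ALLOW
10.10.7.99 10.10.5.21 1200 ALLOW
203.0.113.45 10.10.5.21 1200 ALLOW
10.10.1.15 10.10.5.21 1200 ALLOW
192.168.50.3 10.10.5.20 502 ALLOW
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (src, dst, dport, action); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            src, dst, dport, action = parts
            yield src, dst, int(dport), action


def audit(flows, allowlist=PLC_ALLOWLIST, port=RUNTIME_PORT):
    """Return (severity, src, dst, reason) for permitted runtime-port flows that
    break the policy: non-internal sources are critical, unlisted internal sources high."""
    alerts = []
    for src, dst, dport, action in flows:
        if dst not in allowlist or dport != port or action == "DENY":
            continue  # not a permitted connection to a known PLC's runtime port
        if not is_internal(src):
            alerts.append(("critical", src, dst,
                           "runtime port reachable from a non-internal address"))
        elif src not in allowlist[dst]:
            alerts.append(("high", src, dst,
                           "source is not an allowlisted engineering workstation"))
    return alerts


def audit_log(text=FLOW_LOG):
    return audit(parse_flows(text))


if __name__ == "__main__":
    for severity, src, dst, reason in audit_log():
        print(f"[{severity}] {src} -> {dst}: {reason}")
```

Every alert here is a flow the firewall already allowed, so each one is a missing ACL or segmentation rule rather than a blocked attempt.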


Boarding pass barcodes ‘can be read by smartphones’

Friday, October 26th, 2012

A vulnerability in US domestic airline boarding pass barcodes could allow travellers to bring unauthorised items on board, says a security expert.

The codes reveal what kind of airport checks a passenger will face and can be read by smartphones, he says.

It could undermine the US’s PreCheck system which randomly decides which frequent fliers can skip part of the pre-boarding security process.

The barcodes could allow passengers to work out if they had been picked.

Selected travellers are able to avoid having to remove their shoes, jackets and belts. In addition they are allowed to leave their laptops and toiletries in their bags.

Unencrypted codes

The security information on the barcodes is only meant to be decoded by Transportation Security Administration (TSA) officers, so it was not thought to be a problem that PreCheck selected which users would get a less rigorous safety check in advance.

The fact that passengers can use their handsets to find out if they have been picked poses a problem, says Christopher Soghoian, principal technologist at the American Civil Liberties Union.

“The disclosure of this information means that bad guys are not going to be kept on their toes anymore,” he said.

The security issue was publicised by aviation blogger John Butler, but had been discussed in specialist online forums since last summer.

“The problem is, the passenger and flight information encoded in barcode is not encrypted in any way,” wrote Mr Butler.

“Using a website I decoded my boarding pass for my upcoming trip.

“It’s all there: PNR [passenger name record], seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA PreCheck information. The number means the number of beeps. 1 beep no PreCheck, 3 beeps yes PreCheck.”

The US Transportation Security Administration (TSA) did not respond to a BBC request for a statement, but has previously said: “TSA does not comment on specifics of the screening process, which contain measures both seen and unseen. In addition, TSA incorporates random and unpredictable security measures throughout the travelling process.”

Encryption issues

Mr Soghoian told the BBC that information about how to make sense of the boarding pass codes had been documented in the International Air Transport Association’s (IATA) implementation guide.

“Thousands of people have reported being able to get the information using their phones,” he added.

There are two ways to become eligible for the PreCheck system.

Passengers can pay $100 (£62) to the US customs agency which then performs a background check. If the passenger is approved it gives him or her the right to use all of the US airlines’ PreCheck systems for five years.

Frequent fliers could also be invited by an airline to use the system for free.

“You have to be in the system first before they let you to potentially be eligible to skip the standard line,” said Mr Soghoian.

“But if you scan the barcode, you can tell 24 hours before you get to the airport that you are not going to undergo a regular search.

“On some random occasion you’ll be sent to the other line anyway – and it was meant to keep terrorists on their toes – but not anymore.”

Security firm Sophos said the revelation was “very worrying”.

“No one should be able to tell in advance what level of security screening they will receive before an air flight,” said the firm’s senior technology consultant Graham Cluley.

“The risk is that potential attackers could determine in advance which of them is going to be given the weakest screening – and get them to attempt to carry an unauthorised item onboard.

“Potential attackers should not be given advance warning of the security measures they will be facing.”

Source: BBC

Microsoft has no plans for a second Windows 7 Service Pack

Thursday, October 25th, 2012

Waiting for a second Windows 7 Service Pack? Keep waiting – it doesn’t sound like Microsoft will be releasing one.

Sources close to Microsoft’s sustained engineering team, which builds and releases service packs, have told The Register there are no plans for a second Windows 7 SP – breaking precedent on the normal cycle of updating Windows.

Instead, Microsoft will keep updating Windows 7 using patches released each month until support for Windows 7 comes to an end. That date is currently slated for 24 months after the most current SP – that’s SP1, which was released in February 2011 – and would put end of life at January 2020.

The decision not to release a second service pack for Windows 7 comes just at the time when Microsoft would typically be preparing to release the pack.

People have been asking about SP2 since August.

SP2 for Windows XP rolled out nearly three years after the operating system’s release while the Windows Vista SP2 came just over two years later. With the Windows 7 OS having been released in October 2009, we are now at the trailing edge of the standard release window for SP2.

This means every update to Windows 7 since SP1 in February 2011 will need to be applied individually and – if you’ve been holding out – retrospectively.

Asked to comment, Microsoft said it didn’t have anything to say about Windows 7 SP2.

Service packs are a pain for Microsoft, because they divert engineers’ time and budget from building new versions of Windows. In this case, the anticipation for Windows 7’s SP2 comes around the same time as the launch of Windows 8, out later this week. Also, by ending SPs, Microsoft could be pushing customers towards the completely new Windows 8.

SPs are released to bundle up things like monthly updates and can include security and performance updates and support for new hardware. They span monthly updates released through Patch Tuesday; will wrap in fixes to apps like Office; and will impact software affecting the desktop, network and applications like the browser. A single SP means you can wrap up, test and rollout, and update – all in a single software release.

Without a SP you must manually keep up to date on monthly releases.

As Microsoft’s own Service Pack Center, here, advises: “Make sure you install the latest service pack to help keep Windows up to date.”

Aaron Suzuki, chief executive of desktop management and deployment specialist SmartDeploy, quantified the value of SPs – especially to organisations that run hundreds of thousands of desktops – saying: “The usefulness of a service pack is it lets you roll up that [updates and fixes] into a build for an operating system, so you can flip a switch and not worry about performing 50 to 80 updates that take up hundreds of megabytes.”

But IT solutions firm BDNA’s chief technology officer Walker White has a different opinion, and said organisations he has spoken to are satisfied with Windows 7 and felt the Windows 7 SP1 in February solved many problems.

Certainly, the Windows 7 SP1 didn’t go smoothly for Microsoft – in spite of the theory that SPs allow Redmond to wrap up months of releases into a single, digestible bundle.

SP1 saw users take to the forums to complain that the service pack was causing machines to boot with fatal errors, was deleting restore points before installing and had unleashed a reboot looping glitch. Microsoft said it was unable to pinpoint the cause of the problem.

Source: The Register

Android to beat Windows in 2016: Gartner

Thursday, October 25th, 2012

Google’s Android operating system will be used on more computing devices than Microsoft’s Windows within four years, data from research firm Gartner showed on Wednesday, underlining the massive shift in the technology sector.

At the end of 2016, there will be 2.3 billion computers, tablets and smartphones using Android software, compared with 2.28 billion Windows devices, Gartner data showed.

That compares to an expected 1.5 billion Windows devices by the end of this year, against 608 million using Android.

Android, which reached the market only in 2008, has risen fast to be the dominant smartphone platform, controlling two-thirds of that market. It has taken the No. 2 spot in the fast-growing tablet computer market.

The proliferation of the free software gives Google its edge on the search market – its key profit generator.

Worldwide shipments of personal computers fell by over 8 percent in the third quarter, the steepest decline since 2001, as more consumers flock to increasingly powerful tablets and smartphones for more basic computing.

Microsoft’s Windows has dominated the personal computer industry for decades, but the company has struggled to keep up with shift to wireless, and in smartphones its market share is around 3 percent.

Source: Reuters

Internet architects mull changes to fight SSL-busting CRIME attacks

Friday, October 19th, 2012

IETF proposes change to long-standing practice of compressing encrypted data.

Engineers who help oversee Internet standards are proposing changes to long-standing website practices in order to guard against a new attack that exposes user login credentials even when they are transmitted through encrypted channels.

The tentative recommendations are included in a draft document filed earlier this week with the IETF, or Internet Engineering Task Force. It is among the first technical documents to grapple with an attack unveiled last month that allowed white hat hackers to decrypt the contents of encrypted session cookies used to log in to user accounts on,, and other sites. (The sites took measures to block the exploit after researchers Juliano Rizzo and Thai Duong gave them advance notice of their exploit.) Short for Compression Ratio Info-leak Made Easy, CRIME provided a reliable and repeatable means for attackers to defeat the widely used secure sockets layer and transport layer security protocols. Together, they form the basis of virtually all encryption between websites and end users.

CRIME is able to deduce the contents of encrypted communications that use data compression to reduce the amount of time it takes to move packets from one point to another. By injecting different pieces of known data into a compressed SSL data stream over and over and then comparing the number of bytes each time, attackers can use the method to deduce the encrypted contents character by character. The method worked against protected Web communications that used TLS compression or SPDY, an open networking protocol developed by Google engineers.

“It is RECOMMENDED to disable compression when communications are not trivial, unless traffic increase is considerable,” IETF members B. Kihara and K. Shimizu wrote in the draft, which was billed as a “work in progress.” “If data are confidential and other mitigations are inapplicable, compression MUST be disabled, especially when the compression is applied in the lower layer like TLS compression.”

When compressing whole data in the same context is unavoidable, the draft continued, encryption schemes must insert random paddings to prevent disclosure of the original size of the compressed data. “Note that this mitigation cannot prevent attackers from guessing secrets by statistical approaches,” the authors continued. The ineffectiveness of padding wasn’t lost on other cryptographers. “Adding random padding to hide the length of compressed/encrypted data is like setting your Prius on fire because it doesn’t pollute enough,” Johns Hopkins University professor Matthew Green said in a Twitter dispatch. Marsh Ray, a software developer with two-factor authentication provider PhoneFactor, replied: “Or like adding noise to electric cars so hearing impaired people can cross the street?”
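
To show concretely what the draft is mitigating, and why it warns that padding cannot stop statistical guessing, here is an added Python illustration (not from the draft, Rizzo and Duong, or the people quoted) that uses zlib in place of TLS compression on a constructed HTTP request. The compressed record is one byte shorter exactly when the attacker-influenced path ends with the correct next character of the cookie; random padding hides that for a single observation but not for the average over many. The request text, cookie value and padding range are this example's assumptions.

```python
"""Compression length side-channel behind CRIME, and the limits of padding (added example)."""
import random
import zlib

# Constructed data: the cookie is the secret; the path is the part the attacker influences.
SECRET_COOKIE = "sessionid=q7F3k"
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_request(attacker_path):
    """A request as TLS/SPDY compression sees it: attacker input and secret in one stream."""
    return (f"GET /{attacker_path} HTTP/1.1\r\n"
            f"Host: example.invalid\r\n"
            f"Cookie: {SECRET_COOKIE}\r\n\r\n").encode()


def compressed_len(data, padding=0):
    """Observable record length; `padding` bytes model the draft's random-padding mitigation."""
    return len(zlib.compress(data)) + padding


def leak_score(guess, known="sessionid=q7F3"):
    """Compressed length when the path ends with known+guess. Only the correct guess
    lengthens the back-reference to the cookie by one byte, saving one literal."""
    return compressed_len(build_request(known + guess))


def best_guess(known="sessionid=q7F3", alphabet=ALPHABET):
    """The character that compresses best is the next character of the secret."""
    return min(alphabet, key=lambda c: leak_score(c, known))


def padded_mean(guess, samples=200, max_pad=7, seed=None, known="sessionid=q7F3"):
    """Mean observed length with 0..max_pad random padding bytes per record.
    One observation is ambiguous, but uniform noise averages out over many,
    which is the draft's point that padding does not defeat statistical approaches."""
    rng = random.Random(ord(guess) if seed is None else seed)
    data = build_request(known + guess)
    return sum(compressed_len(data, rng.randint(0, max_pad)) for _ in range(samples)) / samples


if __name__ == "__main__":
    print("correct 'k':", leak_score("k"), "wrong 'x':", leak_score("x"))
    print("recovered next character:", best_guess())
    print("padded means: k =", padded_mean("k"), " x =", padded_mean("x"))
```

Disabling compression for confidential data, the draft's primary recommendation, removes the signal entirely; padding merely adds noise to it.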

This week’s draft will expire in the middle of April and could be updated, replaced, or obsoleted by other documents at any time.


Researchers visit the 19th Century, bring back wireless data center

Friday, October 12th, 2012

Researchers at Cornell University and Microsoft have cooked up a recipe for a wireless data center. That’s right, an entire data center that shuttles information among thousands of machines using not cables but thin air. The design throws out traditional switches and networking cables, but it also borrows from a very unusual source: the 19th century mathematician Arthur Cayley.

It turns out that Cayley’s 1889 paper, On the Theory of Groups, gave the researchers a mathematical model for figuring out how to best connect their servers into a wireless network that could keep on chugging even if some of the servers failed.

In a research paper, set to be presented at a technical conference in Austin, Texas, later this month, the researchers talk about ways that 60GHz wireless devices could be tweaked to pump out very high-bandwidth flows of data between the different servers.

The paper is important because the big web companies — including Google and Facebook — are already stretching the limits of how quickly they can pump large amounts of information across their data centers. These companies are exploring new ways of transmitting data using optical wire lines, but their problems could also be solved with a wireless data center like the one proposed by Cornell.

Cornell’s proposal could also significantly reduce power and cost in the data center — another concern for the giants of the web and many other companies.

The paper seeks to solve these problems with a new type of hardware. It doesn’t deal with ordinary servers and ordinary boxy server racks. Cylindrical racks would house pie-shaped servers, and this would facilitate communication not only within the rack but with outside racks as well.

But the real trick is figuring out a way to keep the whole thing running when servers on the rack fail. And that’s where Cayley’s 120-year-old graph theory comes into play.

“Cayley’s responsible for showing that we have very strong connectivity,” says Hakim Weatherspoon, a professor with Cornell University who co-authored the paper. “So our wireless center can tolerate a very high level of server failure.”

They call their creation the Cayley data center. It hasn’t been built yet, but if it does get funded, Weatherspoon believes that it will keep on working until 14 percent of the racks or 59 percent of the server nodes fail.

Networking companies have been working on 60GHz networking products for a few years now. These 60GHz transceivers operate at a much higher frequency than the Wi-Fi network you use at home. That means they’re speedier, but without the same range. By using a cylindrical rack design and reworking networking protocols, the Cayley researchers think they can cut down on outside interference and keep data pumping at about 10 gigabits per second. That’s remarkable, considering that 60GHz devices are supposed to operate in the 2- to 7-gigabits-per-second range.

Instead of engaging in the back-and-forth communication chitchat you’d see in a typical wireless device, one Cayley server would connect with another, and then blast data, firehose-style, to another, before signing off and waiting to receive information. Servers would talk to other machines within the rack using a transceiver on top of the pie-shaped servers, and they’d reach out to other racks using a second transceiver on the back. So each server would be able to route data to the small number of other servers that it is set up to communicate with. That means every server is a kind of mini-switch — called a Y-switch — and none of the server racks need traditional networking switches for communications.

Because the Y-switch is based on cutting-edge technology, it will cost more than a typical networking card at first, but without the switching and cabling costs, Weatherspoon believes that his data centers will use less power and cost much less to connect.

They’ve already done some initial tests to see if the wireless interference would prevent the Cayley data center from working. Apparently, it won’t. And if they can get tech companies like Intel or Microsoft interested in sponsoring further work, they could build prototypes. “We think that it is attractive enough to maybe have some companies go a little bit further than what we’ve done,” Weatherspoon says.

Source: Wired

New security threat at work: Bring-your-own-network

Thursday, October 11th, 2012

Even as IT pros wrestle with the bring-your-own-device (BYOD) trend, corporate security is being further complicated by another emerging trend: bring your own network (BYON).

BYON is a by-product of increasingly common technology that allows users to create their own mobile networks, usually through mobile wireless hotspots. Security professionals say BYON requires a new approach to security because some internal networks may now be as insecure as consumer devices.

Jim Kunick, an attorney with the Chicago law firm Much Shelist, said BYON represents a more dangerous threat to data security than employees who bring their own smartphones or tablets into the office. “The network thing blows this up completely, because it takes the data out of the network the company protects,” he said. “There’s no way to ensure the security of that data. People are running corporate apps and processing corporate and client data using networks that may or may not be secure.

“I mean, no one is sure the Boingo network is secure,” he said.

Kunick, an intellectual property attorney, said BYON is cropping up in start-ups, particularly at software development firms and entities that rely on cloud services.

“[BYON] allows people to run applications in three different cloud-based environments at one time because they’re on their own network, they’re on a network that they contracted with and they’re on the corporate network,” he said.

Initially, BYON should be seen as a policy issue where a company sets rules that ban employees from running private networks. Employees who use hotspots also have contracts with network service providers, he said, and they need to understand how data on that network may be used or further disclosed.

“In any major corporation, I’d assume they control [access] by means of a firewall. And, I have a medical device client [corporation] that encrypts all of their corporate data so you can’t even bring your own device into the company,” Kunick said. “You have to use a laptop that they provide. So it’s without question that you can’t bring your own network in.”

Ted Schadler, a vice president and principal analyst at Forrester Research, said there are even some companies that ask wireless service providers to move their towers.

“I’m aware of certain companies, such as large call centers, asking AT&T and Verizon to move their cell towers from around their buildings because they’re so concerned about unsupervised workers,” he said. “It just exacerbates the challenges.”

Schadler, who spoke at the Consumerization of IT in the Enterprise (CITE) Conference in New York City this week, said that in terms of physical security, there is little companies can do to avert data being shared over hotspot network links.

Steve Damadeo, IT Operations Manager at Festo Corp., a producer of pneumatic and electric drive technology, said his first approach with employees who want to use personal technology at work is to educate them. “We try to spend a lot of time talking to employees about why it’s important to make sure when you’re inside our environment that you’re using corporate secure resources,” he said.

Festo hasn’t used wireless jamming or blocking technology because it is trying to keep wireless communications as open as possible.

Like many enterprises, Festo has multiple secure wireless networks, three of which its employees can access. The company’s primary wireless network is used for access to internal systems and data via authorized mobile devices; users of it are managed via custom-built mobile device management software.

A second network is offered to employees who want connectivity to the World Wide Web via their own mobile devices; that one allows access through a VPN. “We’ve not enabled full BYOD within the company, so at this point we’re able to provide VPN capabilities to them,” Damadeo said.

The third wireless network is for guests, and it is made available on a rotating encryption/key basis for visitors.

One other method of controlling how employees use wireless communications is to have them sign contracts, so that they understand they, too, are responsible for any lost data, Schadler said.

They’re “basically requiring employees sign their life away and indemnify the company against damages, and that makes them think twice,” he said.


Confirmed: Apple-owned fingerprint software exposes Windows passwords

Tuesday, October 9th, 2012

Security consultants have independently confirmed a serious security weakness that makes it trivial for hackers with physical control of many computers sold by Dell, Acer, and at least 14 other manufacturers to quickly recover Windows account passwords.

The vulnerability is contained in multiple versions of fingerprint-reading software known as UPEK Protector Suite. In July, Apple paid $356 million to buy Authentec, the Melbourne, Florida-based company that acquired the technology from privately held UPEK in 2010. The weakness came to light no later than September, but Apple has yet to acknowledge it or warn end users how to work around it. No one has accused Apple of being responsible for the underlying design of fingerprint-reading software.

The UPEK software has long been marketed as a secure means for logging into Windows computers using an owner’s unique fingerprint, instead of a user-memorized password. Last month, Elcomsoft, a Russia-based developer of password-cracking software, warned that the software makes users less secure than they otherwise would be because it stores Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve. It takes only seconds for people with the key to extract a password, company officials said. They withheld technical details to prevent the vulnerability from being widely exploited.

Now, a pair of security consultants say they have independently verified the vulnerability and released open-source software that makes it easy to exploit it. Easily decrypted passwords are stored in one of several registry keys located in HKEY_LOCAL_MACHINE\Software\Virtual Token\Passport\, depending on the application version. The duo said they released the software and additional information so that penetration testers, who are paid to penetrate the defenses of their customers, can exploit the weakness.

“From a penetration testing perspective, local administrator access is required to obtain the necessary registry key’s value, so it only matters if you already have control of the PC,” Brandon Wilson, one of the security consultants, told Ars. “But since so many of these devices are used in corporate environments, it makes it easy to obtain domain credentials, and from there, easily expand an attack to other systems.”

When Protector Suite isn’t activated, Windows doesn’t store account passwords in the registry unless users have specifically configured an account to automatically log in. Security experts have long counseled people not to use automatic log in. Disabling Windows login functionality from within Protector Suite will not remove the password from the registry key, the penetration testers confirmed. If the “passport” for that user is deleted from within the application, the password is also deleted. When uninstalling the application, an option is presented to the user to also delete the passport data. If left, the password remains, and if removed, the password is deleted, Wilson said.
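A read-only audit a Windows administrator could run (elevated, since the article notes the key needs local administrator access) to check whether a machine still holds Protector Suite passport data or the Windows auto-logon password discussed above. This is an added example, not code from Ars, Wilson or Caudill; it assumes the Passport key path quoted in the article and additionally checks the WOW6432Node path to which 32-bit software is redirected on 64-bit Windows. It reports presence only and decrypts nothing.

```powershell
# Added audit script, not part of the article or of UPEK's software. Read-only:
# it reports whether the registry locations hold data; it never decrypts anything.
# Assumption: the Passport key path quoted in the article, plus its WOW6432Node
# redirection for 32-bit software on 64-bit Windows.
$passportPaths = @(
    'HKLM:\SOFTWARE\Virtual Token\Passport',
    'HKLM:\SOFTWARE\WOW6432Node\Virtual Token\Passport'
)

function Test-ProtectorSuitePassport {
    $findings = @()
    foreach ($path in $passportPaths) {
        if (Test-Path -Path $path) {
            # The article says the exact subkey differs by application version,
            # so count everything beneath the Passport key rather than one name.
            $subkeys = @(Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue)
            $findings += [pscustomobject]@{
                Check  = 'UPEK passport data'
                Path   = $path
                Found  = $true
                Detail = "$($subkeys.Count) subkey(s) present; delete the passport in Protector Suite or choose to remove passport data at uninstall"
            }
        }
    }
    if ($findings.Count -eq 0) {
        $findings += [pscustomobject]@{
            Check  = 'UPEK passport data'
            Path   = ($passportPaths -join '; ')
            Found  = $false
            Detail = 'no Passport key on this machine'
        }
    }
    return $findings
}

function Test-AutoLogon {
    # Windows' own automatic logon keeps DefaultPassword under Winlogon when
    # AutoAdminLogon is "1"; the article notes experts advise against it.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    $enabled = ($props.AutoAdminLogon -eq '1')
    $hasPassword = (-not [string]::IsNullOrEmpty($props.DefaultPassword))
    [pscustomobject]@{
        Check  = 'Windows auto-logon'
        Path   = $winlogon
        Found  = ($enabled -or $hasPassword)
        Detail = "AutoAdminLogon=$($props.AutoAdminLogon); DefaultPassword set: $hasPassword"
    }
}

# Any row with Found = True means a password is sitting in the registry on this host.
@(Test-ProtectorSuitePassport) + @(Test-AutoLogon) | Format-Table -AutoSize
```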

According to Wilson, every version of the software labeled “UPEK Protector Suite” that he and fellow penetration tester Adam Caudill have analyzed has tested positive for the vulnerability. In addition to Dell and Acer, other PC makers that preinstall the software include Amoi, Asus, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony, and Toshiba. UPEK Protector Suite is also rebranded by Lenovo as ThinkVantage Fingerprint Software, Wilson said.

Given the claims made in the UPEK software that it’s a safe alternative to account logins, it’s surprising there has been no recall or an advisory warning of the vulnerability. Representatives from Apple and Authentec didn’t respond to an e-mail seeking comment for this brief.


Cybercriminals plot massive banking Trojan attack

Friday, October 5th, 2012

Gang plans to use sophisticated malware to initiate illegal wire transfers, RSA says

An international gang of cyber crooks is plotting a major campaign to steal money from the online accounts of thousands of consumers at 30 or more major U.S. banks, security firm RSA warned.

In an advisory Thursday, RSA said it has information suggesting the gang plans to unleash a little-known Trojan program to infiltrate computers belonging to U.S. banking customers and to use the hijacked machines to initiate fraudulent wire transfers from their accounts.

If successful, the effort could turn out to be one of the largest organized banking-Trojan operations to date, Mor Ahuvia, cybercrime communications specialist with RSA’s FraudAction team, said today. The gang is now recruiting about 100 botmasters, each of whom would be responsible for carrying out Trojan attacks against U.S. banking customers in return for a share of the loot, she said.

Each botmaster will be backed by an “investor” who will provide money to buy the hardware and software needed for the attacks, Ahuvia said.

“This is the first time we are seeing a financially motivated cyber crime operation being orchestrated at this scale,” Ahuvia said. “We have seen DDoS attacks and hacking before. But we have never seen it being organized at this scale.”

RSA’s warning comes at a time when U.S. banks are already on high alert. Over the past two weeks, the online operations of several major banks, including JP Morgan Chase, Bank of America, Citigroup and Wells Fargo were disrupted by what appeared to be coordinated denial-of-service attacks.

A little-known group called “Cyber fighters of Izz ad-din Al qassam” claimed credit for the attacks, but some security experts think a nation may have been behind the campaign because of the scale and organized nature of the attacks.

In mid-September, the Financial Services Information Sharing and Analysis Center (FS-ISAC) warned banks to be on guard against cyberattackers seeking to steal employee network login credentials to conduct extensive wire transfer fraud. Specifically, the alert warned banks to watch out for hackers using spam, phishing emails, Remote Access Trojans and keystroke loggers to try and pry loose bank employee usernames and passwords.

FS-ISAC also noted that the FBI had seen a new trend where cyber criminals use stolen bank employee credentials to transfer hundreds of thousands of dollars from customer accounts to overseas locations.

Over the past few years, cyber crooks have siphoned off millions of dollars from small businesses, school districts and local governments by stealing online usernames and passwords and using those credentials to make the transfers.

The latest discussion suggests that they now have individual consumer accounts in their crosshairs, Ahuvia said, warning that the gang plans to attempt to infiltrate computers in the U.S. with a little-known Trojan malware program called Gozi Prinimalka.

The malware is an updated version of a much older banking Trojan, Gozi, which was used by cyber criminals to steal millions of dollars from U.S. banks. The group’s plan apparently is to plant the Trojan program on numerous websites and to infect computers when users visit those sites.

The Trojan is triggered when the user of an infected computer types out certain words — such as the name of a specific bank — into a URL string.

Unlike the original Gozi, the new version is capable not only of communicating with a central command-and-control server but also of duplicating the victim’s PC settings. The Trojan essentially supports a virtual machine cloning feature that can duplicate the infected PC’s screen resolution, cookies, time zone, browser type and version, and other settings. That allows the attacker to access a victim’s bank website using a computer that appears to have the infected PC’s real IP address and other settings, Ahuvia said.

“Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website,” she said in her alert.

Victims of fraudulent wire transfers will not immediately know of the theft because the gang plans on using VoIP flooding software to prevent victims from getting bank notifications on their mobile devices, she added.

Consumers need to ensure that their browsers are properly updated to protect against drive-by downloads, she said. They also need to watch for any suspicious behavior or transactions on their accounts.

RSA has also notified U.S. law enforcement and its own FraudAction Global Blocking Network about the threat, she said. Banks, meanwhile, should consider implementing stronger authentication procedures and anomaly detection tools for spotting unusual wire transfers.


Major banks hit with biggest cyberattacks in history

Monday, October 1st, 2012

There’s a good chance your bank’s website was attacked over the past week.

Since Sept. 19, the websites of Bank of America (BAC, Fortune 500), JPMorgan Chase (JPM, Fortune 500), Wells Fargo (WFC, Fortune 500), U.S. Bank (USB, Fortune 500) and PNC Bank have all suffered day-long slowdowns and been sporadically unreachable for many customers. The attackers, who took aim at Bank of America first, went after their targets in sequence. Thursday’s victim, PNC’s website, was inaccessible at the time this article was published.

Security experts say the outages stem from one of the biggest cyberattacks they’ve ever seen. These “denial of service” attacks — huge amounts of traffic directed at a website to make it crash — were the largest ever recorded by a wide margin, according to two researchers.

Banks get hit by cyberattackers all the time and typically have some of the best defenses against them. This time, they were outgunned.

“The volume of traffic sent to these sites is frankly unprecedented,” said Dmitri Alperovitch, co-founder of CrowdStrike, a security firm that has been investigating the attacks. “It’s 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack.”

To carry out the cyberattacks, the attackers got hold of thousands of high-powered application servers and pointed them all at the targeted banks. That overwhelmed Bank of America and Chase’s Web servers on Sept. 19, Wells Fargo and U.S. Bank on Wednesday and PNC on Thursday. Fred Solomon, a spokesman for PNC, confirmed that a high volume of traffic on Thursday was affecting users’ ability to access the website, but he declined to go into more detail.

Denial of service attacks are an effective but unsophisticated tool that doesn’t involve any actual hacking. No data was stolen from the banks, and their transactional systems — like their ATM networks — remained unaffected. The aim of the attacks was simply to temporarily knock down the banks’ public-facing websites.

To get hold of all the servers necessary to launch such huge attacks, the organizers needed to plan for months, Alperovitch said. The servers had to be compromised and linked together into a network called a “botnet.”

That level of pre-planning is a deviation from the kinds of denial of service attacks launched at banks in the past by so-called “hacktivists.” Typically, hacktivists use home PCs infected with malware to amass their botnets. Attacks on this scale would be impossible to carry out with home PCs — users too frequently turn them off or disconnect them from the Internet.

The Islamist group Izz ad-Din al-Qassam Cyber Fighters publicly claimed responsibility for the attacks in what it called “Operation Ababil,” but researchers are divided about how seriously to take their claims. The group has launched attacks in the past, but those have been far less coordinated than the recent batch.

Sen. Joe Lieberman, an Independent from Connecticut, said in a C-SPAN interview on Wednesday that he believed the attacks were launched by Iran.

“I don’t believe these were just hackers who were skilled enough to cause disruption of the websites,” he said. “I think this was done by Iran … and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”

A call requesting comment from the Department of Homeland Security’s cybersecurity office was not immediately returned.

A cybersecurity firm following the attacks also expressed doubt about the connections between the Cyber Fighters and the bank attacks. On social networks and chat forums, the group urged its followers to use a mobile “low orbit ion cannon” — a software tool typically used by Anonymous and other hacktivist groups to direct a massive flood of traffic at a targeted site.

That tool was not used in the attack, according to Ronen Kenig, director of security products at network security firm Radware.

“Supporters of this group didn’t join in the attack at all, or they joined in but didn’t use that tool,” said Kenig. “The attack used a botnet instead.” He doesn’t think the Cyber Fighters would have access to a botnet as advanced as the one used by the attackers.

But CrowdStrike’s Alperovitch said he is “quite confident” the perpetrator was the Izz ad-Din al-Qassam Cyber Fighters, since they announced each attack well before it was carried out, and the attack wasn’t that sophisticated — it just took significant planning. PNC was the last target on the lists the Cyber Fighters have circulated, but more attacks could still be coming.

Both researchers agree that the controversial anti-Muslim YouTube video was not the initial impetus for the attacks, as the Cyber Fighters claimed in messages recruiting volunteers to join in. Before the video was even released, the group claimed responsibility for similar attacks.

“The video is simply an excuse,” Alperovitch said. “It’s a red herring.”

Source: CNN

Yet another Java flaw allows “complete” bypass of security sandbox

Monday, October 1st, 2012

Flaw in last three Java versions, 8 years’ worth, puts a billion users at risk.

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years’ worth of Java software.

“The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7,” Adam Gowdiak of Security Explorations wrote, claiming the hole puts “one billion users” at risk.

Gowdiak wrote that Security Explorations successfully pulled off the exploit on a fully patched Windows 7 32-bit computer in Firefox, Chrome, Internet Explorer, Opera, and Safari. Although testing was limited to Windows 7 32-bit, Gowdiak told Computerworld that the flaw would be exploitable on any machine with Java 5, 6, or 7 enabled (whether it’s Windows 7 64-bit, Mac OS X, Linux, or Solaris).

The bug lets attackers violate the “type safety” security system in the Java Virtual Machine. “A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a Web browser application,” Gowdiak told Computerworld. “An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.”

Gowdiak and his team have found a total of 50 Java flaws. While this latest one apparently isn’t being exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability.

Gowdiak reported today that he provided Oracle with a technical description of the latest flaw, as well as “source and binary codes of our Proof of Concept code demonstrating a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7.”

We asked Oracle for comment this afternoon and have not heard back yet.


FCC to buy out TV broadcasters to free up mobile spectrum

Monday, October 1st, 2012

Over the last decade, it has become increasingly obvious that America’s spectrum resources are mis-allocated. The proliferation of cell phones, and more recently smartphones and tablets, has given mobile providers a voracious appetite for new spectrum. But a big chunk of the available spectrum is currently occupied by broadcast television stations. With more and more households subscribed to cable, satellite, and Internet video services, traditional broadcast television is looking like an increasingly outmoded use of the scarce and valuable airwaves.

Yet there’s no easy way to re-allocate the spectrum to higher-valued uses. Theoretically, broadcasters’ licenses are subject to periodic renewal by the Federal Communications Commission. But incumbent broadcasters have controlled their channels for so long that they’ve come to be regarded as de facto property rights. And needless to say, the politically powerful broadcasters have fiercely resisted any efforts to force them to relinquish their spectrum.

In February, Congress passed legislation instructing the Federal Communications Commission to tackle this problem using a strategy called “incentive auctions.” The commission began the formal rule-making process for the scheme on Friday.

Step 3: profit!

The plan has three phases. In the first phase, the FCC will conduct a reverse auction in which it asks broadcasters to tell the FCC how much it would take for the agency to buy them out. Presumably, the least popular (and, therefore, least profitable) channels will submit the lowest bids. By accepting these low bids, the FCC can free up the maximum possible spectrum at the minimum cost.

Second, the FCC will re-arrange the remaining broadcasters so they’re clustered together in the electromagnetic spectrum. That will free up contiguous blocks of spectrum that can be put to alternative uses.

Finally, the commission will put the newly-freed blocks of spectrum up for auction. If, as expected, the spectrum is more valuable when used for mobile services than broadcast television, then the FCC should reap significantly more from these traditional auctions than it had to pay for the spectrum in the original reverse auctions, producing a tidy profit for taxpayers.

While the broad structure of the program has been dictated by Congress, the FCC is seeking public input on the details. How should the auctions be conducted? Which broadcast stations should be eligible to participate? How should the spectrum assignments be re-arranged in phase 2? How much spectrum should be set aside for unlicensed uses?

Both public interest and industry groups praised the FCC’s initial proposal. John Bergmayer of Public Knowledge pointed out that many broadcast channels were already being viewed primarily via re-broadcast on cable and satellite networks. “It makes little sense to waste spectrum on unwatched signals,” he argued in an emailed statement. “The incentive auction approach strikes an appropriate balance by allowing some broadcasters to ‘cash out’ while putting their spectrum to better use.” And he expressed support for the FCC’s proposal to set aside some of the newly-liberated spectrum for unlicensed uses.

Bergmayer also praised an FCC proposal to update its “spectrum screen,” a set of rules that prevent any single provider from gaining too large a share of the spectrum available in a particular market. The current scheme, he said, “treats all spectrum alike, even though some spectrum bands are better-suited to mobile broadband than others.” As a result, he argued, it has become ineffective at preventing Verizon and AT&T from gaining enough spectrum to threaten competition. He urged the FCC to revise the rules to ensure the new auctions don’t further entrench the dominance of the largest incumbents.

The proposal also won plaudits from the Consumer Electronics Association. “Additional spectrum is not only key to our national competitiveness, but also needed for creating jobs and spurring economic growth,” said the CEA’s Julie Kearney. She called it a “great step forward toward unleashing countless innovative products and services.”