Wayc0de's Blog


12/11/11

Anonymous and LulzSec trawl Google Code search for security holes

Exotically named hacking tools such as Low Orbit Ion Cannon and #RefRef have garnered plenty of headlines over the last few months, but a new report suggests that the world's favourite search engine might be an equally important weapon in the arsenal of cyber-criminals and hacktivists.

The report explains how a simple search on Google Code is all that's needed to uncover a wealth of information that can be used to break into websites, cloud-based services and secure networks.

Google's Code Search is a tool that makes it easy for those with technical know-how to search the vast amount of computer code that is publicly available online.

Researchers from IT security consultancy Stach & Liu report that hacking groups such as Anonymous and LulzSec are using Google Code Search for a number of nefarious activities.

With a few well-crafted searches they can uncover passwords for cloud services, configuration files for Virtual Private Networks and code that is vulnerable to common website hacking tactics such as SQL injection.

While the findings provide a much-needed wake up call to online businesses, admins and developers, they also offer a fascinating insight into the motivation of hacking collectives such as Anonymous and LulzSec.

According to Stach & Liu, 'Google Hacking', as the technique is known, is believed to be Anonymous and LulzSec's primary means of identifying potential targets.
Rather than being motivated by politics or injustice, hacking groups may simply be targeting organisations because Google Code search has turned up a vulnerability too tempting to ignore, making them less political action groups, more malicious 21st century Wombles.

So what can online businesses do to protect themselves from these online, evil Uncle Bulgarias?

The first line of defence is to make sure that developers are following established best practice and that executives are creating a culture where best practice is encouraged and supported. Including passwords in code has always been a bad idea and techniques to prevent and detect SQL injection vulnerabilities are well established.

Businesses should also prepare so that if they are successfully attacked after a data leak they don't lose their shirt. Data stored in the cloud can be rendered useless to attackers by the simple expedient of encrypting it.

Stach & Liu warn that businesses using cloud services should also take a close look at the small print; many cloud service providers state that they don't accept responsibility for leaks.

For more on this, take a look at Stach & Liu's Pulp Google Hacking presentation.

06/10/11

Researchers Analyzing Attack Patterns With Cloud-Based Malware Data

BARCELONA--Successful targeted attacks against companies such as RSA, Google and others have made huge splashes in the news in the last year or two and drawn a lot of attention to the phenomenon. But it's not just the successful attacks that are interesting, security researchers say. In many cases, the failures contain the really useful data.

Many of the known successful attacks against large enterprises that have occurred in the last couple of years have involved specially crafted email messages sent to a small subset of the organization's employees. The attack on RSA earlier this year, for example, involved an email sent to just a handful of people inside the company and it contained a malicious XLS attachment that had a Flash object embedded in it. One employee opened the attachment and the Flash object then exploited a previously unknown vulnerability and installed some malware on the user's machine and then it was game over.

It's rare to get many details about these kinds of attacks, even well after the fact, as victimized companies are reluctant to share the data for fear of looking inept. So security researchers are beginning to rely more and more on the data that they can gather from the targeted attack attempts they see that are not successful. Martin Lee of Symantec said in a talk at the Virus Bulletin conference here that this kind of intelligence can prove invaluable in finding trends and attack patterns.

The company's cloud-based antimalware service sees about 500,000 malware-infected emails per day and of those, about one in every 5,000 turns out to be a specifically targeted attack. By looking at the kinds of organizations that are being targeted, the industries that they're in and other data such as geographic location, Lee said it's possible to identify some interesting patterns.

"We can come up with guesses as to who's next. It's an interesting question to think about," Lee said. "What tends to get overlooked is the attacks that weren't successful and were identified. Once you start pulling the data together, you can analyze it topologically and see what's going on."

Although targeted attacks are often in the news these days and garner a lot of attention, Lee said that it's still just a small percentage of the company's customers that get hit by such attacks on a regular basis. About three percent of the customers are constantly under targeted attacks and some see at least one such attempt every day. Many others, meanwhile, likely see just a few attacks like that each year.

The data provides some interesting insights, Lee said, but it also raises some questions that aren't necessarily answerable right now.

"It's not clear what their business model is with these attacks," he said. "We don't necessarily know how they're making money off of this."

05/10/11

Google shells out $10,000 to fix 10 high-risk Chrome browser flaws

Summary: The new Google Chrome version 14.0.835.202 also contains Adobe Flash Player 11, a software update that includes several security and privacy goodies.

Google has shipped another Chrome browser update with fixes for several “high-risk” security vulnerabilities that expose Windows, Mac OS X and Linux users to malicious hacker attacks.

The new Google Chrome version 14.0.835.202 also contains Adobe Flash Player 11, a software update that includes several security and privacy goodies.

As part of its bug bounty program, Google spent about $10,000 to buy the rights to the vulnerability information from security researchers.

Details on the vulnerabilities:
  • [$1000] High CVE-2011-2876: Use-after-free in text line box handling. Credit to miaubiz.
  • [$1000] High CVE-2011-2877: Stale font in SVG text handling. Credit to miaubiz.
  • [$2000] High CVE-2011-2878: Inappropriate cross-origin access to the window prototype. Credit to Sergey Glazunov.
  • [96150] High CVE-2011-2879: Lifetime and threading issues in audio node handling. Credit to Google Chrome Security Team (Inferno).
  • [$4500] High CVE-2011-2880: Use-after-free in the v8 bindings. Credit to Sergey Glazunov.
  • [$1500] High CVE-2011-2881: Memory corruption with v8 hidden objects. Credit to Sergey Glazunov.
  • [98089] Critical CVE-2011-3873: Memory corruption in shader translator. Credit to Zhenyao Mo of the Chromium development community.
This latest Chrome patch is being delivered via the browser’s silent update mechanism.

04/10/11

Google Pushes Update For Chrome to Fix Faulty Microsoft Malware Detection

Google has pushed out an update for its Chrome browser that fixes a problem caused by the incident last week in which Microsoft Security Essentials mistakenly detected the browser as the Zeus bot and removed it from some machines. The update should automatically fix any damaged Chrome installations.

The problem was caused by an erroneous update in the Microsoft Security Essentials antimalware tool that on Friday began detecting the Chrome file as a piece of malware called "PWS:Win32/Zbot", which is another name for the Zeus bot, the infamous banking Trojan that has been wreaking havoc for several years. Users immediately began noticing the problem and Microsoft pushed out an emergency update to the antimalware suite to fix the issue on their end.

But some users still had problems and couldn't get Chrome to work again, even after it was reinstalled. So Google has released an update for the browser that will repair it. The company said that if the browser is running fine on your PC, then there's no need to take any further actions. The new update to Chrome should prevent users from having to uninstall and reinstall Chrome themselves.

There's more information on the new updates on the Google Chrome Releases blog. The company also has step-by-step instructions for users who need to know how to manually uninstall and reinstall the browser.

02/10/11

Google's Picasa and Yahoo! Groups used to spread spam

One of the most effective techniques anti-spam products have to block spam messages from reaching your inbox is reputation filtering.

Yes, to a degree, anti-spam solutions may still look for v1@gr@ and Mrs. Gaddafi offering you $40 million, but the biggest bang for your buck comes from reputation.
What do you do if you are a spammer? Figure out a way to get a legitimate mail provider to deliver your messages for you...
Picasa Web Albums spam

Here is an example. You can see I have received six emails, all from "Picasa Web Albums" offering me some very spammy subjects. How do they do this? They are simply creating bogus accounts on Google Picasa, uploading a photo of their product, then "sharing" this photo with a personalized spammy message.

Even worse is the abuse of Yahoo! Groups. It has been standard practice for many years that mailing lists require you to confirm you want to subscribe.
Yahoo! Groups seems to have a mechanism built for the convenience of spammers, the ability to add anyone to a group without their permission. Here is an example invitation from a spammer:

Yahoo! Groups spam invitation

Upon receiving something like this you might think you could safely ignore it and not be subscribed. Instead when you read the fine print it explains you are already subscribed to this group and you have to opt-out to not receive messages.
Every time the spammer wants to reach you he can now depend on Yahoo! to send his message, digitally sign it with DKIM, have valid SPF records and successfully evade reputation-based spam filters.

Yahoo! Groups spam messages

I'm not sure what Yahoo! or Google were thinking when they created systems that allow people to arbitrarily use their email systems to spam people, without any confirmation that the recipient is interested in communicating with the sender.
You can opt-out of receiving these messages, but you shouldn't have to. To test this I clicked the link Yahoo! says will allow me to prevent future spams. I clicked it and got to a page that read:

"Sorry, that link has expired. We do this to prevent abuse."
Huh? I am the victim and you are preventing me from opting out of your ill thought policy? I tried again on a newer spam and was successful in opting out.

Yahoo! Groups opt-out page

Oddly they make me confirm my decision not to let them spam me, very strange workflow here. I expect that Google and Yahoo! should seek our permission before allowing third parties to abuse their systems for sending spam.

Microsoft security update treats Chrome as malware

Redmond releases same-day correction, but not before Windows Security purges Chrome from user systems

Microsoft issued today an update to its security software that wrongly identified Google Chrome as malware and purged it from users' systems accordingly. The Redmond giant has since fixed the mistake, but it has left Google with the task of dealing with the fallout.

Coincidentally (of course), the faux pas comes on the heels of news from StatCounter that Chrome is poised to overtake Firefox this year as the No. 2 most-popular browser in the world.

"Google Chrome has been incorrectly marked as malware by Microsoft security software. Please update your Microsoft security software to version 1.113.672.0, which resolves this issue," according to an alert over at the Google Chrome forums.

Microsoft, meanwhile, posted a somewhat vague alert of its own, stating that it had released a security update today with "an incorrect detection for PWS:Win32/Zbot," a password-stealing Trojan that monitors for visits to certain websites. However, Microsoft neglected to specify in its update just what impact this "incorrect detection" had; the update doesn't even mention Chrome. Evidently, Microsoft would prefer to let Chrome users and Google deal with figuring out why, exactly, Microsoft Security Center suddenly started deeming Chrome a security threat and purging it from users' systems.

To Microsoft's credit, it did issue a second update the same day that addresses the error: Signature versions 1.113.672.0 and higher include this update.

One affected Chrome user, with the screen name chasd.harris, started a thread on the Google Chrome forums to report his experience. "I have been using Chrome on my office PC for over a year. This morning, after I started up the PC, a Windows Security box popped up and said I had a security problem that needed to be removed," he wrote. "I clicked the Details button and saw that it was 'PWS:Win32/Zbot.' I clicked the Remove button and restarted my PC. Now I do not have Chrome. It has been removed or uninstalled. The Chrome.exe file is gone. Was there really a problem, or is this just a way for Microsoft to stick it to Google?"

Google reps also provided instructions as to how to go about re-installing Chrome.
  1. Check that Chrome has been uninstalled.
  2. Go to Microsoft Security Essentials (MSE) and update, then verify that the version has a signature of 1.113.672.0 or higher.
  3. Reinstall Chrome.
  4. Perform a full scan of MSE again.

Microsoft Pushes Emergency Update After Security Products Call Chrome "Banking Trojan"

Microsoft was forced to push out an emergency update to its Security Essentials and Forefront products Friday after users complained that an updated virus signature intended to spot the Zeus Trojan was, instead, flagging and even removing instances of Google's Chrome Web browser.

The fireworks began early Friday, after Microsoft released an otherwise innocuous signature update for the common Zeus - or Zbot - banking Trojan.

Shortly after it was released, users of Microsoft's Windows Security Essentials and Forefront Security began complaining on Twitter that the products were flagging Chrome as evidence of a Zbot infection and encouraging users to uninstall the product. The Redmond, Washington software firm responded quickly to the complaints, releasing an update to the signature within hours that corrected the detection problem, according to a post on Microsoft's Web page.

"On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified. On September 30th, 2011, Microsoft released an update that addresses the issue." the company said, without mentioning that it was the Chrome browser that was affected.

But users took notice, with many, mindful of Microsoft's reputation as a no-holds-barred competitor, wondering whether the bad signature was a slip-up or a stealth effort to grab back some market share.

"Classifying your competition as malware might be taking things too far MS," wrote a Twitter user with the handle @bryanbrannigan. "Love it! Microsoft Security Essentials just zapped my Google Chrome browser. Let the war begin!" wrote a Twitter user with the handle @EnukSears.

Chrome users who took the bait and allowed their browser to be removed by the Microsoft anti-malware were less pleased. Uninstalling Chrome can cause the loss of bookmarks and other browser plug-ins, as well as require a restart of the "infected" system.

Zeus is a ubiquitous Trojan horse program that is often used to steal credentials from online banking customers using both Windows and common mobile platforms. The Zeus source code was leaked online in May and now Zeus components are showing up in a wide range of malware.

Faulty Microsoft AV update nukes Chrome browser

Summary: Microsoft has confirmed that its security tools erroneously removed the Google Chrome browser from Windows machines, marking it as a variant of the notorious Zeus (Zbot) malware family.


UPDATE: Microsoft has confirmed that this was caused by a faulty anti-virus definition update that affected about 3,000 Windows users.

Here’s Microsoft’s statement:

“On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers PCs. We have already fixed the issue — we released an updated signature (1.113.672.0) at 9:57 am PDT — but approximately 3,000 customers were impacted. 

A Microsoft spokesperson says affected users should manually update Microsoft Security Essentials (MSE) with the latest signatures. 

“To do this, simply launch MSE, go to the update tab and click the Update button, and then reinstall Google Chrome. We apologize for the inconvenience this may have caused our customers,” the spokesperson said.

ORIGINAL REPORT:

There are numerous reports circulating that the Microsoft Security Essentials anti-malware utility is flagging Google’s Chrome browser as a password-stealing trojan.

In what appears to be a crucial false-positive, Microsoft’s security tools are removing Chrome from Windows machines, marking it as a variant of the notorious Zeus (Zbot) malware family.

Complaints from Chrome users are lighting up support forums this morning:

I have been using Chrome on my office PC for over a year.  This morning, after I started up the PC, a Windows Security box popped up and said I had a Security Problem that needed to be removed.  I clicked the Details button and saw that it was “PWS:Win32/Zbot”.  I clicked the Remove button and restarted my PC.  Now I do not have Chrome.  It has been removed or uninstalled.  The Chrome.exe file is gone.  Was there really a problem, or is this just a way for Microsoft to stick it to Google?  If I reinstall Chrome, will it have my bookmarks and other settings?  Not sure what to do about this, but I much prefer Chrome to Explorer.

And another:


I just tried to reinstall Chrome, and Windows Security stopped it.  Again citing a “severe” threat, “PWS:Win32/Zbot”.  What is going on here?

This Chrome user narrows down the problem:

I have the issue as well. Microsoft Security Essentials is removing it.
MSE Versions:

Security Essentials Version: 2.1.1116.0
Antimalware Client Version: 3.0.8402.0
Engine Version: 1.1.7702.0
Antivirus definition: 1.113.656.0
Antispyware definition: 1.113.656.0

In addition to Microsoft Security Essentials, the Microsoft Forefront Endpoint Protection product is also detecting and removing Google Chrome as a malware threat. Both products share the same anti-malware engine.

27/09/11

Crooks Are Looking At Your Mobile Wallet

I’ve read lately about the launch of Google Wallet and how it might revolutionize how we make payments. Instant payments by putting the phone near a terminal and keying in my PIN? Sounds good. As exciting as it might be to try out new technologies, if it has to do with my wallet, though, I think things through twice, or more.

Things to Consider

First off, you need to have an Android phone. Android, while a beautiful piece of software, is the most attacked mobile software on the planet. It's the most used one now that it has surpassed its Apple competitor, and there are no signs of it slowing down. I don't mean to say that anything running on Android is bad or risky, but just keep the 'most attacked' angle in mind for now.

Second, it uses NFC, a technology not very unlike RFID. That's the info-emitting little chip you put on your dog for the vet to identify him. It's also the little chip on your passport broadcasting your data, and the one that your credit card uses as well (if you have a US credit card, that is). It's a technology that, while extremely useful, provides a very juicy target for the bad guys. A bad guy with a big antenna pointed at my dog can read her ID number from afar. Okay, that's not the worst scenario I can picture.

Mobile Platforms Now A Target

Well, I’ve been to a hacker conference or two. Perhaps a lot more, and I can tell you that this thing *will* be a hacker’s target. I don’t mean to scare you off, I’m sure that the good guys have done their job properly and that Google will patch things up if they fail, even slightly. With this I mean to say that if you ever thought that the bad guys weren’t looking right, left, and center to mobile platforms for future ways of attacking, now you can be sure they are.

They don’t target platforms just because it’s fun, but because there’s money involved… and there is now. We’ve been seeing the Android platform under increasing attack for about a year and this news will only accelerate that trend. This puts us, antivirus vendors, in red alert mode for new attacks on Android. At the end of the day, we want to protect you. And your wallet.

Enjoy the Google Wallet technology and the convenience it provides but check the bank statements often (which you should anyway). If you’re feeling especially paranoid about this but still want to try it out, you can always get a pre-paid credit card to pay with. That will give you enough security to feel more at ease.

nb : trendmicro

22/09/11

Google Plus opens to everyone - but do you still want to join?

If you will pardon the literary allusion (or, if you prefer, the flagrant plundering of someone else's catch-phrase), "Google is a foreign country: they do things differently there."

So differently, in fact, that until legal and community pressure forced Google's hand back in 2008, the company just plain refused to have a link to its Privacy policy on its main search screen. There were already 28 words on Google's home page, and that was that.

Not 27, and definitely not 29. 28 was a matter of religion; of scripture; of liturgy; and of just-jolly-clean design. That meant no room for the word "Privacy."

Eventually, the word "Google" was removed from the copyright notice, and the advertising behemoth was able to make space for privacy. (Conveniently for the Google high priesthood, the copyright symbol © - which appeared on the page and amounts to a word, since it represents a word - was defined as a non-word.)

There are still 28 words on Google's home page - if you allow yourself a fair bit of doctrinal flexibility - but the just-jolly-clean design is today sullied with a crudely-drawn animated arrow pointing at the top left corner. The arrow points at one of the ten or so words in the top menu bar which enjoy that doctrinal exemption: +You.

That's right. Google Plus is now open to everybody.

Just remember two things before you join.

* Social networking services of this sort aren't free. True, there is no cash cost associated with signing up. But you are not Google's customer - those are the advertisers, who pay money to get in front of you, based on the sort of things you do online. This means you are an informal employee, paid in kind to generate traffic and to give up information about yourself which can be monetised by Google.

* You cannot join Google Plus anonymously. You must use your real name - and you need at least two words in your name to qualify - and Google will be the final judge and jury of what constitutes your name, and how you're to write it. Google may even insist that you send it a copy of your passport to prove it.

(Unless you're a celebrity, of course. It seems that William James Adams of the Black Eyed Peas is now on Google Plus with a first name of "will.i.am" and a last name of "." Don't bank on being able to do that yourself.)

Join Google Plus if you wish. According to many people, it's been worth the wait. If you are up there you might want to even follow Naked Security's team.
But make sure you really are sure you are willing to give your true identity to Google.

And remember that you may be forced to prove it by sending a copy of official government-issued identification - even though that's an unwise thing to do if you're serious about protecting your personally identifiable information.

nb : nakedsecurity.sophos

Adobe Releases Out-of-Band Patch

Adobe released an out-of-band security update to address six critical vulnerabilities, all affecting Adobe Flash Player.

One of the six, a cross-site scripting vulnerability identified as CVE-2011-2444, is reportedly being exploited in the wild. The bug is reportedly being used in targeted attacks that involve malicious links sent out to targets through email messages.

Adobe attributed the discovery of CVE-2011-2444 to Google, who, in response to finding the vulnerability, issued an update for the Google Chrome browser to prevent attackers from exploiting the security hole.

Users are strongly advised to apply the patches as soon as possible, especially since exploiting any of the addressed vulnerabilities can lead to either remote code execution or information disclosure.

Note that users who utilize multiple browsers may need to update their other browsers separately. Users can visit this page through all their browsers to check if they have the latest version of Adobe Flash Player installed, and this page to update. Here is the list of Adobe Flash Player versions affected by vulnerabilities addressed in this update:

  • Flash Player 10.3.183.7 and earlier
  • Flash Player 10.3.183.7 and earlier for network distribution
  • Flash Player 10.3.186.6 and earlier for Android
  • Flash Player 10.3.183.7 and earlier for Chrome users
We will update this post once we find more information about the exploit.

nb : trendmicro

September Adobe Flash update patches critical vulnerabilities

Adobe has just released an update (APSB11-26) to its ubiquitous Flash software, revving it to version 10.3.183.10 for Windows, Mac, Solaris and Linux, and to version 10.3.186.7 for Android.

Today's release fixes six vulnerabilities in Flash Player, one of which was being used in targeted attacks (CVE-2011-2444). This bug is a cross-site scripting flaw which could allow malicious web pages to take actions on behalf of the logged in user.

Adobe has rated this update as Critical. SophosLabs has assigned it a High rating.
SophosLabs has yet to see any samples in the wild, and notes that CVE-2011-2444 is not straightforward to exploit. Nevertheless, as Adobe reports, this vulnerability has been exploited, albeit only in targeted attacks so far.

Windows, Mac, Solaris and Linux users can download the latest Flash player from http://get.adobe.com/flashplayer.

Do watch out though. If adding the bloat of Flash to your browsing experience isn't enough for you, Adobe has decided to default to bundling it with the Google Toolbar or McAfee trialware for Windows users.

Adobe Flash Player download page

You can untick the box before downloading if you don't want these options.
Maybe that's why Apple won't support Flash on iDevices. No portable versions of Google Toolbar or McAfee?

Android users can download the latest Flash Player from the Android Marketplace and Google Chrome users were automatically updated on September 20, 2011 with protection against these flaws.

nb : nakedsecurity.sophos

20/09/11

Security failures could erode public trust in the Internet

Recent attacks could reverberate and undercut the public's faith that the Internet is a trustworthy medium for doing business

There's big trouble in the world of information security, and yet it seems that only a handful of us techies have noticed. What's the problem, you ask? Well, there are actually several problems, but they're all related to one very important issue: public trust. Let's take a look.

The first problem cropped up a few months ago when some miscreants succeeded in compromising a pile of RSA's SecurID tokens, rendering many devices vulnerable to serious attack. That attack caused RSA to undertake a costly replacement of many tokens for its customers. It was also reported to be the key enabler for additional attacks against some of those customers.


More recently, there have been a few attacks against some commercial certificate authorities (CA) such as DigiNotar in the Netherlands. That one resulted in the attackers generating hundreds of forged SSL certificates purporting to be from Microsoft, Google, and many others.

What do these things have in common, and why should we be so concerned about them? They erode the confidence of some pretty important security infrastructures. In the cases above -- which are just a few among many we've seen lately -- the products involved are used by thousands and thousands of companies and individuals.

The situation with SSL certificates is even more dire -- they are used by millions of people. Indeed, every browser on the planet that can connect to an encrypted site uses SSL, and the certificates form the hierarchical basis of that trust.

SSL certificates need to be signed by a CA. Our browsers and operating systems come with a set of trusted "root CAs." Any SSL certificate signed by a trusted root CA is itself trusted.

So the problem when someone is able to successfully attack a CA is that our basis of trust is compromised, making possible a man-in-the-middle attack, among other things. And that's exactly what reportedly happened to hundreds or thousands of Google Mail customers in Iran. Their "trusted" connections to Google Mail have potentially (or actually) been compromised, exposing their log-in credentials to the attackers -- or worse.

There are some short-term responses that need to be done, of course, and by and large, they are being properly pursued. The DigiNotar CA organization has now effectively been disabled for any computer that has been updated by Microsoft, Apple, etc. Any SSL certificate signed by DigiNotar should now be unworkable.
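The trust hierarchy described above, and the effect of "disabling" a CA the way vendors did for DigiNotar, as an added example that is not part of the original article. It constructs an in-memory root CA and a leaf certificate (hypothetical names, nothing real), verifies the leaf against the root, then shows that the same validly signed leaf is rejected once the root's fingerprint is on a distrust list, and that a hostname mismatch is also rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// mkCert creates a certificate for cn. With parent == nil it is self-signed
// (a root CA); otherwise it is issued by parent. Everything is constructed
// in memory for this example; none of it is a real CA.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // a CA must be allowed to sign certificates
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // the name a browser would match against
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// fingerprint returns the SHA-256 of the DER certificate, the usual key for a distrust list.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyLeaf builds chains from leaf to the trusted roots for host, then
// discards every chain that passes through a distrusted CA. This is what
// pulling a compromised CA achieves: a validly signed certificate no longer validates.
func verifyLeaf(leaf *x509.Certificate, roots *x509.CertPool, distrusted map[string]bool, host string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err // no chain to a trusted root, or hostname mismatch
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain[1:] { // chain[0] is the leaf itself
			if distrusted[fingerprint(c)] {
				clean = false
				break
			}
		}
		if clean {
			return nil
		}
	}
	return errors.New("every chain passes through a distrusted CA")
}

// Scenario returns the verification results for the constructed root and leaf:
// with the root trusted, after the root is distrusted, and for a wrong hostname.
func Scenario() (trusted, distrustedCA, wrongHost error) {
	root, rootKey := mkCert("Example Root CA (constructed)", true, nil, nil, 1)
	leaf, _ := mkCert("mail.example.test", false, root, rootKey, 2)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	trusted = verifyLeaf(leaf, roots, nil, "mail.example.test")
	blocklist := map[string]bool{fingerprint(root): true} // the "DigiNotar" step
	distrustedCA = verifyLeaf(leaf, roots, blocklist, "mail.example.test")
	wrongHost = verifyLeaf(leaf, roots, nil, "other.example.test")
	return
}
```

Scenario() returns nil for the trusted case and non-nil errors for the other two; real browsers additionally apply revocation and vendor-shipped distrust data, which this example stands in for with a fingerprint blocklist.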

But that's really not where my primary concern lies. I have strong confidence that the various operating system and browser vendors will quickly patch their products. It's the longer-term issues that are more troubling to me.

My concern is that public trust in vital infrastructures is being severely eroded. That public trust is the real victim of these attacks. If people and companies feel they can no longer use their systems securely, the trickle-down impact can be enormous. It's not likely something we'll notice immediately. The patching and such will be taken care of in an orderly manner. The trust erosion is something that will play out over time, and it can have a crippling effect on our systems. I hope I'm proved wrong on this.

Because of this, operators of public trust systems such as CAs have a greater burden of security that they simply must practice. Things like patch management, secure configurations and application security are considered to be important to normal companies, but they're even more important for systems involving the public trust.

As consumers of these products, we must not accept anything less than extreme care with these public trust systems. Failures there are costly in long-term ways. I've even seen some declarations of "the death of SSL" as a result of these recent attacks.

So what sorts of things should we ensure are in place with our public trust infrastructures? Certainly, they should all follow best-practice approaches in all their security processes and procedures. They should also undergo mandatory and detailed audits of their security. Personally, I want the results of those audits to be openly available.

Now, when I say "audits" in this context, I am talking about significant scrutiny, down to source-code analysis of the applications in use.

I know that much of what I'm saying here is already in place for registered CAs and such, but clearly there have been failures in the recent attacks I cite. I hope that in the response to these attacks the root causes of the failures are carefully studied and analyzed -- and the results become publicized so that we may all benefit from that knowledge.

We all want our systems to be sufficiently trustworthy so that we can put our most important business systems on the Internet. To continue to do that, our security infrastructures simply must be the best of the best. Failing to do that will exact a high price on the public trust -- one that the economies of the world shouldn't have to overcome in today's harsh climate. We must do better.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

nb : infoworld

Google Wallet - why you shouldn't throw away your wallet just yet

Google has announced, to some fanfare, what it hopes will be a revolution in the way we pay for things: Google Wallet.

Google Wallet is a smartphone app (currently only available for the Nexus S 4G Android phone) that aims to replace your credit cards.

It works like this. You go to a store (let's imagine it's a coffee shop), the barista hands you your steaming skinny caramel macchiato and a toasted onion bagel with low fat cream cheese and bacon, and rather than give them your credit card or reach into your pocket for some coins, you...

* take out your smartphone
* unlock it
* run the Google Wallet app
* enter the PIN for your Google Wallet app
* swipe your smartphone against the coffee shop's pay point.

How convenient!

The Google Wallet app uses NFC (near-field communications) technology in your smartphone to wirelessly debit the credit card you have linked with the application.

Here's a video that Google has produced describing Google Wallet.



Human nature being what it is, some people will be nervous of adopting this kind of technology to pay for goods. Just remember how long it took for some people to switch to using credit cards.

The PIN

It looks like Google recognises that some people will be fearful, and is keen for potential users to know that the Google Wallet app is protected by a four digit PIN.

Unless the PIN is entered, the NFC antenna is switched off - meaning that you can't make any purchases. Similarly when the phone's screen is switched off, the NFC antenna is disabled.

The Google Wallet app insists that you re-enter your PIN every five minutes by default - something that I suspect many users will find irritating, and will change to a longer time period for more convenience and less security.

Another concern I have, though, is whether users will choose sensible PINs to protect their Google Wallet.

When you're waiting to slurp your steaming skinny caramel macchiato and munch on your toasted onion bagel with low fat cream cheese and bacon, will you be entering a PIN code that is convenient or one that is more secure?

Research published earlier this year revealed the top 10 passcodes that iPhone owners use to protect their devices, and we have to assume that Google Wallet users will be just as laissez-faire when choosing a PIN.

Top 10 most commonly used PIN codes

We already know that 67% of consumers don't have any form of password on their mobile phones.

It's hard to imagine that all users are going to choose a PIN code for their Google Wallet which is hard to crack, let alone different from the one which they should be using to protect all the rest of their smartphone.

So, if you lose your smartphone and have not chosen a sensible PIN code both for the device and a different one for your Google Wallet then there may be opportunities for criminals to take advantage.
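To make the PIN section concrete, here is an added example in C written for this page; it is not Google's code and not how the Google Wallet app is actually implemented. It models the two behaviours described above (the NFC path is live only while the screen is on and a PIN entry is less than the re-entry interval old, with five minutes as the default) and adds the check a defender would want in front of PIN selection: rejecting the kinds of PIN the article worries about. The weak-PIN patterns (all digits equal, ascending or descending runs, reuse of the device unlock code) are heuristics I chose for the example; the research top-10 list is not reproduced here. All function and struct names are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Policy values taken from the article: a four-digit PIN and a
 * re-entry interval that defaults to five minutes. */
#define WALLET_PIN_LEN      4
#define WALLET_REAUTH_SECS  (5 * 60)

/* Heuristic weak-PIN check (constructed for this example, not a published
 * list). Returns 1 if the PIN should be refused, 0 if it is acceptable.
 * device_pin may be NULL when the phone has no unlock code at all. */
int wallet_pin_is_weak(const char *pin, const char *device_pin) {
    size_t n = strlen(pin);
    int all_same = 1, ascending = 1, descending = 1;

    if (n != WALLET_PIN_LEN)
        return 1;                               /* wrong length */
    for (size_t i = 0; i < n; i++) {
        if (pin[i] < '0' || pin[i] > '9')
            return 1;                           /* not a digit */
        if (i > 0) {
            if (pin[i] != pin[i - 1])     all_same   = 0;
            if (pin[i] != pin[i - 1] + 1) ascending  = 0;
            if (pin[i] != pin[i - 1] - 1) descending = 0;
        }
    }
    if (all_same || ascending || descending)
        return 1;                               /* 1111, 1234, 4321 and friends */
    if (device_pin != NULL && strcmp(pin, device_pin) == 0)
        return 1;                               /* one code unlocks phone and wallet */
    return 0;
}

/* State of the NFC gate the article describes: the antenna is usable only
 * while the screen is on and a PIN entry is still fresh. */
struct wallet_state {
    time_t unlocked_at;   /* time of the last PIN entry; 0 = never */
    int    screen_on;
    int    reauth_secs;   /* user-configurable; longer means less security */
};

void wallet_init(struct wallet_state *w) {
    w->unlocked_at = 0;
    w->screen_on = 1;
    w->reauth_secs = WALLET_REAUTH_SECS;
}

/* Records a successful PIN entry at time `now`. */
void wallet_unlock(struct wallet_state *w, time_t now) {
    w->unlocked_at = now;
}

void wallet_set_screen(struct wallet_state *w, int on) {
    w->screen_on = on;
}

/* 1 if a tap at time `now` may debit the linked card, otherwise 0.
 * Fails closed on a screen that is off, on no PIN entry, on a clock that
 * has gone backwards, and once the re-entry interval has elapsed. */
int wallet_nfc_enabled(const struct wallet_state *w, time_t now) {
    if (!w->screen_on || w->unlocked_at == 0)
        return 0;
    if (now < w->unlocked_at)
        return 0;
    return (now - w->unlocked_at) < w->reauth_secs;
}

int main(void) {
    struct wallet_state w;
    wallet_init(&w);
    wallet_unlock(&w, 1000);
    printf("weak(1234)=%d weak(2580)=%d nfc@+299s=%d nfc@+300s=%d\n",
           wallet_pin_is_weak("1234", NULL), wallet_pin_is_weak("2580", "7391"),
           wallet_nfc_enabled(&w, 1299), wallet_nfc_enabled(&w, 1300));
    return 0;
}
```

The two checks sit at different points: the PIN-quality check runs once, at enrolment or PIN change, while the NFC gate is consulted on every tap, which is why the gate fails closed on anything unexpected rather than trying to be clever.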

Don't throw away your wallet just yet

I don't want to rain on the parade entirely, however. It's not Google's fault that people might choose dumb obvious PINs or use the same PIN code for their digital wallet as for the device itself (although Google might do some work to reduce the likelihood of those happening, or give an option for longer pass codes).

We may be a long way off throwing away our physical wallets entirely - as folks still like to carry around their receipts, driving license, business cards and some old fashioned bank notes - but we will see mobile devices being used more and more for commerce.

It's going to take some years for merchants to invest in the hardware to provide support for Google Wallet, and some may prefer to wait and see how the market plays out and if a rival option becomes more popular.

Always have a backup

I have one piece of advice though, which will probably hold true for many years to come. Think about this. What happens when your smartphone runs out of juice?

You won't be able to open your Google Wallet app to pay for the late night train ride home if the battery is flat. Then you'll be rueing not having a real credit card in your pocket or a couple of notes hidden in the sole of your shoes.

nb : nakedsecurity.sophos

How Bug Bounties Are Like Rat Farming

SAN FRANCISCO--It's become fashionable of late to have people from outside the industry give keynotes at security conferences as a way of providing a fresh perspective or unique insight into what security means. Often, that fresh perspective turns out to be some variation of the "I don't know security, so let me tell you how it doesn't relate to my field" speech. Stephen Dubner fixed that.

The co-author of the ridiculously popular Freakonomics books, Dubner is a former New York Times writer and would seem an incongruous choice to kick off the talks at a security conference. But it turns out that he knows more about security than one would think. Maybe even more than he might think. His books are filled with stories meant to show the uninitiated how deeply economics and its offshoots affect our daily lives.

Much the same could be said of security and its numerous sub-disciplines. As recently as three or four years ago, many normal Internet users probably didn't give much thought, if any, to the security of their PCs. If they did think about it, they likely thought in terms of annoying viruses and worms, or maybe identity theft. But the events of the last few years have shown that no one can afford to ignore the reality of the security situation.

In his keynote speech at the United Security Summit here, Dubner said that he had great respect for the job that security professionals do, fighting the good fight against attackers and the occasional nation-state. But his most insightful comments had to do with rat farming.

What is rat farming, you ask. It turns out it's essentially a slightly more disgusting version of bug hunting. Dubner said that he was in Johannesburg, South Africa, recently, and the city was having a serious problem with rats. Officials had tried a number of remedies with no real success, and so they eventually hit upon the idea of offering a small monetary reward for every dead rat turned in. The program was a huge hit, and dead rats started flowing in.

But the idea actually created an entirely new industry: rat farming. Once people discovered that there was money to be made by turning in dead rats, they started breeding the vermin strictly for the purpose of killing them and collecting the cash. Effective, but gross.

But it has a clear analog in the bug-bounty programs that software companies such as Mozilla, Google, Barracuda and others have established in recent years. Those programs offer researchers various cash rewards for reporting vulnerabilities to the companies, and they've been quite successful in drawing submissions from a wide range of people.

But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.

nb : threatpost

18/09/11

Google patches 32 Chrome bugs, revs browser to v.14

The company also tweaked Mac Chrome for Lion and laid out more than $14K in bug bounties

Google today patched 32 vulnerabilities in Chrome, paying more than $14,000 in bug bounties as it also upgraded the stable edition of the browser to version 14.

The company called out a pair of developer-oriented additions to Chrome 14 and noted new support for Mac OS X 10.7, aka Lion, including full-screen mode and vanishing scrollbars.


Google last upgraded Chrome's stable build in early August. Google produces an update about every six weeks, a practice that rival Mozilla also adopted with the debut of Firefox 5 last June.

Fifteen of the 32 vulnerabilities were rated "high," the second-most-serious ranking in Google's four-step scoring system, while 10 were pegged "medium" and the remaining seven were marked "low."

None of the flaws were ranked "critical," the category usually reserved for bugs that may allow an attacker to escape Chrome's anti-exploit sandbox. Google has patched several critical bugs this year, the last time in April.

Six of the vulnerabilities rated high were identified as "use-after-free" bugs, a type of memory management flaw that can be exploited to inject attack code, while seven of the bugs ranked medium were "out-of-bounds" flaws, including a pair linked to foreign language character sets used in Cambodia and Tibet.

Google paid $14,337 in bounties to nine researchers, including $3,500 to "miaubiz" and $2,337 to Sergey Glazunov, another regular bug finder.

The company's security team also credited others, including researchers who work for Microsoft and Apple, for "working with us in the development cycle and preventing bugs from ever reaching the stable channel." Some of those researchers were also awarded bounties, but Google did not spell out the amounts of those awards.

As per its practice, Google barred access to the Chrome bug-tracking database for the 32 vulnerabilities to prevent outsiders from obtaining details on the flaws. The company only opens the database after users have had time to update the browser.

Google also added a pair of developer-only features to Chrome 14, including support for the Web Audio API (application programming interface) and for "native client," an open-source technology that runs software written in C and C++ within Chrome's security sandbox.

The Mac version of Chrome 14 also supports Lion's new approach to scrollbars, which appear only when a user is actively scrolling through the browser window. Chrome 14 also now runs in Lion's full-screen mode, triggered via the icon in the upper right of the browser or by pressing Ctrl-Command-F.

But Chrome's full-screen support isn't polished or finished; the browser won't return to its windowed view with a press of the Escape key, as do Apple's home-grown applications in Lion.

Chrome 14 can be downloaded for Windows, Mac OS X and Linux from Google's website. Users already running the browser will be updated automatically.

nb : infoworld

17/09/11

Google Fixes More than 30 Flaws in Chrome

Google has fixed more than 30 security vulnerabilities in its Chrome browser with a new version the company released on Friday. The company also paid out more than $14,000 in rewards to the various researchers who reported bugs that were fixed with Chrome 14.0.835.163.

The new version of Chrome includes fixes for 15 high-risk vulnerabilities, but none of the flaws in this release were rated critical by Google's security team. The highest payout for one of the fixed bugs was a $2337 reward for Sergey Glazunov, who reported a bug that caused unintended access to V8 objects in Chrome. Many of the bugs fixed in this version of the browser were discovered by Google's internal security team, whose members don't qualify for the reward. However, the company still paid out $14,337 in bounties with this release.

Interestingly, Google also included a thank-you to a broad set of researchers--including some at Microsoft and Apple--for their work in helping to prevent certain flaws from ever making it into Chrome stable releases.

"In addition, we would like to thank 'send.my.spam.to', 'Feiler89', miaubiz, The Microsoft Java Team / Microsoft Vulnerability Research (MSVR), Chris Rohlf of Matasano, Chamal de Silva, Christian Holler, 'simon.sarris' and Alexey Proskuryakov of Apple for working with us in the development cycle and preventing bugs from ever reaching the stable channel. Various rewards were issued," Google's blog post said.

The full list of fixes in Chrome is:

  • [49377] High CVE-2011-2835: Race condition in the certificate cache. Credit to Ryan Sleevi of the Chromium development community.
  • [51464] Low CVE-2011-2836: Infobar the Windows Media Player plug-in to avoid click-free access to the system Flash. Credit to electronixtar.
  • [Linux only] [57908] Low CVE-2011-2837: Use PIC / pie compiler flags. Credit to wbrana.
  • [75070] Low CVE-2011-2838: Treat MIME type more authoritatively when loading plug-ins. Credit to Michal Zalewski of the Google Security Team.
  • [76771] High CVE-2011-2839: Crash in v8 script object wrappers. Credit to Kostya Serebryany of the Chromium development community.
  • [78427] [83031] Low CVE-2011-2840: Possible URL bar spoofs with unusual user interaction. Credit to kuzzcc.
  • [$500] [78639] High CVE-2011-2841: Garbage collection error in PDF. Credit to Mario Gomes.
  • [Mac only] [80680] Low CVE-2011-2842: Insecure lock file handling in the Mac installer. Credit to Aaron Sigel of vtty.com.
  • [82438] Medium CVE-2011-2843: Out-of-bounds read with media buffers. Credit to Kostya Serebryany of the Chromium development community.
  • [85041] Medium CVE-2011-2844: Out-of-bounds read with mp3 files. Credit to Mario Gomes.
  • [$1000] [89219] High CVE-2011-2846: Use-after-free in unload event handling. Credit to Arthur Gerkis.
  • [$1000] [89330] High CVE-2011-2847: Use-after-free in document loader. Credit to miaubiz.
  • [$500] [89564] Medium CVE-2011-2848: URL bar spoof with forward button. Credit to Jordi Chancel.
  • [89795] Low CVE-2011-2849: Browser NULL pointer crash with WebSockets. Credit to Arthur Gerkis.
  • [$500] [89991] Medium CVE-2011-3234: Out-of-bounds read in box handling. Credit to miaubiz.
  • [90134] Medium CVE-2011-2850: Out-of-bounds read with Khmer characters. Credit to miaubiz.
  • [90173] Medium CVE-2011-2851: Out-of-bounds read in video handling. Credit to Google Chrome Security Team (Inferno).
  • [$500] [91120] High CVE-2011-2852: Off-by-one in v8. Credit to Christian Holler.
  • [91197] High CVE-2011-2853: Use-after-free in plug-in handling. Credit to Google Chrome Security Team (SkyLined).
  • [$1000] [92651] [94800] High CVE-2011-2854: Use-after-free in ruby / table style handling. Credit to Sławomir Błażek, and independent later discoveries by miaubiz and Google Chrome Security Team (Inferno).
  • [$1000] [92959] High CVE-2011-2855: Stale node in stylesheet handling. Credit to Arthur Gerkis.
  • [$2000] [93416] High CVE-2011-2856: Cross-origin bypass in v8. Credit to Daniel Divricean.
  • [$1000] [93420] High CVE-2011-2857: Use-after-free in focus controller. Credit to miaubiz.
  • [$1000] [93472] High CVE-2011-2834: Double free in libxml XPath handling. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
  • [93497] Medium CVE-2011-2859: Incorrect permissions assigned to non-gallery pages. Credit to Bernhard ‘Bruhns’ Brehm of Recurity Labs.
  • [$1000] [93587] High CVE-2011-2860: Use-after-free in table style handling. Credit to miaubiz.
  • [93596] Medium CVE-2011-2861: Bad string read in PDF. Credit to Aki Helin of OUSPG.
  • [$2337] [93906] High CVE-2011-2862: Unintended access to v8 built-in objects. Credit to Sergey Glazunov.
  • [95563] Medium CVE-2011-2864: Out-of-bounds read with Tibetan characters. Credit to Google Chrome Security Team (Inferno).
  • [95625] Medium CVE-2011-2858: Out-of-bounds read with triangle arrays. Credit to Google Chrome Security Team (Inferno).
  • [95917] Low CVE-2011-2874: Failure to pin a self-signed cert for a session. Credit to Nishant Yadant of VMware and Craig Chamberlain (@randomuserid).
  • [$1000] [95920] High CVE-2011-2852: Type confusion in v8 object sealing. Credit to Christian Holler.
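The out-of-bounds reads that recur in both Chrome 14 write-ups above (media buffers, mp3 files, "box handling", video handling, the Khmer and Tibetan character cases) share a root cause: a length or offset taken from the input is trusted before it is compared with what is actually in the buffer. The following is an added example written for this page in C; it is not Chromium code and does not reproduce any of the listed bugs. It parses a constructed length-prefixed "box" container (modelled loosely on the ISO base media file format: a 4-byte big-endian size covering an 8-byte header plus payload, then a 4-byte type) in an unchecked form and in a checked form, and the sample buffers are constructed for the example. The function and constant names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BOX_HEADER 8u   /* 4-byte size + 4-byte type */

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* "Before": the size field is trusted. A size below the header length
 * makes the walk stall (size 0) or re-read the same bytes; a size larger
 * than the remaining input moves the cursor past the end of the buffer,
 * and any payload access at that point is an out-of-bounds read of the
 * kind listed in the advisory. Kept for contrast; never feed it
 * untrusted data. Returns the number of boxes walked. */
long count_boxes_unchecked(const uint8_t *buf, size_t len) {
    size_t off = 0;
    long n = 0;
    while (off + BOX_HEADER <= len) {
        uint32_t size = read_be32(buf + off);
        n++;
        off += size;   /* no check that size >= 8 or size <= len - off */
    }
    return n;
}

/* "After": every quantity derived from the input is validated before it
 * is used as an offset or length. The subtraction len - off cannot wrap
 * because the loop guarantees off < len. Returns the number of boxes, or
 * -1 on the first malformed box. */
long count_boxes_checked(const uint8_t *buf, size_t len) {
    size_t off = 0;
    long n = 0;
    while (off < len) {
        if (len - off < BOX_HEADER)     /* header cut short */
            return -1;
        uint32_t size = read_be32(buf + off);
        if (size < BOX_HEADER)          /* would stall or move backwards */
            return -1;
        if (size > len - off)           /* payload would run past the buffer */
            return -1;
        /* buf[off .. off+size) is now known to be inside the buffer */
        n++;
        off += size;
    }
    return n;
}

/* Constructed sample inputs (not real media files). */
const uint8_t SAMPLE_GOOD[] = {
    0, 0, 0, 12, 'f', 't', 'y', 'p', 1, 2, 3, 4,   /* 12-byte box: header + 4 payload bytes */
    0, 0, 0, 8,  'f', 'r', 'e', 'e'                /* 8-byte box: header only */
};
const uint8_t SAMPLE_OVERSIZE[] = { 0, 0, 0, 64, 'm', 'd', 'a', 't', 1, 2, 3, 4 }; /* claims 64, has 12 */
const uint8_t SAMPLE_ZERO[]     = { 0, 0, 0, 0,  'x', 'x', 'x', 'x' };              /* size 0 never advances */
const uint8_t SAMPLE_TRUNC[]    = { 0, 0, 0, 12, 'a', 'b' };                        /* header itself truncated */

int main(void) {
    printf("checked: good=%ld oversize=%ld zero=%ld trunc=%ld\n",
           count_boxes_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           count_boxes_checked(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE),
           count_boxes_checked(SAMPLE_ZERO, sizeof SAMPLE_ZERO),
           count_boxes_checked(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

The three checks in the validated loop correspond to three distinct failure modes a fuzzer would find in the unchecked one: a truncated header (read past the end while decoding the size), a size below the header length (a non-terminating or backward walk) and a size beyond the remaining input (the classic out-of-bounds read). Tools such as the address sanitizer that several of the credited researchers work with flag exactly the third case.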

nb : threatpost