Wednesday, 9 October 2013

EU calls for ‘one-stop shop’ data protection body

The European Commission (EC) has said a ‘one-stop shop’ for handling data protection laws and complaints is required to help make it easier for businesses to operate across Europe.
As discussions continue to take place on the future Data Protection Regulation, EU justice commissioner Viviane Reding said creating a single authority overseeing data protection issues would have numerous benefits for firms of all sizes.
“It is a key building block of the EU data protection reform and a prime example of the added value of the Regulation. It ensures legal certainty for businesses operating throughout the EU and it brings benefits for businesses, individuals and data protection authorities,” she said.
“Businesses will profit from faster decisions, from one single interlocutor (eliminating multiple contact points), and from less red tape. They will benefit from consistency of decisions where the same processing activity takes place in several member states.”
She said that any authority charged with handling data protection must be given strong powers to ensure it is feared by firms. 
“The authority of the main establishment must retain meaningful powers. If its powers are excessively limited, for instance if it is not responsible for imposing fines, then the benefits of the one-stop shop are lost,” she said.
“The last thing we want is to create problems of coherence and effectiveness, and have new kinds of fragmentation.”
She said this would also have benefits for citizens as it would mean complaints could be lodged in any nation against any firm, irrespective of the company's location.
“The aim is to mend the current system in which individuals living in one member state have to travel to another member state to lodge a complaint with a data protection authority,” she said.
“That is why the Austrian student, Max Schrems, had to travel to Dublin to complain about Facebook. We need to fix this.”
To date, debates around the data protection laws have stumbled over concerns raised by several governments, including the UK, which said the regulation could prove too stringent and damage the UK economy by hampering firms' ability to use data effectively.
Eduardo Ustaran, partner at European law firm Field Fisher Waterhouse, told V3 that the latest round of debate on how best to make a ‘one-stop shop’ work would likely be welcomed by businesses operating across Europe.

“This concept was warmly welcomed by global organisations operating on a pan-European basis, because it will mean that they are only accountable to one regulator for all of their EU data activities,” he said.

“In my view Reding's approach is spot on: one competent regulator seeking to co-operate with the others, and with the opportunity to escalate truly pan-EU matters to the European Data Protection Board (the new name for the Article 29 Working Party).”

Four arrested in UK over Silk Road shutdown

UK authorities have arrested four men believed to have been involved in the infamous Silk Road marketplace, which was shut down last week after an arrest by the FBI.
The UK’s newly established National Crime Agency (NCA) revealed it had arrested four men – one in his 50s from Devon, and three from Manchester in their 20s – shortly after the FBI arrest last week. They had originally been picked up over drug offences.
The Silk Road was a deep web marketplace only accessible through the Tor network, known to facilitate the trade of drugs and offer tutorials on a variety of illegal activities, such as how to make explosives and hack bank machines.
Keith Bristow, the NCA's director general, said that those alleged to be behind the forum should think again if they believe they can operate online anonymously.
"These arrests send a clear message to criminals: the hidden internet isn't hidden and your anonymous activity isn't anonymous. We know where you are, what you are doing and we will catch you,” he said.
"It is impossible for criminals to completely erase their digital footprint. No matter how technology-savvy the offender, they will always make mistakes and this brings law enforcement closer to them.”
The arrests came about after NCA officers at an agency branch in Exeter worked with US law enforcement staff to identify suspects regarded as “significant users” of the Silk Road. Bristow also confirmed that the NCA would make more arrests in the coming weeks.
Head of the NCA's National Cyber Crime Unit (NCCU) Andy Archibald added that the arrests were just the start of the organisation’s attempts to tackle those operating on the deep web.
"These criminal areas of the internet aren't just selling drugs; it's where fraud takes place, where the trafficking of people and goods is discussed, where child abuse images are exchanged and firearms are traded,” he said. "Stopping this element of serious and organised crime will go a long way to protecting the public."
The arrests will be seen as a coup for the newly formed NCA, and they come amid ongoing crackdowns against cyber criminals. Recently the Metropolitan Police claimed its efforts to stop online theft and scams have saved businesses and citizens over £1bn.

Android users to get Apple-baiting fingerprint protection “by next year”

Apple’s fingerprint sensor has drawn a huge amount of attention (and hack attempts) ever since it launched on iPhone 5S – but it seems Android users will get their own fingerprint protection shortly.
A report from USA Today said that a standardized fingerprint security system for Android devices, certified by the FIDO (Fast Identity Online) Alliance, would be available shortly after the new year.
While Apple’s fingerprint sensor has come under fire from security researchers, many of the “hacks” rely on weaknesses in other systems, such as Apple’s Siri voice control – or on laborious methods such as “3D printing” latex fingerprints. Neither of these seems likely to see “mass market” use among cybercriminals. The sensor has also reignited the debate about the use of biometrics.
FIDO made no official statement, but posted the news article on its website.
“The intention of FIDO is absolutely that it will allow consumers to have access to mobile services that they can use with very low friction, while keeping good security,” said PayPal’s Chief Information Security Officer Michael Barrett, quoted by PC World. “That’s explicitly what we want to build.”
Leaked photographs of various handsets have hinted that equipment makers such as HTC might follow Apple’s lead and add biometric security to their handsets. PC World warned in its report that Android users may see a “format war” of competing biometric standards.
Fingerprints are just one of the new technologies supported by FIDO, an industry-wide consortium (backed by a variety of companies including heavyweights such as BlackBerry and Google) which aims to replace passwords with a secure, industry-supported protocol which is also easy to use.
“The possibility of someone having the same fingerprint as you is about 1 in 6 million,” says FIDO. “If you choose to use your fingerprint reader as your FIDO token, your finger becomes the master key for your credential vault where all your FIDO tokens are stored. Each website or application that uses a FIDO token never gets to see your fingerprint and, better yet, they cannot obtain access unless you allow it.
“Unlike a PIN or Password, fingerprints cannot be guessed. You must be physically present to unlock your credential vault. Fingerprint readers do not store your fingerprint; they create a template during setup that can later be used to match your finger with a very high degree of accuracy. These templates are stored in a secure storage area on the device and cannot be accessed by any other software.”
“There is a far greater likelihood that someone could guess your PIN than it would be for that person to use another fingerprint on your device to access your information.”
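The architecture FIDO describes above (a local biometric match unlocks a credential vault on the device, the website holds only a public key and only ever sees a signed challenge) as an added worked example; this is illustrative code written for this page, not FIDO's specification or anyone's product code. A small Schnorr signature over a hand-rolled 64-bit group stands in for a real signature scheme, a salted hash stands in for the fingerprint template match, and the class names, `bank.example` and the finger labels are made up for the demo. It also goes one step beyond the quoted text by making each challenge single-use, so a captured signature cannot be replayed.

```python
"""Toy model of the FIDO flow: the site stores only a public key, the phone keeps
the private key in a vault that a local biometric match unlocks, and the only
thing that crosses the network is a signed challenge."""
import hashlib
import random
import secrets

# A Schnorr signature over a hand-rolled discrete-log group stands in for the real
# signature scheme; it is an illustration only, not something to deploy.

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    """Return (p, q, g): safe prime p = 2q + 1 and g = 4, a generator of the order-q subgroup."""
    while True:
        q = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def _challenge_hash(r, message, q):
    digest = hashlib.sha256(f"{r}|{message}".encode()).digest()
    return int.from_bytes(digest, "big") % q

def schnorr_sign(group, x, message):
    p, q, g = group
    k = secrets.randbelow(q - 1) + 1            # fresh nonce per signature
    e = _challenge_hash(pow(g, k, p), message, q)
    return e, (k - x * e) % q

def schnorr_verify(group, y, message, signature):
    p, q, g = group
    e, s = signature
    r = pow(g, s, p) * pow(y, e, p) % p         # equals g^k only for a genuine signature
    return _challenge_hash(r, message, q) == e

class Authenticator:
    """The phone: one biometric template plus a vault of per-site private keys."""

    def __init__(self, group, enrolled_finger):
        self.group = group
        self._salt = secrets.token_bytes(16)
        self._template = self._template_of(enrolled_finger)  # never leaves the device
        self._vault = {}                                     # site id -> private key

    def _template_of(self, finger):
        # A salted hash stands in for a real fingerprint template match (assumption for the demo).
        return hashlib.sha256(self._salt + finger.encode()).digest()

    def register(self, site_id):
        p, q, g = self.group
        self._vault[site_id] = x = secrets.randbelow(q - 1) + 1
        return pow(g, x, p)                                  # only the public key is sent out

    def sign_challenge(self, site_id, challenge, presented_finger):
        if self._template_of(presented_finger) != self._template:
            return None                                      # vault stays locked, nothing is signed
        return schnorr_sign(self.group, self._vault[site_id], f"{site_id}|{challenge}")

class RelyingParty:
    """The website: public keys and outstanding challenges, no biometric data at all."""

    def __init__(self, site_id, group):
        self.site_id, self.group = site_id, group
        self._pubkeys, self._pending = {}, {}

    def enroll(self, user, pubkey):
        self._pubkeys[user] = pubkey

    def new_challenge(self, user):
        self._pending[user] = secrets.token_hex(16)
        return self._pending[user]

    def verify(self, user, signature):
        challenge = self._pending.pop(user, None)           # single use: a replay finds nothing pending
        if challenge is None or signature is None:
            return False
        return schnorr_verify(self.group, self._pubkeys[user], f"{self.site_id}|{challenge}", signature)

def login(enrolled="alice-right-index", presented="alice-right-index"):
    """One complete enrolment and login; True only when the enrolled finger unlocks the vault."""
    group = make_group()
    phone, site = Authenticator(group, enrolled), RelyingParty("bank.example", group)
    site.enroll("alice", phone.register(site.site_id))
    signature = phone.sign_challenge(site.site_id, site.new_challenge("alice"), presented)
    return site.verify("alice", signature)
```

`login()` returns True; `login(presented="someone-else")` returns False because the vault never unlocks, and nothing about the finger reaches `RelyingParty`. Presenting the same signature to `verify` a second time also fails, which is what the single-use challenge buys.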
FIDO is investigating technologies such as fingerprint scanners, voice and facial recognition, and existing solutions such as Near Field Communication (NFC) and One Time Passwords (OTP), with a view to creating an integrated solution.
“Passwords are running out of steam as an authentication solution. They’re starting to impede the development of the internet itself,” PayPal’s Chief Information Security Officer Michael Barrett said at the Interop Las Vegas IT expo earlier this year.  “It’s pretty clear that we can’t fix it with a proprietary approach.”
Mr Barrett pointed to the passwords published online after data breaches in recent years, which show that insecure passwords such as “12345” and “password” remain among the most commonly used.
“Users will pick poor passwords – and then they’ll reuse them everywhere,” says Barrett. “That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet.”
Many companies are offering biometric and two-factor solutions to replace and/or augment current password systems – such as the Bionym bracelet, which uses your unique heartbeat pattern as a password.
Stephen Cobb, Security Researcher with ESET, says that we may be on the verge of widespread deployment of biometrics. Cobb says, “Successful implementation of biometrics in a segment-leading product could bode well for consumer acceptance.”
“I have been a fan of biometrics as an added authentication factor ever since I first researched multi-factor and 2FA systems 20 years ago; however, user adoption is very sensitive to performance. In other words, the iPhone 5S could advance biometrics, or put a whole lot of people off biometrics.”

Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate fraudulent/malicious online activity

Realizing the market segment potential of bulletproof hosting services in a post-Russian Business Network (RBN) world — although it can be easily argued that as long as its operators are at large they will remain in business — cybercriminals continue supplying the cybercrime ecosystem with market-relevant propositions. It empowers anyone with the ability to host fraudulent and malicious content online. A newly launched Virtual Dedicated Server (VDS) type of bulletproof hosting vendor is pitching itself to prospective cybercriminals, offering them hosting services for spam, malware, brute-forcing tools, blackhat SEO tools, C&C (command and control) servers, exploit kits and warez. In addition to offering the “standard cybercrime-friendly” bulletproof hosting package, the vendor is also excelling in terms of the hardware it relies on for providing the infrastructure to its customers.
Let’s take a peek inside the infrastructure ‘facility’, and discuss the vendor’s business model in the over-populated market segment for bulletproof hosting services, currently available to prospective cybercriminals.

Sample screenshot of the currently offered bulletproof hosting options:
[Image: Cybercrime_Bulletproof_Hosting_VDS_Virtual_Dedicated_Server]
Sample screenshots of the HP Smart Arrays used in the service’s infrastructure, and the DIY self-monitoring interface:
[Image: Cybercrime_Bulletproof_Hosting_VDS_Virtual_Dedicated_Server_01]
Sample screenshots of the actual infrastructure ‘facility’ as featured by the vendor of the bulletproof hosting service:
[Images: Cybercrime_Bulletproof_Hosting_VDS_Virtual_Dedicated_Server_02 to _05]
This service and its infrastructure are a great example of ‘purely malicious in-house infrastructure’ purposely set up to facilitate fraudulent and malicious online activity. The “even if it’s there we still don’t care” mentality results in a situation where, even though the vendor’s infrastructure remains online, the industry can still block it, consequently preventing hundreds of millions of users from (unknowingly) interacting with it. Unfortunately, as we’ve already seen in previous cybercrime-friendly ISP shutdowns, this doesn’t really present a problem to the cybercriminals operating it, thanks to the contingency planning in place, which allows them to quickly restore service to their customers.
In retrospect: How cybercrime-friendly ISPs were affected by successful takedowns over the years:
We’ll continue monitoring this market segment, and post analyses of newly launched/competing services, in particular the ones differentiating their UVP (unique value proposition) to prospective cybercriminals.

Microsoft Awards $100,000 Security Bounty for Innovative Research

Many major software companies will pay a "bug bounty" to the first person who reports a particular security hole. Bounty amounts vary, but they can range anywhere from a pat on the back to thousands of dollars. Microsoft's Mitigation Bypass Bounty operates at a distinctly higher level. In order to claim the $100,000 reward, a researcher must present a brand-new exploitation technique that's effective against the very latest version of Windows. This kind of discovery is quite uncommon, and yet, just three months after announcing this program, Microsoft today made its first $100,000 award.
A History of Cooperation
I spoke with Katie Moussouris, senior security strategy lead for Microsoft Trustworthy Computing group, about this award and about Microsoft's history of working with researchers and hackers. Moussouris joined about six and a half years ago as a security strategist, but "there was a long history of Microsoft engaging with researchers and hackers, even before my time."
Moussouris gave as an example the researchers who discovered the vulnerability that powered the Blaster worm. "Microsoft senior officials visited them in Poland," she said. "They were recruited... They're still working with us for the past decade."
She noted that Microsoft's regular BlueHat conferences "bring hackers to Microsoft to meet our people, to educate and entertain, and make our products more secure." In 2012, Microsoft's BlueHat Prize contest awarded over $250,000 to three academic researchers who came up with never-before-seen innovations.
Current Bounties
"Three months ago we launched three new bounties," said Moussouris, "two of which are still active." During the first 30 days of the Internet Explorer 11 preview, Microsoft offered ordinary bug bounties. "A lot of researchers were holding on, not reporting bugs, waiting for final release," noted Moussouris. "We decided to encourage them to submit those reports." At the end of that program's 30-day run, six researchers had claimed bug bounties totaling over $28,000.
The Mitigation Bypass Bounty specifically rewards researchers who discover a whole new exploitation method. "If we didn't already know about return-oriented programming," said Moussouris, "that discovery would have earned $100,000." It's not just pie-in-the-sky research, either. A researcher who wants to claim this bounty must supply a working proof-of-concept program that demonstrates the exploitation technique.
"There were only three ways an organization could learn about these attacks in the past," noted Moussouris. "First, our internal researchers would come up with something. Second, it would appear in an exploitation contest like Pwn2Own. Third, and worst, it would surface in an active attack." She explained that the current bounty program is available year-round, not just at a competition. "If you're a researcher who wants to play nice, who wants to protect people, there's a bounty available now. You do not have to wait."
And the Winner Is...
Moussouris estimates that discoveries big enough to merit a bounty only happen every three years or so. Her team was surprised and pleased to find a worthy recipient just three months after the bounty program began. James Forshaw, Head of Vulnerability Research for UK-based Context Information Security, becomes the first to receive the Mitigation Bypass Bounty.
In an email to SecurityWatch, Forshaw had this to say: "Microsoft's Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count." Forshaw continued, "To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful."
As for exactly what Forshaw discovered, that won't be revealed right away. The whole point is to give Microsoft time to set up defenses before the bad guys make the same discovery, after all!

How NSA tries to compromise Tor anonymity. Tor Stinks document

A top-secret presentation titled ‘Tor Stinks’, leaked by Snowden, shows the techniques the NSA has implemented to undermine Tor anonymity through manual analysis.

Tor anonymity has been debated many times; according to most security experts it was one of the most secure ways to stay online, away from prying eyes and government surveillance.

Recently a series of events has completely changed this conviction. Last year groups of researchers demonstrated the possibility of tracking users even on Tor networks: thanks to a technique dubbed the traffic correlation attack it is possible to break Tor anonymity. A few weeks ago the news spread that law enforcement had been able to discover a Tor user's identity by exploiting a flaw in the Firefox browser.
In the last month the Tor network has also lost a couple of its most popular entities: the Freedom Hosting service and the Silk Road illegal marketplace were shut down by the FBI, circumstances that suggest the U.S. authorities have found a way to track criminals (or have simply decided to apply it) even when they are protected by Tor anonymity.

Yesterday Edward Snowden released a new intriguing classified NSA document, titled ‘Tor Stinks’, in which the intelligence agency admits to being able to de-anonymize a small fraction of Tor users manually.
"We will never be able to de-anonymize all Tor users all the time", but "with manual analysis we can de-anonymize a very small fraction of Tor users".
The document also reveals that the NSA was working to degrade the user experience in order to dissuade people from using the Tor browser.
The NSA strategy relies on the following principles to undermine Tor anonymity.

  • Infiltrating the Tor network by running its own Tor nodes. Both the NSA and GCHQ run Tor nodes to track traffic back to a specific user; the method is based on reconstructing the circuit from knowledge of the entry, relay and exit nodes between the user and the destination website.
  • Exploiting a zero-day vulnerability in the Firefox browser bundled with Tor; with this technique the NSA was able to obtain the user's IP address. This is how the FBI arrested the owner of the Freedom Hosting service provider, accused of aiding and abetting child pornography.
  • The NSA also uses web cookies to track Tor users widely; the technique is effective against the Tor Browser as well. The cookies are used to analyse the user's activity on the Internet: the intelligence agency owned or controlled a series of websites that were able to read the cookies last stored by the browser on the victim's machine, and with this technique the agency collects user data including the IP address. Of course expert users can avoid this type of control in numerous ways, for example by using a dedicated browser exclusively for Tor navigation, by using only the official preconfigured Tor bundle, or by properly managing the cookies stored on their machine. Unfortunately the surveillance methods appeared effective against a huge number of individuals. I always suggest using a virtual machine with a live OS to protect your Tor anonymity; this way cache and cookies will be lost once the machine is shut down. Documents leaked by Snowden show that the NSA is using online advertisements, i.e. Google Ads, to make its tracking sites popular on the Internet.
The concerning aspect of the story is that other governments could use similar techniques to monitor Tor networks; think of countries such as China, Iran and Syria, where censorship is very strong.
The good news is that despite their efforts, intelligence agencies are not able to compromise Tor anonymity for the entire network ... maybe.

Hacking A…Toilet

Go ahead and add toilets to the increasingly long list of hackable consumer devices we’ve been compiling here on the Kaspersky Daily.
In fact, one of the researchers at this year’s Black Hat security conference touched on the subject briefly in a press conference at the event. While I would have loved to have written about it at the time, I ultimately decided to focus on more impactful stuff, but I made a mental note and promised myself that I would come back to it.
Some researchers from Trustwave, an application security firm, issued a security advisory back in August, warning users that the SATIS smart toilet Android application contained a hard-coded Bluetooth verification pin. The pin is “0000,” and entering it could allow an attacker within Bluetooth range to manipulate some of the toilet’s features. Once that pin is entered, one Android device can communicate via Bluetooth with any number of Satis smart toilets in range.
In brief, owners of these smart toilets are exposing themselves to serious practical joke- and unfortunate accident-related risks.
It’s not exactly hacking an insulin pump or a car, but a remotely triggered toilet malfunction sounds pretty awful to me.
More specifically, an attacker, if one ever desired to do so, could install the “My Satis” app, enter the Bluetooth pin, pair their device with however many Satis smart toilets are within range (and let’s be honest: if you have one smart toilet, you have multiple smart toilets), and launch a handful of attacks ranging from the marginally troubling to the outright devastating. The attacker could – in Trustwave’s words – “cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner.”
More concerning yet (at least to me), an attacker could compel the Satis smart toilet’s lid to open and close or even activate the bidet or air-dry functionalities – again, in Trustwave’s words – “causing discomfort or distress to user.”
I am not sure what you can do to protect yourself on this one. It appears that the company that develops the Satis smart toilet, LIXIL, has not yet fixed this bug. I guess you could send them a barrage of emails demanding they do so; that’s one option. These toilets also have a thing called “pairing mode”, apparently. The guys at Trustwave say that the hard-coded pin and the Android app will only work if the toilets have this “pairing mode” feature enabled. They say you could still cause a toilet to pair with an Android device even if pairing mode is off, but this would only be possible “by observing Bluetooth traffic to learn the toilet’s hardware address and pair with the toilet,” and that sounds pretty complicated. So, on one hand, it’s probably a pretty good idea to turn off pairing mode, but, on the other hand, what is the point of owning a smart toilet if you can’t send it commands from your mobile device? It’s a complicated world…
I can’t say for certain, there are a lot of strange people out there after all, but I have to think most Satis users will be safe from these attacks – given there aren’t too many pranksters in the house. There isn’t much monetary incentive to turn on the bidet when someone is using the toilet. The hard reality here is that Satis users are just going to have to live with the fact that multiple Android devices can communicate with a single toilet, allowing pretty much anyone within range to accidentally (or not-so-accidentally) initiate one of the toilet’s features through the My Satis app on his or her Android device.

Gameover trojan hides in SSL

Saboteurs spreading the Gameover banking trojan are using an encrypted secure sockets layer connection to remain undetected and have infected at least a quarter of a million machines.
Researchers at Dell SecureWorks Counter Threat Unit (CTU) detailed attackers' latest schemes to spread the financial malware in a blog post published last Friday.
According to the team, Gameover operators are delivering downloader malware called "Upatre" to victims via spam, then having the downloader retrieve the Gameover payload from infected websites hosting the malware.
Instead of receiving instructions from an attacker-operated command-and-control server, the Upatre downloader uses an encrypted SSL connection to download malware directly from compromised web servers.
The spam is sent via the infamous Cutwail botnet and is designed to look like official correspondence from banks and government agencies.
“The [Upatre] downloader has a small file size and is extremely simple, implementing its functionality entirely in a single function,” the blog post said. “It downloads and executes a file from a hard-coded URL over an encrypted secure sockets layer (SSL) connection from a compromised web server and then exits.”
Gameover carries out many of the standard malicious capabilities of Zeus trojans, like logging victims' keystrokes to steal banking credentials, but has also been packaged with malicious functions that allow it to launch distributed denial-of-service (DDoS) attacks against financial institutions.
In the blog post, Dell SecureWorks included a list of more than 20 websites that had been compromised to host Gameover.
SecureWorks malware technical director Jason Milletary said the process was another way for the Gameover operators to obscure their fraudulent activities.
“It makes it more difficult to detect and block [malicious] traffic on the network, because it's all occurring on the SSL encryption,” Milletary said.
In addition to educating staff on phishing tactics employed by miscreants, Dell SecureWorks advised that organizations consider blocking executable file types and implement solutions that detect incoming malicious emails.
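A mail-gateway check of the kind Dell SecureWorks recommends above, as an added example written for this page (not SecureWorks' or Dell's code): it flags attachments that are Windows executables either by extension or by the PE “MZ” signature, and it looks inside zip archives, since an executable renamed to look like a document and wrapped in an archive is a common way to slip a downloader past an extension-only filter. The message, the addresses and the file names are constructed for the demo and resemble the bank-themed lure the article describes only in spirit.

```python
"""Flag executable attachments, including executables hidden inside zip archives."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when double-clicked (non-exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"            # DOS/PE header signature at offset 0
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a non-empty zip archive

def is_executable(name, data):
    """Extension check plus content sniff, so a renamed .exe is still caught."""
    lowered = (name or "").lower()
    if any(lowered.endswith(ext) for ext in EXEC_EXTENSIONS):
        return True
    return data[:2] == PE_MAGIC

def suspicious_attachments(raw_message):
    """Return attachment names that are executables; zip members are reported as 'archive/member'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            findings.append(name)
        elif data[:4] == ZIP_MAGIC:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for info in archive.infolist():
                        if info.is_dir():
                            continue
                        with archive.open(info) as member:
                            head = member.read(2)      # only the magic bytes are needed
                        if is_executable(info.filename, head):
                            findings.append(f"{name}/{info.filename}")
            except zipfile.BadZipFile:
                findings.append(f"{name}/<unreadable archive>")
    return findings

def build_sample_message():
    """Constructed sample: a 'statement' zip whose member is a PE file wearing a .pdf name."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as archive:
        archive.writestr("statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)   # PE header bytes, renamed
        archive.writestr("readme.txt", b"please see the attached statement")
    msg = EmailMessage()
    msg["From"] = "notices@bank.example"        # constructed sender
    msg["To"] = "staff@corp.example"            # constructed recipient
    msg["Subject"] = "Your statement"
    msg.set_content("Please review the attached statement.")
    msg.add_attachment(payload.getvalue(), maintype="application", subtype="zip",
                       filename="statement.zip")
    msg.add_attachment(b"%PDF-1.4 harmless sample", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(suspicious_attachments(build_sample_message()))
```

Run against the constructed message, `suspicious_attachments` reports only `statement.zip/statement.pdf`: the genuine PDF passes, the zip itself is not an executable, but the renamed PE inside it is caught by its header bytes rather than its name. Blocking on that result at the gateway is the “block executable file types” control from the article; a signed-message or allow-list exception can be layered on for business partners that legitimately exchange archives.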