Friday, January 3, 2014

Unencrypted Windows crash reports give 'significant advantage' to hackers, spies

Computerworld - Windows' error- and crash-reporting system sends a wealth of data unencrypted and in the clear, information that eavesdropping hackers or state security agencies can use to refine and pinpoint their attacks, a researcher said today.

Not coincidentally, over the weekend the popular German newsmagazine Der Spiegel reported that the U.S. National Security Agency (NSA) collects Windows crash reports from its global wiretaps to sniff out details of targeted PCs, including the installed software and operating systems, down to the version numbers and whether the programs or OSes have been patched; application and operating system crashes that signal vulnerabilities that could be exploited with malware; and even the devices and peripherals that have been plugged into the computers.

"This information would definitely give an attacker a significant advantage. It would give them a blueprint of the [targeted] network," said Alex Watson, director of threat research at Websense, which on Sunday published preliminary findings of its Windows error-reporting investigation. Watson will present Websense's discovery in more detail at the RSA Conference in San Francisco on Feb. 24.

Sniffing crash reports using low-volume "man-in-the-middle" methods -- the classic is a rogue Wi-Fi hotspot in a public place -- wouldn't deliver enough information to be valuable, said Watson, but a wiretap at the ISP level, the kind the NSA is alleged to have in place around the world, would.

"At the [intelligence] agency level, where they can spend the time to collect information on billions of PCs, this is an incredible tool," said Watson.

And it's not difficult to obtain the information.

Microsoft does not encrypt the initial crash reports, said Watson; that includes both the reports that prompt the user before they're sent and those that are sent silently. Instead, they're transmitted to Microsoft's servers "in the clear," over standard HTTP connections.

If a hacker or intelligence agency can insert themselves into the traffic stream, they can pluck out the crash reports for analysis without worrying about having to crack encryption.

And the reports from what Microsoft calls "Windows Error Reporting" (ERS), but which is also known as "Dr. Watson," contain a wealth of information on the specific PC.

When a device is plugged into a Windows PC's USB port, for example -- say an iPhone to sync it with iTunes -- an automatic report is sent to Microsoft that contains the device identifier and manufacturer, the Windows version, the maker and model of the PC, the version of the system's BIOS and a unique machine identifier.

By comparing the data with publicly-available databases of device and PC IDs, Websense was able to establish that an iPhone 5 had been plugged into a Sony Vaio notebook, and even nail the latter's machine ID.

If hackers are looking for systems running outdated, and thus vulnerable, versions of Windows -- XP SP2, for example -- the in-the-clear reports will show which ones have not been updated.
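For a defender, the practical question raised by this report is whether any of your own machines are still uploading crash reports over plain HTTP, which a proxy or egress log will show. The following is an added example (not code from the article or from Websense) that scans constructed proxy log lines and flags uploads to the crash-report endpoint that were not tunnelled over TLS. The log format and the hostname list are assumptions: watson.microsoft.com is the long-standing WER upload host, but treat the list as a configurable allowlist you extend from your own proxy data rather than as an authoritative inventory.

```python
"""Flag Windows Error Reporting uploads that leave the network over plain HTTP.

Added example, not from the article.  The log format below is constructed and
the hostname list is an assumption to be tuned against real proxy data.
"""
import re
from collections import Counter

# Hostnames used by WER uploads (assumption; extend from your own egress logs).
WER_HOSTS = ("watson.microsoft.com",)

# Constructed proxy log lines: "<client> <method> <target>".  CONNECT lines are
# TLS tunnels; absolute http:// URLs are requests the proxy could read in full.
SAMPLE_LOG = """\
10.0.0.12 POST http://watson.microsoft.com/upload
10.0.0.12 GET http://www.example.com/index.html
10.0.0.31 CONNECT watson.microsoft.com:443
10.0.0.44 POST http://watson.microsoft.com:80/upload
10.0.0.44 GET https://login.example.net/
not a log line
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)$")
URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)", re.IGNORECASE)


def parse_line(line):
    """Return {'client', 'method', 'target'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(method, target):
    """Extract the destination host from a CONNECT target or an absolute URL."""
    if method == "CONNECT":
        return target.split(":", 1)[0].lower()
    m = URL_RE.match(target)
    return m.group("host").lower() if m else None


def scheme_of(method, target):
    """'https' for TLS tunnels and https:// URLs, 'http' for cleartext requests."""
    if method == "CONNECT":
        return "https"
    m = URL_RE.match(target)
    return m.group("scheme").lower() if m else None


def is_wer_host(host):
    return any(host == h or host.endswith("." + h) for h in WER_HOSTS)


def find_cleartext_wer(log_text):
    """Return (client, host) pairs for crash-report uploads sent without TLS."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["method"], rec["target"])
        if host is None or not is_wer_host(host):
            continue
        if scheme_of(rec["method"], rec["target"]) == "http":
            findings.append((rec["client"], host))
    return findings


def clients_by_count(findings):
    """Count cleartext uploads per client so the noisiest machines surface first."""
    return Counter(client for client, _ in findings)


if __name__ == "__main__":
    hits = find_cleartext_wer(SAMPLE_LOG)
    for client, host in hits:
        print(f"cleartext crash report: {client} -> {host}")
    print(dict(clients_by_count(hits)))
```

Machines that show up here are the ones whose installed-software inventory, BIOS version and attached devices are readable by anyone on the path; the fix is on the endpoint (moving those machines to a Windows version whose error reporting uses TLS, or disabling reporting by policy where that is not possible), and this scan tells you which endpoints to start with.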


View the original article here

7 sneak attacks used by today's most devious hackers

InfoWorld - Millions of pieces of malware and thousands of malicious hacker gangs roam today's online world preying on easy dupes. Reusing the same tactics that have worked for years, if not decades, they do nothing new or interesting in exploiting our laziness, lapses in judgment, or plain idiocy.

But each year antimalware researchers come across a few techniques that raise eyebrows. Used by malware or hackers, these inspired techniques stretch the boundaries of malicious hacking. Think of them as innovations in deviance. Like anything innovative, many are a measure of simplicity.

Take the 1990s Microsoft Excel macro virus that silently, randomly replaced zeros with capital O's in spreadsheets, immediately transforming numbers into text labels with a value of zero -- changes that went, for the most part, undetected until well after backup systems contained nothing but bad data.

Today's most ingenious malware and hackers are just as stealthy and conniving. Here are some of the latest techniques of note that have piqued my interest as a security researcher and the lessons learned. Some stand on the shoulders of past malicious innovators, but all are very much in vogue today as ways to rip off even the savviest users.

Stealth attack No. 1: Fake wireless access points

No hack is easier to accomplish than a fake WAP (wireless access point). Anyone using a bit of software and a wireless network card can advertise their computer as an available WAP that is then connected to the real, legitimate WAP in a public location.

Think of all the times you -- or your users -- have gone to the local coffee shop, airport, or public gathering place and connected to the "free wireless" network. Hackers at Starbucks who call their fake WAP "Starbucks Wireless Network" or at the Atlanta airport call it "Atlanta Airport Free Wireless" have all sorts of people connecting to their computer in minutes. The hackers can then sniff unprotected data from the data streams sent between the unwitting victims and their intended remote hosts. You'd be surprised how much data, even passwords, are still sent in clear text.

The more nefarious hackers will ask their victims to create a new access account to use their WAP. These users will more than likely use a common log-on name or one of their email addresses, along with a password they use elsewhere. The WAP hacker can then try using the same log-on credentials on popular websites -- Facebook, Twitter, Amazon, iTunes, and so on -- and the victims will never know how it happened.

Lesson: You can't trust public wireless access points. Always protect confidential information sent over a wireless network. Consider using a VPN connection, which protects all your communications, and don't recycle passwords between public and private sites.

Stealth attack No. 2: Cookie theft

Browser cookies are a wonderful invention that preserves "state" when a user navigates a website. These little text files, sent to our machines by a website, help the website or service track us across our visit, or over multiple visits, enabling us to more easily purchase jeans, for example. What's not to like?

Answer: When a hacker steals our cookies, and by virtue of doing so, becomes us -- an increasingly frequent occurrence these days. Rather, they become authenticated to our websites as if they were us and had supplied a valid log-on name and password.

Sure, cookie theft has been around since the invention of the Web, but these days tools make the process as easy as click, click, click. Firesheep, for example, is a Firefox browser add-on that allows people to steal unprotected cookies from others. When used with a fake WAP or on a shared public network, cookie hijacking can be quite successful. Firesheep will show all the names and locations of the cookies it is finding, and with a simple click of the mouse, the hacker can take over the session (see the Codebutler blog for an example of how easy it is to use Firesheep).

Worse, hackers can now steal even SSL/TLS-protected cookies and sniff them out of thin air. In September 2011, an attack labeled "BEAST" by its creators proved that even SSL/TLS-protected cookies can be obtained. Further improvements and refinements this year, including the well-named CRIME, have made stealing and reusing encrypted cookies even easier.

With each released cookie attack, websites and application developers are told how to protect their users. Sometimes the answer is to use the latest crypto cipher; other times it is to disable some obscure feature that most people don't use. The key is that all Web developers must use secure development techniques to reduce cookie theft. If your website hasn't updated its encryption protection in a few years, you're probably at risk.

Lessons: Even encrypted cookies can be stolen. Connect to websites that utilize secure development techniques and the latest crypto. Your HTTPS websites should be using the latest crypto, including TLS Version 1.2.
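The "secure development techniques" the lesson calls for are concrete and checkable from the response headers alone: a session cookie must carry the Secure flag (so it is never sent over the plain-HTTP connection a rogue hotspot can read), HttpOnly (so script cannot read it), and the site should send Strict-Transport-Security so browsers stop trying http:// at all. The following is an added example, not code from the article, that audits a constructed HTTP response for those protections and shows the hardened form beside the weak one. It goes slightly beyond the article by also checking the SameSite attribute, which did not exist when the piece was written but is now part of the same baseline.

```python
"""Audit Set-Cookie and HSTS headers for the protections that limit cookie theft.

Added example, not from the article.  Both responses below are constructed.
"""


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_cookie(attrs):
    """Return a list of missing protections for one cookie's attributes."""
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: sent over plain HTTP, readable on an untrusted network")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: readable by page script")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        issues.append("missing SameSite=Lax/Strict: attached to cross-site requests")
    return issues


def audit_response(headers):
    """headers: list of (name, value) tuples.  Returns {cookie_or_'_hsts': [issues]}."""
    report = {}
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    if not has_hsts:
        report["_hsts"] = ["no Strict-Transport-Security: browsers may still try http://"]
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        issues = audit_cookie(attrs)
        if issues:
            report[cookie] = issues
    return report


# Constructed weak response: session cookie with no flags, no HSTS.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

# Constructed hardened response: same cookie with the flags the audit expects.
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(hdrs) or "no issues")
```

Run the audit against your own site's responses (every path that sets a cookie, not just the login page): a session cookie that fails it is exactly the kind Firesheep picked up on shared networks, and the flags cost nothing to add.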

Stealth attack No. 3: File name tricks

Hackers have been using file name tricks to get us to execute malicious code since the beginning of malware. Early examples included naming the file something that would encourage unsuspecting victims to click on it (like AnnaKournikovaNudePics) and using multiple file extensions (such as AnnaKournikovaNudePics.Zip.exe). To this day, Microsoft Windows and other operating systems readily hide "well known" file extensions, which will make AnnaKournikovaNudePics.Gif.Exe look like AnnaKournikovaNudePics.Gif.

Years ago, malware virus programs known as "twins," "spawners," or "companion viruses" relied on a little-known feature of Microsoft Windows/DOS, where even if you typed in the file name Start.exe, Windows would look for and, if found, execute Start.com instead. Companion viruses would look for all the .exe files on your hard drive, and create a virus with the same name as the EXE, but with the file extension .com. This has long since been fixed by Microsoft, but its discovery and exploitation by early hackers laid the groundwork for inventive ways to hide viruses that continue to evolve today.
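Both tricks in this section are cheap to detect from a file listing before anything is opened: a double extension whose final part is executable but whose visible part looks like media or a document, and a .com file whose stem matches an .exe in the same directory (the companion-virus pattern). The following is an added example, not code from the article, that scans a constructed listing for both and also shows what a user with "hide known extensions" enabled would have seen. The extension sets are assumptions a mail gateway or file-share scanner would tune to its environment.

```python
"""Flag disguised executables and .exe/.com companion pairs in a file listing.

Added example, not from the article.  The listing is constructed and the
extension sets are assumptions to tune for your environment.
"""
import os

# Extensions Windows will execute directly (assumption; extend as needed).
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions an attacker uses as the visible decoy (assumption).
DECOY_EXT = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".txt", ".zip", ".mp3"}


def split_extensions(filename):
    """'vacation.Jpg.EXE' -> ['.jpg', '.exe'] (lower-cased, in order)."""
    parts = filename.split(".")
    return ["." + p.lower() for p in parts[1:]]


def displayed_name(filename):
    """What Explorer shows with 'hide known extensions' on: the last extension is dropped."""
    exts = split_extensions(filename)
    if exts and exts[-1] in EXEC_EXT | DECOY_EXT:
        return filename.rsplit(".", 1)[0]
    return filename


def is_disguised_executable(filename):
    """True when the real (last) extension is executable and the visible one is a decoy."""
    exts = split_extensions(filename)
    if len(exts) < 2 or exts[-1] not in EXEC_EXT:
        return False
    return exts[-2] in DECOY_EXT


def companion_pairs(listing):
    """Stems that have both a .com and an .exe; DOS-era lookup ran the .com first."""
    by_stem = {}
    for name in listing:
        stem, ext = os.path.splitext(name.lower())
        by_stem.setdefault(stem, set()).add(ext)
    return sorted(stem + ".com" for stem, exts in by_stem.items()
                  if {".com", ".exe"} <= exts)


def scan_listing(listing):
    """Return both findings for a directory listing (list of file names)."""
    return {
        "disguised": [n for n in listing if is_disguised_executable(n)],
        "companions": companion_pairs(listing),
    }


# Constructed listing mixing benign files with both tricks.
SAMPLE_LISTING = [
    "vacation.jpg.exe",
    "invoice.pdf",
    "Start.exe",
    "start.com",
    "notes.txt",
    "setup.exe",
    "archive.zip.scr",
]


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(f"{name:20s} shown as {displayed_name(name)}")
    print(scan_listing(SAMPLE_LISTING))
```

The displayed_name output is the point to show users: "vacation.jpg.exe" appears as "vacation.jpg", which is why turning extension hiding off by policy is a cheap control, and why a scanner should judge the file by its last extension rather than the one a person sees.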


View the original article here

As Twitter hires, HP fires

Computerworld - With the attention given to Twitter's IPO, one might assume that the tech industry is dependent on its success. It isn't. Not even close.

For sure, Twitter's initial public offering in November made some people awfully rich -- the social networking company's market capitalization now ranges near $35 billion and its shares trade at around $65 apiece, more than double the share price of Hewlett-Packard stock.

At best, though, Twitter is likely to remain a mid-sized employer unless it buys a television network with its eventual cash.

Twitter, according to its IPO filing, has about 2,000 employees, and a long list of job openings. Perhaps, in time, it may equal Facebook's current workforce of 5,800.

As HP cuts, who is hiring?

Headcount data is from annual reports and represents global headcounts, unless otherwise noted. Few tech firms break out domestic versus overseas hiring. Apple data does not include 3,100 full-time equivalent workers in 2008, 2,800 in 2010 and 4,100 in 2013. About 42,800 of Apple's 2013 employees work in the company's Retail segment. Google 2012 figures include 12,433 from Motorola Mobile and 4,995 from Motorola Home. Google sold Motorola Home in 2012, reducing its overall headcount. HP 2008 figures include its EDS acquisition. Microsoft data includes 35,000 international in 2010 and 41,000 international in 2013.

The point of showing the Twitter and Facebook employment numbers is to create scale for HP's just announced layoff of 5,000 workers. Relative to HP's total workforce of 317,000, the cut amounts to just 1.5%, but compared to the amount of hiring now underway at Web-based firms, it's a significant hit to tech employment overall.

The question now for HP is whether it can adapt to overcome slowdowns in the PC, server and printer businesses and resume its revenue growth. If it succeeds at that, HP could add jobs by the thousands and at a speed that would take a Web-based firm years to achieve. On the other hand, it could also shed jobs by the thousands if it fails.

This latest HP layoff plan, detailed in a Securities and Exchange Commission filing last week, is on top of 29,000 job cuts previously announced by HP CEO Meg Whitman. HP doesn't break out hiring and firing by region, so it's not known how many U.S. workers are affected.

HP's importance to employment goes well beyond its own payroll.

There are thousands of HP-related jobs at resellers, consulting and professional services firms. Many IT professionals have invested careers in HP-specific technology certifications and training, and HP systems can be found in most Fortune 1000 firms.

At this stage, analysts aren't predicting any specific long-term outcome for HP. They do see a company being hit by some significant changes in the use of devices ranging from PCs to tablets, and in data centers where users are moving more workloads to the cloud.

HP is "getting rid of redundant employees left over from acquisitions and shifting to more of a software focus and adjusting for market changes," said Rob Enderle, principal analyst, Enderle Group, citing printer sales in particular.


View the original article here

Why one company declined cloud-based 'crisis communications system'

Network World - Cloud-based services are still often seen as too risky for sensitive information. Take the case at Kingsport, Tenn.-based Eastman Chemical Company, which said "no" to the cloud when designing its new crisis communications system.

In its emergency communications system, Eastman Chemical Company said no to the cloud.

Eastman Chemical, which operates chemical manufacturing facilities, decided to put in a new messaging system for interactive early warning notifications to thousands of employees in the event of any kind of emergency. They wanted one that would be IP-based with integration with Microsoft Lync VoIP, Eastman’s Active Directory as well as its legacy corporate pagers and radio systems. They could have chosen a cloud-based option from the vendor they selected, AtHoc. But it was decided the data Eastman Chemical might be sharing from its dispatch center was simply too sensitive to consider using a cloud-based service.


"Eastman retains all messages on the Eastman network," says Keith Bennett, area supervisor, plant protection services, emphasizing that no emergency notification message is allowed to leave the Eastman corporate network, even though a cloud-based notification service for this was possible through AtHoc.



Through the customized crisis communications system, a central dispatch system is functioning around the clock in order to direct a range of notifications to individual computers, VoIP phones, texting, RSS feeds, as well as e-mail, phones, pagers and two-way radios.


The kind of information that could be sent to thousands of Eastman employees via the IP-based live response system might pertain to anything from tornadoes, fire, medical and chemical safety to possible terrorism. It’s tailored to send messages to appropriate individuals via VoIP phones, mobile devices and computer pop-ups, allowing them to respond about safety status. “We needed to take advantage of new technologies but we use legacy radios and pagers," Bennett points out.


Because it’s considered “operations critical” messaging, Eastman decided that this was all too sensitive to permit the information to travel outside its private network and into the cloud; it was a requirement that AtHoc build the system for Eastman to keep it closed in that way.


Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com



Windows 8 regains uptake mojo, XP restarts death slide

Computerworld - Windows 8 surged in December to end the year with almost 12% of the user share of all Windows personal computers, while the destined-for-retirement Windows XP restarted its decline after a two-month pause, a Web analytics company said Thursday.

Both were good signs for Microsoft, which has bet its future on Windows 8 and implored customers to abandon the aged Windows XP.

According to Net Applications, Windows XP fell 2.2 percentage points in December to 29% of all desktop and notebook computers worldwide, the first time it breached that 30-percent barrier. But the 12-year-old operating system still accounted for nearly a third -- 32% -- of Windows-powered PCs.

Meanwhile, Windows 8's and 8.1's combined user share of all computers reached 10.5%. Of the systems running Microsoft's OS, Windows 8/8.1 owned a user share of 11.6%.

Both operating systems had taken a break in October and November from earlier trends: Windows XP's gradual decline and Windows 8's deliberate growth.

Their December changes were the largest since September, Net Applications data showed.

The gain by Windows 8 and 8.1 was likely due to new PC purchases in the last month of 2013: Most consumer systems come equipped with the newest version, Windows 8.1, which accounted for 34% of the combined total, up from November's 28%.

Windows 8's increase put some more distance between it and Windows Vista, the 2007 OS bust: The gap between it and Windows 8 increased by seven-tenths of a percentage point in December.

But Windows 8 remained far behind Windows 7's adoption. Fourteen months after its debut, Windows 7 powered 23.1% of all Windows systems, nearly twice that of Windows 8. In fact, Windows 7 grew its user share last month, adding nine-tenths of a percentage point to end December at 47.5% of all computer operating systems, and at 52.4% of those running a flavor of Windows. Both were records for the 2009 operating system, hinting that it will remain a standard for years to come.

The decline in Windows XP may have contributed to the increase of Windows 7 as well as Windows 8 and 8.1, as some users migrated from the 2001 OS to Windows 7 as a way to forestall trying the radically-redesigned Windows 8. Most businesses, analysts have said, will stick with Windows 7 as long as possible rather than incur the costs of another migration.

Microsoft must be smiling at the revival of Windows XP's downturn: The company has been aggressive in its efforts to convince customers to ditch Windows XP before it's retired from security support on April 8, 2014. For the most part, those messages have been received, even if Microsoft would prefer a faster rate of desertion: In the last 12 months, XP's user share has dropped 10 percentage points, representing a 26% decline.

Using XP's average changes over the last 12 months, Computerworld now forecasts that Windows XP will power between 25% and 26% of all personal computers at the end of April.

Net Applications measures operating system user share by tracking unique visitors to approximately 40,000 sites that rely on its analytics software.


View the original article here

Undaunted by major Snapchat leak, Stanford marching band pays homage to homegrown app at Rose Bowl

Network World - The Stanford marching band, known for its creative and sometimes controversial musical extravaganzas, geeked out during halftime of the 100th Rose Bowl football game on New Year’s Day by collectively forming themselves into the ghostly shape of the Snapchat logo on the field.

Photo-sharing app Snapchat, which was started by a pair of Stanford students in 2011, boasts a friendly ghost called “Ghostface Chillah” as its logo. But the spookiest thing about Snapchat this week was the revelation of a major leak of the iPhone/Android program by a computer security group, which said the phone numbers and user names of 4.6 million users were exposed.

The security hole is a big blow to Snapchat, for discretion and privacy have been big selling points. It has gained popularity because of users’ ability to share photos that are only visible for a few seconds to specific recipients.

The Stanford marching band’s tribute to the Snapchat logo seemed to baffle the game’s halftime commentators on TV, and also probably puzzled many in the audience. As one woman tweeted:

One recent validation of Snapchat’s popularity was reports that the company turned down a $3 billion buyout offer from Facebook, which is said to be losing some users to the service, along with other social offerings such as Twitter and Instagram.

It appears, though, that Snapchat is not all-powerful: Even its logo’s appearance at halftime of the Rose Bowl game couldn’t help Stanford beat Michigan State, much to the delight of some:


Virtualization, security advances on tap for ADCs

Network World - The application delivery controller has been more than a simple accelerator and load balancer for some time now, becoming an increasingly important component of enterprise network infrastructures over the past couple of years.

This growth in importance is illustrated by a recent Infonetics research study, which found that ADC revenues in the second quarter grew by 4% year over year, while WAN optimization, a related network management technology, saw an 11% decline over the same period.

As 2014 kicks off, two of the main issues for the growing ADC market are security and virtualization – the technology has several features that have implications for denial-of-service protection, and the trend toward SDN and network virtualization has many people looking for software-only application delivery.

But the technology isn’t going to turn into a cloudified, all-inclusive network management panacea overnight – experts say there is still some way to go.

F5 Director of Technical Marketing Alan Murphy says that modern ADCs are a natural fit for the security role, particularly in light of the fact that most of today’s denial-of-service attacks target the application layer to begin with.

“The network tools that protect network perimeters from security attacks are great at network-level stuff – knowing what IP address it’s coming from, going to, source, and then protocol,” he says. “But once the attacker moves over to the application, manipulating what’s going on over the protocol … issuing a million DNS requests, for example – that’s going over the network, but the attack is actually against the DNS application infrastructure.”

ADCs, adds F5 Senior Product Marketing Manager Lori MacVittie, are better-suited than traditional firewalls to identify and defend against this type of attack, particularly where detection and classification are concerned.

“As we continue to evolve into the next year, it really becomes more important to start analyzing the behavior of the interaction with the application, and that’s something that application delivery is well-suited to do,” she says.

So will 2014 be the year to ditch your enterprise firewall and entrust everything to the ADC? Not entirely. Citrix Senior Product Management Director Steve Shah acknowledges that the issue is a hot one in the ADC market.

“Right now, the ADC landscape is getting a little conflated with the whole firewall landscape,” he says. “Do ADCs take on firewall responsibilities or don’t they? Or do we maintain separation of responsibilities? And this is where I actually believe that [in] 2014, we’re going to see further clarification of that, and I believe that separation of duties is going to win out here.”


View the original article here