Wednesday, April 30, 2014

Fire Sale threat from XP, Heartbleed & IE bugs

Only weeks after the Heartbleed bug was disclosed and Microsoft ended support for Windows XP, another major security issue has been revealed which may further compound problems for Internet users. The issue is serious enough that some have suggested these security holes could allow hackers to initiate a 'Fire Sale' style cyberattack.

Microsoft security holes

On Saturday 26th April Microsoft reported that a security hole existed in all versions of Internet Explorer from version 6 through to 11. The issue has been deemed so serious that the US and UK governments issued an unprecedented advisory recommending that people avoid using the browser until the hole is patched and instead use Google Chrome, Mozilla Firefox or Apple's Safari [Daily Mail / Washington Post / CNET].

Microsoft said it was already aware of "limited, targeted attacks" exploiting the flaw, which allows an attacker who lures a user to a specially crafted web page to run code with the same rights as that user [BBC]. That is enough to obtain passwords, remove or siphon off user data, install malware or enlist the PC into a botnet.

The discovery is significant given the huge number of people still using the browser. Estimates for Internet Explorer's overall market share range from 27.4% to 54.13%, depending on who is counting, as of October 2012.

No support for XP

The discovery is all the more worrying given the vulnerability appears to have been present for well over a decade, since it exists in version 6 of the browser, released in 2001. Furthermore, whilst Microsoft will eventually issue a patch, a great many users will not receive it. Anyone still using Windows XP no longer receives support for their operating system, and that includes security updates for Microsoft products such as Internet Explorer.

Again estimates vary, but a significant number of people continue to use Windows XP. The operating system, originally released in 2001, is still used by many government organisations that have failed to upgrade, often because of the cost involved. Windows XP also runs on many ATMs; while those could also be vulnerable to hackers, most sit on closed networks [ZDNet / Bloomberg / ZDNet].

China threat

While individual users can mitigate the risk by using a different browser and operating system, the wider risk comes from those who fail to update their systems. China in particular is a case in point. Windows XP is estimated to run on almost 70% of China's computers, compared with around 27% across the rest of the world. And while some security firms such as Qihoo 360 have taken on the task of patching XP users' machines, not everybody will receive updates [CIO / EcumenicalNews].

Windows XP users in China must of course have a legitimate copy to take full advantage of Windows Update. However many of China's computer users do not have legitimate copies, and there is a poor understanding of the importance of updating operating systems and software. According to Microsoft 90% of its software used in China, including Windows XP, is pirated, meaning many of those computers have never been updated and are ripe for exploitation [Engadget].

As such millions of computers in China could be taken over and used for malicious purposes. According to one top white-hat hacker, James Forshaw, a vulnerability researcher at Context Information Security, unsupported Windows XP machines in China could pose a threat to the Internet in general if bot-herders round up significant numbers of them to use as launch pads for attacks [NetworkWorld]. This could spell disaster for millions of people, not only in China but around the world.

Security

The problem lies in the fact that most people do not take computer and Internet security seriously enough. While one individual may add layers of security, such as installing operating system updates promptly, running anti-virus software such as Norton or McAfee, and using a password manager, many others, in both professional and non-professional settings, do not.

Thus data shared between two people might not be secure if the other party has failed to take care of their own security. Even if you don't do Internet banking, the data held on social networking sites can still be useful to criminals. And while one individual might keep their password safe and secure, another user and 'friend' might not. Following Heartbleed many people failed to change their passwords for affected services, which included Facebook amongst others. A hacker who had exploited the Heartbleed bug against such a service could therefore still hold working credentials, and use that access to mount phishing attacks or sift for information about the account holder's contacts.

Patching holes

More worrying is where banking or financial institutions continue to use systems that are vulnerable. For example there are suggestions that running Windows XP can put SOX, HIPAA and payment card (PCI DSS) compliance at risk [NetworkWorld].

Some firms and governments have paid Microsoft for continued updates. The British government, for example, has paid the software giant £5.5 million for one more year of support [Guardian / Telegraph]. The Dutch government has also paid Microsoft to keep its systems updated [ZDNet]. However these measures are merely a stop-gap and will not address the issue in the long term.

Lack of information

Indeed publicity and public understanding of a security threat can be a major factor in mitigating it. Given the number of people potentially affected by the end of support for Windows XP, the Heartbleed bug and the security holes in Internet Explorer, the reportage has been relatively scant. Many companies failed to inform their users, and information outside tech websites was often confused and contradictory.

'Fire Sale'

Of course Ukraine, the Korean ferry disaster and the European elections are important issues, but the recent security issues are arguably far more significant. Indeed some have suggested these recent holes and exploits could lead to a 'Fire Sale', a term used to describe a hypothetical attack by hackers on vital networks [Wired].

The term 'Fire Sale' was first coined in the Die Hard film "Live Free or Die Hard", in which hackers mount a systematic three-stage cyberwarfare attack on the United States' computer infrastructure.

The film may well have been fiction, but the shocking truth is that the world's computer systems are vulnerable to attack and common flaws make such attacks easier and more likely.

tvnewswatch, London, UK

Saturday, April 26, 2014

Rumours fly after Google+ chief Vic Gundotra quits

There have been wild rumours and speculation after Vic Gundotra announced he was stepping down and leaving Google for pastures new [BBC].

Gundotra was the main driving force behind Google's social network Google+, and his leaving the company has driven speculation that the search giant may consign the platform to the scrap heap.

The main source for such rumours came from the website TechCrunch which described Google+ as the "Walking Dead" and suggested it would "no longer be considered a product, but a platform" and thus "ending its competition with other social networks like Facebook and Twitter."

Despite the article being widely quoted and shared on social networks, many have dismissed the suggestions.

One prominent voice was Yonatan Zunger, Google+'s Chief Architect, who said the information contained in the TechCrunch article was "BS" [bullshit].

"The TechCrunch article is BS," Zunger said, "Google+ isn't going anywhere, I can promise you."

Killing redundant products

Of course, anyone using Google+ may well have been justifiably concerned that their favourite social network might be consigned to history. Google has "retired" many of its products that it has deemed "redundant".

In the past few years Google has closed numerous services which it said lacked take-up. In 2011 Google dropped property search within Maps, citing lack of use. Google Desktop was also retired the same year, and Google Health was shut down in early 2012. Google Wave's retirement became one of the most talked-about closures, especially given the huge publicity surrounding its launch.

Google Wave, which started life in 2009, was hung out to dry within three months of its public release in May 2010, and by 2012 had been closed down altogether.

Google+ launch

Launched in 2011 Google+ provides a stream of content such as photos and status updates that its users post for their friends. Its original selling points included a way to create groups of contacts, or "circles," to share more specific types of information. Another is Hangouts, a popular messaging tool that enables group video chat.

The sharing of photos is a key part of the platform. Video and pictures may be set to upload automatically from a user's mobile device, or added to Google+ Photos from Google Drive. Thereafter a user may select these to share with individuals, circles or even the email address of a person not yet on Google+. And in recent months Google has added what it calls Auto Awesome, where automated algorithms put together movies or animated GIFs which may be shared.

Google+ has also been integrated into the sign-in procedure of Google's various services, including Gmail, YouTube and Google Play. As well as using a single login and password, users are obliged to use their real name, which also appears on any reviews or comments they post on Google platforms, an effort to reduce spamming and abusive behaviour.

While Google has received some criticism for its changes to log-in procedures and its real name policy, the social network has grown significantly, to a claimed 540 million active users, though it remains far smaller than Facebook, which reports more than 802 million daily active users [WSJ / The Register].

Trust

Killing the social network could prove to be suicidal for Google. While not as popular as Facebook and Twitter, Google+ has gained a large number of loyal users who would be disappointed and angry should the search giant decide to shut the service down.

Its closure would also reduce trust in the company. People would justifiably be concerned about the safety of other services such as Google Drive or GMail.

Certainly Google+ might change in form, but it is unlikely to be killed off. It must also be noted that one of the authors of the TechCrunch article, Alexia Tsotsis, owns shares in Facebook, Yahoo! and Twitter, while the other, Matthew Panzarino, is described in his TechCrunch bio as "relentlessly covering Apple and Twitter." Of course this does not explain their information or sources, but it could be partly why they closed the article by comparing Google+ to an "unwelcome hairy spider" whose integration is a form of "grating party crashing." And according to one blog it calls their credibility into question.

TechCrunch has based many of its assertions on anonymous sources who say that staff are being reshuffled. But reassignment is hardly proof of anything in a company which is in constant flux and redevelopment.

Angry beehive

While not completely dismissing the TechCrunch article, other tech websites have asserted that Google+ still has a place, providing a particular niche for certain individuals.

Mashable describes the social network as an "angry beehive" of enthusiastic users. The types of user also tend to be different, often more involved in technology and specialised interests, and according to Mashable's Chris Taylor, a little bit "weird". Indeed there has been an angry response from many users at the suggestion that Google+ could shut shop.

For its part Google has denied the rumours and meanwhile stated that Google+ Vice President of Engineering David Besbris will take command of Google+ [CNET]. The speculation may well continue, but for now the safety and future of the social network is assured.

As for Vic Gundotra, he has only praise for the company he is leaving but left no clue as to where he is heading next, something that is also open to speculation.

tvnewswatch, London, UK

Friday, April 11, 2014

Heartbleed bug gives Internet users massive headache

This week Microsoft ended its support of Windows XP, meaning that up to 25% of Windows users in the world could be exposed to increased attacks by hackers. Serious as that is, it was nothing compared to the reports that OpenSSL, the library used to encrypt communications between a user's computer and a web server, had a serious bug.

Discovery of bug

The bug was independently discovered by a team of security engineers at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team. The Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools, and reported it to NCSC-FI for vulnerability coordination and reporting to the OpenSSL team.

Given the name Heartbleed by the Codenomicon team, it was deemed "a serious vulnerability in the popular OpenSSL cryptographic software library".

This weakness allows the stealing of information that would normally be protected by the SSL/TLS encryption used to secure the Internet, the team said. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs), the team added on a special website set up following the discovery. The flaw itself lies in OpenSSL's implementation of the TLS heartbeat extension: a missing bounds check lets either end of a connection ask the other for up to 64KB of its process memory per request, and the read leaves nothing unusual in the victim's logs.

Catastrophic

Dubbed "the biggest security issue that's faced the Internet to date" by some commentators, it was described by others as even more serious. Bruce Schneier, the American cryptographer and computer security and privacy specialist, called the discovery "catastrophic" on his blog.

The bug is not only serious in relation to security but also serves as a wake-up call as to how security and passwords are handled, both by users and by the software the Internet runs on.

Users have been constantly encouraged to use strong passwords and a different password for every website, and to change passwords frequently. However, even those who followed such advice would still have been vulnerable to the so-called Heartbleed bug, since it remained undiscovered for at least two years. Because the leaked memory contains whatever the server was handling at the time, including passwords in plaintext and session cookies, anyone who knew of the bug could have harvested such information from users of websites running a vulnerable OpenSSL, regardless of how strong those passwords were.
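To make the mechanism concrete, here is an added illustration (not code from this post, from OpenSSL or from the researchers who found the bug) that models the heartbeat handling in Python, before and after the fix. A heartbeat request carries a payload and a 16-bit length field; the vulnerable code trusted that field and copied that many bytes back, so a one-byte request claiming 16384 bytes got back 16KB of whatever sat next to it in memory. The server "memory" below is a constructed byte string holding a fake session cookie and key fragment; a real process would leak whatever it last touched.

```python
import struct
from typing import Callable, Optional

# A TLS heartbeat message (RFC 6520) is laid out as
#   type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16

# Constructed stand-in for whatever happens to follow the request in the
# server's heap: here a session cookie and the start of a private key.
NEIGHBOURING_MEMORY = (
    b"\x00" * 40
    + b"Cookie: session=deadbeef1234; user=alice\r\n"
    + b"\x00" * 24
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow"
)

Handler = Callable[[bytes, int], Optional[bytes]]


def build_request(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; declared_len lets a client lie about the size."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """Model of the pre-1.0.1g logic: the declared payload_length is trusted."""
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    # payload_len is never compared with record_len, so the copy runs past the
    # end of the request into the neighbouring memory (a memcpy in the C code).
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, len(echoed)) + echoed + b"\x00" * PADDING


def patched_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """Model of the 1.0.1g fix: discard any request whose claimed length exceeds the record."""
    if record_len < 1 + 2 + PADDING:
        return None                       # too short to be a valid heartbeat
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > record_len:
        return None                       # payload_length lies: silently drop it
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, len(echoed)) + echoed + b"\x00" * PADDING


def leaked_data(handler: Handler, payload: bytes = b"A", declared_len: int = 0x4000) -> bytes:
    """Send one over-long heartbeat through `handler`; return the bytes that came
    back beyond what the client actually sent (empty if the request was rejected)."""
    request = build_request(payload, declared_len)
    memory = request + NEIGHBOURING_MEMORY          # request, then adjacent heap contents
    response = handler(memory, len(request))
    if response is None:
        return b""
    _, resp_len = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + resp_len]
    return echoed[len(payload) + PADDING:]          # strip our own payload and padding


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("patched", patched_handler)):
        leak = leaked_data(handler)
        print(f"{name}: {len(leak)} bytes leaked, cookie visible: {b'session=' in leak}")
```

The fix is a single comparison of the claimed length against the record actually received; everything else in the handler is unchanged, which is why the patch was so small and the window of exposure so long.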

NSA & espionage

In fact some have suggested that this may have been behind the NSA's supposed ability to monitor individuals' Google or Facebook accounts. Although the NSA could have used the Heartbleed vulnerability to obtain usernames and passwords, as well as so-called session cookies to access online accounts, this would have only allowed them to hijack specific accounts whose data they obtained. For the NSA and other spies, the real value in the vulnerability lies in the private keys used for SSL that it may allow attackers to obtain [Wired / EFF].

Cracking SSL to decrypt Internet traffic has long been on the NSA's wish list, and according to the Guardian, in an article published in September 2013, the NSA and Britain's GCHQ had "successfully cracked" much of the online encryption Internet users rely on to secure email and other sensitive transactions and data.

Schneier is one of many who have questioned how such a major flaw could have found its way into OpenSSL, and suggested that, in the context of the PRISM revelations, intelligence agencies may have played a part. "At this point, the odds are close to one that every target has had its private keys extracted by multiple intelligence agencies," he said.

"The real question is whether or not someone deliberately inserted this bug into OpenSSL and has had two years of unfettered access to everything."

Some of the concerns over NSA snooping pre-date the discovery of Heartbleed. Nonetheless, the discovery raises the issue of Internet security and privacy once again.

Reporting & advice

Following its discovery on Friday 4th April, Google immediately patched the gaping security hole, as did other tech companies that were made aware of it before it was finally made public on Monday 7th. Even then news leaked out slowly and with much confusion over what people should do. On Tuesday 8th April the BBC reported the vulnerability but gave no clear advice as to what users might do to remain safe online. Indeed even the BBC later reported the whole issue had brought nothing but confusion. 

Other websites were more forthright and suggested Internet users change all their passwords. Time ran with just such a headline, and Tumblr, the blogging platform now owned by Yahoo, suggested users take the day off and revise their password list.

"This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," Tumblr wrote on an online post.

Bad advice

Whilst such suggestions seemed good advice on the face of it, following through could have left some people even more exposed than they already were. If a website had not yet patched OpenSSL and reissued its certificate, a user changing their password would simply hand the new one to anyone still exploiting the bug. Indeed, with the vulnerability now public, there was a far stronger chance that unpatched websites would be targeted by hackers looking for exactly such data.

In fact the best advice was to sit back a little and wait. Users were correctly advised by some news outlets to check whether a website had been vulnerable, and whether it had since carried out the necessary updates. Only then should users change passwords.

The Heartbleed website itself helped by providing a tool in order to identify affected sites.

Other independent technology websites helped out by providing lists of affected sites and of those which were not. Mashable provided a useful list with advice alongside, while an extensive list of vulnerable websites [as of 8th April] was published on GitHub. Mainstream media reports were, however, scant on detail. For example ABC cited only a handful of well-known tech companies such as Google, Facebook and Yahoo.
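The test tools and lists mentioned above all rest on the same check: send a heartbeat that claims to be far longer than it is, and see whether the server echoes back more than it was given. As an added example (not the Heartbleed site's tool, nor anything from this post), here is that check in Python at the level of raw TLS records, with constructed stand-in peers in place of live servers. The TLS handshake a real scanner performs first is omitted; `send` is assumed to be whatever delivers the probe and returns the reply.

```python
import struct
from typing import Callable

# TLS record header: content_type (1) | protocol_version (2) | length (2)
CT_ALERT, CT_HEARTBEAT = 0x15, 0x18
TLS_1_1 = 0x0302
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16


def heartbeat_record(hbtype: int, length_field: int, payload: bytes) -> bytes:
    """Wrap a heartbeat message in a TLS record. length_field is written as given,
    so a client can claim more bytes than it actually sends."""
    body = struct.pack("!BH", hbtype, length_field) + payload + b"\x00" * PADDING
    return struct.pack("!BHH", CT_HEARTBEAT, TLS_1_1, len(body)) + body


def build_probe(sent_payload: bytes = b"\x00", declared_len: int = 0x4000) -> bytes:
    """The classic probe: a one-byte payload that claims to be 16 KB long."""
    return heartbeat_record(HB_REQUEST, declared_len, sent_payload)


def classify(sent_payload_len: int, reply: bytes) -> str:
    """Decide from the raw reply whether the peer echoed more than it was sent."""
    if len(reply) < 5:
        return "no heartbeat reply (patched, or heartbeat extension disabled)"
    content_type, _version, length = struct.unpack("!BHH", reply[:5])
    if content_type == CT_ALERT:
        return "alert returned (patched)"
    if content_type != CT_HEARTBEAT:
        return f"unexpected record type 0x{content_type:02x}"
    body = reply[5:5 + length]
    if len(body) < 3:
        return "truncated heartbeat record"
    hbtype, payload_len = struct.unpack("!BH", body[:3])
    if hbtype != HB_RESPONSE:
        return "not a heartbeat response"
    if payload_len > sent_payload_len:
        return f"VULNERABLE: peer echoed {payload_len} bytes for a {sent_payload_len}-byte payload"
    return "heartbeat supported, length checked (not vulnerable)"


def check_peer(send: Callable[[bytes], bytes], sent_payload: bytes = b"\x00",
               declared_len: int = 0x4000) -> str:
    """`send` delivers the probe record and returns whatever the peer answered.
    In a real scan it would write to a TLS socket after the handshake; here it is a stub."""
    return classify(len(sent_payload), send(build_probe(sent_payload, declared_len)))


# --- constructed peers standing in for live servers; no network involved ---
_JUNK = (b"\x00" * 90 + b"user=alice&password=hunter2" + b"\x00" * 90) * 100


def vulnerable_peer(record: bytes) -> bytes:
    """Echoes as many bytes as the request claimed, pulling them from 'memory'."""
    _hbtype, declared = struct.unpack("!BH", record[5:8])
    return heartbeat_record(HB_RESPONSE, declared, _JUNK[:declared])


def patched_peer(record: bytes) -> bytes:
    """OpenSSL 1.0.1g silently discards a request whose length field is too big."""
    return b""


def echo_peer(record: bytes) -> bytes:
    """Answers a well-formed request by echoing exactly the bytes it carried."""
    _ct, _ver, length = struct.unpack("!BHH", record[:5])
    payload = record[8:5 + length - PADDING]      # between the 3-byte header and the padding
    return heartbeat_record(HB_RESPONSE, len(payload), payload)


if __name__ == "__main__":
    print("vulnerable:", check_peer(vulnerable_peer))
    print("patched:   ", check_peer(patched_peer))
    print("honest:    ", check_peer(echo_peer, declared_len=1))
```

Two caveats a scanner has to live with: a server that simply never answers a heartbeat looks the same whether it is patched or has the extension disabled, so "no reply" is not proof of a fix; and a positive result only shows the server is vulnerable now, not whether its certificate was reissued after it was exploited earlier.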

The general advice now was that people should change passwords, with the caveat that the site be checked to see that it had patched the security hole. On Wednesday 9th April the BBC reported that both "tech firms" and "security advisors" were urging people to change all their passwords, advice that was repeated on other news outlets throughout the week [Daily Mail].

But other reports in other media suggested the opposite. On the same day the Guardian wrote that "security experts" were warning people not to update passwords.

Confused reports

But what of the tech firms, banks and websites themselves? It appeared they were just as clueless, confused or simply remained silent over the whole issue.

Few sent emails or posted messages on their websites concerning the bug and as to what their users might do.

Indeed, given the possibility that even banks might have been affected, there may well have been a sense of panic among many users of online banking systems. Yet banks were either evasive or non-committal.

When contacted by the Daily Mail on 9th April, many of Britain's major banks would not comment on whether passwords should be changed. HSBC said it was 'monitoring' the situation, and a Lloyds spokesman said the bank would not comment on security issues.

Yet an article in the Daily Mirror reported that Lloyds, NatWest and the Royal Bank of Scotland had said their websites were not vulnerable to attack. On the other side of the Atlantic there was just as much confusion. CBC reported that banks weren't at risk, but CNN said it could not verify whether American Express and a number of other financial companies were vulnerable. By Thursday the Telegraph provided some clarification with a list showing UK banks were unaffected.

Meanwhile no major banking organisation made any public statement to their users through their websites, email or letter.

In truth, even if vulnerable to the OpenSSL bug, most banks have a second layer of security such as special USB sticks or card readers, electronic keypads, or on-screen input methods designed to defeat keylogging viruses. That layer would not have helped against a leaked server private key or session cookie, but it does mean a stolen password alone is rarely enough to empty an account. Nonetheless the absence of information left some Internet users confused and worried.

Outside of banking there are other measures that may have helped prevent third parties accessing data, such as the 2-step verification used by Google and others. Essentially this requires a mobile phone, to which one-time codes are sent in order to log in from an unfamiliar location or computer. A password harvested via Heartbleed is of little use without that second code, though a leaked session cookie would still bypass the check.

No-one safe

Such methods can certainly help to protect users but as Reuters reported on Wednesday there is little most people can do to protect themselves from such bugs.

With OpenSSL used on about two-thirds of all web servers there is much patching to be done. Put another way, it affects more than 60% of the world's websites and some half a million servers, which will be difficult for the millions of websites and companies involved [PCWorld]. In the meantime hackers will be attempting to exploit the remaining open holes.

And with the cat out of the bag, and many sites still unpatched, it is open season for hackers and phishers. Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, told Reuters his firm had uncovered evidence that a few hacking groups believed to be involved in state-sponsored cyber espionage were running scans shortly after news of the bug first surfaced on Monday.

By Tuesday, Kaspersky had identified scans coming from "tens" of actors, and the number increased on Wednesday after Rapid7 released a free tool for conducting such scans. "The problem is insidious," Baumgartner said. "Now it is amateur hour. Everybody is doing it."

The risks go further, with Kaspersky Lab's Baumgartner saying that devices besides servers could be vulnerable because they run software with vulnerable OpenSSL code built into it.

Others affected

These include versions of Cisco Systems' AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs should have either updated their software or published directions for users on how to mitigate potential attacks.

Indeed many have already addressed the issue, though many users of such services did not receive an update by email [VPNspblog]. Instead updates were often posted on social media, such as one by 12VPN on Twitter stating that its web servers were patched and its VPN methods were not affected. As such many users may well have missed this important message.

Problems were further compounded when Cisco and Juniper revealed their networking equipment was also affected by Heartbleed [WSJ]. And while the average user of Facebook or Google could simply change their password, the issues surrounding Cisco and Juniper equipment could be time consuming. According to Jaime Blasco, director of AlienVault Labs, part of AlienVault LLC, it will take longer to fix networking equipment and software because Cisco and Juniper will have to rely on customers applying the patches they push out. "It's more painful to update these kinds of devices," Blasco said. "You have to go one by one." [Business Week]

Juniper and Cisco equipment is widely used around the world, including in China, where it has been employed in the so-called Great Firewall. It is unclear whether China's censorship machine was or will be affected, but websites across China were in just as much of a panic as the rest of the world to patch the security holes.

Hackers exploit bug

On Thursday both Xinhua and the People's Daily reported that major websites were "taking steps" to mitigate problems. The People's Daily also said there were signs that some hackers had already taken advantage of the flaw, but did not elaborate. And according to Wang Minghua of the National Computer Network Emergency Response Technical Team Coordination Center, "a surge in such attacks could be expected soon". US authorities have also issued warnings that hackers are already exploiting the bug [BBC].

All this was surely enough to give anyone potentially affected by Heartbleed a severe headache. The damage may turn out to be small, but as the Guardian discussed this week, there is a risk such flaws will recur. With programmer Robin Seggelmann, who wrote the code for the part of OpenSSL that led to Heartbleed, saying it was an accident, a repeat of such human error is a near certainty [Mashable].

tvnewswatch, London, UK