Monthly Archives: December 2014

Server failure clears skies over London as flights are grounded

Flights are now departing again from London airports after airspace over London was closed this afternoon due to a computer failure.

The problem was reported by Eurocontrol just after 3pm London time.

A computer failure is affecting London airspace with potentially severe #flightdelay

At the time of writing, NATS, the organisation that provides the air traffic control service over the UK capital, was reporting that airspace capacity was restricted, although they weren’t saying how restricted, or why.

NATS can confirm that a technical problem has been reported at Swanwick air traffic control centre.

UK airspace has not been closed, but airspace capacity has been restricted in order to manage the situation. We apologise for any delays and our incident response team has been mobilised.

Every possible action is being taken to assist in resolving the situation and to confirm the details.

Further information will be released as it becomes available.

The BBC is reporting that the outage was caused by “a failure of the flight data computer server”, whilst El Reg quotes a Heathrow spokesman describing it as “a power outage at the NATS control centre in Swanwick”.

The UK capital is home to several airports including one of the world’s busiest, London Heathrow, which acts as a major international hub and dispatches new flights every 90 seconds.

Flights were suspended as far north as Leeds Bradford Airport and as far south as Southampton.

Passengers were left stranded as incoming and outgoing journeys were stopped and Londoners, who exist beneath an almost perpetual queue of stacking jets, found themselves under clear skies.

AirLive.net’s real time flight maps gave just a hint of what was up.

Congratulations are due to the pilots and air traffic controllers who managed the situation and got everyone either safely grounded or shepherded out of London airspace.

Facts are thin on the ground but so far there’s no hint of foul play in the server failure.

Nevertheless the outage is a timely reminder: computers are just machines and all machines fail eventually. We may not be able to prevent the failure or stop the power going out but we can control how ready we are for when it happens.

Via: sophos

Comcast public WiFi hotspot network uses home modems, drives up customer costs

Two California residents have filed a class-action suit against Comcast in federal court for using their home’s wireless router in an effort to create a nationwide network of public WiFi hotspots.

The plaintiffs, Toyer Grear and his daughter, Jocelyn Harris, accused Comcast of “exploiting them for profit,” in the suit filed in U.S. District Court in San Francisco.

Indeed, to compete with large cell phone providers, the company is attempting to build its Xfinity WiFi Hotspot network, a second high-speed internet channel using its customers’ wireless gateway modems. That channel, separate from the one used by its customers, would be the purview of houseguests and customers who are using mobile devices while in range of one of the network’s hotspots. Comcast’s goal is to expand the network to include eight million hotspots by year’s end and to offer coverage in 19 of the largest cities in the U.S.

Customers lease their modems from the company, which began activating the network in the Bay Area last fall. While its customers can opt out of the second channel, Grear and Harris contend in the suit that Comcast doesn’t “obtain the customer’s authorization prior to engaging in this use of the customer’s equipment and Internet service for public, non-household use.” And, they contended, customers must bear “the costs of its national WiFi network,” citing a test by Speedify, a Philadelphia-based company, that tested the Internet channel and found that it would put “tens of millions of dollars per month of the electricity bills needed to run their nationwide public Wi-Fi network onto consumers.”

Calling home cable modems “very much ‘Plug-and-Pray’ (plug it in, pray there are no issues),” Trey Ford, Global Security Strategist at Rapid7, maintained, in comments emailed to SCMagazine.com, that Internet Service Providers (ISPs) “have a poor track record of patch management” for customer premises equipment (CPE). The modems, he said, “are fraught with security issues but vendors are more concerned with making them easy to use than safe, stable and secure for the user.”

The suit also said that tests showed that when the secondary channel is used heavily, customer electricity bills go up 30 to 40 percent.

In addition, the set-up “subjects the customer to potential security risks” by enabling strangers to access the internet through customer routers “with the customer having no option to authorize” or control its use. As homes in the U.S. become more connected to the internet, “having a safe edge [like a cable modem] is extremely important,” Ford said. “I hope that Comcast has done a good job segmenting the ‘guest’ network from the subscriber’s ‘home network,’ which is critical to the security of users who are forced to partake in this initiative.”

He warned guests to the network to protect themselves because “this wireless network is completely unencrypted.”

In the future, Ford expects security researchers to come down hard on Arris 852 and 862 wireless routers, examining them for security vulnerabilities and holding vendors accountable “in coordinated disclosure processes for any identified flaws.” He warned Comcast and Arris to “efficiently respond to vulnerability notifications from the research community” because the “vulnerabilities will not only bring press attention, but they will likely be referenced” in the Grear-Harris suit.

The father-daughter duo also claimed they’ve experienced “decreased, inadequate speeds on their home Wi-Fi network,” as a result of Comcast’s secondary channel.

They are seeking an injunction against Comcast, forbidding the company from using home wireless routers as part of its public hotspot network as well as unspecified damages because, they said, Comcast violated the Computer Fraud and Abuse Act, California’s Unfair Competition Law, and the state’s Comprehensive Computer Data Access and Fraud Act, California Penal Code.

Via: scmagazine

Verizon’s New, Encrypted Calling App Comes Pre-Hacked for the NSA

Verizon is the latest big company to enter the post-Snowden market for secure communication, and it’s doing so with an encryption standard that comes with a way for law enforcement to access ostensibly secure phone conversations.

Verizon Voice Cypher, the product introduced on Thursday with the encryption company Cellcrypt, offers business and government customers end-to-end encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app. The encryption software provides secure communications for people speaking on devices with the app, regardless of their wireless carrier, and it can also connect to an organization’s secure phone system.

Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they’re able to prove that there’s a legitimate law enforcement reason for doing so. Seth Polansky, Cellcrypt’s vice president for North America, disputes the idea that building technology to allow wiretapping is a security risk. “It’s only creating a weakness for government agencies,” he says. “Just because a government access option exists, it doesn’t mean other companies can access it.”

Phone carriers like Verizon are required by U.S. law to build networks that can be wiretapped. But the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law.

Other companies have designed their encryption in this way, including AT&T, which offers encrypted phone service for business customers. Apple and Android recently began protecting content stored on users’ phones in a way that would keep the tech companies from being able to comply with requests from law enforcement. The move drew public criticism from FBI Director James Comey, and some security experts expect that a renewed effort to spur passage of legislation banning such encryption will accompany Silicon Valley’s increased interest in developing these services.

Verizon believes major demand for its new encryption service will come from governmental agencies conveying sensitive but unclassified information over the phone, says Tim Petsky, a senior product manager for Verizon Wireless. Corporate customers who are concerned about corporate espionage are also itching for answers. “You read about breaches in security almost every week in the press,” says Petsky. “Enterprise customers have been asking about ways to secure their communications and up until this point, we didn’t have a solution.”

There has been increased interest in encryption from individual consumers, too, largely thanks to the NSA revelations leaked by Edward Snowden. Yahoo and Google began offering end-to-end encrypted e-mail services this year. Silent Circle, a startup catering to consumer and enterprise clients, has been developing end-to-end voice encryption for phones calls. Verizon’s service, with a monthly price of $45 per device, isn’t targeting individual buyers and won’t be offered to average consumers in the near future.

But Verizon’s partner, Cellcrypt, looks upon selling to large organizations as the first step toward bringing down the price before eventually offering a consumer-level encryption service. “At the end of the day, we’d love to have this be a line item on your Verizon bill,” says Polansky.

It’s still not clear how big the potential market for consumer-level encryption services is. Chris Soghoian of the ACLU’s speech, privacy, and technology project, believes that Verizon’s approach is unlikely to have wide appeal because of Verizon’s decision not to keep out law enforcement.

Many people in the security industry believe that a designed access point creates a vulnerability for criminals or spies to exploit. Last year reports surfaced that the FBI was pushing legislation that would require many forms of Internet communication to be wiretap-ready. A group of prominent security experts responded strongly: “Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious consequences (PDF) for the economic well-being and national security of the United States,” they wrote in a report issued in May.

Verizon’s service might well have drawn praise from security experts in the past, Soghoian says, but the past year of revelations about government surveillance has changed the atmosphere. “Today, to roll this out with a backdoor, that’s inexcusable,” he says. With encrypted phone services being developed to be inaccessible to anyone, he says, “It’s tough to see how Verizon can compete here when they’re designing a product that is less secure.”

Via: businessweek

Cisco buying Neohapsis for security brainpower

Cisco Systems plans to expand its security consulting services by acquiring Neohapsis, a small Chicago firm that tells enterprises how to secure their applications.

The Neohapsis acquisition, for an undisclosed sum, is a classic “acqui-hire” intended to bring an experienced team at Neohapsis into the Cisco fold. Neohapsis President and CEO James Mobley and other key players in the 57-employee company came from @stake, a security firm acquired by Symantec in 2004. They will help to run the Cisco Security Services organization under Bryan Palma, who oversees that group and several others within Cisco. The new team should also help to attract more security talent to Cisco, Palma said.

Cisco Security Services has deep expertise in network and infrastructure security, and buying Neohapsis will expand that into the application layer, Palma said. Neohapsis helps clients with cloud, mobile and Web security as well as offering IT risk management and regulatory compliance services, he said. The company’s lab is often the first to discover security threats, Palma said.

Last year, Neohapsis Labs demonstrated a potential IPv6 attack against Windows 8 PCs that would let attackers intercept all Web traffic on a network.

Cisco is expanding its services business as part of a bid to become the world’s biggest IT company and a comprehensive partner for enterprises and service providers. From its core business in network infrastructure, the company is growing its computing, cloud and other businesses and aims to ride the Internet of Things to significant growth in the next several years.

The acquisition is expected to close next month and won’t be material to Cisco’s financial results. The Neohapsis team will remain based in Chicago, Palma said.

Via: cio

The POODLE flaw returns, this time hitting TLS security protocol

Webmasters who patched their sites against a serious SSL flaw discovered in October will have to check them again. Researchers have discovered that the vulnerability also affects implementations of the newer TLS (Transport Layer Security) protocol.

The POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability allows attackers who manage to intercept traffic between a user’s browser and an HTTPS (HTTP Secure) website to decrypt sensitive information, like the user’s authentication cookies.

Initially, researchers believed it affected only SSL 3.0, an aging protocol superseded by TLS 1.0, 1.1 and 1.2. That still put users at risk, since most browsers and servers still supported SSL 3.0 for backward-compatibility reasons. Attackers were able to force a connection downgrade from TLS to SSL and then exploit the vulnerability.

Security researchers have now discovered that the issue also affects some implementations of TLS in products that don’t properly check the structure of the “padding” used in TLS packets.
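The padding check the article refers to is the difference between SSL 3.0, which only uses the final byte of a decrypted CBC record as the padding length and never looks at the padding bytes themselves, and TLS 1.0 and later, which require every padding byte to equal that length byte. The following is an added example written for this page (it is not code from the article, from NSS, or from any vendor named above): a simplified model of TLS CBC record padding, with the lax SSLv3-style check beside the strict TLS check, and a small conformance routine a defender can run to confirm that a padding-removal routine rejects records whose padding contents are wrong. The MAC that sits before the padding in a real TLS record is omitted to keep the model short, and the sample payload is constructed.

```python
import hmac

BLOCK_SIZE = 16  # AES block size; TLS CBC padding fills the record to a multiple of this


def tls_pad(payload: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append TLS-style CBC padding: pad_len bytes, each holding the value pad_len,
    followed by the pad_len byte itself, so the total length is a block multiple.
    (Simplified model: the MAC that precedes the padding in a real record is omitted.)"""
    pad_len = (block_size - (len(payload) + 1) % block_size) % block_size
    return payload + bytes([pad_len]) * pad_len + bytes([pad_len])


def sslv3_style_unpad(plaintext: bytes):
    """Lax check in the SSL 3.0 style: only the final byte (the pad length) is
    inspected; the padding bytes themselves are never verified."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None  # declared padding longer than the record
    return plaintext[: len(plaintext) - pad_len - 1]


def tls_unpad(plaintext: bytes):
    """Strict check required by TLS 1.0+ (RFC 5246 section 6.2.3.2): every padding
    byte must equal the pad-length byte, otherwise the record is rejected."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    padding = plaintext[len(plaintext) - pad_len - 1 : -1]
    expected = bytes([pad_len]) * pad_len
    # compare_digest does not stop at the first differing byte, so the check's
    # timing does not reveal where in the padding a mismatch occurred
    if not hmac.compare_digest(padding, expected):
        return None
    return plaintext[: len(plaintext) - pad_len - 1]


def corrupt_padding(record: bytes) -> bytes:
    """Constructed test input: keep the pad-length byte but overwrite the padding
    bytes, the kind of malformed record a lax implementation wrongly accepts."""
    pad_len = record[-1]
    start = len(record) - pad_len - 1
    return record[:start] + b"\xff" * pad_len + bytes([pad_len])


def conformance_report(payload: bytes = b"Cookie: session=abc123") -> dict:
    """Run both unpadders over a well-formed record and one with mangled padding
    and report which records each one accepts. (The payload is constructed.)"""
    good = tls_pad(payload)
    bad = corrupt_padding(good)
    return {
        "lax_accepts_good": sslv3_style_unpad(good) == payload,
        "lax_accepts_bad": sslv3_style_unpad(bad) == payload,  # True: this is the flaw
        "strict_accepts_good": tls_unpad(good) == payload,
        "strict_accepts_bad": tls_unpad(bad) is not None,      # False: record rejected
    }


if __name__ == "__main__":
    for name, accepted in conformance_report().items():
        print(f"{name}: {accepted}")
```

An implementation that reports `True` for `lax_accepts_bad` is one that accepts arbitrary padding contents, which is the behaviour the article says was found in old NSS releases and in the affected load balancers; the fix is the strict comparison in `tls_unpad`, and a vendor patch is the right remedy on a production device rather than any local workaround.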

The problem was first observed in old versions of Mozilla’s NSS (Network Security Services), the cryptographic library used in Firefox and other products, but Google security engineer Adam Langley built a scanner to find out if other products are affected.

He found that some major sites were vulnerable, and it turned out to be because they were using load balancers from F5 Networks and A10 Networks to handle the TLS connections.

“F5 have posted patches for their products and A10 should be releasing updates today,” Langley said Monday in a blog post. “I’m not completely sure that I’ve found every affected vendor but, now that this issue is public, any other affected products should quickly come to light.”

According to Ivan Ristic, who runs the SSL Labs at security vendor Qualys, about 10 percent of servers monitored by the SSL Pulse project are vulnerable to POODLE attacks through TLS. The SSL Pulse project monitors the HTTPS-enabled sites from the list of top 1 million most visited sites published by Internet statistics firm Alexa—around 151,000 sites in November.

Website administrators who want to check if their servers—or load balancers used in front of their servers—are vulnerable, can use the Qualys SSL Labs server test, which has been updated to detect the problem.

“If vulnerable, apply the patch provided by your vendor,” Ivan Ristic said in a blog post. “As problems go, this one should be easy to fix.”

Via: networkworld

New point-of-sale malware on underground markets for $2,000

A new kind of point-of-sale malware similar to that which struck Target is being sold in underground markets for $2,000.

The malware, LusyPOS, was found on VirusTotal, a website where people can submit malware samples to see if one of several dozen security applications detects it.

It had also been advertised on an underground carding website, where people buy and sell stolen payment card data, said Brian Minick, vice president of the advanced security business of CBTS, a Cincinnati, Ohio-based security company.

“It’s the first we’ve seen of it,” Minick said. “It looks pretty new.”

Retailers across the U.S. have been hit hard by malware that scans the volatile memory of computers connected to point-of-sale systems, which handle card payments. Home Depot said it lost 56 million card details to this type of attack over a six-month period earlier this year, one of the largest data breaches on record.

Nick Hoffman, a reverse engineer with CBTS, wrote in a blog post that LusyPOS shares some of the same characteristics as two other well-known POS malware programs, Dexter and Chewbacca.

In a January report, the security company RSA said Chewbacca was a simple piece of malware but one that had infected the systems of at least 35 retailers.

Minick said it’s not uncommon for malware writers to borrow code from other programs to make a new malicious application for profit.

“I think [it] is showing reuse of code that was out there,” Minick said in a phone interview Monday. “So these developers are now taking the best of what has been publicly published and reusing that to create a new tool…to try to make a quick buck.”

LusyPOS appears to share some of the same source code as Dexter and other characteristics of Chewbacca, Minick said.

For example, LusyPOS uses Tor for communication, which encrypts content. Tor, short for The Onion Router, is a software package that is designed to make people’s Web traffic more anonymous by encrypting and routing it through a network of worldwide servers.

Hoffman found LusyPOS on VirusTotal, which lets people submit malware samples to see if they are detected by more than four dozen antivirus programs. The sample was submitted to VirusTotal on Nov. 30, Minick said.

Recently, LusyPOS was detected by only seven applications, Minick said. Two of those applications flagged LusyPOS for its use of a Tor package.

Tor is a legitimate tool for protecting one’s privacy on the Web, but it can easily be incorporated into tools that are malicious.

Via: csoonline

New POS malware appears to be in beta testing phase

Trend Micro has identified a new point-of-sale (POS) threat detected as TSPY_POSLOGR.K.

The presence of debug information in the malware, as well as the lack of any identifiable command-and-control capabilities, has led researchers to believe that TSPY_POSLOGR.K is in a beta testing phase, Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com in a Monday email correspondence.

“As with all software it’s hard to say when a ‘beta’ is finished and ready for ‘production,’” Budd said. “In this case, at least, having the missing command-and-control components are key to it being a piece of production malware.”

Because it seems to be in a beta testing phase, researchers have not seen TSPY_POSLOGR.K being widely used, Budd said.

“[From] what we have seen [it] reads data from processes specified in the initialization file,” Budd said. “In this case it’s credit card [and] point-of-sale information. But the component flexibility means it could easily be repurposed for additional data on the infected system.”

Budd referred to the malware sample as a modular and functional component that only takes a single action out of the several involved in a POS breach. He said that other components are needed to take other actions – such as retrieving data dumps – and explained that a complete attack is likely carried out by deploying those other components as part of a package.

The analyzed sample takes actions as commanded by the configuration file, which is not present on the system by default, most likely as an obfuscation step, Budd said, adding that this makes it harder to understand what actions the malware is taking on infected systems.

“This makes this component more flexible because instructions can be changed in the configuration file rather than rewriting the component itself,” Budd said. “This is consistent with professional software development practices and shows increasing sophistication and professionalism.”

Budd could not share any information on the malware’s origin, but he said that analysis of this component will be beneficial in the future.

“This analysis enables us and others in the industry to build new signatures to detect this particular component,” Budd said. “The developments in new tactics also enable researchers to [better know] additional components and elements of an attack that they should be looking for in the future.”

Trend Micro released a blog post about TSPY_POSLOGR.K on Thursday, just a day after Nick Hoffman, lead reverse engineer at CBTS, posted about POS malware referred to as ‘getmypass.’ Budd said he has not done a full comparison, but indicated that the two threats appear to be the same.

Via: scmagazine

E-Cigarettes Could be Bad for Computer Health – Malware Alert

Some e-cigarettes from China have malware hard coded into the charger, providing cyber-criminals with an unusual but effective infection vector, according to online reports.

Reddit user ‘Jrockilla,’ who claims to be ‘an IT guy,’ posted a story last week about a data breach at a large enterprise.

The IT team apparently couldn’t work out the cause of a malware infection on an executive’s computer, given that the user had up-to-date anti-malware protection installed.

He continued:

“They finally asked the executive, ‘have there been any changes in your life recently?’. The executive answered, ‘well yes, I quit smoking two weeks ago and switched to e-cigarettes.’ And that was the answer they were looking for. The made-in-China e-cigarette had malware hard-coded into the charger and when plugged into a computer’s USB port the malware phoned home and infected the system.”

Phil Barnett, EMEA general manager at Good Technology, argued that the news should serve as a warning on the dangers of “a new generation of intelligent devices.”

“While laptops have increasingly sophisticated protection against malware attacks, mobile phones, tablets and wearable technologies do not yet. Malware can spread to these devices very quickly and cause risk to consumers and businesses alike,” he added.

“Any company that allows their data to be stored on a mobile device needs a security and risk management policy that takes into account the diverse and expanding number of sources of potential threats.”

While malware from China is nothing new, there have been allegations in the past that US-produced technology products may also be at risk.

A June 2010 report from the head of the NSA’s Access and Target Development department, cited earlier this year by Glenn Greenwald, claimed the spy agency either receives or intercepts servers, routers and other technology bound for international markets.

It then installs backdoors before repackaging and replacing the factory seal, according to the story.

Fears over such activity led China soon after to begin screening any IT products bound for government departments, although some have argued this in fact is just an excuse for Beijing to reduce US imports.

Via: infosecurity-magazine

Xbox Live Hit by Massive DDoS Outage

Cloud-based gaming is in the security spotlight once more with news that Microsoft’s Xbox Live service was taken offline by a distributed denial of service (DDoS) attack from the hacker collective known as Lizard Squad.

Further, the group, which appears to support ISIS, warned the public via its Twitter feed to expect more DDoS attacks around Christmas. It’s a statement that could be posturing, but Lizard Squad has struck before, targeting Sony’s Playstation Network back in August. At the time, it said that Xbox Live “would be next.”

Apparently, the threat has been made good. In Xbox’s case, the outage was reportedly intermittent in the evening hours of Dec. 1, with Xbox 360 and Xbox One owners reporting that they were unable to connect to Xbox Live. Consoles were responding with the 80151909 error code, which warns that an Xbox Live profile has failed to download.

The cloud service is back online now (and no statement has been yet forthcoming from Microsoft), but the incident, anecdotally at least, does mirror the Sony gaming network attack in terms of impact and outage characteristics.

“We see more and more gaming sites being hit by DDoS attacks, and the reasons run the gamut,” said Igal Zeifman, researcher and product evangelist for Incapsula, in an email to Infosecurity. “Angry gamers looking for revenge on the mods who kicked them out of a community. Rivals in the gaming ecosystem — how-to sites or virtual good exchanges — are looking to take down a competitor for a larger share of the affiliate fees market. Outright extortionists who know the cost of downtime.”

This trend is likely to continue, he added, thanks to how easy it is to mount a DDoS attack these days.

“First, anyone can access ‘DDoS-as-service’ solutions today and generate mid-sized attacks for less than $50,” he said. “Second, the coverage of attacks is instant and widespread. When all you need is a PayPal account, instant Internet notoriety has never been easier.”

Incapsula recently chronicled an attack on a gaming affiliate that lasted 38 days.

Via: infosecurity-magazine

Developers Can Now Use Google’s Cloud Platform To Handle Credit Card Information

Google today announced that its Cloud Platform is now in compliance with the Payment Card Industry (PCI) Data Security Standards (DSS). This means developers can now hold, process and exchange credit card information from branded credit cards on Google’s cloud computing platform without running afoul of existing regulations.

Until now, Google advised its users that its cloud service wasn’t meant to process or store credit card information. It’s important to remember that just because Google is now compliant doesn’t mean developers can suddenly store all of this information on Google’s servers. It does mean, however, that developers can now use Google’s platform to build their own compliant solutions.

Google’s reference customer for today’s news is WePay (which also today announced that it is using Google as its public cloud provider). “Google Cloud Platform will enable WePay to process our partners’ transactions in a fully scalable, highly available environment with robust security features,” said David Nye, the Director of DevOps at WePay, in a canned statement today. “The new PCI DSS certification that Google Cloud Platform has achieved enables WePay to dynamically grow our infrastructure as fast as our business and our partners’ businesses demand.”

It’s worth noting that Microsoft’s Azure is also PCI-compliant, as is Amazon Web Services.

Via: techcrunch