Category Archives: In the News

Security issues should always be taken seriously. Then again, so should consistent exercise and taking regular breaks from madness. Notwithstanding, here's the recent news in the field of security.

Apple Admits Existence of Data-Eating Bug

Read the full article at:

Apple admits existence of data-eating bug guardian.co.uk, Tuesday 13 October 2009 02.04 BST
Bobbie Johnson, San Francisco

(Other links at the end of this excerpt)

Reports of the problem first surfaced more than a month ago, but it was only on Monday that Apple finally responded …

“We are aware of the issue, which occurs only in extremely rare cases, …

Although some users have been able to restore their data after being hit by the bug, many others …erased…

“When logging in to my regular account, everything was gone,” said one user …

“After I had logged out of that account and back into mine my entire home directory had been wiped…

Some reported only minor data loss, however.

“I accidentally logged into the guest account and then logged out and noticed that my background picture was different, and folders that were on the desktop were gone,” said another user. “I was mad, but nothing hurt me too much.”

As well as concerns over, the episode also highlights the importance of properly backing up your data – a hot topic in recent days, given a massive failure to [sic] by Microsoft.

Apple’s admission comes just days after its rival admitted that a problem with its own backup systems had left tens of thousands of American mobile phone customers stranded without access to their data.

Customers who had subscribed to use T-Mobile’s Sidekick handset, which uses software produced by Microsoft … would not be able to recover any of their personal information – … after the company failed to properly back up user information.

… there were no adequate backups to replace the data that had been lost.

“Personal information stored on your device… that is no longer on your Sidekick almost certainly has been lost …

guardian.co.uk © Guardian News and Media Limited 2009
Apple acknowledges Snow Leopard data loss issue | Circuit Breaker – CNET News

AppleInsider | Snow Leopard guest account bug deletes user data [u]

Snow Leopard wiping home directory after guest log-in? | MacFixIt – CNET Review

This article suggests that:
If you need guest account functionality and do not trust the built-in account because of this problem, for now just create a new non-administrator account (call it “Visitor” if you need a semi-decent alternative name) for use as a guest, and customize restrictions for it with parental controls. In most instances this will work just fine, since the only real difference in behavior for guest accounts is that data and settings are reset upon logout.

Apple’s Snow Leopard downgrades Flash

Apple’s Snow Leopard, Mac OS X 10.6, downgrades the Adobe Flash Player installed on systems being upgraded with the updated operating system. The Flash Player version distributed with Snow Leopard is 10.0.23.1. Although this is a later version number than the most recently reported vulnerable version, it was being distributed at the same time as the flawed version and most probably suffers the same critical security issues. Adobe have confirmed the issue exists and recommend that Snow Leopard users update their Flash Player as soon as possible, by visiting http://get.adobe.com/flashplayer/ and installing version 10.0.32.18. Users can check what version of Flash Player they have installed by going to Adobe’s version check page.

Read the entire article at:

Apple’s Snow Leopard downgrades Flash – News – The H Security: News and features

During the development of Snow Leopard, and as far back as early July, beta versions were shipped which included Adobe Flash Player 10.0.23.1. Towards the end of July, a critical security vulnerability was discovered in Flash Player version 10.0.22.87, the generally available Flash Player version at the time. The Flash Player was updated on the last day of July, to version 10.0.32.18, but it appears either Adobe or Apple did not ensure that this update made it onto the “gold master” of Snow Leopard which, according to reports, was sent to manufacturing in mid August. This master was used to produce the Snow Leopard DVDs, which were made available in stores on August 28th. As a result, users who had updated the Flash Player on Mac OS X 10.5.8 at the start of August, and then upgraded to Snow Leopard will find that they are back to running a version which, although there are no specific security advisories for it, is most probably vulnerable to the same flaws as Flash Player 10.0.22.87.
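The timeline above shows why “newer than the version in the advisory” is the wrong test: 10.0.23.1 is numerically newer than 10.0.22.87 but was cut from the same code. The following is an added example, not code from The H, Adobe or Apple; it uses only the version numbers named in the article and compares an installed build against the release that actually contains the fix.

```python
# Added example (not code from The H article, Adobe or Apple): decide whether an
# installed Flash Player build needs the update described above. The only inputs
# are the version numbers the article names; everything else is constructed.

from typing import Tuple

KNOWN_VULNERABLE = "10.0.22.87"    # generally available version when the flaw was found
SNOW_LEOPARD_BUILD = "10.0.23.1"   # version on the Snow Leopard gold master
FIXED_VERSION = "10.0.32.18"       # first version containing the fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "10.0.23.1" into (10, 0, 23, 1) so comparisons are numeric.

    Plain string comparison gets this wrong: "10.0.9" sorts after "10.0.23" as text."""
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in parts)


def newer_than_known_vulnerable(installed: str) -> bool:
    """The misleading test: 'is this build newer than the one in the advisory?'

    It passes 10.0.23.1, which is newer than 10.0.22.87 by number but was cut
    from the same code and is presumed to carry the same flaws."""
    return parse_version(installed) > parse_version(KNOWN_VULNERABLE)


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """The correct test: anything older than the release that contains the fix
    must be updated, regardless of how it compares to the vulnerable version."""
    return parse_version(installed) < parse_version(fixed)


def assess(installed: str) -> str:
    """One-line verdict for a version string as reported by Adobe's version check page."""
    if needs_update(installed):
        return f"{installed}: update to {FIXED_VERSION} or later"
    return f"{installed}: at or above the fixed version"


if __name__ == "__main__":
    for build in (KNOWN_VULNERABLE, SNOW_LEOPARD_BUILD, FIXED_VERSION):
        print(assess(build), "| newer than advisory version:", newer_than_known_vulnerable(build))
```

The same pattern applies to any patch-level check: compare against the first fixed release, never against the last known-bad one, because intermediate builds may share the defect.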

Another New AES Attack

But is it merely FUD at this point? For the everyday user, this is nothing to lose sleep over: AES is not broken, and nobody can open an AES-encrypted movie today. It does point out that rust and black-hats never sleep, and neither should white-hats. A studio’s library is its owner’s to protect for many years, if not many decades, and what seemed unthinkable not too many years ago is now edging into the realm of possibility.

In the article, Mr. Schneier makes recommendations about how to make better choices. It would be good for the powers that be to re-examine their choices and let everyone know that everything is fine. [End Editor Comment]

From Crypto-Gram: August 15, 2009. Anyone interested in and capable of reading this blog should be subscribing to Crypto-Gram.

Abstract. AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). In the case of AES-128, there is no known attack which is faster than the 2^128 complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2^176 and 2^119 time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems.

In this paper we describe several attacks which can break with practical complexity variants of AES-256 whose number of rounds are comparable to that of AES-128. One of our attacks uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and 2^120 time). Another attack can break a 10 round version of AES-256 in 2^45 time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and 2^172 time).

They also describe an attack against 11-round AES-256 that requires 2^70 time — almost practical.

[Editor] The balance of the article is just as important as the above, explaining how critical this is and how it can be mitigated. It also includes references to the original work.

Read at: From Crypto-Gram: August 15, 2009

Linux kernel vulnerability fixes – Update 3

From an article in H Security: Linux kernel vulnerability fixes – Update 3 – News – The H Security: News and features
17 August 2009, 16:40

Update 18 August – There is currently no patch for Red Hat Enterprise Linux (RHEL), but the company does offer a workaround which involves blacklisting certain network protocols so that the exploit that is currently in the wild does not function. The CentOS developers are waiting on a patch to appear from Red Hat and in the interim recommend a similar procedure as a workaround. Novell has said there is no patch yet available for SUSE Linux Enterprise Server.

Update 19 August – Ubuntu have released updates for Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, Ubuntu 8.10, Ubuntu 9.04 and all corresponding versions of Kubuntu, Edubuntu, and Xubuntu. Details of the updates are given in an Ubuntu Security Notice and the updates are available through Ubuntu’s software Update Manager system.

Update 25 August – Red Hat, Novell and CentOS have now published updates to address the vulnerability for RHEL 4 and 5, SUSE Linux Enterprise Server/Desktop and openSUSE 10.3 to 11.1, and CentOS 4 and 5 respectively.

Multiple Adobe security holes closed

All of the fixed vulnerabilities were critical, with most having the potential to allow an attacker to take over a user’s system.

Read the entire IT Pro story at: Multiple Adobe security holes closed | IT PRO – By Asavin Wattanajantra, 3 Aug 2009 at 11:22

Details of how to update the Adobe software can be found in its security bulletin here. Adobe is planning…

Adobe has had a very difficult time this year, with its popular Reader and Acrobat products suffering so many problems

Cyber criminals see PDF-reading software as a good opportunity …

Fibre-optic networks vulnerable to hacking

Once a successful tap has been achieved, … sniffers, can capture the data.

Read the entire article: Fibre-optic networks vulnerable to hacking | IT PRO – By Asavin Wattanajantra, 3 Aug 2009 at 15:33

“Organisations in the financial, insurance, healthcare, and government sectors deliver sensitive information across fibre-optic cables…

“Hence, capturing or eavesdropping on this data serves not only military purposes. …

The report also includes some past incidents of optical fibre networks being hacked, …

Fouchereau said that as it was impossible to monitor the entire optical fibre network, …

SSL-BlackHat Hacked-‘Urgent’

From an article in IT PRO: Black Hat: It wasn’t just the iPhone that got hacked… | IT PRO – By Asavin Wattanajantra, 3 Aug 2009 at 13:16

This was courtesy of vulnerabilities in SSL, allowing somebody to intercept traffic with what Marlinspike called a null-termination certificate.

Matt Hampton, chief technological officer at Imerja, said: “It’s not just something that can happen with a web browser. Something else needs to have been done beforehand.

He added: “Either a virus or malware has been downloaded on a [targeted user’s] machine that has changed the configuration, so the named servers have been changed.”

This could mean that a targeted user is pointed to a server where the attacker has created fake web pages, which could come from a location as far away as China or Russia.

“Currently if a user clicked on that link they would get a warning, because the browser doesn’t trust the certificate,” he added.

“If [the attacker] has managed to install a null-termination certificate, they won’t get the warning. It’s going to hide the fact that things have been changed.”

This could allow attackers to steal passwords or create fake online banking sites where they could steal credit card details.

Firefox 3.5 is currently protected against the attack, but not earlier versions. Chrome and IE8 are not.
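The “null-termination certificate” above works because a certificate’s subject name is an ASN.1 string with an explicit length, so a NUL byte inside it is legal at the encoding level, while C-string comparison stops at the first NUL. The following is an added example, not code from the IT PRO article or from Marlinspike’s talk, and the hostnames in it are constructed placeholders; it decodes such a name the way an ASN.1 parser does and contrasts the broken comparison with a hardened one that rejects any embedded NUL.

```python
# Added example (not code from the IT PRO article or from Marlinspike's talk):
# why a certificate-name check must never hand the subject name to C-string
# logic. Hostnames below are constructed placeholders.

VICTIM_HOST = "www.bank.example"   # constructed: the site the user meant to reach
OTHER_DOMAIN = "other.example"     # constructed: a domain under someone else's control

UTF8STRING_TAG = 0x0C


def der_utf8string(value: str) -> bytes:
    """Encode a DER UTF8String: tag, length, bytes. Because the length is explicit,
    a NUL byte inside the value is perfectly legal at the ASN.1 level."""
    raw = value.encode("utf-8")
    if len(raw) > 127:
        raise ValueError("this example only handles short-form (one byte) lengths")
    return bytes([UTF8STRING_TAG, len(raw)]) + raw


def decode_der_utf8string(buf: bytes) -> str:
    """Decode using the declared length, as a real ASN.1 parser does, so the
    returned string keeps every byte, NUL included."""
    if len(buf) < 2 or buf[0] != UTF8STRING_TAG:
        raise ValueError("not a UTF8String")
    length = buf[1]
    if length > 127 or len(buf) != 2 + length:
        raise ValueError("length does not match buffer")
    return buf[2:].decode("utf-8")


def as_c_string(s: str) -> str:
    """What strlen/strcmp-style code sees: everything before the first NUL."""
    nul = s.find("\x00")
    return s if nul < 0 else s[:nul]


def naive_cn_matches(common_name: str, host: str) -> bool:
    """The broken pattern: the decoded CN is passed through a C-string view,
    so anything after an embedded NUL is silently dropped before comparing."""
    return as_c_string(common_name).lower() == host.lower()


def safe_cn_matches(common_name: str, host: str) -> bool:
    """Hardened check: a name with an embedded NUL can never be a valid DNS
    name, so reject it outright; otherwise compare the full string."""
    if "\x00" in common_name:
        return False
    return common_name.lower() == host.lower()


def demo() -> dict:
    """Run both checks against a CN that decodes to 'www.bank.example<NUL>.other.example'."""
    cn_with_nul = f"{VICTIM_HOST}\x00.{OTHER_DOMAIN}"
    decoded = decode_der_utf8string(der_utf8string(cn_with_nul))
    return {
        "decoded_has_nul": "\x00" in decoded,
        "naive_accepts": naive_cn_matches(decoded, VICTIM_HOST),
        "safe_accepts": safe_cn_matches(decoded, VICTIM_HOST),
    }


if __name__ == "__main__":
    print(demo())
```

The browser fix the article alludes to is the second function: treat the decoded name as a length-delimited value end to end, and refuse any name that contains a byte a DNS hostname cannot contain.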

The conference also revealed a hacking attack by researcher Dino Dai Zovi that could allow criminals to take control of Apple computers and steal scrambled data.

There was also a detailed report on Russian cybercrime, with a claim that Eastern European mobsters are justifying their crimes by hiding it behind extreme nationalism and anti-western sentiment.

There was even a presentation on lockpicking forensics, as interest in physical security has become an extension of the growing number of people interested in computer security.

The hacker community is thriving, and another hacker convention in the Defcon conference is currently taking place in Las Vegas.

Reports revealed that somebody tried to hit Defcon attendees this week with a fake ATM placed in the Riviera hotel, which is playing host to the annual event.

It was apparently recording the card details and PIN on anybody trying to use it, but the criminals involved probably didn’t bank on it ending up centre stage of a hacker-focused security event.

The entire article is at: Black Hat: It wasn’t just the iPhone that got hacked… | IT PRO

Civolution Acquires Watermarking Business from Thomson

Civolution announced on Tuesday that it is acquiring the digital watermarking business from Thomson.  Terms were undisclosed.

This move represents further consolidation in the watermarking market, following Dolby’s shutdown of its Cinea video watermarking division last year.  Civolution itself spun out of Philips Electronics and acquired Teletrax, the video broadcast monitoring business that uses Civolution’s technology, late last year.

With this action, the only major players left in watermarking are Civolution and the Korean vendor MarkAny.  Apart from those two, there are a few players in niche markets, such as Verimatrix (IPTV/digital pay TV), Verance (Blu-ray audio), and USA Video Interactive (Internet video delivery).

This development does not necessarily point to decline in the adoption of watermarking.   First of all, Thomson’s watermarking business was known to be in disarray amid management changes.  Thomson has had some recent success with its NexGuard technology for pre-release content protection (which combines encryption and watermarking), but it has been hard to get management’s attention alongside other Thomson product and service properties such as Grass Valley and Technicolor.  Watermarking is more of an enabling technology, which should fit much better at Civolution.

More importantly, the success of watermarking requires standardization.  As I noted last week, standardization in the “secret sauce” of watermarking algorithms is unlikely, and there have been several vendors, each with their own secret sauce.  Consolidation is a market force that will promote de facto standardization.  For example, Thomson and Philips/Civolution were the two suppliers of watermarking technology for digital cinema; with this deal, there is now only one supplier and thus a de facto standard.

Of course it remains to be seen whether Civolution will integrate its two watermarking technologies or leave them be.  Integration is better for the market insofar as it is feasible.

Urgent Adobe PDF Reader Alert – UPDATE NOW

This week, Adobe announced a new security update and said that it will move to releasing updates on a regular 3 month cycle, similar to the schedule Microsoft uses for its monthly security patches.

Adobe reiterated that users must look to anti-virus programs for protection.

What are the problems and what does it mean to you?

Obviously, it is common to receive PDF files. What isn’t well understood is that a PDF file can contain executable code. That would be fine if it were limited to multimedia content, but hackers have figured out how to put trojans and viruses into a PDF, and that code can execute as you read the document.

These trojans might do nothing obvious, but they could sit in the background collecting data. They might wait until they decide that circumstances are ripe for spreading onto your network.
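A first line of detection for the “code that executes as you read” problem is to look for the PDF name tokens that make a reader act automatically (document JavaScript, Launch actions, OpenAction and additional-action hooks). The following is an added example, not code from the article or from Adobe; both sample files are constructed inline and contain nothing harmful. It also handles two edge cases a plain string search misses: names written with `#xx` hex escapes, and compressed object streams that hide names from a raw byte scan.

```python
# Added example (not from the article or from Adobe): a raw-bytes triage scan
# for active content in a PDF. Both sample files below are constructed here.
import re

# Name tokens a reader may act on while opening the file. Presence is a reason
# to look closer, not proof of malice: plenty of legitimate forms use JavaScript.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same skeleton, plus an OpenAction that runs a harmless script; the action
# subtype is written as /J#61vaScript to show the escape handling below.
ACTIVE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize_names(data: bytes) -> bytes:
    """PDF allows any byte of a name to be written as #xx, so /J#61vaScript is
    /JavaScript. Decode those escapes before searching, or a trivially
    obfuscated name slips past a plain string match."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def is_pdf(data: bytes) -> bool:
    return data.startswith(b"%PDF-")


def has_compressed_objects(data: bytes) -> bool:
    """Object streams and Flate-compressed content hide names from a raw byte
    scan; when present, the file needs real parsing before it can be called clean."""
    norm = normalize_names(data)
    return b"/ObjStm" in norm or b"/FlateDecode" in norm


def find_active_content(data: bytes) -> dict:
    """Count each risky name token in the escape-decoded file bytes."""
    norm = normalize_names(data)
    hits = {}
    for name in RISKY_NAMES:
        # A name ends at a delimiter, so /JS must not also count longer names.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        count = len(re.findall(pattern, norm))
        if count:
            hits[name.decode()] = count
    return hits


def classify(data: bytes) -> str:
    if not is_pdf(data):
        return "not-a-pdf"
    if find_active_content(data):
        return "active-content"
    if has_compressed_objects(data):
        return "needs-deeper-inspection"
    return "clean"


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF)):
        print(label, classify(sample), find_active_content(sample))
```

A scan like this is for triage only; it cannot see inside compressed object streams, which is why `classify` refuses to call such a file clean rather than reporting a false negative.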

SOLUTION: Stop reading this article and upgrade every single copy of Reader on every computer you can get your hands on.

Click here to download the Adobe update: <http://www.adobe.com/support/security/bulletins/apsb09-03.html>

CineCert Gets DCI Cert Nod

[DCI announced today that there will be 3 places to send your gear to: CineCert (contact John Hurst), DMC/Keio University in Tokyo, Japan (contact Naoshisa Ohta) and Media Innovation Center of Venice, Italy (contact Angelo D’Alessio). The press release is here.]
John made the point,

It should be clear that we will issue a ‘report of compliance’. This is not ‘certification’, which is a charged word, with specific meaning.
In addition, we understand that there will be other announcements about contracts with other labs from DCI in the near future.

Why is this important? There are a few reasons.

Primarily, clients who are involved with VPF agreements obligate themselves to use DCI Compliant equipment. If they don’t, then they can get cut off. This has happened before when early-adopting customers of Avica or XDC could not get movies because their servers couldn’t play JPEG 2000…only MPEG-2.

And consider the poor manufacturer who has to promise that their equipment is DCI Compliant. If they are a public company, they are wary of making such statements since Sarbanes-Oxley regulations prohibit them from taking profit on items that have unknown liabilities. Not having anyone to test for certification puts them in a difficult ‘unknown liabilities’ situation.

And, finally, for the industry itself. In olden times, one received a film and did the best possible with it. The laws of physics decreed that the film would degrade, and there was little that the cinema could do to keep the quality up.

Digital can change that. Light, Color, White Point…all those fun SMPTE Standards can be checked for and maintained. (Link to a list in pdf of all completed SMPTE DCinema Documents.) Equipment known to be compliant is the first step to a better picture (and sound~!) for us all, and a level playing field for all cinemas.

Part Two: the implementation of a set of standard quality-control procedures built into the cinema’s processes. You can read about that at our sister company’s site: DCinemaCompliance

Senate Legislation Would Federalize Cybersecurity

[Editor] Not discounting privacy and other issues, let’s remember that all DCinema systems are private networks, by any definition…and most are or will be connected to the internet via satellite or optical fibre, or the private phone line modem.

Second, if anyone is following the conversations about the hopes of DCinema and ADA compliance for HI and VI captioning and who might wonder if the government will get involved…perhaps this article will seem interesting…and again, notwithstanding the merits of the idea that there should be standards and they should be monitored. 

Returning to the article…

Currently, government responsibility for cybersecurity is split: The Pentagon and the National Security Agency safeguard military networks, while the Department of Homeland Security provides assistance to private networks. Previous cybersecurity initiatives have largely concentrated on reducing the vulnerability of government and military computers to hackers.

A 60-day federal review of the nation’s defenses against computer-based attacks is underway, and the administration has signaled its intention to incorporate private industry into those defenses in an unprecedented way.

Read the entire article at: <http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684.html>

“People say this is a military or intelligence concern, but it’s a lot more than that,” Rockefeller, a former intelligence committee chairman, said in an interview. …

U.S. intelligence officials have warned that a sustained attack on private computer networks …

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser,…

The proposal would also mandate an ongoing, quadrennial review of the nation’s cyberdefenses….

Last week, Director of National Intelligence Dennis C. Blair told reporters that one agency should oversee …

“The taxpayers of this country have spent enormous sums developing a world-class capability…

Blair acknowledged there will be privacy concerns about centralizing cybersecurity, …