Security

November 16, 2009 5:45 AM PST

VeriSign expects major security update by 2011

by Tom Espiner

VeriSign, which runs the master database for such domains as .com and .net, says a significant Internet security vulnerability will be closed by 2011, after delays caused by technical aspects of the implementation.

The problem is that DNS, the Domain Name System that translates Internet addresses into numerical values, can be seeded with false values and used to misdirect users. VeriSign told ZDNet on Friday that it will put in place DNSSEC, a protocol that will guarantee the origin and integrity of DNS data for the .com and .net domains, by the first quarter of 2011.

Read more of "VeriSign: Major internet security update by 2011" at ZDNet UK.

November 5, 2009 8:50 AM PST

Zero-day flaw found in Web encryption

by Tom Espiner

A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt Web pages, has been made public.

Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for Web transactions.

Ray, who works with Dispensa at two-factor authentication company PhoneFactor, explained in a blog post this week that he had initially discovered the flaw in August and demonstrated a working exploit to Dispensa at the beginning of September.

Read more of "Zero-day flaw found in web encryption" at ZDNet UK.

September 8, 2009 9:27 AM PDT

Windows 7, Vista zero-day flaw reported

by Tom Espiner

Microsoft said on Tuesday that it is investigating reports of a zero-day vulnerability affecting Windows 7 and Vista.

The flaw in Windows 7 could allow an attack which would cause a critical system error, or "blue screen of death," according to researcher Laurent Gaffie.

Gaffie wrote in his blog that the flaw lies in a Server Message Block 2 (SMB2) driver.

"SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality," wrote Gaffie in a blog post Monday.

Gaffie said he had contacted Microsoft. Comments on his blog by other users said that the flaw could lead not only to denial of service, but could also lead to remote code execution.

Microsoft said in a statement on Tuesday that it was investigating, but said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."

Computer security publication "The H" wrote on Tuesday that its German sister publication had tested the proof-of-concept code, and that while the exploit had caused a reboot on Vista, the exploit had not worked on Windows 7.

Metasploit creator HD Moore said in a tweet on Tuesday that an SMB bug appeared to have been introduced into Vista SP1. Coder Josh Goebel said in a blog post that he had added the exploit code to Metasploit.

Tom Espiner of ZDNet UK reported from London. CNET News' Ina Fried contributed to this report.

August 26, 2009 7:27 AM PDT

Report: Antivirus feature for Snow Leopard?

by Tom Espiner

The next version of Apple's OS X, which is due out Friday, may bundle antivirus capabilities.

Mac security firm Intego said in a blog post Tuesday that, according to reports, the latest version of the operating system, Mac OS X Snow Leopard, could have an antimalware feature.

The company published a screenshot which it said was of the security feature detecting a Trojan in a download, made via Apple's Safari Web browser.

Intego pointed out that the most recent Mac adverts compare Mac security favorably to PCs. However, security experts have historically been divided over the relative security of Microsoft and Apple code, while some point out that any comparison is further complicated by the differing market penetration of Macs and PCs.

Tom Espiner of ZDNet UK reported from London.

Originally posted at Apple
August 15, 2009 10:00 AM PDT

Researchers prove kernel is secure

by Tom Espiner

Australian researchers have demonstrated a way to prove core software for mission-critical systems is safe.

The researchers this week said they can prove mathematically that code they have developed, designed to govern the safety and security of systems in aircraft and motor vehicles, is free of many classes of error.

Australia's Information and Communications Technology Centre of Excellence (Nicta), a private-sector research organization, this week announced the completion of the first formal machine-checked proof of a general-purpose operating-system kernel. The kernel is called the secure embedded L4 (seL4) microkernel.

Lawrence Paulson, professor of computational logic at Cambridge University's Computer Laboratory, who developed Isabelle, the generic proof assistant that Nicta adapted to check its kernel, told ZDNet UK that the microkernel breakthrough would have a trickle-down effect for businesses.

"I regard the software industry as a real mess," Paulson said on Thursday. "If you've ever used a computer you know how unreliable they are. This is an important way of making it better."

While rigorously testing high-quality code is expensive, said Paulson, developing such tests and operating systems for specialized purposes would have the secondary effect of improving software in general.

Paulson added that teams in Europe had also made breakthroughs in the formal verification of computer systems, giving the German Verisoft project as an example.

Nicta principal researcher Gerwin Klein, who leads the formal verification research team, said in a statement that previous research had concentrated on giving proofs for specific system properties.

"Formal proofs for specific properties have been conducted for smaller kernels, but what we have done is a general, functional correctness proof which has never before been achieved for real-world, high-performance software of this complexity," said Klein.

Nicta claimed that many kinds of attack, such as those exploiting buffer-overflow vulnerabilities, would not be successful against the seL4 microkernel.

The intellectual property generated by the Nicta research will be handed over to Open Kernel Labs, a Nicta spinoff firm, for further development. The research took four years, and was conducted by 12 Nicta researchers, in conjunction with the University of New South Wales.

Tom Espiner of ZDNet UK reported from London.

July 31, 2009 6:20 AM PDT

NASA hacker loses bid to avoid extradition

by David Meyer and Tom Espiner

Gary McKinnon has lost his high court bid in the U.K. to avoid extradition to the U.S. for hacking into military systems.

McKinnon had tried to argue that former home secretary, Jacqui Smith, was legally wrong to push for the extradition despite his diagnosis of Asperger's syndrome and that the director of public prosecutions was also wrong to opt for extradition despite having sufficient evidence to prosecute McKinnon in the U.K.

Gary McKinnon (Credit: ZDNet UK)

However, Lord Justice Stanley Burnton and Justice Alan Wilkie dismissed both claims on Friday. McKinnon now has 28 days to launch an appeal at the Royal Courts of Justice. According to his solicitor, Karen Todner, McKinnon and his legal team will also appeal to the Law Lords, and Todner has made a fresh approach to President Obama.

"I have today sent a letter to President Barack Obama signed by 40 members of a cross parliamentary group of MPs asking him to step in to bring this shameful episode to an end," Todner said in a statement on Friday. "It is a sad state of affairs if this government cannot protect our most vulnerable of citizens."

In her statement, Todner also referred to the judges' decision as "inhumane" and "an affront to British justice."

The decision comes almost seven years after McKinnon, from North London, was indicted by the U.S. Department of Justice in November 2002. He was charged with intentionally damaging a federal computer system, and with breaking into 97 computers belonging to the U.S. Army, U.S. Navy, U.S. Air Force, U.S. Department of Defense, and NASA.

McKinnon has never denied the hacks, although his legal team has disputed the cost of the damage he allegedly caused--around $700,000, according to U.S. authorities. The Londoner said he had been looking for suppressed evidence of extraterrestrial life and pointed out the poor security that had been applied to the affected systems.

The case has had ramifications beyond the hacks themselves, as it has drawn attention to the extradition treaty that exists between the U.K. and the U.S. The U.S. can demand a suspect be extradited from the U.K. without providing prima facie evidence, which McKinnon's defense team have argued is not reciprocal.

McKinnon has also been diagnosed by the autism expert Simon Baron-Cohen with Asperger's syndrome, a disorder on the autism spectrum.

If he is convicted in the U.S., McKinnon faces up to 70 years in a maximum security federal prison. His legal team has argued that, given his condition, the situation would put him at risk of psychosis or even suicide.

Politicians and celebrities have rallied behind McKinnon, arguing that he should serve any potential sentence in the U.K., rather than in the U.S.

Correction at 8:25 a.m. PDT: The details of the extradition treaty between the U.S. and the U.K. have been tweaked.

David Meyer and Tom Espiner of ZDNet UK reported from London.

July 28, 2009 9:29 AM PDT

Web users ignoring security certificate warnings

by Tom Espiner

Digital certificate warnings in Web browsers are not an effective security measure, according to Carnegie Mellon researchers.

The researchers, who plan to present their findings on August 14 at the Usenix Security Symposium in Montreal, found over the course of two experiments that certificate warnings were ineffectual. The warnings appear when a browser detects a problem with a Web site's certificate and arrive as a pop-up with a message such as: "There is a problem with this Web site's security certificate."

In an online study conducted among 409 participants, the researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they would be to ignore it, the study found.

SSL certificates are designed to provide the user with a degree of confidence about the authenticity of a Web site they are visiting. As a technical security mechanism, the certificate allows the browser to validate the authentication chain for the Web site server. While SSL certificates often expire for benign reasons, an expired certificate can also indicate that the user could be the victim of a man-in-the-middle attack.

The Carnegie Mellon researchers found that a high percentage of users were willing to ignore warnings about certificates that were out of date. For example, of the 50 percent of Firefox 2 users polled who could identify the term "expired security certificate," 71 percent said they would ignore the warning.

"Far too many participants exhibited dangerous behavior in all warning conditions," wrote the researchers in their paper, titled "Crying Wolf: An Empirical Study of SSL Warning Effectiveness."

Respondents were able to identify other risks indicated by browser certificate notifications. Of the 59 percent of Firefox 2 users who understood the significance of a "domain mismatch" warning, 19 percent said they would ignore the hazard. A domain mismatch, where the URL displayed does not match the URL of the destination site, indicates the user may be the victim of a phishing attack.

The Carnegie Mellon team conducted a second study, with 100 participants and under lab conditions. Online businesses can pay to have authorities vouch for the digital certificate on their Web sites, and browsers keep a list of these 'trusted authorities' for checking when a site is visited. To spoof a phishing site, the researchers removed these certificate authorities from the trusted authorities list in each of the browsers used in the study, which were iterations of Firefox 2, Firefox 3, and Internet Explorer 7. As a consequence, the participants were shown an invalid certificate warning when they navigated to a bank Web site.

Again, high percentages of users ignored the warnings. For example, of the technologically savvy Firefox 2 users, 69 percent ignored an expired certificate warning from their bank.

There has been some debate as to whether browser warnings could be so onerous they make people simply switch to a different browser. This behavior was observed by the researchers, who noted that a small percentage of participants asked the researchers if they could switch to using a different browser when presented with a certificate warning.

The findings for the second study are also presented in the "Crying Wolf" paper.

The Carnegie Mellon team advocated scrapping certificate-validity warnings, saying that a better approach may be to block users from making unsafe connections and get rid of warnings in benign situations.
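The "block, don't warn" policy the study recommends, as an added example written for this post (it is not code from the "Crying Wolf" paper, the article, or any browser). Names such as `check_certificate` and `name_matches` are hypothetical, and the inputs are already-parsed certificate fields (subjectAltName dNSName entries and a notAfter time) rather than a live TLS handshake; the host names and times in `main` are constructed.

```c
/* Added example, not from the "Crying Wolf" paper or the article: the
 * "block instead of warn" decision for the two certificate problems the study
 * measured, an expired certificate and a domain mismatch.  Function names are
 * hypothetical and the inputs are already-parsed certificate fields
 * (subjectAltName dNSName entries and notAfter as a Unix time). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <time.h>

enum verdict { ALLOW = 0, BLOCK_EXPIRED = 1, BLOCK_MISMATCH = 2 };

/* Case-insensitive equality, as DNS names are compared. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does one presented name match the host the user asked for?
 * A wildcard is honoured only as the whole leftmost label and covers exactly
 * one label: "*.bank.example" matches "www.bank.example" but neither
 * "bank.example" nor "a.b.bank.example". */
static int name_matches(const char *presented, const char *host)
{
    if (strncmp(presented, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return name_eq(presented + 2, dot + 1);
    }
    return name_eq(presented, host);
}

/* Decide ALLOW or BLOCK_* for a host.  Both failure conditions fail closed:
 * there is no "continue anyway" outcome, which is the policy the Carnegie
 * Mellon team advocate for genuinely unsafe connections. */
enum verdict check_certificate(const char *host, const char *const *names,
                               size_t n_names, time_t not_after, time_t now)
{
    size_t i;
    if (now > not_after)
        return BLOCK_EXPIRED;
    for (i = 0; i < n_names; i++)
        if (name_matches(names[i], host))
            return ALLOW;
    return BLOCK_MISMATCH;
}

int main(void)
{
    /* Constructed certificate fields for a hypothetical bank site. */
    const char *const names[] = { "bank.example", "*.bank.example" };
    const time_t not_after = 1262304000;   /* 2010-01-01T00:00:00Z */
    const time_t valid_now = 1257000000;   /* before expiry */
    const time_t late_now  = 1265000000;   /* after expiry */
    static const char *label[] = { "ALLOW", "BLOCK_EXPIRED", "BLOCK_MISMATCH" };

    printf("%s\n", label[check_certificate("www.bank.example", names, 2, not_after, valid_now)]);
    printf("%s\n", label[check_certificate("www.bank.example", names, 2, not_after, late_now)]);
    printf("%s\n", label[check_certificate("www.bank.example.evil.test", names, 2, not_after, valid_now)]);
    return 0;
}
```

The expiry test runs before the name test so that a certificate that is both stale and for the wrong site is reported as expired, the more common benign case, but neither condition yields anything a user can click through.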

Tom Espiner of ZDNet UK reported from London.

July 25, 2009 3:58 PM PDT

HP researchers develop browser-based darknet

by Tom Espiner

Two researchers for Hewlett-Packard have created a browser-based darknet, an idea that could make it easier for businesses to keep eavesdroppers from uncovering confidential information.

Darknets are encrypted peer-to-peer networks normally used to communicate files between closed groups of people. Most darknets require a certain level of technological literacy to set up and maintain, including taking care of the necessary servers. However, HP researchers Billy Hoffman and Matt Wood plan next week to demonstrate a browser-based darknet called "Veiled," which they claim requires little proficiency to set up and run.

"This will really lower the barriers to participation," Wood told ZDNet UK. "If you want to create a darknet, you can send an encrypted e-mail saying, 'Here's the URL.' When (the recipient visits) the Web site, the browser can just get (the darknet application) going."

Hoffman and Wood are scheduled to demonstrate the technology next week at the Black Hat security conference in Las Vegas.

Wood said HP does not want to turn the project into a commercial product. While the company does not plan to make the source code available, the researchers do plan to open source their idea, so to speak, so other security researchers can "pick up the baton."

"HP has no desire to patent or copyright or release any code," Wood said. "Black Hat is one of the top security conferences, and we want to get this cool idea into the hands of people who are really smart."

Businesses could use browser-based darknets to set up workgroups to exchange commercially sensitive information, or to have a means of making anonymous suggestions to management, Wood said. "I like the idea of a suggestions box on the Web," he said. "It provides an anonymous way to make suggestions to your boss."

HP's darknet research came about when the researchers realized the potential of new browser technologies, according to Wood.

Browsers with HTML 5 support--such as recent versions of Firefox, Safari and Internet Explorer--allow files to be stored "persistently" on the client, for working on them when offline. This feature, coupled with the distributed grid-computing nature of a darknet, means files can be effectively uploaded in perpetuity, even when the initial browser has been shut down. It also makes the darknet resilient, said Wood.

"One of the benefits of a darknet is that they are distributed," said Wood. "To destroy it, you would have to take down all of the clients, because if one server gets compromised, you just shift to a different server. They can hop around."

Advances in JavaScript engines, such as Google's Chrome V8 and Mozilla's TraceMonkey, have also helped make browser-based darknets possible, according to Wood. These engines allow browser-based communications to be set up quickly and encrypted. The Veiled darknet uses RSA public key cryptography, but any cryptography will work.

"Cool advances in JavaScript technology allow encryption in the browser," said Wood. "Browsers are getting really powerful."

Tom Espiner of ZDNet UK reported from London.

July 20, 2009 11:48 AM PDT

Linux exploit gets around security barrier

by Tom Espiner

A security researcher has released zero-day code for a flaw in the Linux kernel, saying that it bypasses security protections in the operating system.

The source code for the exploit was made available last week by researcher Brad Spengler on the Dailydave mailing list. According to the researcher, the code exploits a vulnerability in Linux versions 2.6.30 and 2.6.18, and affects both 32-bit and 64-bit versions. The 2.6.18 kernel is used in Red Hat Enterprise Linux 5.

The exploit bypasses null pointer de-reference protection in the mainline kernel, which could allow an attacker to gain root control of a system, Spengler wrote.

It also uses arbitrary code execution to disable security features such as auditing, Security-Enhanced Linux (SELinux), AppArmor and Linux Security Module, while making the applications running outside the kernel believe that SELinux is still operating.

In the notes for his source code, Spengler said the exploit is strengthened if SELinux is applied to the operating system. SELinux is a set of modifications that can be applied to the kernel to harden it, by providing a set of security policies.

"Having SELinux enabled actually weakens system security for these kinds of exploits," he wrote.

Security training organization the Sans Institute called the exploit "fascinating." In a blog post on Friday, Sans Institute incident handler Bojan Zdrnja said that the exploit uses the Linux compiler to overcome the security features.

"The compiler will introduce the vulnerability to the binary code, which didn't exist in the source code," wrote Zdrnja. "This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland--and this finally pwns the box."

In his notes on the source code, Spengler said that a workaround would be for administrators to compile the kernel with -fno-delete-null-pointer-checks.
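The source pattern behind a check that the compiler is allowed to delete, beside the corrected ordering, as an added example for this post. It is not the article's code or Brad Spengler's, and `struct conn`, `dispatch_buggy` and `dispatch_safe` are hypothetical names chosen for illustration; the only thing taken from the post is the compiler flag named as a workaround.

```c
/* Added example, written for this post; it is not the article's or Brad
 * Spengler's code.  The struct and function names are hypothetical.  It shows
 * the source pattern behind a "deleted" null-pointer check, the fix, and the
 * compiler flag the post mentions as a workaround. */
#include <stdio.h>
#include <stddef.h>

struct ops  { int (*send)(int value); };
struct conn { struct ops *ops; int id; };   /* ops may legitimately be NULL */

static int echo_twice(int value) { return value * 2; }

/* BUGGY ORDERING.  c->ops is dereferenced to fetch the handler BEFORE it is
 * tested.  Dereferencing NULL is undefined behaviour, so the compiler may
 * assume c->ops was non-NULL and discard the later `if`.  With GCC's
 * -fdelete-null-pointer-checks (on by default at the usual optimisation
 * levels) the binary can end up with no guard at all, which is the defect
 * the post describes: a check that exists in the source but not in the
 * kernel image.  Calling this with c->ops == NULL is unsafe either way. */
int dispatch_buggy(struct conn *c, int value)
{
    int (*handler)(int) = c->ops->send;   /* dereference first ... */
    if (c->ops == NULL)                   /* ... test second: removable */
        return -1;
    return handler(value);
}

/* FIXED ORDERING.  Every pointer is tested before it is dereferenced, so no
 * earlier access lets the optimiser assume non-NULL, and the guard survives
 * whatever flags the kernel is built with. */
int dispatch_safe(struct conn *c, int value)
{
    if (c == NULL || c->ops == NULL || c->ops->send == NULL)
        return -1;
    return c->ops->send(value);
}

/* The post's workaround for code that cannot be fixed immediately:
 *   gcc -O2 -fno-delete-null-pointer-checks ...
 * keeps late checks like the one in dispatch_buggy at some optimisation
 * cost; correcting the ordering is the durable remedy. */

int main(void)
{
    struct ops  ok_ops = { echo_twice };
    struct conn good   = { &ok_ops, 1 };
    struct conn noops  = { NULL, 2 };

    printf("safe, good conn  -> %d\n", dispatch_safe(&good, 21));   /* 42 */
    printf("safe, ops==NULL  -> %d\n", dispatch_safe(&noops, 21));  /* -1 */
    printf("buggy, good conn -> %d\n", dispatch_buggy(&good, 21));  /* 42 */
    /* dispatch_buggy(&noops, 21) is deliberately not called. */
    return 0;
}
```

Building with `-O2` and inspecting the generated code for `dispatch_buggy` (for example with `objdump -d`) is the quickest way to confirm for a given compiler version whether the late check was kept; `dispatch_safe` keeps its guard regardless.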

Tom Espiner of ZDNet UK reported from London.

July 18, 2009 12:41 PM PDT

Symbian admits Trojan slip-up

by Tom Espiner

The Symbian Foundation has acknowledged that its process for keeping malicious applications off Symbian OS-based phones needs improvement, after a Trojan horse program passed a security test.

The botnet-building Trojan, which calls itself "Sexy Space," passed through the group's digital-signing process, Symbian's chief security technologist Craig Heath said Thursday. Heath said the group is working on improving its security-auditing procedure.

"When software is submitted, we do try to filter out the bad eggs," Heath told ZDNet UK. "When apps are submitted, they are scanned. We are looking at how they could be scanned better."

Developers must submit the mobile applications they build to the Symbian Foundation for checking before handsets running the Symbian operating system will accept them. Once the submission has been accepted, the applications are digitally signed by Symbian. Digital signatures, which are cryptographic security features, are designed to provide a degree of assurance that downloadable software comes from a trusted source.

The first stage of Symbian's signing process, antivirus scanning, is done automatically using an antivirus engine. Once an application has been submitted and scanned, random samples are then submitted for human audit.

In the case of the low-risk Sexy Space Trojan, which was disguised as a legitimate application called ACSServer.exe, the Trojan had not been subjected to human scrutiny, Heath said.

The Symbian Foundation became aware that Sexy Space was a Trojan two weeks ago, and the signature was revoked then, Heath said. However, an error on Symbian's servers meant the application was available for download until this week.

On the Symbian Signed Web site, the group's antivirus-scanning provider is identified as Finnish company F-Secure. Mikko Hyppönen, F-Secure's chief research officer, told ZDNet UK on Friday that the malware authors had probably tested their Trojan against the F-Secure antivirus engine to circumvent security measures.

"Virus writers scan their malware, and keep modifying it until it passes the filters," Hyppönen says. "Obviously, the signing process can be and has been circumvented."

Symbian uses graded signing processes for mobile applications, according to Hyppönen. The Sexy Space malware went through its express signing process, which is designed for freeware. "It shows the express signing process is not foolproof, but it's still much better than the apps not being signed at all," Hyppönen said.

Symbian is in the process of upgrading its automated scanning processes, Heath said, adding that human auditing is also going to be improved. However, human auditing will probably not be expanded, as this introduces cost and time delays into the process, he said.

The group is looking to automate more of the work involved in publishing applications. "Today, most of the processes behind (Symbian) require manual tasks," the organization said in a blog post on the launch of its new Symbian Horizon program. "Our goal for the near future is to develop a system that will automate this work allowing us to scale the program to include as many apps as possible."

The Symbian Horizon program intends to select applications submitted by developers and then support them through their development and submission to mobile app stores. Symbian said that one of the aims of Horizon was to automate the publication of apps as far as possible.

Tom Espiner of ZDNet UK reported from London.
