Common bugs in networking systems are placing PCs, printers, and storage devices at risk, according to security researchers.

According to the security team at Rapid7, technology used worldwide in both routers and standard networking equipment is making it possible for hackers to potentially infiltrate approximately 40 million to 50 million devices worldwide.

The vulnerability lies in the standard known as Universal Plug and Play (UPnP). This standard set of networking protocols allows devices, such as PCs, printers, and Wi-Fi access points, to communicate and discover each other’s presence. After discovery, devices can be connected through a network in order to share files, printing capability, and the Internet.

In a white paper released today, researchers from the security software maker said that while UPnP might make network setup cheaper and more efficient, it harbours a severe security risk.

The paper focuses on programming flaws in common UPnP discovery protocol (SSDP) implementations, which can be exploited to crash the service and execute arbitrary code, the exposure of the UPnP control interface (SOAP) on private networks, and programming flaws in both UPnP HTTP and SOAP overall.

Over 80 million unique IPs were identified that responded to UPnP discovery requests from the Internet due to the “misconfiguration” of the UPnP SSDP discovery service across thousands of products. Over 73 percent of all UPnP instances discovered through SSDP were derived from only four software-development kits (SDKs).

In addition, the UPnP SOAP service was found to provide access to device functions that should not be allowed from distrusted networks–such as opening holes in a firewall.

Rapid7 also said that the two most commonly used UPnP software libraries both contain remotely exploitable vulnerabilities. For example, in the case of the Portable UPnP SDK, “over 23 million IPs are vulnerable to remote code execution through a single UDP packet.” A patch has been released, but it will take a long time before this patch is included in vendor products, according to the firm.

The paper states:

In most cases, network equipment that is “no longer shipping” will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new. The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions.

The team’s findings are below.

(Credit: Rapid7)

The researchers say that over 1,500 vendors and 6,900 products were identified and vulnerable to at least one of these security flaws. Vendors with vulnerable products include Belkin, Linksys, and Netgear. These flaws, unless disabled or fixed, could allow hackers access to confidential business files, passwords, or grant them control over devices including printers and webcams remotely.

Chris Wysopal, chief technology officer of security software firm Veracode, told Reuters that the publication of these findings would bring widespread attention to UPnP, commenting:

This definitely falls into the scary category. There is going to be a lot more research on this. And the follow-on research could be a lot scarier.

The firm suggests that in order to combat the possible threat, end users, firms, and ISPs shouldidentify and disable any UPnP endpoints within their systems and networks, and be aware that many devices come with UPnP enabled by default.

By Charlie Osborne for Zero Day

Twitter rang in Data Privacy Day by updating its transparency report with another round of numbers and some changes in how it presents the figures.

The report gives a view on the number of user information requests made by governments around the world. Also included are requests to remove illegal content and copyright violation notices the company receives.

As for the changes, the transparency info was moved to a new homepage. Twitter made the data more visual, and the new site is littered with graphs and charts to help users digest the info.

The social media site also added more detailed information on how the United States asks for this data, whether through subpoenas, court orders or search warrants.

Tweet the police

This is the second transparency report from the social network since it started releasing this sort of data in July. The first report focused on the first half of 2012.

Just like last time, Twitter gave the global numbers while the information is broken down by country for users to sift through.

From July to December of 2012, Twitter received 1,009 requests for users’ information from governments around the world. That’s up from 849 requests made in the first half of the year.

To put that into context, Twitter has about 200 million monthly active users, according to an official tweet from last month.

These information requests are generally for criminal investigations, but are also sometimes used in emergency cases.

Of those 1,009 requests, 57 percent produced at least some information to authorities. Of the 849 requests from the first part of 2012, at least some data was produced about 63 per cent of the time.

The company received 42 request to remove illegal content in the last part of the year, compared to six removal requests from January to June of last year. In later 2012, Twitter got 3,268 copyright notices, down from 3,378 earlier in the year.

For some perspective, Google reported its transparency numbers last week. The search engine received about 21,000 user information requests in the last half of 2012, producing some data 66 per cent of the time.

Ask Google

But Twitter isn’t the only company taking note of Data Privacy Day. Google also published a new Legal Process FAQ on its own transparency site, which Twitter emulates.

The new FAQ is a guide through the legal processes involved when governments request user data. It explains what Google does when it receives these requests and what governments need to do to get access to the data.

One of the more informative sections breaks down what types of data the U.S. government can request through different legal processes. For example, a subpoena can force Google to disclose a user’s registration info on YouTube, and a court order can reveal the contents of Gmail messages.

It’s a good breakdown of the whole legal process involved and gives an insight into how companies in general deal with these requests. It’s also a good place to start if you know you were targeted by one of these requests.

But, as both Google and Twitter noted in blogs, these reports are more about starting conversations than reporting numbers.

“It’s our continued hope that providing greater insight into this information helps in at least two ways: first, to raise public awareness about these invasive requests; second, to enable policy makers to make more informed decisions,” Jeremy Kessel, Legal Policy Manager, wrote on the Twitter blog.

Ooo, “invasive.” We like the language.

By Clint Demeritt 

Common Problems with Passwords

Use Different Passwords Everywhere

Why would you do this when it’s so easy to just type “fido” at every password prompt? Here’s why: If “fido” gets cracked once, it means the person with that info now has access to all of your online accounts. A study by BitDefender showed that 75 per cent of people use their email password for Facebook, as well. If that’s also your Amazon or PayPal password and it’s discovered, say good-bye to some funds, if not friends.

Remember the Underwear Meme

The saying goes like this: Passwords are like underwear. You should change them often (okay, maybe not every day). Don’t share them. Don’t leave them out for others to see (no sticky notes!). Oh, and they should be sexy. Wait, sorry, I mean they should be mysterious. In other words, make your password a total mystery to others.

You can make your password sexy if you really want, however. I won’t judge.

Avoid Common Passwords

If the word you use can be found in the dictionary, it’s not a strong password. If you use numbers or letters in the order they appear on the keyboard (“1234″ or “qwerty”), it’s not a strong password. If it’s the name of your relatives, your kids, or your pet, favourite team, or city of your birth, guess what-it’s not a strong password. If it’s your birthday, anniversary, date of graduation, even your car number plate, it’s not a strong password. It doesn’t matter if you follow this with another number. These are all things hackers would try first. They write programs to check these kinds of passwords first, in fact.

Other terms to avoid: “god,” “money,” “love,” “monkey,” “letmein,” and for the love of all that’s techie, if you use “password” as your password, just sign off the Internet right now.

Strong Password Solutions

How to Build Strength

To create a strong password, you should use a string of text that mixes numbers, letters that are both lowercase and uppercase, and special characters. It should be eight characters, preferably many more. A lot more. The characters should be random, and not follow from words, alphabetically, or from your keyboard layout.

So how do you make such a password?

1) Spell a word backwards. (Example: Turn “New York” into “kroywen.”)

2) Use l33t speak: Substitute numbers for certain letters. (Example: Turn “kroywen” into “kr0yw3n.”)

3) Randomly throw in some capital letters. (Example: Turn “kr0yw3n” into “Kr0yw3n.”)

4) Don’t forget the special character. (Example: Turn “Kr0yw3n” into “Kr0yw3^.”)

You don’t have to go for the obvious and use “0″ for “o,” or “@” for “a,” or “3″ for “e,” either. As long as your replacement makes sense to you, that’s all that matters. A “^” for an “n” makes sense to me.

Other Tips

Choose something simple to remember as a password, but whenever you type it, put your fingers on the wrong keys-maybe one key to the left or right. Then a password like “kroywen” becomes “jeitqwb” or “ltpuerm.” This is only going to work for non-perfectionist touch-typists. And skip this tip if you type passwords on your phone; you’ll only sprain a thumb trying to be inaccurate instead of letting the inaccuracy flow naturally.

Another option is to pick a pattern on the keyboard and type based on that. For example, a counter-clockwise spin around the letter d could result in “rewsxcvf.” Throw in some random caps and numbers to really lock it down.

Perhaps the easiest thing to remember is an acronym from a phrase of your choice. “We didn’t start the fire, it was always burning” becomes “wdstfiwab” based on the first letters of each word.

Remember, the longer the password, the stronger it is, always. Something more than 15 characters is very difficult to remember, but it’ll be a breeze with a mnemonic.

Third-Party Passwords

If you don’t trust yourself to create an unbreakable password, there are plenty of tools that will make one for you. The PC Tools Secure Password Generator, for example, makes one based on your criteria: how long, include (or don’t) mixed case, numbers, punctuation, similar character replacement, etc. It even provides a phonetic pronunciation guide that you use as your mantra while typing the password, for example:

MA7ApUp# is MIKE – ALPHA – seven – ALPHA – papa – UNIFORM – papa – hash

Password Testing

If you’re worried that your password of choice isn’t strong enough, check it at How Secure is My Password?. The site will even tell you how long the average PC would take to crack it. For example, cracking “kroywen” would take 13 minutes, “kr0yw3n” would take about 2 hours, “Kr0yw3^” 15 days, and “MA7ApUp#” about 3 years.

You can tell from these results that mixing capital and small letters are better for strength and more characters (eight instead of seven) also make a huge difference. Adding a single capital letter to the end of “Kr0yw3^,” such as “Kr0yw3nZ,” boosts the crack time to 3 years. Throw another special character in (“Kr0yw3^Z!”) and it jumps to 237 years.

Password Tracking and Changes

It’s easy for me to say that you should use a strong password and then expect you to remember that messy non-word string of characters. But how dare I suggest you use a different password on every site you visit and account you own. That’s madness!

Or is it? Here’s a simple trick that would make your already steroid-strong password even more muscular, while individualising it for each entry. Simply take the first three letters of the site or service you’re entering and append them to the beginning or end of your strong password. On Amazon, you’d have “Kr0yw3^AMA.” Your email could be “Kr0yw3^EMA.” Facebook would be “Kr0yw3^FAC.” Notice I always use all caps for the appended letters, just to crank up the security. This can work for banks, shopping, social networks, you name it. It’s like creating a thousand passwords you can remember easily.

Every few months, you should change all of your passwords-everywhere. Even if you made a password that would take a few centuries to hack, you might have shared it with a co-worker or boyfriend or girlfriend, right? What happens when they become ex-co-workers or an ex-BF or ex-GF? Yeah, you can probably guess.

You could change your base (“Kr0yw3^”), which might be easy if you based it on an acronym for a longer phrase. Or you could change the appended letters by moving them to the front or even the middle (“Kr0yFACw3^” for Facebook). Perhaps switch to the last three in the service name (“OOK” for Facebook.) You could even stick in the date of the change. It’s your call.

You’ll be most annoyed when you encounter that select few sites that only let you have a short password of four, six, or even eight characters. What might have seemed easy before is going to soon becoming a vexing problem when you embrace the might of a strong personal password paradigm.

The Right Advice is Wrong

Some experts will tell you to do a couple of things that go against conventional password wisdom. And the reasons are simple: productivity.

For example, I read a treatise on why you should write down your passwords, especially if you actually go the distance and use a unique string of characters for every log in. The amount of time you could lose trying to remember each password whenever you have to type it in may not be worth it. Just try to keep the list somewhere that’s not readily accessible, such as in your wallet. A desk drawer at work is not optimal for keeping out snooping co-workers.

Related advice from a Microsoft researcher says that having multiple passwords is also not worth the effort. Or, more specifically, the indirect costs of the effort of tracking them all. That’s right, that big list of passwords I just said to put in your pocket? Maybe it’s not worth it.

Of course, all such worries are moot if you follow the advice above and create super-seekrit-strong passwords that you can easily remember.

Source: IT Pro

That’s not impossible — GPU computing in the cloud makes cracking passwords much easier. If you care about an account, your password needs at least 12 characters. That can be two or more common words together rather than a single Brobdingnagian word.

But what allowed a hacker who just wanted a cool Twitter handle to get so much access to Honan’s accounts were failures in the security processes at both Amazon and Apple, and good old human error. Forget zero-day vulnerabilities and buffer overruns and heap-spraying attacks. If you forget that security has to be a combination of people, process and technology, then someone is going to get hacked.

Technology as secure as the Enigma machine isn’t enough if people and processes are insecure

I’m not quite sure why Amazon ever allowed customers to add a credit-card number to their account over the phone — some oddity of the US banking system, because it’s easier than typing it in on a phone screen? But allowing someone to add a security credential to their account and then use it almost immediately is clearly a bad idea.

It’s something that many credit-card and banking-fraud systems look for, actually. You could force a waiting period between entering and using a new credential, or insist on out-of-band confirmation — such as the emails you get when you set up new accounts with many websites — or you could stop someone adding a new security credential without confirming an existing security credential.

The problem here is that Amazon was conflating a service — adding a new way to pay — with a security check — using a credit card number to reset an account. It amounted to a process failure it’s since fixed, compounded by Apple using just the last four digits of a credit card for a password reset. Presumably, Apple employees weren’t asking for the other security features such as the expiry date and security code because they weren’t being used for a purchase, and there’s some dispute as to whether that was official policy or not. If it was, that’s a process failure. If not, it’s people failure.

Security experts sometimes joke that two-factor authentication stands for, “Something you’ve lost and something you’ve forgotten” — a physical object that you can prove is in your possession as well as a password you can memorise. In this case it was, “Something you can find out and then pretend to remember”.

But we do forget passwords and lose or break physical items such as keycards and tokens. Having a live human being as the last resort for regaining access to your account is a good thing, but you have to make it an annoying process for legitimate users to avoid making it to easier for hackers to get around.

Social engineering means getting someone to break the rules. Having good rules and training people to understand why they’re important is the best protection.

My bank gets some of that right and some of it wrong. For example, I have to type in a code it texts to my phone to set up a new standing order. That’s good two-factor authentication. But I recently lost access to my business bank account because the banking site told me I’d changed computers, which I hadn’t, or IP address, which I hadn’t either.

What I had done was swap back to the Windows 7 image I took before installing Windows 8 CP so I could upgrade to Windows 8 RP, deleting or replacing whatever cookie the bank had used last to identify my computer — often this is a randomly-generated number. I was confronted by a set of security questions that should have unlocked my account. But my account was set up before those security questions were added to the system and my answers didn’t work.

When I phoned the bank, the security procedure involved asking me a lot of other questions. Not just my name, address, date of birth and company name, but when I opened the account, who else could operate it, full security details from the account credit card plus details of the balance and recent transactions that you wouldn’t know unless you’d already hacked me.

That’s a good process and lot more secure than security questions you can find the answer to on Facebook. One US bank warns you to pick answers that no-one else can give and then asks for the name of your first boyfriend or girlfriend. At least one other person on the planet knows that even if you haven’t told the world on a social network.

I couldn’t answer all the questions straightaway. We stayed on the phone for half an hour running through alternative but equally secure questions before I’d proved my identity enough for the bank to reset the security-question prompt. That’s people applying the process well. No, they didn’t reset my password. They just let me set up new security questions but answering them didn’t get me into my account. I still needed both my password and passcode to log in.

All this is a crutch for dealing with the broken system of passwords that’s going to keep letting us down. A much better idea would be to use something harder to copy, find online, crack and lose.

It’s not perfect, but using the trusted-platform model (TPM) that’s in many modern PCs would be a good start. Windows 8 PCs will have TPMs in far more systems. Firmware TPMs are built into Windows RT tablets and SoC devices running Windows 8 and even consumer PCs will start to include them because Windows 8 uses the TPM to help guard against rootkits that mess with the operating system directly.

You can use a TPM as a virtual smartcard in Windows 8, so you could tie important accounts to the hardware of your PC — which wouldn’t change if you upgraded your OS or logged in from a different network.

Lose, break or replace your PC? The recovery system can use a mobile phone for secondary authentication — something you’re less likely to lose control of than an email address — and fall back to a call centre, with well-trained people following a good security process.

Source:  Mary Branscombe ZDNet

A report from Kaspersky Lab investigated the trends of 10 million randomly selected members of its customer base across the world and found that nearly a quarter of users were still using old versions of browsers. 23 per cent of those surveyed in August 2012 had not updated to the most modern iteration of their program, while 8.5 per cent were using completely outdated browsers, putting their data and computer health at great risk.

Kaspersky says “[s]uch reluctance to upgrade is a key addition to the negative outlook on web-born threats.” Up to date browsers plug security holes and offer extra features protecting against the latest exploitations, whereas cybercriminals have a far greater number of vulnerabilities ready to be exposed on old versions. “What is even worse,” the firm says, “failing to upgrade most likely affects other programs as well – including the direct gateways.”

Just under 80 per cent of the research sample had the latest version of a browser, but Kaspersky reports that a large proportion of these users are still likely to have an outdated browser installed on their computer. Even if someone is using an up to date Google Chrome, having an older version of Internet Explorer lingering on the desktop can leave security holes open.

As our recent guide to fundamental Internet security emphasised, keeping systems updated ranked alongside using a modern web software as one of the key tips, and Kaspersky said Chrome recorded the fastest times for completing updates. Opera and Firefox, on the other hand, lagged “significantly” behind.
by Will Dalton,

The founder of file-sharing site Megaupload has been granted bail by a New Zealand court.

Kim Dotcom, 38, has been in prison since 20 January at the request of the US authorities.

He faces charges in the US for one of the biggest copyright infringement cases in the country’s history.

The site is accused of costing copyright holders more than $500m (£320m) in lost revenue.

Flight risk

North Shore District Court Judge Nevin Dawson overturned two previous rulings that the millionaire, who is a German national, was an “extreme flight risk” because he had the money and connections to get out of the country.

The judge said the risk had diminished because all his funds were seized and no new assets or bank accounts had been uncovered.

Speaking to reporters in Auckland, Mr Dotcom said he was “relieved to go home to see my family, my three little kids and my pregnant wife”.

On 17 February Mr Dotcom was charged with three new criminal copyright counts and five new wire fraud counts.

That is on top of one count of racketeering, one count of conspiracy to commit money laundering and two counts of criminal copyright infringement charges.

US authorities are seeking to extradite Mr Dotcom, who changed his name legally from Schmitz, and three other co-defendants who had earlier been granted bail.

Denied charges

The US Justice Department and Federal Bureau of Investigation allege that Megaupload and its related sites made millions in ‘criminal proceeds’ by sharing pirated copies of movies, music and other content.

Founded in 2005, the site was shut down by authorities last month.

They also seized millions of dollars worth of assets owned by Mr Dotcom including luxury cars, artwork and investments.

Mr Dotcom has denied any criminal misconduct and has said he will fight extradition to the US.

The Serious Organised Crime Anency (SOCA) has seized music blog RnBXclusive and charged its owners with fraud – as well as threatening users of the site with jail time and an “unlimited fine.”

RnBXclusive was a blog that claimed to be “dedicated in bringing you the latest and hottest music around since 2008,” and offered downloads of some of the latest hit songs, as well as contemporary music videos. However, SOCA claims – with wording that seems more akin to physically taking property from an artist – that “The majority of music files that were available via this site were stolen from the artists.”

The most worrying part about this takedown however, is the message that follows in bold red text: “If you have downloaded music using this website you may have committed a criminal offence which carries a maximum penalty of up to 10 years imprisonment and an unlimited fine under UK law.”

Visiting the site now you get the above messages, as well as a quoted table of your IP address, browser choice and operating system along with the current time. SOCA saw fit to display this along with the message: “The above information can be used to identify you and your location.” Is this a warning or a threat? It seems closer to the latter when you read “SOCA has the capability to monitor and investigate you, and can inform your internet service provider of these infringements.”

Adding insult to potential criminal charges, the finger shaking concludes with the message: “As a result of illegal downloads young, emerging artists may have had their careers damaged. If you have illegally downloaded music you will have damaged the future of the music industry.” The message also offers an alternative to regular RnBXclusive users: pro-music.org.

As leader of the Pirate Party UK, Loz Kaye points out, as noble as it may seem to be protecting the profits of artists, is it really the job of SOCA? The Serious Organised Crime Agency (which according to the official website is designed to tackle “Class A drugs, people smuggling and human trafficking, major gun crime, fraud, computer crime and money laundering”) is threatening those that downloaded music with a decade in jail and bankrupcy levels of fines.

Many users of the site and commenters have taken to the official Facebook page of RnBXclusive, with the consensus being quite uniform. In regards to the site damaging artists careers one stated: “This couldn’t be more incorrect! There are countless artists that I’ve discovered through this website and later supported!” Another: “Most artists actually encourage there music being downloaded, for example drake’s album “Take Care” had over 100 million illegal downloads in the world but still went platinum :/.”

Others merely posted links to alternatives, suggesting the takedown to be ineffective as well as worrying. One however, im1music.net is also inaccessible. However there is no official posting of a SOCA message there as of yet, so whether the organisation is involved in the downtime is unknown.

A new Wall Street Journal report reveals how hackers had access to Nortel Networks’ corporate computer systems for nearly 10 years.

The report claims that, the attack started way back in 2000 and was initiated by the hackers based out of mainland china by using seven stolen passwords belonging to the telecom firm’s executives.

The breach, which was followed by hackers installing spyware in Nortel’s computer systems, ended up compromising many “technical papers, research-and-development reports, business plans, employee emails and other documents”. This shocking revelation came from Brian Shields – the Nortel veteran who was heading the internal investigation in the case.

Though it has been reported that the attacks originated from China, Sophos analyst Graham Cluley stated that blaming the Asian dragon immediately without having sufficient evidence was certainly not the appropriate thing to do.

“It’s very hard to prove a Chinese involvement. Yes, the data might have been transmitted to an IP address based in Shanghai, but it is possible that a computer in Shanghai has been compromised by.. say.. a remote hacker in Belgium,” Cluley explained, reported PC Mag.