60 posts • joined 9 Jul 2007
Fair enough. Caching means not *every* HTTPS request is logged. I've updated the article to reflect this.
Additionally, I'm adding the following response from security researcher Moxie Marlinspike, who continues to argue that under the current system, CAs "have a tremendous amount of insight into your browsing history."
His response in full is:
It's true that the OCSP check isn't done with *every* HTTPS request to a site, because the response is cached in the browser for a short time.
It's more like the CA is notified once per "session." If you think about a typical visit to paypal.com, it might involve several requests to the website in order to send or receive a payment. The CA will typically only be notified for the first request, not all of the subsequent ones within a session. For an average user, you can think of it in terms of a CA knowing how many times they sent or received a payment via the PayPal website, but not how many clicks it took them to do it.
In any case, the notion that CAs have a tremendous amount of insight into your browsing history is substantially true.
Re: Who fact-checks these articles?
When a web user visits an SSL-protected page, most browsers will check to see if the certificate has been revoked. This database is maintained by the CA who issued the certificate. The CA gets to see the IP address of the person trying to access the certificate.
This ability was underscored during the investigation into the DigiNotar breach. The investigators were able to determine that more than 300,000 people, mostly in Iran, encountered the fraudulently issued GMail certificate.
I hope this answers the question you and several other readers have raised.
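The two comments above describe the mechanism in prose; the following is an added simulation (not code from the article or from Moxie Marlinspike) of what a CA's OCSP responder learns from browser revocation checks. The client IP, issuer name/key, serial number and the 600-second validity window are constructed values; the model assumes a browser caches each OCSP response until its nextUpdate time.

```python
"""Model of what a CA's OCSP responder learns from browser revocation checks.

Constructed simulation: the 'browser' caches each OCSP response until its
nextUpdate time, so the responder only sees the first request of a 'session';
every request it does see carries the client's IP and the certificate serial,
which identifies the site being visited.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class OcspRequest:
    # An RFC 6960 CertID identifies the certificate by issuer hashes + serial.
    issuer_name_hash: str
    issuer_key_hash: str
    serial: int


@dataclass
class OcspResponder:
    """CA side: records (client_ip, serial) for every request it receives."""
    validity_seconds: int
    seen: list = field(default_factory=list)

    def respond(self, req, client_ip, now):
        self.seen.append((client_ip, req.serial))
        # thisUpdate / nextUpdate bound how long the answer may be cached.
        return {"status": "good", "this_update": now,
                "next_update": now + self.validity_seconds}


class Browser:
    """Client side: asks the responder only when no fresh answer is cached."""
    def __init__(self, ip, responder):
        self.ip, self.responder, self.cache = ip, responder, {}

    def check_revocation(self, issuer_dn, issuer_key, serial, now):
        key = (issuer_dn, issuer_key, serial)
        cached = self.cache.get(key)
        if cached and now < cached["next_update"]:
            return cached["status"], False        # served from cache
        req = OcspRequest(hashlib.sha1(issuer_dn.encode()).hexdigest(),
                          hashlib.sha1(issuer_key).hexdigest(), serial)
        resp = self.responder.respond(req, self.ip, now)
        self.cache[key] = resp
        return resp["status"], True               # CA was contacted


def simulate_session(request_times, validity_seconds=600):
    """Return (CA log, number of requests that reached the CA) for one client
    making several HTTPS requests to the same site at the given times."""
    ca = OcspResponder(validity_seconds)
    browser = Browser("198.51.100.7", ca)          # constructed client IP
    hits = 0
    for t in request_times:
        _, contacted = browser.check_revocation(
            "CN=Example Issuing CA", b"constructed-issuer-key", 0x1A2B3C, t)
        hits += contacted
    return ca.seen, hits


if __name__ == "__main__":
    log, hits = simulate_session([0, 5, 30, 120, 900, 905])
    print(f"{hits} of 6 requests reached the CA; CA log: {log}")
```

Six requests to the same site within 15 minutes reach the CA only twice (once per cache window), yet each entry the CA does record pairs the visitor's IP with the certificate's serial, i.e. the site visited.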
You're right. 9.4.7 is the updated version, not 9.4.6 as previously reported. My apologies. The error has been corrected.
As for the RPC vulnerability, Adobe spokeswoman Wiebke Lips wrote in an email to The Register:
"Note: CVE-2011-4369 was reported after the security advisory (APSA11-04<http://www.adobe.com/support/security/advisories/apsa11-04.html>) was published. The Adobe Reader and Acrobat team was able to provide a fix for this new issue as part of today's update. Note also that at this time, we are only aware of one instance of CVE-2011-4369 being used."
Re: I'd be interested to know
In the report linked in the article, the researchers said they strongly encrypted the data and then permanently destroyed it once their project was completed.
Correction -- Opera doesn't support TLS 1.2 by default
Contrary to what was published earlier, Opera doesn't support TLS 1.2 by default. Our apologies for the error.
Here it is
The exploit code was written to install malware on Windows machines. The vulnerability itself is present in Reader for Unix and Mac OS X as well. Hence, they are vulnerable to attacks, but not the specific attack posted on the Contagio website.
In a word: No
Anonymous Coward, the critical PDF vulnerability in the iPhone is of Apple's making, since it resides in PDF viewing software in Mobile Safari. The iPhone doesn't use Adobe Reader. The bugs are completely unrelated.
For the record, "gaping" was used to suggest how easy it was for this bug to be spotted during a routine audit. A bug need not be easily exploitable for it to be extremely obvious.
Given the ability for Drupal XSS's to silently reset the super user password, I think it's fair to say this bug should have been caught long ago. It wasn't, even after the White House developers gave themselves a big pat on the back for releasing their own code that built off the same buggy module.
That's why the vuln is news and why The Reg stands by this story.
This is an article reporting the contents of a lawsuit that was filed by Google. It contains numerous allegations Google has made about Pacific WebWorks. How is it "simply incredible" that I'd include that detail?
More importantly, what evidence do you have that this detail is incorrect?
The source of that information was the complaint Google filed in federal court.
@Is it or isn't it?
Anonymous coward, the bug is present in Windows 2007 RC. It's not present in Windows 2007 RTM.
@Who is Stuart McConnachie?
AC, my bad for not inferring your comment correctly. I assure you McConnachie wasn't trying to take credit for the work of others.
As for your question about the statement, the copy that I've seen lists the fee to the very penny, as in $23,148,855,308,184,500.00.
Not sure if your question is just bait. Assuming it isn't, here's the answer:
In journalism, as in many other aspects of life, there are real-time deadlines. So what to do when it's time to hit the publish button and you still haven't gotten an answer to your question? Do you:
a) lay out the fact that you indeed asked the company for their side of the story and didn't get a response by press time (i.e. an "immediate response")? or
b) not mention it at all and let readers wonder if you bothered to email the company at all?
No, companies aren't at journalists' beck and call. But they have a right to have their voice heard in stories that directly concern them. I was only trying to make sure it was clear I tried to give them that opportunity and for whatever reason had not gotten a response by press time.
The reason we say didn't "immediately respond" is to make it clear that there wasn't a whole lot of time between the time we asked and the time the story was published. In the case of this story, it was about 2 and a half hours.
Here's the text of the NTIA's press release:
Commerce Department to Work with ICANN and VeriSign to Enhance the Security and Stability of the Internet’s Domain Name and Addressing System
For Immediate Release: June 3, 2009
NTIA Contact: Bart Forbes, [phone number and email address removed]
NIST Contact: Chad Boutin, [phone number and email address removed]
WASHINGTON — The U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) and National Institute of Standards and Technology (NIST) announced today that the two agencies are working with the Internet Corporation for Assigned Names and Numbers (ICANN) and VeriSign on an initiative to enhance the security and stability of the Internet. The parties are working on an interim approach to deployment, by year’s end, of a security technology -- Domain Name System Security Extensions (DNSSEC) -- at the authoritative root zone (i.e., the address book) of the Internet. There will be further consultations with the Internet technical community as the testing and implementation plans are developed.
The Domain Name and Addressing System (DNS) is a critical component of the Internet infrastructure. The DNS associates user-friendly domain names (e.g., www.commerce.gov) with the numeric network addresses (e.g., 184.108.40.206) required to deliver information on the Internet, making the Internet easier for the public to navigate. The accuracy, integrity, and availability of the data supplied by the DNS are essential to the operation of any system or service that uses the Internet. Over the years, vulnerabilities have been identified in the DNS protocol that threaten the authenticity and integrity of the DNS data. Many of these vulnerabilities are mitigated by DNSSEC, which is a suite of Internet Engineering Task Force (IETF) specifications for securing information provided by the DNS.
“The Internet is an ever-increasing means of communications and commerce, and this success is due in part to the Internet domain name and addressing system,” said Acting NTIA Administrator Anna M. Gomez. “The Administration is committed to preserving the stability and security of the DNS, and today’s announcement supports this commitment.”
"NIST has been an active participant within the international community in developing the DNSSEC protocols and has collaborated with various U.S. agencies in deploying DNSSEC within the .gov domain," said Cita M. Furlani, director of NIST's Information Technology Laboratory. "Signing the root will significantly speed up the global deployment of DNSSEC and enhance the security of the Internet.”
The NTIA in the U.S. Department of Commerce serves as the executive branch agency principally responsible for advising the President on communications and information policies. For more information about the NTIA, visit www.ntia.doc.gov.
As a non-regulatory agency, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. For more information visit, www.nist.gov.
# # #
You're right. It's a single customer allocation that's enough to support 4 billion versions of today's internet. Story corrected.
That was a typo on my part, which has now been fixed. My apologies.
@Can someone point us to the NMAP signatures?
Nmap creator Gordon Lyon, aka Fyodor, just emailed me to say he expects the Conficker update to be available within the next hour or so. For those who can't wait and don't mind mucking about with manual commands, the code is available at:
Fyodor plans to announce availability of the patch at:
In defense of Charlie Miller
To those criticizing Charlie Miller for sitting on a Safari bug for more than 12 months, please consider the following:
A bug isn't the same thing as an exploit. While Miller discovered the bug more than a year ago, it was only recently that he figured out a way to exploit it so he could remotely execute code. Charlie told me he spent considerable time and effort making this happen. Meanwhile, he has paying clients and hard deadlines to meet. Under the circumstances, I don't think there's anything wrong with him dusting off an old bug when entering this contest.
I stand corrected
Thanks to Jack and AC for setting me straight. Story has been corrected.
AC, unfortunately, the advisory is less than crystal clear on this.
It says: "To exploit this issue an attacker needs to execute active content (Java, Flash, Silverlight, etc) in the context of a web browser." Elsewhere it says, "Browser plugins (Flash, Java, etc) may enforce access controls on active content by limiting communication to the site or domain that the content originated from."
@Alex King @Patrick Clark
"Maybe it's the shocking spelling in the article title. I too was expecting an insightful article about foot fetishism."
Cute, but reality is that for 305 million Americans, "pedophile" is the preferred spelling. Geez, and people accuse us yanks of living in a cocoon.
@"where sabotage by disgruntled employees is common"
Brent Weaver and others,
No doubt, the overwhelming majority of IT admins are honest, hard-working and law-abiding. But the fact remains that The Reg reports these types of stories with a fair amount of regularity. A small smattering includes:
Anonymous coward, no conspiracy or FUD mangling going on here. Just disclosing that Maone is the creator of a product that competes with these Internet Explorer security measures and pointing out that security researchers with no dog in the fight agree with Maone.
@Details = good
Thanks for the kind words. I've updated the article to include the following paragraph:
Attack strings in separate SQL injections include 17gamo.com/1.js. Researchers say the number of attack sites is too high to keep exhaustive lists, but Shadowserver is doing an admirable job here (http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210)
Someone else asked what platforms the hacked sites were running on. That information wasn't available, but in general SQL injections attack web applications that fail to sanitize user input rather than the underlying database. Many of the SQL injections in the past worked on a variety of database programs. (See http://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/ and http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/)
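The comment above makes the point that SQL injection targets an application's query construction rather than the database engine. As an added illustration (not code from the article), here is a vulnerable login query beside its parameterized form, run against an in-memory SQLite database; the table, credentials and test input are constructed.

```python
"""Vulnerable vs. hardened login query: the injection lives in how the
application builds the SQL text, not in the database engine behind it.
Constructed example using an in-memory SQLite database."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # Untrusted input is spliced into the SQL text, so quote characters in
    # the input change the query's structure. The same flaw exists on any
    # SQL backend because the engine only sees the finished string.
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    # Placeholders send the values separately from the SQL text; the driver
    # never interprets them as SQL, whatever characters they contain.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo():
    """Run both versions with a valid password and with a tautology string."""
    conn = make_db()
    tautology = "' OR '1'='1"        # constructed test input, not a password
    return {
        "vulnerable_good": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_tautology": login_vulnerable(conn, "alice", tautology),
        "param_good": login_parameterized(conn, "alice", "correct-horse"),
        "param_tautology": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} -> {'logged in' if ok else 'rejected'}")
```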
Good point. Story updated. Thanks for the suggestion.
If you read the article, you clearly didn't comprehend it. Yes, The Reg uses Google Analytics, just like so many other web sites. But I assure you we don't link it to the admin section of our website for the reasons laid out above.
This point has been repeated umpteen times. Please finally take it in: It would be trivial for anyone with control of urchin.js to add scripts that steal session cookies, siphon the username and password entered and send them to any server of the attacker's choosing. With either of these two pieces of data, Change.gov has now been compromised. This is a risk that The Reg isn't willing to take, and it should be a risk that Change.gov isn't willing to take either.
story updated to correct link
You're right, it was Secretary Brown who said that, not the governor. Thanks for pointing out. Error corrected.
This configuration of OpenVPN should *not* be blocked by most hotspots
To those complaining that OpenVPN is frequently blocked by hotspots, note that the configuration offered here uses port 443, which is open on the typical Wi-Fi network. This is exactly the configuration that JohnG discusses a few comments back.
Sorry, that was a typo. Story has been corrected to show the command is "cd".
AC, I've replaced the link to TG Daily with a link to an MIT site. As of Sunday, it was still hosting the slides.
"At a guess, I'd say MS Remote Desktop. The client has a default setting that maps local printers to the terminal server. The client will advertise all of its local printers to the terminal server, and if the server has a matching driver, the printer will map. This is all recorded in the event log."
Remote Desktop is exactly correct. Should have included that detail in the story.
Do you even think before spewing out such drivel? This won't be the first time Gregory King has spent time behind bars. Tami alluded to this, but you're too busy offering knee-jerk reactions to take this in. I suppose if someone inflicted tens of thousands of dollars in damage on your business you'd sit the chap down by a campfire and sing Kumbaya.
And since when is Greg King a "kid"? He's 21 years old. Do try to get your facts straight before posting, will you?
Re: Isn't this the guy...
You must be thinking of the profile we did of a hacker nicknamed SoBe, who recently pleaded guilty to crimes committed while he was a juvenile. That article is at:
El Reg also did an earlier profile of Greg King that you can find at:
@What is free speech
Stranger: You're right: Megan Meier was 13, not 16. The error has been corrected. Thanks for bringing it to our attention.
@BillPhollins RE: PCI Compliance
AC, I think you're confusing the TJX breach with a different breach. TJX secured its network with WEP, allowing the intruders easy access. TJX also held on to data well after it should have dumped it.
Geez David Wiernicki
Where do you think CNN.com got the story? From the same AP reporter credited. Do feel free to think before commenting in the future.
James Smith, et al.
Ever notice how slow ISPs are to deal with anything? Now multiply the delay by 25,000. I'm pretty sure TippingPoint has better things to do. As for popups and other types of notification: anytime you're running code on an infected machine, you're likely to get unintended consequences. Bottom line, contacting the infected users isn't practical. Anyone who believes otherwise should go ahead and contact each user himself (a list of the infected IP addresses is at http://dvlabs.tippingpoint.com/pub/pamini/kraken_uniq_ips.txt)
M. Burns, if you'd bother to look, you'd notice TippingPoint documented infected IPs and gave a deep dive analysis into their infiltration. What kind of proof do you want?
Ever heard of key signing parties? Even with asymmetrical schemes, there is a need to securely exchange public keys. If a bad guy fools me into using the wrong public key to encrypt a message, the entire system fails.
So yes, an organization of 1,000 people still needs to figure out a way to securely distribute their public keys to each of their colleagues, and if you do the math, that's very close to 1 million exchanges.
Here in San Francisco, that's how meter is spelled . . . or is it spelt?
Hey Anonymous Coward,
Due to incorrect information supplied to The Register, we got the name of the university wrong in an earlier version of the story. The article has been updated. Thanks for pointing out the mistake.
@Whew, thought it was a serious threat
Kindly read the article. Many if not all of the servers are running Apache.
Many thanks to all the readers who are weighing in. I've just updated the story to respond to comments that there are inaccuracies.
Sorry about the confusion
Based on the number of comments saying the article is confusing, it's obvious we could have done a better job explaining things. Essentially, XXX is correct when writing:
"This article is about a CLIENT vulnerability!
"The malware is changing the DNS setting at the CLIENT (Windows) to make the CLIENT query the WRONG DNS server. You can secure your DNS server to the point of unplugging it and locking it in a bank vault 5 miles underground and it won't fix this problem. All of the servers are functioning as intended and designed (including the "bad" ones).
"Sure, there are DNS server vulnerabilities (some highlighted above) but THIS IS NOT ONE OF THEM.
"The malware ... typically involved a single line of code"
"Only Microsoft can fix this, not the sysadmins for 17,000,000 DNS servers."
The client vulnerability generally works by changing a single registry setting, rather than altering a victim's hosts file. During any given week while the study was being conducted, the researchers found hundreds of URLs pointing to exploits.
The questions about recursion and authoritative, vs forwarding DNS servers are beyond my ken, I'm afraid, so I won't touch them.
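The comments above describe a client-side DNS changer that rewrites one registry setting so the machine queries the wrong resolver. As an added, defender-side check (not code from the article or the study), here is a Python script that flags configured resolvers falling outside an allow-list; the interface names, resolver addresses and the 10.0.0.0/16 corporate range are constructed. It reads the per-interface NameServer and DhcpNameServer values from the Windows registry when run on Windows, and otherwise works on any dict shaped the same way.

```python
"""Flag client resolver settings that point outside an allow-list.
The checking logic works on a plain dict so it runs anywhere; on Windows,
read_windows_resolvers() fills that dict from the per-interface registry keys
that a DNS changer would have modified."""
import ipaddress
import re

# Per-interface TCP/IP settings live under this key on Windows.
_IFACE_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"


def read_windows_resolvers():
    """Return {'<guid>/<value>': 'ns1 ns2 ...'} from the registry (Windows only)."""
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, _IFACE_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as iface:
                for value in ("NameServer", "DhcpNameServer"):
                    try:
                        servers = winreg.QueryValueEx(iface, value)[0]
                    except FileNotFoundError:
                        continue
                    if servers:
                        result[f"{guid}/{value}"] = servers
    return result


def find_rogue_resolvers(resolvers, allowed):
    """resolvers: {name: 'space/comma separated IPs'}; allowed: IPs or CIDR
    networks. Returns {name: [unexpected entries]} for settings that fail."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    rogue = {}
    for name, raw in resolvers.items():
        bad = []
        for token in re.split(r"[ ,]+", raw.strip()):
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                bad.append(token)          # unparsable value is suspicious
                continue
            if not any(ip in n for n in nets):
                bad.append(token)
        if bad:
            rogue[name] = bad
    return rogue


# Constructed sample: one interface on the corporate resolvers, one rewritten
# to an outside address (a documentation-range IP, not a real server).
SAMPLE = {
    "{iface-1}/DhcpNameServer": "10.0.0.53 10.0.1.53",
    "{iface-2}/NameServer": "203.0.113.9,10.0.0.53",
}
CORPORATE_RESOLVERS = ["10.0.0.0/16"]

if __name__ == "__main__":
    print(find_rogue_resolvers(SAMPLE, CORPORATE_RESOLVERS))
```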
Bloch is a Republican
"Bloch is a DEMOCRAT investigating the Bush White House! The wipe happened maybe because HE is being investigated?"
Actually, Bloch is a Bush-appointed Republican.
No harm in viewing Google searches
AC2: Calm down. There is no harm in clicking on the links in the Reg story. They simply take you to a Google page and run a search that shows links to the infected pages. Heck, even clicking on the search results themselves doesn't install malware so long as you don't click yes to popups that ask if they can install software on your machine.
Just to make things extra clear, I've updated the story to say "safe to click if you don't mind "porn" in your url, but you probably shouldn't click on any of search results."
@guess it does not affect everyone
"I'm using Leopard 10.5.1. I ran the heise email check and tried to open the attachment, quickview showed nothing, so I clicked on the email attachment and got the standard security warning:-
“Heise.jpg” may be an application. It was attached to a mail message and will be opened by Terminal. Are you sure you want to open it?"
Wonder what version of Leopard he was using? A pre-final?"
Thanks very much for writing. As noted in the article, the warning fails to run "about 90 percent of the time," with little understanding as to what causes it to display in some cases and not in others.
I've yet to install Leopard on my MacBook Pro, so I can't test Schmidt's demo. I'd be eager to hear the results other Leopard users get.
Story updated to reflect comment from Monster.com representatives.
@Mac or Windows or both?
Good question. According to Mozilla, Linux, Mac and Windows versions of Firefox are vulnerable. We've updated our story to reflect this.
Indeed, it is advance notice. Thanks for spotting that.