Machine Consciousness: Big Data Analytics and the Internet of Things

During my visit to General Electric’s Global Research Centers in San Ramon, California, and Niskayuna, New York, last month, I got what amounts to an end-to-end tour of what GE calls the “Industrial Internet.” The phrase refers to the technologies of cloud computing and the “Internet of Things” applied across a broad swath of GE’s businesses in an effort to squeeze better performance and efficiency from the operations of everything from computer-controlled manufacturing equipment to gas turbine engines and power plants. It’s an ambitious effort that GE is hoping to eventually sell to other companies as a cloud service—branded as Predix.

GE is not alone in trying to harness cloud computing and apply it to the rapidly growing universe of networked systems in energy, manufacturing, health care, and aviation. IBM has its own Internet of Things cloud strategy, and other companies—including SAP, Siemens, and startups such as MachineShop—are hoping to tie their business analytic capabilities to the vast volumes of data generated by machines and sensors. That data could fuel what some have called the next industrial revolution: manufacturing that isn’t just automated, but is driven by data in a way that fundamentally changes how factories work.

Eventually, analytical systems could make decisions about logistics, plant configuration, and other operational details with little human intervention other than creativity, intuition, and fine motor skills. And even in industries where there is no production plant, analytics could make people more efficient by getting them where they need to be at the right time with the right tools.

Don’t Believe tedcruz.org, Ted Cruz Is Not a Nigerian Prince

This morning, as Senator Ted Cruz launched his bid to become president of the United States, some people who visited his site thought he might also want to become a Nigerian prince. At least, that’s what his site’s certificate said.

It turns out that Cruz’s campaign had registered to use CloudFlare as the content delivery network for its WordPress-based tedcruz.org site, anticipating a flood of traffic from would-be supporters. But because the Cruz campaign hadn’t yet uploaded a certificate to identify the site for secure visits, CloudFlare’s systems automatically assigned the site one of its own certificates, CloudFlare CEO Matthew Prince told Ars. “The Cruz campaign didn’t do anything wrong,” he said. “It was an automated process on CloudFlare’s part.” The certificate assigned to the Cruz campaign’s site was also assigned to nigerian-prince.com.

CloudFlare assigns multiple sites to each of its own pool of SSL certificates, Prince said, “to limit consumption of IP addresses. By default we put more than one site on a certificate—if you don’t upload your own certificate, then you share one.” As soon as it was noticed that the Cruz campaign site shared a certificate with nigerian-prince.com—a site that displays only a joke about Nigerian “419” scams—CloudFlare and the Cruz campaign uploaded a new, private certificate, though tedcruz.org still appears on the certificate for nigerian-prince.com.

Analyzing All the (Internet of) Things at GE Research in San Ramon and Niskayuna

With Ars sending writers around the globe to visit GE research centers, we wanted our readers to share in some of the experiences we’re having during these travels. These blog posts are meant to convey some highlights, rather than being an exhaustive account of our trip.

After Lee Hutchinson got back from witnessing how GE is building smarter composites at the company’s Global Research Center in Munich, he handed off the virtual travel baton to me. My mission? I wanted to dive deeper into how GE is tapping into Internet of Things (IoT) technology, or what GE calls the Industrial Internet.

That quest took me to San Ramon, California, the home of GE Software, where I learned about the big data and analytics platform GE is building in hopes of squeezing ever-higher levels of efficiency out of all of its industrial operations. The company is working on a platform called Predix, which taps into the data generated by control and diagnostic systems in addition to the domain knowledge of the people who built them. The goal with Predix is to create a platform that can build analytic software and other services in order to help GE and its customers squeeze more efficiency out of industrial operations. Predix leverages what the company calls an industrial “data lake”—a massive cloud store of telemetry and other data from industrial systems that it then uses to build models and analytical applications.

Harel Kodesh, GE Software’s chief technology officer, explained that he also hopes Predix will eventually act as a sort of “app store,” allowing selected third-party developers to build applications for industrial customers based on the streams of data being pushed to the cloud. For example, Christina Brasco, a GE Software data scientist, was using data sets gathered from GE’s fleet of aircraft engines to build mathematical models that change how GE does jet engine maintenance. Brasco’s creation aims to predict when engines will need maintenance and schedule it to happen in advance to prevent unexpected, unscheduled downtime that could cost airlines millions in lost revenue. (We’ll look a bit deeper into this kind of Internet of Things analytics later this week.)

DNS enhancement catches malware sites by understanding sneaky domain names

A researcher at OpenDNS Security Labs has developed a new way to automatically detect and block sites used to distribute malware almost instantaneously without having to scan them. The approach, initially developed by researcher Jeremiah O’Connor, uses natural language processing and other analytics to detect malicious domains before they can attack by spotting host names that are designed as camouflage. Called NLPRank, it spots DNS requests for sites that have names similar to legitimate sites, but with IP addresses that are outside the expected address blocks and other related data that hints at sketchiness.

The practice of using look-alike domain names as part of an effort to fool victims into visiting websites or approving downloads is a well-worn approach in computer crime. But recent crafted attacks via “phishing” links in e-mails and social media have gone past the familiar “typo-squatting” approach by using domain names that appear close to those of trusted sites and are registered just in time for an attack, so they fly under reputation-scoring security tools and are harder to blacklist. Fake domain names such as update-java.net and adobe-update.net, for example, were used in the recently discovered “Carbanak” attacks on banks that allowed criminals to gain access to financial institutions’ networks starting in January 2013 and steal over $1 billion over the next two years.

Many security services can screen out malicious sites based on techniques such as reputation analysis—checking a centralized database to see if a site name has been associated with any malware attacks. But because attackers are able to rapidly register new domains with scripted systems that look relatively legitimate to the average computer user, they can often bypass reputation checks—especially when using their specially crafted domain names in highly targeted attacks.

Google Updates Disclosure Policy after Windows, OS X Zero-day Controversy

In a blog post today, the Google Security team announced changes to policies on full disclosure of bugs found by Project Zero, the security research team that uncovered zero-day vulnerabilities recently revealed in Microsoft’s Windows 8.1 and Apple’s OS X operating systems. Those disclosures, which were made 90 days after Google alerted Microsoft and Apple in accordance with Project Zero’s strict release policy, stirred controversy because the vulnerabilities had not yet been patched, and the disclosures gave attackers time to leverage them before Microsoft and Apple distributed fixes.

The announcement, authored by Project Zero’s Chris Evans and Ben Hawkes, Google Security’s Heather Adkins, Matt Moore, and Michal Zalewski, and Google Security Vice President Gerhard Eschelbeck, noted, “Disclosure deadlines have long been an industry standard practice,” citing the disclosure policies of the Carnegie-Mellon CERT, Yahoo, and TippingPoint’s Zero Day Initiative. Deadline policies for vendor disclosure “improve end-user security by getting security patches to users faster,” the Google team stated.

Project Zero set a 90-day deadline, and since Project Zero’s launch, Google’s team claimed, “of the 154 Project Zero bugs fixed so far, 85% were fixed within 90 days. Restrict this to the 73 issues filed and fixed after Oct 1st, 2014, and 95% were fixed within 90 days.” The Microsoft and Apple bugs disclosed and other deadline misses by vendors, they noted, “were typically fixed very quickly after 90 days. Looking ahead, we’re not going to have any deadline misses for at least the rest of February.”

Spyware Aimed at Western Governments, Journalists Hits iOS Devices

A malware campaign targeting European defense organizations, governments, and media organizations first detected on Windows computers late last year has now spread to iOS devices, according to a report by security researchers at TrendLabs. The spyware campaign, called “Operation Pawn Storm,” has been linked by some researchers to the Russian government, beginning as tensions between Europe and Russia rose over the crisis in Ukraine.

Pawn Storm began with “spear phishing” attacks and targeted Web attacks from fake Outlook webmail pages and “typo-squatting” websites that used site names close to those of legitimate sites. Now, the attack has spread to Apple iOS devices—without having to jailbreak them. “We have seen one instance wherein a lure involving XAgent”—one of the two malware components discovered so far—“simply says ‘Tap Here to Install the Application,’” the researchers reported. The “lure” website then delivers the malware via Apple’s ad-hoc provisioning feature for developers. A .plist file on the remote server will install the application over broadband or Wi-Fi. The user would have to click through a dialog to approve the installation, requiring a higher level of social engineering than most phishing attacks.

Once installed, the XAgent malware connects to a command and control (C&C) server and uploads data from the device, including text messages, contact lists, pictures, Wi-Fi status and Wi-Fi networks connected to, installed apps, and running processes. The malware can also take photos, capture screen grabs, start voice recording, and collect location data on the device. However, it appears the malware was written for iOS 7, and it is unable to hide itself or automatically restart itself on iOS 8 devices. The second malware agent, which is disguised as a game called “MadCap,” is focused on recording audio and only works on jailbroken devices.
