Symantec boss puzzles over McAfee Intel deal

Thursday, October 7, 2010

Symantec's head honcho has confidently predicted the security firm will not suffer the same acquisition fate as arch-rival McAfee, which Intel agreed to buy in a surprise $7.68bn blockbuster deal back in August.

The McAfee deal is only the high-water mark in a wave of acquisitions that have swept the information security market over recent months, as IT platform firms such as Intel and HP have piled into the market segment.

However, Enrique Salem, chief exec of the security and storage software firm, said Symantec's market capitalisation exceeds $12bn, so any deal would be the largest ever in the IT industry, effectively dismissing the possibility that a buy-up might happen.

During a keynote presentation at the Symantec Vision conference in Barcelona this week, a senior Intel marketing exec said its relationship with Symantec would continue as before even after the McAfee deal closes.

Simon Holland, tech director EMEA for Intel's theft-protection product line, answered a question on the effect of the McAfee deal by saying it doesn't affect the relationship with Symantec. "Symantec is an Intel technology partner and we will continue to collaborate in the corporate and consumer marketplace as well as embedded and channel," Holland explained.

A four-piece live band played Holland on stage for a short presentation followed by a question-and-answer session, cheekily accompanying his entry with an instrumental version of Michael Jackson's Beat It, a barb he seemed to take in good grace.

Questioned later by journalists on the same deal, Salem was far less diplomatic and said the industry and buyers were still "scratching their heads" and trying to come up with a "good explanation" for the McAfee-Intel deal. Intel has said it wants to use the deal to make security, along with energy efficiency and connectivity, one of the three pillars of future computing - but Salem questioned where the value of running more security functions in hardware would accrue.

"You can do some things better in silicon, but silicon is not a complete on its own," Salem argued.

"At the minimum the deal is a distraction for [McAfee's] management and an opportunity for us," he said.

A team in Symantec is on a constant lookout for possible tie-ups in the industry. They were well aware that a possible sale of McAfee was on the cards, but Intel "wasn't even in the top five" of possible buyers. Salem said scenarios had suggested HP, EMC and Oracle were all more likely buyers of McAfee. He suggested that Intel was trying to diversify itself through the deal but pointed out that McAfee's sales would only make up 5 per cent of Intel's revenues post-closure.

Salem was even more dismissive about the competition posed by Microsoft's freebie Security Essentials anti-virus scanner to Symantec's important consumer security business. "Microsoft failed with OneCare," he said. "We're focused on security and have the resources to innovate and develop next generation products."

Spanish entertainment industry feels wrath of Anonymous

Spain's copyright society (SGAE) came under attack by hacktivists from Anonymous on Thursday as part of the latest phase of a high-profile campaign against organisations that hassle file-sharers.

A distributed denial of service attack, officially launched at midnight (Central European Time) on 7 October, crashed the organisation's website on Wednesday, before it had even officially begun. The assault is a repeat of tactics previously used against the websites of the Recording Industry Association of America (RIAA), the Motion Picture Association of America (MPAA) and UK law firm ACS:Law, among others.

Spanish security firm Panda Security estimates 200 Spaniards are among the 700 protesters flooding the SGAE's sgae.es website with useless traffic, much of it generated using LOIC (Low Orbit Ion Cannon) DDoS software. Another Spanish entertainment industry site, promusicae.es, is also down as a result of the same traffic flooding tactics.

The loosely organised group, which traces its origins back to the notorious 4chan image board, is running the ongoing Operation "Payback: is a bitch" in response to legal threats towards BitTorrent tracker sites such as The Pirate Bay as well as individual file-sharers. The group justifies its denial of service tactics against targeted websites by saying they are the same as those earlier adopted by an Indian firm hired by the Bollywood film industry.

Luis Corrons, technical director of PandaLabs, explained: "We have been in contact with SGAE to advise them of the proposed attack. The way things are progressing, it will be no surprise to see cyber protests organised country by country targeting different copyright protection associations."

Panda is tracking the progress of the attacks, as well as the amount of downtime of targeted sites, via its corporate blog here.

Adobe PDF ranked as the main malware threat for the past quarter

BitDefender urges caution.

Adobe PDF malware has been named as the main threat from the last quarter.

According to a BitDefender study in the UK for the period July to September 2010, the PDF malware Exploit.PDF-JS.Gen was the number one malicious threat, claiming 6.11 per cent of the total infections.

Nick Billington, managing director of BitDefender UK and Ireland, said: “Our timely quarterly study chimes with security industry experts' opinion that PDF is far from the perceived safe option and continues to be a potent threat to PC security.

“While most people understand to not open attachments or executable files in spam messages, fewer recognise and understand that PDFs can contain malicious code that exploits vulnerabilities in Adobe PDF Reader leaving the PC infected with a virus.”

See original article on scmagazineus.com

Secure Computing Magazine

Android phone auto reverts jailbreaks

A new Android smartphone from T-Mobile ships with hardware that thwarts jailbreakers by automatically restoring modified devices to their original factory state.

The HTC G2, which began shipping on Tuesday, reinstalls the original firmware when it is rebooted, much to the chagrin of would-be jailbreakers trying to root the device so they can run their own software and third-party apps not approved by T-Mobile. While they managed to modify the smartphone, they soon found those changes were undone as soon as they rebooted the device.

The discovery has generated howls of protest from those who believe that people who buy hardware devices ought to be able to use them however they see fit. Apple has long closed jailbreak holes in iOS updates, and Texas Instruments lobbed legal threats at hobbyists who posted the cryptographic keys used to modify calculators. Google even has the ability to remotely install or uninstall apps on Android phones.

But HTC seems to have upped the ante with a hardware-based approach to meddlesome users who have the gall and often the expertise to shun the self-serving restrictions put in place by device and OS manufacturers.

It's not entirely clear how the devices are able to reset themselves. Blogger Lauren Weinstein speculates the new G2 is using a firmware rewrite system to replace '/system' mods with the 'official' firmware upon reboot. Security researcher Jon Oberheide tells Threatpost much the same thing. Both say it's too early to tell if there's a way to defeat the rollback mechanism.

What we can say for now is that the anti-jailbreak capability is sure to offend a core group of Android enthusiasts who are drawn to the mobile OS's open platform, which by definition can be modified by anyone. It's a pity, because there's a lot to like about the device, including its ability to play high def video seamlessly. Unless the jailbreak override can be overridden, consider it a deal breaker.

Apple tops public vulnerability list

Trend Micro Threat Report shows Apple has more public flaws than Microsoft or Adobe

Apple was hit by the most publicly divulged security vulnerabilities in the first half of this year, according to a report from Trend Micro.

The security firm's biannual Threat Report showed Apple had nearly 180 entries on the Common Vulnerabilities and Exposures (CVE) list, which tracks publicly reported flaws.

Apple was followed closely by Microsoft, with Oracle, Adobe and Cisco rounding out the top five.


"While some vendors receive a significant amount of press attention for vulnerabilities... the vulnerability threat is far more multipronged than just patching Windows or updating Flash and Acrobat/Reader," the report said.

"In addition, some of the vendors with large numbers of vulnerabilities focus on enterprise software, with correspondingly longer patch cycles that potentially leave users at risk," it added.

Trend Micro also stressed that having a higher number of CVEs doesn't necessarily mean a vendor is less secure than others. For example, while Adobe ranked fourth in terms of number of public CVEs, one exploit called TROJ_PIDIEF that uses PDFs to target Acrobat software had 666 different detection names in the first half of this year.

"Each detection name represents multiple in-the-wild variants, resulting in a total number of new PDF threats numbering into the thousands – in only six months," the report said.

In total, 2552 such vulnerabilities were reported in the first half of the year, down from 3,086 in the first half of 2009. "However, it should be noted that this does not mean that the vulnerability threat is lessening," the report said. "Not all vulnerabilities receive a CVE; many vulnerabilities that are privately reported to vendors are not included in the system."

Apple hadn't returned request for comment at the time of writing.


This article originally appeared at pcpro.co.uk

Copyright © PC Pro, Dennis Publishing, PC Authority, Haymarket Media


Facebook unveils changes to enhance privacy

Facebook on Wednesday rolled out new features designed to make people feel more comfortable putting photos, videos, and other personal data online.

In a blog post, CEO Mark Zuckerberg unveiled an overhauled version of Facebook Groups that allows users to share certain content with select people, rather than with everyone listed as a friend. Vacation photos, for instance, might be shared only with family members, and a team roster might be shared only with other members of one's Fantasy Football league. It was one of three features Zuckerberg announced.

"We've heard loud and clear that you want more control over what you share on Facebook to manage exactly who sees it and to understand exactly where it goes," Zuckerberg wrote. "With this new Groups experience and the other tools we're rolling out today, we're taking a few important steps forward towards giving you precise controls."

Also unveiled was a new dashboard that tells users at a glance how various Facebook apps are using their data. The panel shows all the apps a user has authorized, what data they use and when the data was last accessed.

Zuckerberg also said Facebook was adding a tool that allows users to download everything they've ever posted to the social networking site. The photos, wall posts, and other content are archived in a zip file that is downloaded only after a user has entered a password and answered appropriate security questions.

The changes are better than nothing, but it wouldn't be surprising to find that hackers or courts of law make mincemeat of the finer-grained sharing controls. As we've said before, if it's not something you want shared with world+dog, you probably shouldn't put it online.

Facebook will begin rolling out the features later on Wednesday.

Expert: ACTA No Longer Gutting Internet Freedom

The United States is caving on the internet section of a proposed international intellectual property treaty, meaning its one-time quest to globally dictate Draconian copyright rules has come to an abrupt halt.

That’s what Michael Geist, an Anti-Counterfeiting Trade Agreement expert at the University of Ottawa, concluded Wednesday after the United States released the proposal’s latest draft. (.pdf)

“If you’re a Wired U.S. reader, from an internet perspective, this really doesn’t change much of anything,” Geist said in a telephone interview.

At one point, the United States was demanding the nine negotiating nations and the European Union adopt rules similar to the U.S. Digital Millennium Copyright Act, which gives internet service providers immunity from copyright violations if they take down content at the request of a rights holder. In Canada, where Geist teaches, there is no such take-down requirement.

Another part of the DMCA makes it illegal to traffic in tools to circumvent Digital Rights Management. Language in the text does not make this a mandatory, global requirement.

Another scuttled provision, which is not part of the DMCA, would have required ISPs to discontinue internet access to repeat copyright offenders. The watered-down version requires “cooperation between ISPs and content owners.”

“There are no new strict legal requirements for telcos,” he said.

And the United States’ quest for a global anti-camcording law is also out the window.

Negotiating entities include Australia, Canada, Japan, South Korea, Mexico, Morocco, New Zealand, Singapore, Switzerland, the United States and the European Union. At one point, the Obama administration called the draft’s text a “national security” issue. The European Union was one of the staunchest opponents of the United States’ internet proposals.

Here are some other Wednesday takes on the latest draft from La Quadrature Du Net, Public Knowledge and Knowledge Ecology.


See Also:

  • ACTA Backs Away From 3 Strikes
  • ACTA Draft: No Internet for Copyright Scofflaws
  • Europe Worries U.S. Bowing to ‘Industry’ in ACTA Talks
  • Report: U.S. Fears Public Scrutiny Would Scuttle IP Treaty Talks
  • Here’s That Leaked Copyright Treaty Document
  • Copyright Treaty Is Policy Laundering at Its Finest

Hacked Voting System Stored Accessible Password, Encryption Key

An internet-based voting system that was hacked last week by researchers at the University of Michigan stored its database username, password and encryption key on a server open to attack.

J. Alex Halderman, a computer scientist at the university, has detailed the vulnerabilities and hacking techniques his students used to completely control the system last week, changing votes and programming the system to play his school’s fight song “Hail to the Victors” after each voter cast their ballot.

The hack, unnoticed by election officials until researchers notified them, forced election officials to take the system offline and adopt a contingency plan for the November elections.

Washington, DC, began testing its internet voting system last Tuesday in advance of the November elections. The system, paid for in part with a $300,000 federal grant, is designed to let overseas military and civilian voters cast ballots quickly, instead of relying on the postal system to deliver their votes in a timely manner.

But within 36 hours of the system going live, Halderman’s team found and exploited a shell-injection vulnerability that “gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots.”

We modified all the ballots that had already been cast to contain write-in votes for candidates we selected. (Although the system encrypts voted ballots, we simply discarded the encrypted files and replaced them with different ones that we encrypted using the same key.) We also rigged the system to replace future votes in the same way.

We installed a back door that let us view any ballots that voters cast after our attack. This modification recorded the votes, in unencrypted form, together with the names of the voters who cast them, violating ballot secrecy.

The hack left lots of traces that an intrusion detection system should have caught. Nonetheless, it went unnoticed for two business days until Friday afternoon when several testers directed election officials to the Michigan fight song playing on their $300,000 voting system.

See also:

  • Voting System Pwned by Michigan Wolverines

WebLeague "profile.php" SQL Injection

WebLeague is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "name" parameter of the "profile.php" script before using it in an SQL query. WebLeague version 2.2.0 is affected.

Ref: http://www.securityfocus.com/bid/43558

10.40.38 - CVE: CVE-2009-4560
Platform: Web Application - SQL Injection

Hackers hijack open-source internet voting system

An internet voting system designed to allow District of Columbia residents to cast absentee ballots has been put on hold after computer scientists exploited vulnerabilities that would have allowed them to rig elections and view secret data.

The system, which was paid for in part by a $300,000 federal grant, was hijacked just 36 hours after Washington DC elections officials began testing it ahead of live elections scheduled for next month. Scientists from the University of Michigan pulled off the hack to demonstrate the inherent insecurity of net-based voting.

"None of this will come as a surprise to internet security experts, who are familiar with the many kinds of attacks that major websites suffer from on a daily basis," one of the scientists, J. Alex Halderman, wrote on Tuesday on the Freedom to Tinker blog. "It may someday be possible to build a secure method for submitting ballots over the internet, but in the meantime, such systems should be presumed to be vulnerable based on the limitations of today's security technology."

The pilot system, which was built on open-source software, was deployed a week ago Tuesday, and just 36 hours later, the team was able to take full control of it. Even though their attack caused computers that were used to cast votes to play their alma mater's fight song, it took elections officials until Friday to suspend the site.

It has since been reinstated, but residents can use it only to download ballots that they can print and return by postal mail. Internet voting has been suspended.

The voting application was written on the Ruby on Rails framework and ran on top of the Apache web server and the MySQL database. The scientists were able to hijack the system after they discovered that they could upload ballots with almost any string they wanted. By inserting Unix commands into the file names, they were able to take almost total control of the server software, including the ability to change votes and reveal voters' secret ballots, Halderman said.

A file named ballot.$(sleep 10)pdf, for instance, caused the server to pause for 10 seconds. They used similar techniques to install a backdoor on the system that allowed them almost unfettered system access.

DC officials deployed the system even after Common Cause and a group of computer scientists and election-law experts warned city officials that the trial posed an unacceptable security risk that "imperils the overall accuracy of every election on the ballot," The Washington Post reported. Among other shockers in Halderman's post is the revelation that highly secret data, including the database username and password, were stored on the server.
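An added example, not code from the DC pilot or from the Michigan team, of how an upload handler written in Ruby could have kept a client-supplied name such as `ballot.$(sleep 10)pdf` away from a shell: an allowlist on the name, a server-generated storage name, and external commands built as argument arrays. The `pdf-encrypt` tool and its `--key` option are hypothetical.

```ruby
# Added example (not the DC system's own code): defensive handling of an
# uploaded ballot filename.
require 'securerandom'

# Strict allowlist: letters, digits, dash, underscore, then ".pdf".
# Anything else (shell metacharacters, spaces, path separators, a second
# extension) is rejected outright rather than "cleaned up".
SAFE_BALLOT_NAME = /\A[A-Za-z0-9_-]{1,64}\.pdf\z/

def valid_ballot_filename?(name)
  name.is_a?(String) && !name.include?("\0") && name.match?(SAFE_BALLOT_NAME)
end

# Characters that change meaning if a name is interpolated into "sh -c".
# Used only to explain a rejection in logs; the allowlist is the gate.
SHELL_METACHARS = /[$`|;&<>(){}\\'"\s*?\[\]~!#]/

def rejection_reason(name)
  return "not a string" unless name.is_a?(String)
  return "embedded NUL byte" if name.include?("\0")
  return "shell metacharacters" if name.match?(SHELL_METACHARS)
  return "path separator" if name.include?("/")
  return "not a simple .pdf name" unless name.match?(SAFE_BALLOT_NAME)
  nil
end

# The client-supplied name is never used for storage: the server picks a
# random name, so even a valid-looking name cannot collide with or
# overwrite another voter's file.
def storage_name_for(client_name)
  reason = rejection_reason(client_name)
  raise ArgumentError, "upload rejected (#{reason}): #{client_name.inspect}" if reason
  "ballot-#{SecureRandom.hex(8)}.pdf"
end

# Build the argument vector for an external tool (hypothetical "pdf-encrypt")
# as an Array. Kernel#system / Process.spawn with an Array never invoke a
# shell, so each element stays one literal argument whatever it contains.
# The "--" stops the tool parsing the path as an option.
def encrypt_argv(storage_path, key_path)
  ["pdf-encrypt", "--key", key_path, "--", storage_path]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names, including the one from the DC pilot story.
  ["ballot.pdf", "ballot.$(sleep 10)pdf", "../etc/passwd.pdf"].each do |n|
    r = rejection_reason(n)
    puts "#{n.inspect}: #{r ? "rejected (#{r})" : 'accepted'}"
  end
end
```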

Adobe Reader purged of hole that was under attack

Adobe has patched 23 security vulnerabilities in its Reader document viewer, including one that criminals were exploiting to install malware on the PCs of unwitting victims.

At least 18 of the other flaws also made it possible for attackers to remotely hijack users' PCs, Adobe said in a bulletin released on Tuesday. The patch updates Reader and its sister application, Acrobat, to versions 9.4 and 8.2.5.

Adobe accelerated the release of the patch after researcher Mila Parkour uncovered a sophisticated attack circulating by email that exploited a stack overflow. The exploit was notable because it bypassed defensive protections Microsoft has built into more recent versions of Windows, such as ASLR, or address space layout randomization, and DEP, or data execution prevention. (The bypass was made possible by a programming mistake on Adobe's part.)

The booby-trapped PDF files, which were sent to select individuals and company employees, also contained three separate font packages so they worked on multiple versions of the Adobe programs. To allay victims' suspicions, the malware used a stolen digital certificate to sign some of its files.

Another vulnerability addressed in Tuesday's update actually resides in code associated with the Adobe Flash Player that's embedded in Reader and Acrobat. Attackers were exploiting the flaw in Flash until Adobe squashed the bug in that application last month. There are no reports so far that it was targeted in the company's PDF software.

It's been a tough couple of years for Adobe, which by many estimates is the second most attacked software maker behind Microsoft. With its highly complex code residing in the vast majority of the world's PCs, it allows exploit writers to maximize their profits.

Adobe has responded to the attacks by designing a security sandbox for Reader and Acrobat that will separate the applications' processes from the critical functioning of the underlying operating system. Of the dozen or so real-world attacks that have exploited vulnerabilities in Reader over the past few years, none of them would have succeeded against the application had it employed the sandbox, Adobe's senior director of product security and privacy, Brad Arkin, said in July.

The feature, to be called Adobe Reader Protected Mode, will be included in the next major release of the application, which is due out before the end of the year. Adobe's Kyle Randolph released an initial round of technical details about the new design on Tuesday here.

Building a sandbox into an application as complex as Reader has been compared by some to adding a basement to a 20-story building after it's already been erected. Versions 7 and 8 of Internet Explorer have a similar feature, and so does Google's Chrome browser.

Adobe's plans to follow suit show it is making good on its promise to make its users safer. One area where the company can still improve is its warning to those updating Reader and Flash that they may need to temporarily disable their anti-virus software. This kluge puts users at risk. It's time Adobe developers fixed it.

APBook Admin Login Multiple SQL Injection Vulnerabilities

APBook is a PHP-based guestbook application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "username" and "password" fields of the "admin/index.php" script. APBook version 1.3.0 is affected.

Ref: http://www.securityfocus.com/bid/43452

10.40.33 - CVE: Not Available
Platform: Web Application - SQL Injection

Army Updates Espionage Rulebook Following Leaks to WikiLeaks

The Army has updated a 17-year-old rulebook on espionage following internal leaks of classified information to the secret-spilling site WikiLeaks.

The update, released Monday, now requires troops to alert authorities if they suspect someone is leaking classified information to the media or any other unauthorized person, according to the Associated Press, identifying media leaks specifically for the first time. It also requires the Army to create a central system to collect threat reports and for soldiers to report incidents of someone removing classified information from their proper work area.

The previous version of the guidelines simply required troops to report cases of treason or attempted intrusions into automated systems, the AP notes. The Army insists the update is not related to the WikiLeaks leaks but is simply part of a comprehensive review.

In May, a former Army intelligence analyst named Bradley Manning was arrested for allegedly leaking a classified Army video showing a gunship attack in Iraq, which WikiLeaks published in April.

In online chats with a former hacker, Manning claimed to have leaked the video as well as a trove of other classified data to WikiLeaks, including a separate video showing the notorious May 2009 air strike near Garani village in Afghanistan — which WikiLeaks has acknowledged possessing but has not yet published — and a database covering 500,000 events in the Iraq War between 2004 and 2009. Manning said the database included reports, dates, and latitude and longitude of events, as well as casualty figures. According to WikiLeaks insiders, the site is preparing to publish a cache of Iraq War documents on October 18. It appears to be similar to a database of Army reports from the Afghan war that WikiLeaks published in July.

Manning also took credit for leaking a cache of 260,000 classified U.S. diplomatic cables to WikiLeaks. Although the site published at least one cable earlier this year that Manning appeared to take credit for in the chats, WikiLeaks founder Julian Assange, in a Twitter message, has denied possessing a cache of 260,000 State Department cables.

Manning has been charged with downloading the classified Iraq video and transmitting it to a third party, in violation of the Espionage Act, 18 U.S.C. 793(e), a section of the act that involves passing classified information to an uncleared party, but not a foreign government.

He’s also charged with allegedly abusing access to the government’s Secret-level SIPR network to obtain more than 150,000 U.S. State Department cables, as well as an unspecified classified PowerPoint presentation.

Voice-routing call fingerprint system fights 'vishing'

Wednesday, October 6, 2010

Security researchers in the States say they have developed a cunning new method of "fingerprinting" voice calls that could offer a route to trustworthy caller ID and a barrier against so-called "vishing" or voice phishing.

The tool is called PinDr0p, and works by analysing the various characteristic noise artifacts left in audio by the different types of voice network - cellular, VoIP etc. For instance, packet loss leaves tiny gaps in audio signals, too brief for the human ear to detect, but quite perceptible to the PinDr0p algorithms. Vishers and others wishing to avoid giving away the origin of a call will often route a call through multiple different network types.

"There's a joke: 'On the Internet, no one knows you're a dog'. Now that's moving to phones," says Mustaque Ahamad of the Georgia Institute of Technology. "The need is obvious to build security into these voice systems ... PinDr0p needs no additional detection infrastructure; all it uses is the sound you hear on the phone."

According to the system's inventors, there's no way for vishers or other voicey villains to eliminate the traces a given system of call routing leaves in the audio eventually received at the other end.

"They're not able to add the kind of noise we're looking for to make them sound like somebody else," says Patrick Traynor, GIT compsci prof. "There's no way for a caller to reduce packet loss. There's no way for them to say to the cellular network, 'Make my sound quality better.'"

The PinDr0p analysis can't produce an IP address or geographical location for a given caller, but once it has a few calls via a given route, it can subsequently recognise further calls via the same route with a high degree of accuracy: 97.5 per cent following three calls and almost 100 per cent after five.

Naturally a visher can change routings easily, but even so PinDr0p can potentially reveal details that expose a given call as being false. A call which has passed through a Russian cell network and P2P VoIP is unlikely to really be from your high-street bank in the UK, for instance.

The GIT researchers hope to develop a database of different signatures which would let their system provide a geolocation as well as routing information in time.

"This is the first step in the direction of creating a truly trustworthy caller ID," says Traynor.

The PinDr0p research was funded by the US National Science Foundation. There's a statement on it here.

Penis pill spam shrinks

Penis pill spam dramatically shrunk over the weekend after a notorious spam affiliate brought down the shutters on its own operation.

Spamit, a mainstay of the so-called Canadian Pharmacy business, announced its intention to shut up shop last week, saying that increased attention on its business had made it impossible to carry on (at least in its present form).

Perhaps surprisingly the closure happened as promised, with Cisco and several other sources reporting a "significant decrease" in global spam volumes as a result.

Few security experts expect the respite from junk mail to last for long, much less cause the wider collapse of the Canadian Pharmacy business. For one thing the market for the sale of prescription drugs, such as Viagra, without a prescription is simply too lucrative to fold anytime soon.

Affiliate programs act as a cut-out for spammers, performing functions such as designing website templates, operating back-end order fulfillment servers and processing credit card payments, as well as the shipping and tracking the physical goods. They pay a commission to spammers for orders received.

Junk mailers in general use these services because any websites they established themselves would be more quickly subject to takedown orders. Besides this, spammers have their work cut out maintaining botnets and figuring out ways to evade spam filters, without also having to worry about e-commerce processing.

Spamit was different from other operations because it also ran its own highly extensive spamming operation using the infamous Storm botnet.

Firms such as Spamit and bulker.biz are collectively referred to as Canadian Pharmacy operations because the websites customers use are supposedly located in Canada. Actual order fulfillment can come from countries such as India and China, among others. Often the goods delivered to consumers of these services are placebos or adulterated with contaminates that pose a risk to users' health.

A more detailed explanation of the Canadian Pharmacy business can be found in our earlier story here.

The impending closure of Spamit was first reported by security blogger Brian Krebs last week.

Cryptome vows to pursue those who breached site

Cryptome.org was breached over the weekend after miscreants took control of an email account used to manage the whistle-blowing website, which predates Wikileaks by a decade.

Cryptome founder John Young said on Tuesday that he planned to pursue those responsible for the hack, and he suggested his computer system may also have been breached. A previous note left on the site's homepage said only that an Earthlink email address and a Network Solutions account used to manage the website had been compromised. The site was then defaced and all 54,000 files on it were deleted, Cryptome had said.

Tuesday's admission came in response to questions from Wired.com reporter Kim Zetter, who said she had spoken to someone who claimed to be responsible and showed her screenshots to back up the claim.

The hacker claims to have accessed John Young's email at Earthlink, a federal crime, and Zetter said she was shown screen shots of email to prove access. Zetter cited specific John Young emails the hacker claimed to have, one a confidential tip to Wired's Noah Shachtman using a pseudonym. Zetter said she confirmed with Shachtman that he had received the tip from the pseudonym.

Zetter also said the hacker claims to have accessed John Young emails and other material concerning Wikileaks, specifically related to "Wikileaks insiders" and material submitted to Wikileaks. Zetter said the hacker claims to have downloaded 7 Terabytes of Cryptome and John Young material. That is a thousand times the 7GB on Cryptome, thus the hacker is exaggerating or has downloaded material from John Young's computer system, another federal crime.

John Young told Zetter to report that Cryptome has no objection to rummaging through Cryptome material, it is all open source, but that the crimes of accessing private email, the ISP account and John Young's computer system will be pursued. "We will burn the hacker's ass for that," we said to Zetter, "be sure to print that."

US-based journalists have long asserted they are protected by a patchwork of state laws that prevent their unpublished reporting from being confiscated by police and law enforcement agents. Zetter almost certainly would do the same here. The privilege is by no means a sure thing. Just ask Jason Chen, the Gizmodo editor whose computers were confiscated in Apple's fevered attempt to recover a lost iPhone 4G prototype.

Man ordered to pay Facebook $1bn

A Canadian man has been ordered to pay Facebook $1bn Canadian for a barrage of more than 4 million penis-enlargement ads he posted on user walls in 2008.

That same year, a California court ordered Adam Guerbuez to pay the social networking site $873m for hacking into members' accounts and sending sexually explicit messages. After Guerbuez failed to heed the demand, the case was brought in Quebec Superior Court, where the judgement was upheld last week, according to published news reports.

Converted into Canadian currency, the judgement is about $1bn.

The California court fined Guerbuez $100 US in damages and $100 US in punitive damages for each of the 4.36 million messages he was accused of posting. The Montreal man never fought the charges, so Facebook ultimately prevailed in the case.

Not that Facebook has much chance of collecting. Guerbuez filed for bankruptcy in August and the site is one of several creditors listed. An order barring him from having a Facebook account or otherwise being involved with the site remains in effect.

Secret-Spilling Sources at Risk Following Cryptome Breach

Secret-spilling site Cryptome was hacked over the weekend, possibly exposing the identities of whistleblowers and other confidential sources, according to a hacker who contacted Wired.com and claimed responsibility for the breach.

The hacker said two intruders from the group Kryogenics breached the long-running site, where they gained access to a repository of secret files and correspondence. Among them, the hacker claimed, were the records of self-proclaimed WikiLeaks insiders who have been the source of several unconfirmed tips supposedly detailing internal WikiLeaks matters.

Wired.com could not confirm the identity of the hacker, who asked to be identified as “Ruxpin” or “Xyrix.” To verify his claims, the hacker showed Threat Level screenshots of Cryptome founder John Young’s Earthlink account inbox and Cryptome’s directory. The latter showed two WikiLeaks file paths, a list of about 30 names and e-mail addresses of sources who communicated with Cryptome, and the contents of at least one e-mail between Young and a Wired.com contributor from 2008. The Wired.com contributor and Young have authenticated the e-mail.

The hacker said they broke into Cryptome using a stolen e-mail password for an Earthlink account belonging to Young. They then used the e-mail account to reset the password for his site’s hosting account. The hacker claims they copied 6.8 terabytes of data from Cryptome, though “no files were deleted or altered.”

“Everything was copied for analysis,” one of the hackers wrote Threat Level in an e-mail interview. “Cryptome is an interesting read indeed.” He added that “only data that had relatively new time stamps is being given thought. There is simply too much to sift through.”

Young, reached by phone, confirmed some of the information provided by the hacker but disputed other assertions.

He didn’t know how the hackers got into his site or if data was deleted but said that “all the files were inaccessible,” and that Network Solutions had to restore content from a backup. He disputed the amount of data the hackers say they obtained.

“We had a little over 7 gigabytes, but not terabytes,” he said. “We’ve never had that much.”

Regarding the WikiLeaks insiders, although he acknowledged that some of them communicated with what appear to be e-mail addresses that could identify them, he doesn’t believe they’re actual WikiLeaks insiders and says he’s never done anything to verify their identities, and that the e-mail addresses could have easily been spoofed.

“I’ve not verified any of those and don’t know how one would,” he said. “I’ve been quite skeptical of anyone claiming to be a WikiLeaks insider.”

The hack of Cryptome would seem to illustrate the real value that a site like WikiLeaks offers. Cryptome, a proto-WikiLeaks, has published many important leaks since it was launched in 1996, exposing government secrets and gaffes.

The site, however, doesn’t provide the kind of secure, anonymized submission process that Wikileaks boasts. Instead, it uses e-mail addresses controlled by Young, raising the risk that sensitive sources could be exposed by this and other hacks. Despite many controversies surrounding WikiLeaks and its founder, that site has never had a security breach, as far as anyone knows. But now Cryptome has.

The WikiLeaks Connection

According to the hacker, Cryptome’s WikiLeaks files contain ample communication between Young and about half-a-dozen supposed WikiLeaks insiders who, out of purported discontent with WikiLeaks founder Julian Assange and his management of the organization, have sent Cryptome unverified tips about supposed malfeasance and other activities inside WikiLeaks.

Young, who has long been suspicious of WikiLeaks’ motives, began publishing the tips this spring, despite expressing doubts publicly about their veracity. The tips prompted the ire of WikiLeaks, which referred to them as a “smear campaign” and has disputed that the sources are insiders.

Cryptome’s hacker claims that although some of the “insiders” initially communicated anonymously with Cryptome using a PGPBoard drop box, they later used personal e-mail addresses for ongoing correspondence, thus potentially exposing their identities to anyone with access to Cryptome’s files.

“Six [WikiLeaks insiders] are on familiar terms with John Young,” he told Threat Level. “Their real names are exposed in their signatures and in their messages. They are using familiar, personal accounts to communicate with Young.”

The hacker noted that “someone@wikileaks.org writes about problems with their leader and problems with money. He sends a PDF (was published to the site recently), some chat logs, and information about the encryption process for submits that he thinks is suspicious. This is from one of the regulars.”

He declined to identify the WikiLeaks correspondents or the e-mail addresses they used.

“Their privacy is to be respected, and they will not be exposed or compromised,” he wrote. “We believe in preserving the system of transparency that Cryptome and other websites represent.”

The hacker claimed that Young demanded proof from the insiders to verify their connection to WikiLeaks and that “he gets it with ease” from them.

“They are legitimate,” the hacker wrote. “Those who are not, appear to get trolled (John Young is absolutely hilarious) and moved to a different folder.”

Asked if the identities of other anonymous sources of Cryptome were also exposed, he replied, “Yes, all of them are. [Young’s] address books were compromised, and many of the messages were not sent from anonymous emails … there are over hundreds. Too many to easily quantify.”

How They Got In

The whois record for Cryptome, which is hosted by Network Solutions, listed the site contact address as jya@pipeline.com, one of Young’s accounts.

The hackers got the password for the e-mail account through Earthlink’s customer service center. Earthlink handles customer service for Pipeline accounts and uses a system, called MIDAS, that stores customer passwords in the clear, according to the hacker.

“Any EarthLink employee using MIDAS can do this without effort,” he wrote. “MIDAS is a legacy ssh application that many of the employees do not use, preferring a web interface called Spirtle instead.”

Earthlink did not return a call for comment.

The hacker said Earthlink’s system was breached about a month ago, at which time Cryptome’s login credentials were seized.

Armed with that password, according to a Network Solutions spokesman, the hackers then initiated a password reset for Cryptome’s hosting account using an online form. Network Solutions sent an automated e-mail to Young’s Pipeline account with a link to reset the password. The hackers, who had control of the e-mail account, then used the link to reset the Network Solutions Cryptome password twice — to passw0rd1 and then letmein1 — locking Young out of his account while they rummaged through Cryptome’s content.
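The chain above is worth drawing out, because every hop is an ordinary account-recovery feature rather than an exploit: a support tool that shows a mailbox password, a registrar that trusts the whois contact mailbox, a hosting panel that trusts the registrar login. The script below is an added example, not code from Cryptome, Network Solutions or EarthLink. It models the accounts as a graph in which holding one account yields the next, asks which single compromise is enough to take the hosting account, and shows what removing one hop (a reset that no longer trusts e-mail alone) buys. Node names are the article's; the edge structure and the helper functions are assumptions.

```python
"""Map an account-recovery chain and find its weak links (added example)."""
from collections import deque

# (compromised, gained, how): holding `compromised` yields `gained`.
# Nodes follow the article; the modelling is ours.
CHAIN = [
    ("earthlink-midas", "jya@pipeline.com",
     "support tool shows the mailbox password in the clear"),
    ("jya@pipeline.com", "netsol-account",
     "registrar e-mails a reset link to the whois contact mailbox"),
    ("netsol-account", "cryptome-hosting",
     "hosting control panel manages the site's files"),
]


def build(edges):
    """Adjacency map: node -> [(next_node, how)]."""
    graph = {}
    for src, dst, how in edges:
        graph.setdefault(src, []).append((dst, how))
        graph.setdefault(dst, [])
    return graph


def path_to(graph, start, target):
    """Shortest list of (node_gained, how) from holding `start` to `target`, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            steps = []
            while prev[node] is not None:
                parent, how = prev[node]
                steps.append((node, how))
                node = parent
            return list(reversed(steps))
        for nxt, how in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, how)
                queue.append(nxt)
    return None


def exposure(graph, target):
    """Every asset whose compromise alone is sufficient to take `target`."""
    return {n for n in graph if n != target and path_to(graph, n, target) is not None}


def without(edges, src, dst):
    """Edges with one trust relationship removed, e.g. after adding a second factor."""
    return [e for e in edges if (e[0], e[1]) != (src, dst)]


if __name__ == "__main__":
    g = build(CHAIN)
    for gained, how in path_to(g, "earthlink-midas", "cryptome-hosting"):
        print(f"-> {gained}: {how}")
    print("sufficient single compromises:", sorted(exposure(g, "cryptome-hosting")))
    hardened = build(without(CHAIN, "jya@pipeline.com", "netsol-account"))
    print("after reset no longer trusts e-mail:", sorted(exposure(hardened, "cryptome-hosting")))
```

The check to run on your own estate is `exposure()`: if a third party's support desk appears in the set for your production hosting account, the mitigation is not a stronger hosting password but a reset flow that does not bottom out in e-mail.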

The hackers said they decided to breach Cryptome primarily to harass a fellow hacker named Josh Holly, aka TrainReq, by posting a message identifying Holly as Cryptome’s hacker. Holly is best known for hacking into Miley Cyrus’s Gmail account and stealing provocative photos she purportedly sent of herself to singer Joe Jonas.

“Cryptome is a popular website,” the hacker wrote Threat Level. “Many people would have seen the joke (defacement), and the person (Trainreq) would have been subsequently bombarded with inquiries about that to which he was clueless.”

The message included a shout-out to fellow Kryogenics members EBK and Defiant — Christopher Allen Lewis and James Robert Black, Jr. — who were recently sentenced to 18 months and 4 months in prison respectively for a stunt in which they replaced Comcast’s homepage with a shout-out to fellow hackers.

The Cryptome hackers deleted the shout-out to Holly before many people saw it, however. “It did not have the intended effect,” the hacker wrote. “Josh Holly was sleeping and unavailable for trolling.”

They replaced it with another one identifying “Ruxpin” as Cryptome’s hacker. It’s not known if Ruxpin is one of the hackers behind the hack, since the hackers acknowledged they initially intended to point blame for the hack at someone else. It’s also not known if Ruxpin is the real handle for the hacker who communicated with Threat Level.

In addition to the shout-outs, the hackers left a note for Young: “Dear John. Rest assured that the integrity of the data hosted here has not been altered. We like Cryptome and needed your site because it was popular. Sorry. Godspeed”

Young was not amused and says he’s determined to hunt down the intruders.

“One of the things I’m interested in is how much prowling they did beyond Cryptome,” he said. “Any rummaging in our e-mail is different than rummaging in Cryptome. We’re going to burn his or her ass with that.”

See also

  • Miley Cyrus Hacker Raided by FBI
  • Comcast.net Hijacker Gets 4 Months
  • Comcast.net Hijackers Sentenced to 18 Months

Latest Zeus attack propagated via fake iTunes receipt

Attackers are sending out spam messages spoofing an iTunes store receipt.

U.S. and international authorities may have just made a serious dent in the manpower behind the Zeus botnet, but dozens of arrests aren't stopping the data-stealing trojan from spreading.

The latest Zeus spam campaign targeted iTunes users and attempted to trick them into installing the insidious malware, designed to hijack online banking credentials from its victims, security firms warned this week.

The messages, which appeared to have been sent from Apple's iTunes Store with the address donotreply@itunes[dot]com, arrived with the subject "Your receipt #" followed by a random number, Fred Touchette, senior security analyst at email protection vendor AppRiver, wrote in a blog post Tuesday. The fake receipts claimed the recipient's iTunes order cost hundreds of dollars.

“People buying music from iTunes are getting used to seeing these receipts in their inboxes,” Touchette told SCMagazineUS.com on Tuesday. “If [attackers] can get them nervous about the amount of the receipt, they can get them to click on a link.”

Links in the bogus receipt lead to one of approximately 100 domains ending in .info, all of which were registered with GoDaddy. Once clicked, the links redirected users to another site where the Zeus trojan is waiting to infect victims.

The final site that users landed on attempted to automatically download a file claiming to be Adobe Flash Player, but it actually was the malicious payload, Touchette said.

The messages began cropping up on Friday, not long after a separate spam run spoofing the social networking site LinkedIn aimed to foist Zeus on victim PCs. The iTunes campaign is no longer active, and all the domains that attackers were using have been blacklisted, Touchette said.

In the past, attackers have used fake iTunes receipts to lure users to websites selling pharmaceuticals, as well as phishing sites that try to trick users into logging into fake web pages to dupe them into handing over account credentials, researchers at Mac security firm Intego, wrote in a blog post Tuesday.
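The campaign combined four features a mail gateway can check for: an Apple sender address, a receipt-style subject with an alarming total, links that leave Apple's domains into freshly registered .info hosts, and a landing page that pushes an executable dressed up as Flash Player. The following is an added example, not AppRiver's or Intego's tooling, that scores a raw message on those features. Both sample messages are constructed; the bulk-mailer and .info hostnames are invented placeholders, and the Return-Path comparison stands in for the SPF/DKIM verdict a real gateway would use, since Return-Path is itself forgeable.

```python
"""Flag spoofed iTunes-receipt lures of the kind described above (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the lure claims to come from (the article quotes donotreply@itunes.com).
APPLE_DOMAINS = {"itunes.com", "apple.com"}
# TLD the campaign's ~100 landing domains shared, per the article.
LURE_TLDS = (".info",)
# Ways a fake "Flash Player" would be served as a direct link (assumption).
PAYLOAD_SUFFIXES = (".exe", ".scr", ".zip")
RECEIPT_SUBJECT = re.compile(r"^\s*your receipt #\d+\s*$", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _domain(header_value):
    """Bare domain of an address header, lower-cased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def _text_parts(msg):
    """Decoded text bodies, for single-part and multipart messages alike."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def indicators(raw_message):
    """List of lure indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    found = []
    from_dom = _domain(msg.get("From"))
    bounce_dom = _domain(msg.get("Return-Path"))
    claims_apple = _in_domains(from_dom, APPLE_DOMAINS)
    receipt_subject = bool(RECEIPT_SUBJECT.match(msg.get("Subject", "")))

    # 1. From claims Apple but bounces are routed elsewhere.
    if claims_apple and bounce_dom and not _in_domains(bounce_dom, APPLE_DOMAINS):
        found.append(f"sender-mismatch:{from_dom}!={bounce_dom}")

    seen = set()
    for url in URL_RE.findall("\n".join(_text_parts(msg))):
        if url in seen:
            continue
        seen.add(url)
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # 2. An Apple "receipt" whose links leave Apple's domains.
        if claims_apple and receipt_subject and not _in_domains(host, APPLE_DOMAINS):
            found.append(f"offsite-receipt-link:{host}")
        # 3. Link into the campaign's throwaway TLD.
        if host.endswith(LURE_TLDS):
            found.append(f"lure-tld:{host}")
        # 4. Link that hands out an executable directly.
        if parsed.path.lower().endswith(PAYLOAD_SUFFIXES):
            found.append(f"executable-download:{host}{parsed.path}")
    return found


def is_lure(raw_message):
    """Quarantine rule: a spoofed sender, or two independent indicators."""
    found = indicators(raw_message)
    return any(f.startswith("sender-mismatch") for f in found) or len(found) >= 2


# Constructed sample modelled on the campaign described in the article.
PHISH = """\
Return-Path: <bounce@mailer-example.net>
From: iTunes Store <donotreply@itunes.com>
To: victim@example.org
Subject: Your receipt #183429871
Content-Type: text/plain; charset=utf-8

Thank you for your order. Total: $469.99
View and manage your order: http://receipt-check-example.info/order.php?id=183429871
"""

# Constructed benign receipt for contrast.
LEGIT = """\
Return-Path: <do_not_reply@apple.com>
From: iTunes Store <do_not_reply@apple.com>
To: customer@example.org
Subject: Your receipt #201
Content-Type: text/plain; charset=utf-8

Thanks for your purchase. Total: $0.99
Report a problem: https://www.apple.com/support/itunes/
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, is_lure(raw), indicators(raw))
```

The subject pattern is deliberately not an indicator on its own: genuine receipts use it too, and the lure's whole point is that the format is familiar. What separates the two messages is where the links go and whether the envelope agrees with the header.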

U.S. and foreign authorities last week announced a series of arrests disrupting an international cybercrime operation linked to Zeus.

The latest attacks indicate that even in spite of last week's arrests, the cyber gangs that use Zeus have not been fazed and do not plan on stopping, Touchette said.

“Zeus hasn't shown any signs of letting up,” he said. “Zeus has been so readily available on the underground forums as a kit that many people have their hands on it. It's going to be difficult to put a dent on its output.”

Last week's Zeus arrests focused primarily on so-called money mules, who allegedly laundered stolen funds for Zeus-based attacks against U.S. and U.K. bank account holders.

As a result, the arrests likely will put some money mule operations out of business in the short term but will not stop bank fraud overall, Avivah Litan, vice president and distinguished analyst at Gartner, wrote in a blog post Friday.

“The arrests will not stop (Automated Clearing House) and wire fraud,” Litan wrote. “It just slows down the ability for the fraudsters to use Zeus to commit it. There are many other attack vectors that enable the crooks to get into online bank accounts and money transfers that don't use Zeus."

See original article on scmagazineus.com

Secure Computing Magazine


New Reader, Acrobat from Adobe fixed for 23 flaws

Adobe closes a whopping 23 vulnerabilities in new release.

Adobe on Tuesday released updated versions of its flagship Reader and Acrobat products to close a whopping 23 vulnerabilities, including two publicly known issues.

The "critical" holes are plugged in Reader 9.4 for Windows, Macintosh and UNIX and Acrobat 9.4 for Windows and Mac. Users of Reader/Acrobat 8.2.4 are advised to upgrade to 8.2.5.

All but four of the flaws could lead to malicious code execution, according to an Adobe security bulletin.

The updates were due to be released Oct. 12, but moved up a week due to active exploits targeting a zero-day vulnerability confirmed by Adobe last month. That unpatched flaw, which garnered vulnerability tracking firm Secunia's most severe rating of "extremely critical," could be targeted to crash a user's machine or take complete control of it, according to a previous advisory from Adobe.

Five days after that disclosure, Adobe revealed another unpatched bug affecting Reader and Acrobat. However, unlike the other zero-day, Adobe said it is not aware of any in-the-wild attacks targeting the vulnerability.

Both Reader and Acrobat contain mechanisms to update to the latest versions, Adobe said. As an alternative, users can follow the instructions contained in Tuesday's bulletin.

The next quarterly updates for Adobe Reader and Acrobat are due Feb. 8, 2011.

See original article on scmagazineus.com

Secure Computing Magazine


WebLeague Multiple SQL Injection Issues

WebLeague is a PHP-based web application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "username" and "password" fields of the "Admin/index.php" script. WebLeague version 2.2.0 is affected.

Ref: http://www.securityfocus.com/bid/43557

10.40.37 - CVE: CVE-2009-4561
Platform: Web Application - SQL Injection

MySITE SQL Injection and Cross-Site Scripting Vulnerabilities

MySITE is a PHP-based content management application. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input. 1) A cross-site scripting issue that affects the "query" parameter in the "portal/modules.php" script. 2) A SQL injection issue that affects the "pid" parameter of the "print.php" script.

Ref: http://www.securityfocus.com/archive/1/513968

10.40.27 - CVE: Not Available
Platform: Web Application - Cross Site Scripting

Blog Ink (Blink) Multiple SQL Injection Issues

Blog Ink (Blink) is a PHP-based blog system. The application is exposed to multiple SQL injection issues because the "db.php" script fails to sufficiently sanitize user-supplied data to the "username" and "password" parameters of the "login.php" script.

Ref: http://www.securityfocus.com/bid/43284

10.40.32 - CVE: Not Available
Platform: Web Application - SQL Injection
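All three reports describe the same defect, so one added example covers them: a login query (the WebLeague and Blink pattern) and a record lookup by numeric id (the MySITE "pid" pattern), each built by string interpolation beside its parameterised form, with the two classic inputs that defeat the check. This is not code from WebLeague, MySITE or Blink, and it is written in Python with sqlite3 rather than the applications' PHP so that it runs stand-alone; the query shape is the same. Table contents and credentials are constructed.

```python
"""Login and lookup SQL injection, vulnerable and fixed side by side (added example)."""
import sqlite3


def make_db():
    """In-memory stand-in for the apps' admin and content tables (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO admins VALUES (1, 'admin', 'correct horse');
        INSERT INTO admins VALUES (2, 'editor', 'battery staple');
        CREATE TABLE articles (pid INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO articles VALUES (1, 'first');
        INSERT INTO articles VALUES (2, 'second');
    """)
    return con


def login_vulnerable(con, username, password):
    """The reported pattern: request fields pasted straight into the SQL text."""
    sql = ("SELECT id FROM admins WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(con, username, password):
    """Same query with bound parameters: input can never alter the statement's structure."""
    sql = "SELECT id FROM admins WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def article_vulnerable(con, pid):
    """The print.php?pid= pattern: an unquoted number, so the attacker needs no quote at all."""
    row = con.execute("SELECT title FROM articles WHERE pid = %s" % pid).fetchone()
    return row[0] if row else None


def article_fixed(con, pid):
    """Check the type first, then bind the value."""
    if not str(pid).isdigit():
        return None
    row = con.execute("SELECT title FROM articles WHERE pid = ?", (int(pid),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Username field: comment out the password comparison.
    print(login_vulnerable(db, "admin' -- ", "anything"), login_fixed(db, "admin' -- ", "anything"))
    # Password field: make the WHERE clause true for every row.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"), login_fixed(db, "nobody", "' OR '1'='1"))
    # Numeric parameter: no quote needed.
    print(article_vulnerable(db, "0 OR 1=1"), article_fixed(db, "0 OR 1=1"))
```

The `admin' -- ` input turns the password comparison into a comment; `' OR '1'='1` in the password field makes the WHERE clause true for every row, so the first admin is returned. The pid case shows why a type check belongs in front of the bound query: binding alone would still accept "0 OR 1=1" as a harmless string, but rejecting it early keeps the error visible. Storing passwords in the clear, as these queries imply, is a second defect that parameter binding does not fix.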

Software dev turned rogue trader gets jail and 4.9bn fine

The French software developer turned rogue trader who brought French bank Société Générale (SocGen) to the verge of bankruptcy has been jailed for three years and fined €4.9bn ($6.7bn).

Jerome Kerviel used purloined login codes from his co-workers and forged emails to create fictitious accounts. He gambled billions from the fake accounts on the derivatives market, taking increasingly risky positions that eventually went spectacularly wrong. The highly leveraged hedge fund trades between late 2007 and early 2008 exceeded SocGen's market value of €50bn. Unwinding these positions when they were discovered in early January 2008 coincided with a dramatic drop in European stock markets and resulted in losses that ran into billions.

Kerviel, 33, used knowledge gained during five years of software development prior to his appointment as a trader on the bank's futures desk in 2005 to circumvent controls and offload jaw-dropping losses onto fictitious investors.

All this was done using rudimentary skills to carry out a low-tech hack that simply involved manipulating the Excel spreadsheet reports that were providing the bank's management with trading updates. The whole episode was a prime example of a failure of trading controls, even more catastrophically exposed by the subsequent US sub-prime market collapse.

The fraud was exposed in January 2008, leading to Kerviel's arrest. SocGen unsurprisingly fired Kerviel soon after. Since then, he has gone back to his old job as a computer consultant, after a short spell of around six weeks on remand. Defence lawyer Olivier Metzner said Kerviel has not gained financially from the fraud.

Kerviel was found guilty of breach of trust, forgery and computer hacking by a Paris court and sentenced to jail for five years, with two years suspended, at a hearing on Tuesday.

The court rejected Kerviel's defence that bank bosses were aware of his activities and did nothing until his early successes went spectacularly pear-shaped. He claimed other traders at SocGen were also taking hugely risky gambles. SocGen denied these allegations, maintaining that Kerviel acted alone and without authorisation.

Kerviel, who reportedly co-operated with investigators after his arrest, plans to appeal.

Meanwhile SocGen officials say the fine against Kerviel is purely symbolic and will not be enforced, which is just as well because French media reckon it would take him 120,000 years to repay the fine on an IT consultant's salary.

Russian authorities detain suspected bank carding kingpin

Russian authorities have detained a Ukrainian citizen accused of overseeing a criminal operation that used fraudulent credit cards and passports to siphon large amounts of cash out of banks around the world.

The detention of the unnamed suspect came as Department K of the Russian Interior Ministry stopped the actions of the international criminal group the Ukrainian allegedly led, according to a press release issued on Monday. The group, which was made up of at least 50 members, siphoned more than $660,000 out of 17 Russian banks between January and June alone.

Russian authorities also confiscated more than 100 counterfeit credit cards and an encoder used to write data to cards' magnetic stripe.

The action comes as authorities in Ukraine, the US, and UK last week rounded up dozens of people suspected of participating in bank fraud related to Zeus, a prolific computer trojan that specializes in stealing banking credentials of its victims. Most of those arrested were accused of being money mules who used fraudulent passports to launder money stolen from compromised accounts. Five of those detained in Ukraine were accused of orchestrating the overarching scheme.

Russian authorities didn't say if those detained were related to the same crime ring, but the activities they're accused of sound remarkably similar. Some of the Russian suspects are accused of using fake passports to mislead bank employees.

Symantec pushes mobile security onto Android and iOS

Symantec is extending its support of smartphone platforms in a bid to make its security and management technology as ubiquitous in the mobile world as it is on the desktop.

The security giant announced added support for Android and Apple iOS platforms to its mobile security and management portfolio during the opening of its Symantec Vision conference in Barcelona today. This is in addition to existing support for Windows Mobile, Symbian and BlackBerry smartphones.

The technology covers functions such as device security, encryption and authentication. Password policy enforcement, remote wipe and device inventory functions are also included in enterprise versions of the software.

VeriSign Identity Protection (VIP) Access for Mobile, PGP Mobile and Symantec Endpoint Protection Mobile Edition are the three main products in Symantec's push to sell both enterprises and service providers on its ability to minimise problems such as mobile network misuse, malware proliferation and spam. The enterprise versions of the product are available immediately, with the telecoms carrier versions coming online next quarter. Symantec paid $1.3bn to buy VeriSign's security business in May and intends to make good on this investment with increased sales in mobile technology.

"We're going to embed user-authentication technology for VeriSign in all our products," Enrique Salem, Symantec's chief exec, told reporters. "This is different from the digital certificate business and will involve an identifier and a challenge question, together with geo-location."

The payment by phone concept has been kicking around the IT industry for some years. It's an appealing idea but many pieces need to fall in place to realise the vision. Handset manufacturers, mobile telcos, payment providers, banks and retailers all need to be on board - quite apart from the security piece, which Symantec is in as good a place as anyone in the security market to supply.

Salem acknowledged the difficulty of the IT industry as a whole to make the e-wallet concept a reality. Symantec's strategy is to focus on building bilateral relationships, starting with a small number of retailers and payment providers.

"There's not going to be one ID for the internet," Salem said. "The idea that there will be one authoritative service is far-fetched. It's not going to happen."

Symantec also wants to persuade consumers to buy Norton Mobile Security for Android, possibly as an extension to existing desktop versions of Symantec's consumer-focused security software, to tackle the yet-to-emerge threat of malware capable of infecting Android devices. While it's true that a couple of SMS Trojans infecting Android smartphones have appeared in Russia, the problem is minuscule compared to the hundreds of thousands of strains of Windows-specific worms, Trojans, viruses, rootkits and botnet agents that have been the mainstay of the security threat landscape for many years.

Spuds for laptop fraudsters strike in Huntingdon

Tuesday, October 5, 2010

The potatoes for laptop bait-and-switch fraudsters have been at it again, relieving a couple in Huntingdon of £650 in exchange for a bag of spuds and a few bits of cardboard.

BBC Cambridgeshire reports that the unfortunate couple were approached in Huntingdon High Street last week by a man supposedly punting a second-hand laptop.

He showed them a laptop in a rucksack, and they then went to withdraw £650 in cash to buy said PC.

They then handed over the cash, but after the vendor made his excuses and left, they opened the bag to see they had nothing to show for their readies but a bag of potatoes and some cardboard.

The police have said the alleged vendor was white, aged about 30, at least 6 foot tall and had reddish brown hair and stubble. There was no description of the laptop, or the potatoes.

Last week's scam marks a return to form for practitioners of the root veg for laptop bait and switch.

We've seen a steady stream of stories where fraudsters take money off gullible marks only to palm them off with a sack of spuds. Last month we saw a stylish change of pace when a fraudster in Reading used onions instead of potatoes to pull off a similar scam.

This may have indicated a new gang moving in on the not terribly lucrative scam. Alternatively, the con artists may have been caught between their early crop and late crop spuds, necessitating the use of the much more pungent substitute.

Iran nuclear plant shutdown due to 'leak'

Delays in bringing Iran's nuclear plant online at Bushehr are due to a "small leak" and nothing to do with the infamous Stuxnet worm, according to the country's energy minister.

Bushehr was due to begin producing electricity in November, following the transfer of fuel to the core in September, but power production is being delayed until "early 2011" following a leak in a storage pool, according to Ali Akbar Salehi, Iran's vice president and political boss of its nuclear programme, AP reports. Salehi did not specify whether radioactive material was involved in the leak, much less whether any plant personnel were exposed to danger.

"During a washing process prior to loading the actual nuclear fuel, a small leak was observed in a pool next to the reactor and was fixed," Salehi said, Iran's IRNA news agency reports. "This leak delayed activities for a few days."

Plant officials have previously admitted that the Stuxnet worm, a sophisticated strain of malware capable of sabotaging industrial plant control systems, had infected the laptops of an unspecified number of workers.

This admitted infection has nothing to do with the months-long delay at Bushehr, according to Salehi. Iran's deputy industry minister, Mohsen Hatam, added: "All (infected) platforms have been scanned, cleaned and sent back to their respective industries."

Stuxnet, which was first widely identified in July, is capable of reinfecting supposedly disinfected systems, so Hatam's assurance that the country has its malware problem under control cuts little ice. The worm spreads from infected USB sticks or across unsecured networks. Once inside a plant network, it uses known default passwords in the industrial control software to issue commands to it. Infections have been recorded in India and Indonesia as well as Iran and Russia.

Last week Iran intelligence officials said the country had arrested an unspecified number of "nuclear spies" over the Stuxnet infection. These arrests remain unconfirmed by independent sources.

One favoured (though disputed) theory is that the worm was developed in Israel and introduced by Russian sub-contractors who worked at Bushehr. Stuxnet has backdoor components and attempts to connect to two (now disconnected) servers. The malware uses two stolen digital certificates and no less than four zero-day Windows flaws.

The sophistication of the worm has provoked widespread speculation that the malware was developed by an intelligence agency and targeted at Iran, the country where infection was first detected. Israel has emerged as the obvious prime suspect in this malfeasance.

Iran claims its nuclear programme is solely for civilian purposes such as electricity generation and scientific research. However other countries, led by the US and Israel, fear the country wants to use the plant to enrich uranium and make nuclear weapons.

iPhone app tagged as terror tool

A Tory alarmist is squawking about the technology behind an iPhone app that he claims could enable an airline-hunting terrorist to more easily stalk his prey.

"Anything that makes it easier for our enemies to find targets is madness," Tory MP Patrick Mercer told the Daily Mail. "The Government must look at outlawing the marketing of such equipment."

Yes, that Patrick Mercer, the same worthy who warned of explosives in terroristic breast implants, and of HIV-infected needles in Taliban bombs. Incidentally, he's also the man who reportedly stuck his mistress with an £8K bill for flat-refurbishment, and the character who was sacked by David Cameron for alleged racist remarks.

Plane Finder finds targets aplenty in and around Heathrow

The target of Mercer's condemnation is the technology behind Plane Finder AR, which uses data from the publicly available Automatic Dependent Surveillance Broadcast (ADS-B) system that airlines are deploying to improve flight tracking and traffic control.

Plane Finder uses that data to provide an augmented-reality display of a commercial flight's number, registration, speed, altitude, and distance when a handset's camera is aimed at an airliner either parked or in flight.

And a terrorist needn't be concerned with juggling his FIM-92 Stinger while attempting to hold his iPhone correctly in order to get a decent signal. He could also choose either Plane Finder HD for the iPad or just plain Plane Finder for Android.

For that matter, a bad guy could simply buy his own ADS-B receiver for around £200, and hook it up to a Windows box running software such as PlanePlotter. And if the terror-minded miscreant is baffled by the intricacies of a USB A/B cable, he could simply install personal ADS-B software such as AirNav Systems' AirNav Live Flight Tracker, which gets its data online.

That USB bafflement would be understandable, considering the technical competence exhibited by luckless losers such as Times Square bomb bozo Faisal Shahzad, Nigerian crotch bomber Umar Farouk Abdulmutallab, and shoe bomber and finalist in "World's Ugliest Man" contest Richard Reid.

Those jihadist jugheads could hardly put together a system as intricate as that used by Plane Finder's developer, Pinkfroot, which gathers its data from a network of ADS-B receiver-equipped aircraft enthusiasts and compiles it into a central database that's accessed by its apps.

All the data is open to the public although if fearmongers such as Mercer continue to stoke public sentiment, it may not be for long.

"We have packaged information that is freely broadcast," Lee Armstrong, a Pinkfroot director, told the Daily Mail. "We haven't had any objection from the authorities in the UK or anywhere else in the world."

The UK Department for Transport isn't particularly worried, either. A spokesman told the Daily Mail: "This application might be new but the ability to track aircraft isn't."

Finally, it is to be noted that according to many of the Plane Finder reviews in the iTunes App Store, the only terror attacks engendered by the app are bugs and a cascade of error messages.

In sum, it appears highly unlikely that Plane Finder will hatch heinous-halfwit havoc. The hullabaloo over the app has merely resulted in more ink for Mercer and free publicity for Pinkfroot.

Net fraudsters dupe NRL supporters

More than 100 buyers netted.

At least 100 people were suspected of falling prey to internet fraudsters offering non-existent tickets to the National Rugby League (NRL) grand final on Sunday, NSW Police said today.

Police from Flemington Local Area Command, located near the Olympic precinct in Sydney where the match between St George-Illawarra and Sydney Roosters was held, reported that a group of people had been instructed to meet at a hotel near the stadium about 2.5 hours before kick-off.

The group was waiting to meet with a ticket seller who allegedly failed to materialise.

"When the seller failed to arrive with the tickets as arranged, victims attempted to contact the seller by phone. All attempts were unsuccessful and police were called in," NSW Police said in a statement.

"At this time police believe at least 100 people have been victims of the scam, which involved buying tickets to the Grand Final via the internet.

"Police have spoken with a number of victims, however, suspect there may be some who left the hotel before police arrived."

Victims or people with information were urged to contact Flemington Police or Crime Stoppers on 1800 333 000.

Copyright © iTnews.com.au. All rights reserved.


iPhone apps put user privacy at risk

A large number of applications that run on Apple's iOS collect serial numbers that uniquely identify the hardware device, according to a study that warns the practice could compromise users' privacy.

Apple bills the UDID, or Unique Device Identifier, as a tool for developers to identify iPhones, iPads, and iPod touches when remotely storing application preferences, video game high scores, and similar types of data. Although UDIDs have largely escaped the criticism of privacy advocates, they could in many respects be as troubling as the Processor Serial Number system Intel included with the Pentium 3 in 1999, until the feature was pulled following a firestorm of protest from civil libertarians.

"The iPhone's UDID is eerily similar to the Pentium 3's Processor Serial Number (PSN)," Eric Smith, assistant director of information security and networking at Bucknell University in Pennsylvania, wrote in the report.

"While the Pentium 3 PSN elicited a storm of outrage from privacy rights groups over the inherent risks associated with the sharing of such information with third parties, no such concerns have been raised up to this point regarding the iPhone UDID. As UDIDs can be readily linked to personally-identifiable information, the 'Big Brother' concerns from the Pentium 3 era should be a concern for today's iPhone users as well."

The research paper is the latest to highlight the lack of privacy controls offered by many smartphones. The study was released the same week that separate computer scientists found that a large percentage of apps available in Google's competing Android Market reported users' phone numbers, locations, or handset device numbers to remote advertising servers without explicitly telling users this was happening.

Both platforms warn users what personal information an app they want to install can access, but neither state precisely what information is collected or how it is used.

Smith analyzed 57 apps including those in the iTunes Store's top 25 free and top free news categories by running them through a packet sniffer that monitored the data they sent to remote servers. Of those, 68 percent transmitted UDIDs to servers under the control of developers or advertisers, while another 18 percent sent encrypted data that could have included the unique serial number. Just 14 percent of the apps were confirmed not to send UDIDs.

What's more, a BBC News app that was analyzed included a tracking cookie that didn't expire for four years, while ABC News set a cookie that persisted for 20 years. The existence of these long-lived persistent cookies could allow for third parties to link UDIDs from old, discarded phones to individuals' new phones as they upgrade to the newest iPhone model every few years, Smith warned.
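The methodology above (run each app through a packet sniffer, then look at what leaves the device and what cookies come back) can be reduced to a small offline audit. The following is an added example, not code from Smith's report or from any app it examined: it scans constructed plaintext HTTP exchanges for a 40-hex-digit token shaped like an iOS UDID and reports the longest cookie lifetime each response sets. The app labels, hostnames and captures are all made up for the demonstration.

```python
"""Audit captured app traffic for device-identifier leakage and long-lived cookies.

Added example, not code from Smith's report or from any app it examined: given
plaintext HTTP exchanges (as a packet sniffer would capture them), flag requests
carrying a 40-hex-digit token shaped like an iOS UDID and responses that set
cookies expiring years in the future. The exchanges below are constructed and
the hostnames are placeholders.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# A UDID is a 40-character hex string; require hex-free neighbours so a slice of a
# longer hash is not reported by mistake.
UDID_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")
COOKIE_EXPIRES_RE = re.compile(r"expires=([^;\r\n]+)", re.IGNORECASE)

# Constructed sample captures: (app label, request text, response text).
CAPTURES = [
    ("news-app-a",
     "GET /track?udid=0123456789abcdef0123456789abcdef01234567&v=2 HTTP/1.1\r\n"
     "Host: ads.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\n"
     "Set-Cookie: id=7; expires=Fri, 04 Oct 2030 00:00:00 GMT; path=/\r\n\r\n"),
    ("game-b",
     "POST /score HTTP/1.1\r\nHost: api.example\r\n"
     "X-Device: 89abcdef0123456789abcdef0123456789abcdef\r\n\r\nscore=10",
     "HTTP/1.1 200 OK\r\n\r\n"),
    ("weather-c",
     "GET /forecast?zip=00000 HTTP/1.1\r\nHost: wx.example\r\n\r\n",
     "HTTP/1.1 200 OK\r\n"
     "Set-Cookie: s=1; expires=Mon, 04 Oct 2010 00:00:00 GMT\r\n\r\n"),
]


def find_udids(request):
    """Return every 40-hex token found in the request line, headers or body."""
    return UDID_RE.findall(request)


def longest_cookie_days(response, now):
    """Longest cookie lifetime in days set by the response; 0 if none or already expired."""
    longest = 0.0
    for m in COOKIE_EXPIRES_RE.finditer(response):
        try:
            expires = parsedate_to_datetime(m.group(1).strip())
        except (TypeError, ValueError):
            continue  # unparseable date: skip this cookie
        if expires is None:
            continue
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        longest = max(longest, (expires - now).total_seconds() / 86400)
    return longest


def audit(captures=CAPTURES, now=datetime(2010, 10, 4, tzinfo=timezone.utc)):
    """Per app: UDID-shaped tokens sent in the clear and the longest cookie lifetime (days)."""
    return {
        app: {"udids": find_udids(req),
              "cookie_days": round(longest_cookie_days(resp, now))}
        for app, req, resp in captures
    }


if __name__ == "__main__":
    for app, result in audit().items():
        print(app, result)
```

The check only sees plaintext; the 18 percent of apps that sent encrypted data in the study would show up as "no UDID found", which is the same blind spot Smith reports, so an empty result is not proof of a clean app.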

Apple's application guidelines admonish developers that "you must not publicly associate a device's unique identifier with a user account". But there's nothing stopping them from doing so. Indeed, a CBS News app transmits both the UDID and the iDevice's user-assigned name, which is often the full name of the owner. A substantial number of applications including those from Amazon, Facebook and Twitter have the ability to link UDIDs to real-world identities, Smith said.

A PDF of Smith's report is here.

Voting System Pwned by Michigan Wolverines

It’s a win for the University of Michigan Wolverines, . . . if not for anyone else.

After election officials in Washington, DC, egged on hackers to have a go at their new internet voting system, they did just that. The result was Michigan’s fight song “Hail to the Victors” played to voters after they cast their ballots.

Election officials were testing their new pilot voting system in advance of elections in November, but had to pull it down on Friday after the hackers seized it.

Officials initially cited “usability issues” that had been brought to their attention, but the election board’s chief technology officer later admitted to the Washington Post that “the integrity of the system had been violated.”

A Michigan professor apparently “unleashed his students” on the system to get the win for Michigan.

The system, which was paid for in part with a $300,000 federal grant, was supposed to allow about 900 military personnel and overseas voters the ability to cast absentee ballots. But officials now say the voters will only be able to download their ballots via the system and will then have to send them in separately, via post, e-mail or fax, to be counted.

Common Cause, computer scientists and others had warned city officials that the system was a security risk, but board officials had dismissed their concerns.


Stop. Think. Create a Better DHS Cybersecurity Slogan.

The Department of Homeland Security kicked off its new computer security campaign called “Stop. Think. Connect.” on Monday as part of National Cyber Security Awareness month.

Computer security is a nice thing and having more of it is good, but “Stop. Think. Connect.” easily counts as one of the most useless slogans ever created.

So we and the U.S. need your help to come up with a new one, or else the entire net will certainly face a total BSOD/Twitter fail-whale meltdown of epic proportions.

DHS wants to convince citizens to do something to fight online crime and hackers, and it thinks it needs a campaign along the lines of the memorable Smokey the Bear and Click It or Ticket campaigns.

The problem is it’s not clear at all what you are supposed to stop, think about or connect to. The tagline isn’t explained at all on the website, the downloadable PDF or the 15-slide PowerPoint presentation (nothing encourages cyber security like asking people to download a PowerPoint file). You can also become a “friend” of the campaign by submitting your email address here.

I’m scratching my head wondering what these imperatives are actually telling people to do.

Stop what? Downloading PowerPoint presentations from the web? Stop forwarding on chain e-mails? Stop using IE 6?

Think about what? I’m assuming the answer here is “the children”. We should always be thinking of “the children”.

Connect? To what? With whom? I’d guess the answer was “the children” again, but I’m pretty sure connecting with “the children” online is bad.

Personally, I would have gone with something like "Look left, look right, look left again before clicking a link." It's cheaper than a firewall and doesn't require a monthly subscription.

Got a better slogan?

October is the National Cyber Security Awareness month, and the fed’s campaign to make computing safer needs a better slogan than Stop. Think. Connect., and we need your help. Submit your slogan below and/or vote up your favorites. We’ll close the poll at the end of the week, and submit the top ones to DHS.



VS Panel "results.php" SQL Injection Issue

VS Panel is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. VS Panel version 7.5.5 is affected.

Ref: http://www.securityfocus.com/bid/43545

10.40.36 - CVE: CVE-2009-3595
Platform: Web Application - SQL Injection

Multi Website "Browse" Parameter SQL Injection Issue

Multi Website is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input before using it in an SQL query. Specifically, this issue affects the "Browse" parameter when the "action" parameter is set to "vote". Multi Website version 1.5 is affected.

Ref: http://www.securityfocus.com/bid/43243

10.40.31 - CVE: CVE-2009-3150
Platform: Web Application - SQL Injection
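Both advisories describe the same defect: a request parameter reaches an SQL statement without being separated from the SQL text. The following is an added example, not code from VS Panel or Multi Website: a constructed "browse" lookup and "vote" update over an in-memory SQLite table, with the string-spliced version beside the parameterised one so the difference in behaviour on a quote-bearing value can be observed directly.

```python
"""Injectable vs parameterised 'browse' lookup, added to illustrate the advisory class.

Not code from VS Panel or Multi Website: the table and the browse/vote handlers
are constructed stand-ins for a 'browse' parameter that reaches an SQL query.
"""
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table of sites with vote counts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT, votes INTEGER)")
    con.executemany("INSERT INTO sites (name, votes) VALUES (?, ?)",
                    [("alpha", 3), ("beta", 5), ("gamma", 1)])
    con.commit()
    return con


def browse_vulnerable(con, browse):
    """The defect the advisories describe: the parameter is spliced into the SQL text."""
    sql = "SELECT name FROM sites WHERE name = '%s'" % browse
    return [row[0] for row in con.execute(sql)]


def browse_safe(con, browse):
    """Bound parameter: the value travels separately from the statement and is never parsed as SQL."""
    rows = con.execute("SELECT name FROM sites WHERE name = ?", (browse,))
    return [row[0] for row in rows]


def vote_safe(con, browse):
    """Same discipline on the write path (the 'action=vote' case); returns rows affected."""
    cur = con.execute("UPDATE sites SET votes = votes + 1 WHERE name = ?", (browse,))
    con.commit()
    return cur.rowcount


if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"              # a value no real site name would carry
    print(browse_vulnerable(con, probe))  # every row: the quote ended the literal early
    print(browse_safe(con, probe))        # no rows: the whole string was compared as a name
```

Parameter binding is the fix the advisories imply by "sanitize"; escaping by hand is fragile because it has to be right for every driver and character set, whereas a bound value is never interpreted as SQL.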

Anti-virus vendor trio plug website flaws

Monday, October 4, 2010

White-hat hackers have uncovered vulnerabilities on the websites of anti-virus firms that created a phishing risk.

Cross-site scripting (XSS) bugs of varying severity were found on the websites of Symantec (here), Eset (here) and Panda Security (here) by Team Elite, the white-hat hackers who discovered the flaws. We notified all three firms of the issue and all three responded by plugging the flaws in good time.

Coding errors that give rise to cross-site scripting flaws are endemic in web development. This class of vulnerability might, for example, allow a hacker to present content from third-party sites (pop-ups, malicious scripts etc.) as if it came from a site a surfer was trying to visit and that site alone. As such, these flaws are very handy for phishing attacks that attempt to trick the unwary into handing over their credentials to untrusted sites.
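The coding error in question is usually nothing more than echoing request data into a page without encoding it for the HTML context. The following is an added example, not code from any of the vendor sites in the story: a constructed greeting page rendered unescaped (the defect) and escaped (the fix), plus a parser-based check that lists the elements a browser would actually create from each version.

```python
"""Reflected output with and without HTML escaping, added to illustrate the XSS class.

Not code from any of the vendor sites in the story: a constructed greeting page
that echoes a name taken from the request, shown unescaped (the defect) and
escaped (the fix), plus a small parser-based check of what tags the browser
would see.
"""
import html
from html.parser import HTMLParser


def render_vulnerable(name):
    """Untrusted input dropped straight into markup: any tags in it become part of the page."""
    return "<p>Hello, %s</p>" % name


def render_safe(name):
    """Escape for an HTML text context before interpolating; quote=True also covers attribute values."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen(markup):
    """Tags a browser would parse from the rendered page: a quick check for injected elements."""
    p = _TagCollector()
    p.feed(markup)
    return p.tags


if __name__ == "__main__":
    probe = "<script>probe()</script>"   # constructed: stands in for anything a third party could supply
    print(tags_seen(render_vulnerable(probe)))  # ['p', 'script']
    print(tags_seen(render_safe(probe)))        # ['p']
```

The escaping function has to match the context: html.escape is right for element text and quoted attribute values, but data placed inside a script block, a URL or a CSS property needs that context's own encoding, and a missed context is where most of the flaws Team Elite reports come from.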

An XSS flaw on Twitter's website was exploited by the infamous onMouseover worm last month, a point security firms were falling over themselves to comment on. The XSS flaws on the anti-virus firms' websites were not exploited and no harm was done.

Nonetheless, Symantec et al should be especially careful to set a good example in web security. That's what these firms sell after all, but experience shows that XSS problems are commonplace even in the information security vendor market.

And because groups such as Team Elite go looking for them, these problems regularly get a public airing. Even though there's no evidence of miscreants exploiting these particular vulnerabilities, that's no reason to dismiss them, as one Team Elite member explained in an email to El Reg.

"XSS vulnerability is a high level vulnerability which could allow an attacker to steal sensitive data such as login information and other credentials," he said. "I can assure you that our team does not do such things, we don't hack any websites, we simply deliver the proof of concept, spread the knowledge of existing vulnerability so the companies can correct those bugs for the good of their own."

"I've noticed that all three security vendors have fixed the bugs on their websites, which is very positive," he added.

Iran boasts of Stuxnet 'nuclear spies' arrests

Iran claims to have arrested spies it blames for planting the infamous Stuxnet worm on its network and attempting to clobber its Bushehr nuclear power plant.

Heydar Moslehi, Iran's intelligence minister, told the semi-official Mehr news agency that the country had arrested an unspecified number of "nuclear spies" (nationality unknown). He claimed that Iran was right on top of the Stuxnet infection, implausibly adding his ministry had achieved complete mastery over government computer systems.

"All of the destructive activities perpetrated by the oppressors in cyberspace will be discovered quickly and means of combating these plans will be implemented," Moslehi said, the New York Times reports.

The paper tellingly adds that the arrests could not be independently confirmed.

The Stuxnet worm, first confirmed in July, infects SCADA systems manufactured by Siemens, creating a stealthy rootkit capable of re-programming compromised industrial control systems. The malware can spread from infected USB drives and by exploiting default passwords in weakly-secured networks.

The sophistication of the worm has prompted many cyber security experts to speculate that it must be the work of an intelligence agency bent on sabotage. Rather than imagining that some Jason Bourne-style cyberspy - or a Mossad team - parachuted into Iran bearing infected USB sticks, a more plausible theory is that Russian sub-contractors who worked on Bushehr nuclear power plant deliberately infected its systems.

However, that work was done years ago, so the idea that any of these sub-contractors might still be in Iran seems implausible.

Moslehi's claims that the Stuxnet infection is under control also take some believing, especially since anti-virus analysts have recently discovered that the malware can re-infect supposedly cleaned systems. The extent of the infection in Iran is unclear. Managers at Bushehr admit only that the worm has infected personal computers at the controversial facility.

Independent analysis by Kaspersky Labs suggests the worm is actually more active in India and Indonesia than in Iran.

The lack of solid evidence hasn't, of course, stopped security pundits from sounding off about it, with some describing it as a "cyber super-weapon". Much has been made of the hidden reference in the worm code to the date 19 May 1979, when an Israeli businessman was executed in Iran, and the use of the file path "myrtus" (b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb). This is a supposed Old Testament biblical reference to Hadassah (which means Myrtle), a figure from the Book of Esther who warns of a plot against the Jews.

The Parallax View

An entertaining debunking of this conspiracy theory comes from Mary Landesman, an anti-virus expert at ScanSafe. She notes that myrtus is more commonly known as myrtle, a family of plants related to eucalyptus. She also repeats the observation that Stuxnet is more prevalent in Indonesia than Iran.

The Israeli-superworm conspiracy theory is, at best, based on isolated features of the worm and speculation rather than analysis, Landesman complains. A close look at the code itself reveals that Stuxnet has a "kill date" of 24 June, 2012. This date is significant in astrology because it "is the date that Pluto in Capricorn squares off against Uranus in Aries", a so-called grand cross.

Based on this, the date, and the arguable botanical reference, Landesman argues that the author of the worm could be a 31-year-old botany and astrology geek with a knowledge of SCADA systems and an obsessive personality, rather than an Israeli cyber-saboteur working with a paid Russian stooge as per the conventional theory.

You can read Landesman's entertaining debunking here.

Met chief fears Brit cybercrime gangs

Britain's most senior police officer has raised fears that home-grown organised gangs are waking up to the low risks and high rewards of cybercrime.

Sir Paul Stephenson, Commissioner of the Metropolitan Police, issued the warning in a Sunday newspaper article highlighting the importance of specialist officers. Debate around policing in the run-up to the Comprehensive Spending Review has so far been dominated by calls to preserve bobbies on the beat.

"At the moment, British criminals would probably have to buy 'packages' of bogus identities or virus kits from foreign criminal organisations. But for how long?" he wrote.

Sir Paul's warning challenges the common view that large-scale cybercrime is generally associated with Eastern European gangs. Only last week, the Met's Police Central e-Crime Unit (PCeU) charged 11 Estonians, Latvians and Ukrainians with stealing millions of pounds using bank details harvested by the Zeus Trojan.

Yet "there are disturbing signs that 'traditional' British organised crime is waking up to the profits and uses of e-crime," Sir Paul wrote.

"PCeU regularly receives calls from other Met units informing them that criminal gangs are using cyber communication to plan their crimes and launder the proceeds."

Traditionally, drug gangs would commit robberies to pay debts when they lost a shipment to law enforcement, but Sir Paul suggested the relative ease of cyber attacks makes them increasingly attractive to British career criminals.

"There is a risk that cyber crime will become their main source of cash flow," he wrote.

The PCeU was set up in 2008 and serves as the national unit for investigating cybercrime. However, the Home Office recently cut its small budget by 14 per cent, ahead of the CSR, which is expected to bring further cuts of about 30 per cent across policing.

Sir Paul concluded with a call to protect PCeU and other specialist units.

"We must... ensure that, if British crime gangs take up e-crime as enthusiastically as we fear, we can match the skills at their disposal. We must have the expertise to stay ahead of the criminals.

"Uniform officers alone will not keep the streets safe; specialist detectives are just as crucial to ensuring we are all better protected."

His article for The Sunday Telegraph is here.

Ministry of Sound floored by Anonymous

Ongoing denial of service attacks spearheaded by Anonymous have knocked out the website of the Ministry of Sound, as well as those of its payment provider and solicitors, Gallant Macmillan.

Macmillan is attempting to identify and sue individuals who allegedly uploaded music from the Ministry of Sound's music catalogue. Slyckr reports that the attacks against the MoS and associated websites started on Sunday evening (UK time).

The sites remain unavailable at the time of writing on Monday morning.

Its legal action marked the Ministry of Sound as a candidate for attacks launched by the loosely affiliated Anonymous collective against the entertainment business and, in particular, organisations that harass alleged file-sharers. Operation Payback is a bitch, which began two weeks ago, has already floored the websites of the MPAA, RIAA and ACS:Law.

A scorecard on these various attacks, detailing site downtimes, along with an interview with a member of Anonymous, can be found in a blog post by Panda Security here.

Hamfisted attempts to restore ACS:Law's website following the attack resulted in the publication of its email archives, allowing activists and journalists to pick through its business plans and tactics. ACS:Law's Andrew Crossley's dismissive remarks about the original assault in an interview with El Reg prompted the denizens of 4Chan to redouble their attack on the site, triggering a series of events that exposed the hugely embarrassing private email archive to world+dog.

Man vindicated for videotaping his own traffic stop

Sunday, October 3, 2010

Maryland state police were wrong to arrest and charge a man for taping his own traffic stop and posting it on YouTube, a judge ruled earlier this week.

Anthony Graber was charged with illegal wiretapping for recording plainclothes state trooper J.D. Uhler jumping from his unmarked sedan and drawing his gun -- and waiting a good five seconds before identifying himself as a police officer. The tape was shot with a conspicuous, helmet-mounted camera that captured the video and audio of the confrontation.

On Monday, a Maryland state judge stated in no uncertain terms that the felony charge never should have been filed.

"Those of us who are public officials and are entrusted with the power of the state are ultimately accountable to the public," Circuit Court Judge Emory A. Plitt Jr. wrote. "When we exercise that power in a public forum, we should not expect our activity to be shielded from public scrutiny.

"The stop took place on the side of a busy highway in full view of the public.

"Under such circumstances, I cannot, by any stretch, conclude that the troopers had any reasonable expectation of privacy in their conversation with the defendant which society would be prepared to recognize as reasonable."

In fairness to the trooper, the video shows Graber zigzagging in and out of traffic and, at one point, popping a wheelie at what appears to be close to 100 mph. The motorcyclist paid the ticket and thought that would be the end of it.

But after he posted the video on YouTube, police raided his home, hauled away his computers and the state's attorney charged him under a law that went onto the books before cell phones even existed.

Graber is one of an increasing number of US citizens who have been criminally charged for videotaping cops as they go about their official duties in public places. He was defended by the American Civil Liberties Union of Maryland.

5 Key Players Nabbed in Ukraine in $70-Million Bank Fraud Ring

Saturday, October 2, 2010

Ukrainian authorities have arrested five key suspects in a massive international bank fraud ring that used malware to steal at least $70 million from small businesses, municipalities, churches and others in the U.S.

The five are alleged to be part of a multi-national ring that includes about 60 other suspects who were arrested this week in the U.S. and the United Kingdom for their roles in schemes that used the Zeus malware to infect computers and steal bank log-in credentials from more than 300 victims in the U.S.

The ring attempted to steal $220 million from bank accounts but only succeeded in taking about a third of that, thanks to coordinated efforts by the Federal Bureau of Investigation with authorities in the U.K., the Netherlands and Ukraine.

The FBI wouldn’t disclose the names of the five suspects seized by Ukrainian authorities Thursday or indicate what role they played in the ring other than to say that at least $14 million in actual losses has been attributed so far to them specifically and that they were very proficient in utilizing the Zeus malware successfully.

But a bureau official, who asked not to be named, said the busts show that top criminal players are being taken out — not just the low-hanging fruit who operate as mules.

“These cyber criminals think that they are hiding over in a different country and are untouchable,” the official said. “This shows that we are working with our joint partners internationally and that [the criminals] can be held accountable for their actions.”

The ring began having success about a year and a half ago, the FBI source says, when they began targeting hospitals, universities, municipalities and small business across the country.

Hackers in East Europe would send targeted phishing e-mails to chief financial officers, accounting officers and treasurers at the victim organizations — people who would have access to an organization or company’s online bank accounts — and infect their computers with a Zeus trojan. The malware would steal the log-in credentials for the bank account, allowing the hackers to initiate money transfers out of the accounts, known as automated clearing house (ACH) transfers. The hackers were able to siphon huge sums in multiple transfers — in some cases hundreds of thousands of dollars from a single account — before the victim or bank realized what was happening.

In August, for example, thieves were able to purloin $600,000 from the Catholic Diocese in Des Moines in this manner.

On Tuesday, authorities in the UK announced they had arrested 20 suspects involved in the theft of at least $9 million from UK bank accounts. This figure could rise to $30 million as more evidence is amassed.

This announcement was followed on Thursday by one from U.S. authorities in New York who said they had charged 37 people from East Europe who served as so-called money mules and organizers.

These individuals, most of whom are 20-something East Europeans in the U.S. on student visas, were recruited on Russian social networking sites and elsewhere to aid the thieves. The students, once in the U.S., were given fake passports to open fraudulent bank accounts that were used by the hackers in East Europe to receive stolen funds from victim bank accounts. The mules then either transferred the money to other accounts outside the U.S. or withdrew it and smuggled cash bundles back to East Europe, keeping between 8 and 10 percent for their trouble.

The FBI source said that more than 3,500 mules have participated in the fraud operations in the U.S. alone, both U.S. citizens and foreign residents.

The mules often claim to be unwitting participants, asserting they were hired to help companies do what were characterized as legitimate payment processing. In the case of the Catholic Diocese in Des Moines, one mule told security blogger Brian Krebs that the money he helped process was going to be used as part of legal settlements for victims of clergy abuse.

The U.S. investigation into fraudulent ACH transfers, dubbed Operation Trident Breach, began in May 2009 when FBI agents in Nebraska learned of ACH transfers that were going to 46 different bank accounts throughout the U.S. As other cases popped up around the country, agents began to coordinate efforts. To date, the bureau has tracked 390 cases of ACH fraud that have resulted in 92 suspects being charged and 39 arrests. It’s unclear if they’re all related to one ring.

“This may all link back [to the same ring],” the FBI source said, “but at this point in time we don’t want to specifically state that it does. But this organization is one of the most significant . . . and most successful in their attacks on small and medium businesses.”

Although the arrests in the U.S. have nabbed mostly mules and their managers, the arrest of the five suspects in Ukraine hits at a higher echelon of the ring.

The FBI says the operation is a testament to the relationships it has developed in the last four years through attaches overseas and through cybercrime agents that are embedded in law enforcement agencies in Romania, Estonia, the Netherlands and elsewhere.

See also:

  • U.S. Charges 37 Alleged Mules and Others in Online Bank Fraud Scheme
  • British Raid Nabs 19 Suspects in $9 Million Online Bank Heist

New Clues Point to Israel as Author of Blockbuster Worm, Or Not

New clues released this week show a possible link between Israel and sophisticated malware targeting industrial control systems in critical infrastructure systems, such as nuclear plants and oil pipelines.

Late Thursday, security firm Symantec released a detailed paper with analysis of the headline-making code (.pdf), which reveals two clues in the Stuxnet malware that add to speculation that Israel may have authored the code to target Iran.

Or, they could simply be red herrings planted in the code by programmers to point suspicion at Israel and away from other possible suspects.

The malware, called Stuxnet, appears to be the first to effectively attack critical infrastructure and in a manner that produces physical results, although there’s no proof yet any real-world damage has been done by it. The malware’s sophistication and infection of thousands of machines in Iran has led some to speculate that the U.S. or Israeli government built the code to take out Iran’s nuclear program.

Symantec’s paper adds to that speculation. It also provides intriguing data about an update the authors made to it in March of this year that ultimately led to it being discovered. The update suggests the authors, despite launching their malware as early as June 2009, may not have reached their target by March 2010.

The code has so far infected about 100,000 machines in 155 countries, apparently beginning in Iran and recently hitting computers in China. Researchers still have no idea if the malware reached the targeted system it was designed to sabotage.

Liam O’Murchu, researcher at Symantec Security Response, said in a press call Friday that even though the malware’s command-and-control server has been disabled, the attackers can still communicate with infected machines via peer-to-peer networking. Symantec hopes that experts in industrial control systems who read their paper may help identify the specific environment Stuxnet was targeting.

“We hope someone will look at the values and say this is a configuration you’d only find in an oil refinery or power plant,” said O’Murchu. “It’s very important to find out what the target was. You can’t tell what [Stuxnet] does unless you know what it was connected to. ”

The code targets industrial control software made by Siemens called WinCC/Step 7, but is designed to deliver its malicious payload to only a particular configuration of that system. About 68 percent of infected systems in Iran have the Siemens software installed, but researchers don’t know if any have the targeted configuration. By contrast, only 8 percent of infected hosts in South Korea are running Step 7 software, and only about 5 percent of infected hosts in the U.S. do. An apparent “kill” date in the code indicates that Stuxnet is designed to stop working June 24, 2012.

The first clue that may point to Israel’s involvement in the malware involves two file directory names – myrtus and guava – that appear in the code. When a programmer creates code, the file directory where his work-in-progress is stored on his computer can find its way into the finished program, sometimes offering clues to the programmer’s personality or interests.

In this case, Symantec suggests the name myrtus could refer to the biblical Jewish Queen Esther, also known as Hadassah, who saved Persian Jews from destruction after telling King Ahasuerus of a plot to massacre them. Hadassah means myrtle in Hebrew, and guavas are in the myrtle, or myrtus, family of fruit.

A clue to Stuxnet’s possible target lies in a “do not infect” marker in the malware. Stuxnet conducts a number of checks on infected systems to determine if it’s reached its target. If it finds the correct configuration, it executes its payload; if not, it halts the infection. According to Symantec, one marker Stuxnet uses to determine if it should halt has the value 19790509. Researchers suggest this refers to a date — May 9, 1979 — that marks the day Habib Elghanian, a Persian Jew, was executed in Tehran and prompted a mass exodus of Jews from that Islamic country.

This would seem to support claims by others that Stuxnet was targeting a high-value system in Iran, possibly its nuclear enrichment plant at Natanz.

Or, again, both clues could simply be red herrings.

O’Murchu said the authors, who were highly skilled and well-funded, were meticulous about not leaving traces in the code that would track back to them. The existence of apparent clues, then, would belie this precision.

One mystery still surrounding the malware is its wide propagation, suggesting something went wrong and it spread farther than intended. Stuxnet, when installed on any machine via a USB drive, is supposed to spread to only three additional computers, and to do so within 21 days.

“It looks like the attacker really did not want Stuxnet to spread very far and arrive at a specific location and spread just to computers closest to the original infection,” O’Murchu said.

But Stuxnet is also designed to spread via other methods, not just via USB drive. It uses a zero-day vulnerability to spread to other machines on a network. It can also be spread through a database infected via a hardcoded Siemens password it uses to get into the database, expanding its reach.

Symantec estimates it took between 5 and 10 developers with different areas of expertise to produce the code, plus a quality assurance team to test it over many months to make certain it would go undetected and not destroy a target system before the attackers intended to do so.

The WinCC/Step 7 software that Stuxnet targets connects to a Programmable Logic Controller, which controls turbines, pressure valves and other industrial equipment. The Step 7 software allows administrators to monitor the controller and program it to control these functions.

When Stuxnet finds a Step 7 computer with the configuration it seeks, it intercepts the communication between the Step 7 software and the controller and injects malicious code, presumably to sabotage the system. Researchers don’t know exactly what Stuxnet does to the targeted system, but the code they examined provides a clue.

One value found in Stuxnet – 0xDEADF007 – is used by the code to specify when a process has reached its final state. Symantec suggests it may mean Dead Fool or Dead Foot, a term referring to an airplane engine failure. This suggests failure of the targeted system is a possible aim, though whether Stuxnet aims to simply halt the system or blow it up remains unknown.

Two versions of Stuxnet have been found. The earliest dates back to June 2009, and analysis shows the code was under continued development: the attackers swapped out modules that were no longer needed, replaced them with new ones, and added encryption and new exploits, apparently adapting to conditions they found on the way to their target. For example, the digital certificates the attackers stole to sign their driver files appeared in Stuxnet only in January 2010.

One recent addition to the code is particularly interesting and raises questions about its sudden appearance.

A Microsoft .lnk vulnerability that Stuxnet used to propagate via USB drives appeared only in the code in March this year. It was the .lnk vulnerability that ultimately led researchers in Belarus to discover Stuxnet on systems in Iran in June.

O’Murchu said it’s possible the .lnk vulnerability was added late because the attackers hadn’t discovered it until then. Or it could be they had it in reserve, but refrained from using it until absolutely necessary. The .lnk vulnerability was a zero-day vulnerability — one unknown to and unpatched by the vendor, and one that takes a lot of skill and resources for attackers to find.

Stuxnet’s sophistication means that few attackers will be able to reproduce the threat, though Symantec says many will try now that Stuxnet has taken the possibility of spectacular attacks on critical infrastructure out of Hollywood movies and placed it in the real world.

“The real-world implications of Stuxnet are beyond any threat we have seen in the past,” Symantec writes in its report. “Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.”

Graphs courtesy of Symantec

See also:

  • Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target
  • SCADA System’s Hard-Coded Password Circulated Online for Years
