Nasdaq admits hackers planted malware on web portal

Monday, February 7, 2011

Nasdaq admitted on Saturday that unidentified hackers had succeeded in planting malware on one of its portals.

The US stock exchange is keen to stress that trading systems were not affected by suspicious files found on Directors Desk, a web-based dashboard application used by an estimated 10,000 execs worldwide. In a statement, Nasdaq said that there was no evidence that customer information had been exposed by the breach.

The stock exchange had been asked to stay quiet about the attackers by DoJ investigators until at least 14 February, but it was obliged to go public earlier than planned after the Wall Street Journal broke the story last weekend. Nasdaq has begun the process of notifying customers about the security snafu, which was detected internally by its security screening systems.

Evil hackers subverting stock exchanges for their own gain has been a popular theme of haxploitation flicks for years. However, in reality, one of the few confirmed breaches of any stock exchange happened when a Russian Trading System was compromised by malware back in 2006, notes net security firm Sophos.

It adds that it is likely that the Directors Desk hack was designed to plant malware on the systems of users via drive-by-download attacks.

Late last month, it emerged that the London Stock Exchange and one of its counterparts in the US were in the process of investigating possible hacking attacks. Investigators are assessing whether a collapse in the trading price of five firms last summer might be explained by a breach in the open-source trading system used by the LSE. Officials had previously blamed the entry of incorrect prices for the snafu. An unnamed US exchange is also reportedly in the process of investigating a similar attack.

Anonymous pwns security firm that probed its membership

The Anonymous hacking collective took revenge on a security firm that had investigated its membership on Sunday.

HBGary Federal has been seeking to uncloak the identities of senior members of Anonymous involved in attacks against financial services firms, such as PayPal and Mastercard, that had suspended accounts run by WikiLeaks. The security consultancy had infiltrated IRC chat sessions and Facebook groups used by core members of the Anonymous collective.

In response, Anonymous did a number on HBGary by hacking into its email system and uploading 60,000 emails onto file-sharing networks. Anonymous also defaced HBGary's website with an image explaining their motives as well as taking over the Twitter feed of HBGary's chief exec, Aaron Barr, to tweet abuse as well as supposed details of his home address and social security number. LinkedIn accounts of other senior HBGary execs were also targeted for attack.

Anonymous also posted HBGary's research of the hacking collective, claiming that the names and addresses of Anonymous members gleaned by the firm are largely bogus. The techniques and methods employed during the attack remain unclear.

The assault is far more sophisticated than the usual denial of service attacks deployed by Anonymous volunteers against organisations that earn its displeasure, such as entertainment industry firms hassling file-sharing sites and the Church of Scientology, as well as those refusing to cash WikiLeaks' cheques.

The assault on HBGary follows the same pattern as a previous assault against ACS:Law, a controversial legal firm that ran a business sending threatening letters to alleged file-sharers.

HBGary's website had been replaced by an "under construction" holding page at the time of writing.

Zeus spreads giant arms wider

More websites host Zeus variants.

Increasing numbers of websites have been seen hosting various versions of the notorious Zeus Trojan, Trusteer has reported.

The volume of networks hosting command and control (C&C) servers for Zeus botnet swarms has also expanded, helping the threat to spread further, the security firm claimed.

Trusteer looked into the IP distribution of sites hosting the Trojan configurations as well, discovering the US was far and away the favourite place for Zeus to hang out.

Almost two-fifths of all Zeus configurations were found to be residing in the US, compared to the UK figure of just 3.5 per cent.

Russia had the second highest share of infections, with 21.6 per cent.

Analysts also mapped out where sites used as Zeus C&C platforms were accessible.

Almost a third were in the US over an 80-day period, with the UK down on six per cent.

“The increasing usage of automated registration and servicing systems on the internet means that human operator monitoring of hosted systems has become less frequent in those countries with good internet access,” Trusteer said in its report.

“As well as driving the cost of hosting downwards, this has the worrying effect of making it all too easy to register and set up a C&C and/or Zeus-infected website plus allied systems, and using the platform to infect the general internet user community.”

Zeus has become infamous in the security industry and remains one of the top threats facing businesses across the world today.

This article originally appeared at itpro.co.uk

Copyright © ITPro, Dennis Publishing


Egypt's net ruled by phone, not kill switch

BGP route withdrawals reversed.

A series of phone calls from Egyptian officials might have triggered the shutdown and subsequent reinstatement of internet connections in the country, experts say.

Egyptian internet connections were restored on Wednesday at 8.30pm in Sydney, after a government-imposed outage that lasted five-and-a-half days.

Craig Labovitz, chief scientist at Arbor Networks, saw the country's four largest internet service providers reappear on the global routing table within a half-hour period.

Noor Data Networks - the last to be disconnected - was also late to reconnect, coming online at 9.52pm according to network monitoring site BGPmon.

Arbor Networks' graph of Egyptian internet traffic.

"The return followed a similar pattern to the shutdown," Arbor's Labovitz told iTnews today.

"Following the BGP [border gateway protocol] route announcements, network traffic returned fairly quickly over the space of a half[-hour] or so."

The reconnection process mirrored last week's disconnection which, according to internet information provider Renesys, began with Telecom Egypt seconds before 9.13am in Sydney on 28 January.

Raya Telecom withdrew its border gateway protocol routes to the internet one minute later, followed by Link Egypt, Etisalat Misr and Internet Egypt in four to six minute intervals.

Narelle Clark, vice-president of the Internet Society of Australia, speculated that the networks were withdrawn "with about a phone call's timing".

"What we believe to have happened was a series of phone calls made to the big four Egyptian ISPs, as well as to Vodafone and MobiNil the mobile operators," she told iTnews.

"So [the internet access was controlled] not [with] a kill switch, per se, but an order from the top."

Earlier this week, the Internet Society warned that a rapid reinstatement of Egyptian networks could disrupt traffic in neighbouring regions.

Reconnected routes would spark a wave of traffic path updates that could cause interruptions as routing equipment incorporated the new information into their state tables, Clark explained.

But neither the society nor Arbor observed any technical flow-on issues arising from the reinstatement of Egypt's internet connections.

"The return of Egyptian routes generated some level of churn, but the level of churn was modest and well within normal, expected operational levels," Labovitz said.

"The churn did not create significant issues for other Internet providers in the region."
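The timeline above (one large network withdrawing its routes, a second a minute later, then the rest at four-to-six minute intervals) is the kind of pattern a network operator would want to spot automatically in a BGP monitoring feed, as distinct from the routine flapping of a single network. The following is an added example, not code from the article or from Arbor, Renesys or BGPmon; the route events, operator names and prefix counts are constructed for illustration and the thresholds (30-minute window, three distinct networks) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RouteEvent:
    when: datetime
    network: str      # operator label; hypothetical, not a real AS or company
    kind: str         # "withdraw" or "announce"
    prefixes: int     # number of prefixes carried by this update


# Constructed sample feed, modelled on the article's timeline: a first
# withdrawal, a second one minute later, then further withdrawals at
# four-to-six minute gaps. The ISP-F flap hours later is ordinary churn.
SAMPLE_FEED = [
    RouteEvent(datetime(2011, 1, 28, 9, 13), "ISP-A", "withdraw", 120),
    RouteEvent(datetime(2011, 1, 28, 9, 14), "ISP-B", "withdraw", 45),
    RouteEvent(datetime(2011, 1, 28, 9, 18), "ISP-C", "withdraw", 60),
    RouteEvent(datetime(2011, 1, 28, 9, 24), "ISP-D", "withdraw", 30),
    RouteEvent(datetime(2011, 1, 28, 9, 29), "ISP-E", "withdraw", 25),
    RouteEvent(datetime(2011, 1, 28, 15, 0), "ISP-F", "withdraw", 2),
    RouteEvent(datetime(2011, 1, 28, 15, 1), "ISP-F", "announce", 2),
]


def coordinated_withdrawals(feed, window=timedelta(minutes=30), min_networks=3):
    """Group withdrawals that start within `window` of each other and report
    every group in which at least `min_networks` distinct networks took their
    routes off the table. A lone network flapping is never reported."""
    withdrawals = sorted((e for e in feed if e.kind == "withdraw"),
                         key=lambda e: e.when)
    clusters = []
    i = 0
    while i < len(withdrawals):
        start = withdrawals[i].when
        group = [withdrawals[i]]
        j = i + 1
        while j < len(withdrawals) and withdrawals[j].when - start <= window:
            group.append(withdrawals[j])
            j += 1
        networks = sorted({e.network for e in group})
        if len(networks) >= min_networks:
            clusters.append((start, group[-1].when, networks))
        i = j
    return clusters


def churn_per_minute(feed):
    """Prefix updates per minute bucket: the 'churn' a neighbouring network
    has to absorb as its routers rebuild their tables."""
    buckets = {}
    for e in feed:
        key = e.when.replace(second=0, microsecond=0)
        buckets[key] = buckets.get(key, 0) + e.prefixes
    return buckets


if __name__ == "__main__":
    for start, end, nets in coordinated_withdrawals(SAMPLE_FEED):
        print(f"coordinated withdrawal {start:%H:%M}-{end:%H:%M}: {', '.join(nets)}")
    peak = max(churn_per_minute(SAMPLE_FEED).items(), key=lambda kv: kv[1])
    print(f"busiest minute {peak[0]:%H:%M} with {peak[1]} prefix updates")
```

The clustering is deliberately simple: it keys on distinct networks rather than raw update volume, because, as the article notes, the reconnection churn itself stayed within normal operational levels while the withdrawal sequence was the anomalous signal.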

Outage could cost more than $17.7 million a day

Mobile operator Vodafone reported that the Government had ordered it to shut down mobile services in Egypt until 29 January.

Vodafone was also forced to send nationalistic messages to the people of Egypt - an order that it criticised, but complied with.

"Vodafone Group has protested to the authorities that the current situation regarding these messages is unacceptable," it stated.

"We have made clear that all messages should be transparent and clearly attributable to the originator."

A spokesman would not elaborate on Vodafone's experience and views, declining to address questions about its business plans for the region.

The company reportedly hired 100 extra workers in New Zealand after temporarily shutting down a 180-seat contact centre in Cairo, Egypt, during violent protests.

According to a Forbes report, OECD estimates that the outage cost Egypt US$18 million ($17.7 million) a day were conservative and neglected to account for outsourcing, e-commerce and future business concerns.

After Google's regional head of marketing, Wael Ghonim, went missing in Cairo last Friday, the search giant has been appealing to the public for information on his whereabouts.

"A Googler, Wael Ghonim, is missing in Egypt," the company told iTnews this afternoon.

"The safety of our employees is very important to Google, so if anyone has any information please call the following U.K. number: +44 20 7031 300 or email infoaboutwael@google.com."

Before he disappeared, Ghonim asked his Twitter followers to "pray for Egypt".

"Very worried as it seems that government is planning a war crime tomorrow against people," he wrote last Friday.

"We are all ready to die."

Google operated a crisis response page and a "Speak to Tweet" service that allowed Egyptians to communicate online via voice telephone in the face of the internet blackout.

Others, like net activist group Telecomix, were monitoring amateur radio channels and provided virtual private networks and proxies to Egyptian activists who required online anonymity.

Copyright © iTnews.com.au . All rights reserved.


FCC Net Neutrality is a Regulatory Trojan Horse, EFF Says

Saturday, February 5, 2011

The Federal Communications Commission’s net-neutrality decision opens the FCC to “boundless authority to regulate the internet for whatever it sees fit,” the Electronic Frontier Foundation is warning.

The civil rights group says the FCC’s action in December, which was based on shaky legal authority, creates a paradox of epic proportions. The EFF favors net neutrality but worries whether the means justify the ends.

“We’re wholly in favor of net neutrality in practice, but a finding of ancillary jurisdiction here would give the FCC pretty much boundless authority to regulate the internet for whatever it sees fit. And that kind of unrestrained authority makes us nervous about follow-on initiatives like broadcast flags and indecency campaigns,” Abigail Phillips, an EFF staff attorney, wrote on the group’s blog Thursday.

And the paradox grows.

In a Friday telephone interview, Phillips was unclear how to solve the problem. What about an act of Congress? How about reclassifying broadband to narrow the FCC’s control of it?

“I’m not sure what I think the right solution is,” she answered.

The agency’s December action has already been attacked on multiple fronts, including two lawsuits.

One side of the debate has focused on claims the FCC overstepped its authority by adopting the principle that wireline carriers treat all internet traffic the same. A chorus of others complain that the FCC wimped out and didn’t go far enough when it comes to wireless carriers.

And the entire debate is littered with competing interests, including the mobile-phone carriers, internet service providers, private enterprise, developers, Congress and, last but not least, the public.

“In general, we think arguments that regulating the internet is ‘ancillary’ to some other regulatory authority that the FCC has been granted just don’t have sufficient limitations to stop bad FCC behavior in the future and create the ‘Trojan horse’ risk we have long warned about,” Phillips said.

But who can be trusted in this debate?

The answer opens Pandora’s box.


Videogame developer defies hacker threat

The publisher of the Runes of Magic videogame is defying a hacker who has threatened to release personal details and payment information on users.

The threats were made in posts to the Runes of Magic forum, promising dire consequences unless staff at games publisher Frogster were treated more fairly and the security of the site was improved. Augustus87 threatened an escalating campaign, starting with taking Frogster's servers offline before progressing towards the phased release of customer account details held by the German firm.

The post was quickly deleted from the forum, but not before it was captured and preserved for posterity in a blog post by Sophos, and elsewhere.

Augustus87 published personal information on 2,000 users, including billing information, in order to prove he had access to sensitive data and to show he wasn't bluffing. To take such an action while simultaneously claiming to be out to protect customers takes a remarkably "twisted logic", a spokesman for net security firm Sophos told El Reg.

Frogster deleted the data before posting a message saying that the information dated from 2007. It reset the passwords of compromised accounts before running a security review, as a statement by the firm explains.

Right after the publication of the attack, Frogster systematically inspected all of its systems for weak spots and backdoors and implemented new firewalls, new user privileges and passwords, as well as introducing further security measures.

Frogster takes protecting its players from these types of risks and threats very seriously and uses all means to contain and prevent them. At the same time, the publisher is pushing on with its continual process of expanding and optimising its technical infrastructure.

The games publisher is keen to emphasise that the vast majority of its subscribers were unaffected by the attack and were able to go on playing the game as normal.

Frogster Chief Operating Officer Dirk Weyel told GamesIndustry.biz in an interview that it had no intention of being coerced into anything by the hacker. Frogster has reported the matter to German police.

It's unclear whether a dedicated (obsessive) gamer or an insider carried out the attack. However, given the unusual list of demands by the hacker - which omits demands for payment - it wouldn't come as too much of a surprise if it turned out that he or she had some past or current affiliation with Frogster.

HMRC warns (again) over tax refund phishing scams

Friday, February 4, 2011

UK taxpayers were officially warned on Friday to have nothing to do with supposed tax refund emails that have begun circulating since the deadline for self-assessment tax returns expired on Monday.

The scam emails claim the recipients (prospective marks) are entitled to a tax refund, which can supposedly be claimed after handing over credit card and other banking details to a linked website. In reality, the replica site of the real HM Revenue & Customs (HMRC) that the email recipients are invited to visit is designed simply to con the gullible into handing over their banking credentials to fraudsters for later abuse. Victims who fall for the phishing ruse risk finding their bank accounts emptied rather than enriched and their personal information sold to other crooks through underground carding forums.

Over the last three months alone, HMRC has shut down 99 websites involved in fake tax rebate emails. Over the last 18 months, scam networks have been shut down in Austria, Mexico, the UK, South Korea, the USA, Thailand and Japan. Despite these enforcement actions and the ease of avoiding becoming a victim, the scam shows no signs of dying off any time soon.

Government officials say that legitimate tax refund applications are always processed by post rather than by email.

Chris Hopson, director of customer contact at HMRC, commented: "As a matter of policy, HMRC will only ever contact customers who are due a tax refund in writing by post. If anyone receives an email offering a tax rebate claiming to be from HMRC, we recommend they send it to phishing@hmrc.gsi.gov.uk before deleting it permanently."
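The article's two defensive facts, that genuine HMRC refund contact comes by post and that the scam works by pointing the recipient at a replica site on some other domain, translate directly into a mail-gateway check: a message that talks about a tax refund and carries links whose registered domain is not the organisation it claims to be from is a phishing candidate. The following is an added example, not code from the article or from HMRC; the sample email is constructed, the example.net and 203.0.113.5 hosts are documentation placeholders, and the public-suffix handling is a deliberately small approximation (only the common .uk second-level labels are treated specially).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registered_domain(host):
    """Reduce a hostname to its registrable domain. Simplified: treats
    gov.uk / co.uk / org.uk / ac.uk as public suffixes, everything else as
    'last two labels'. A real gateway would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in ("gov", "co", "org", "ac"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


REFUND_WORDS = re.compile(r"\b(tax\s+refund|tax\s+rebate|refund\s+claim)\b", re.I)


def offdomain_links(html, claimed_domain):
    """Links whose registrable domain differs from the claimed sender domain.
    Bare IP addresses and unrelated hosts both end up here."""
    extractor = LinkExtractor()
    extractor.feed(html)
    flagged = []
    for href in extractor.links:
        host = urlparse(href).hostname
        if host is None:
            continue
        if registered_domain(host) != claimed_domain:
            flagged.append(href)
    return flagged


def is_refund_phish(subject, html, claimed_domain):
    """Refund lure plus at least one off-domain link: quarantine and report."""
    return bool(REFUND_WORDS.search(subject + " " + html)) and bool(
        offdomain_links(html, claimed_domain))


# Constructed sample lure (not a real message): refund wording, a lookalike
# domain, a raw-IP link, and one genuine-looking link for contrast.
SAMPLE_SUBJECT = "HMRC: your tax refund is ready"
SAMPLE_BODY = """
<p>You are entitled to a tax refund of 243.70 GBP.</p>
<a href="http://hmrc-refund-claim.example.net/claim">Claim your refund</a>
<a href="http://203.0.113.5/hmrc/login">Secure login</a>
<a href="https://www.hmrc.gov.uk/">HMRC homepage</a>
"""

if __name__ == "__main__":
    for link in offdomain_links(SAMPLE_BODY, "hmrc.gov.uk"):
        print("off-domain link:", link)
    print("phish:", is_refund_phish(SAMPLE_SUBJECT, SAMPLE_BODY, "hmrc.gov.uk"))
```

Note that the check runs on the links, not on the From header, because the From header is trivially spoofed while the harvesting site has to be somewhere the recipient can actually reach.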

World leaders meet to discuss cyberwar rules of engagement

Rules of engagement for the deployment of cyber-weapons need to be developed, an international security conference is due to be told later today.

The influential EastWest Institute is due to present proposals for the cyberspace equivalent of the Geneva convention at the Munich Security Conference, which has included a debate on cyber-security on its agenda for the first time this year. Delegates to the conference include UK Prime Minister David Cameron, German Chancellor Angela Merkel, US Secretary of State Hillary Clinton and Russian Foreign Minister Sergei Lavrov.

The discussion on rules for cyber-conflict follows months after the infamous Stuxnet worm was blamed for infecting industrial control systems and sabotaging centrifuges at controversial Iranian nuclear facilities. Some have described the malware as the world's first cyber-weapon though cyber-espionage in many guises has undoubtedly been practiced by intelligence agencies across the world for many years.

Computer systems underpin the delivery of essential services, including utilities and telecoms as well as banking and government services. Critical national infrastructure systems are most commonly privately held, at least in the US and Europe. Although attacks against various critical systems are commonplace, they tend to be low-level information-stealing or denial of service exploits. Many independent experts in cyber-security dismiss talk of cyberwar as hype driven more by the marketing departments of US security contractor giants seeking a new market in cyberspace than by reality on the ground.

Others argue that cyberwarfare (or information warfare) risks are all too real and illustrated by the denial of service attacks that blitzed Estonia off the web and the Operation Aurora assaults against Google and other high-tech firms, as well as Stuxnet, a strain of malware that might inspire other forms of malware that attack industrial control kit, perhaps indiscriminately.

The rules of cyberwarfare seek to establish protected domains such as hospitals and schools that are off limits for attack. Proportionality in response to attacks and identifying the source of attacks are also likely to enter the debate.

British government sources told the BBC that they were not convinced of the need for a treaty governing conflict in cyberspace, while they conceded the need for a discussion on proportional response and, more particularly, on attributing the source of an attack. It is far more difficult to identify the source of a cyber-assault, which can easily be launched from networks of compromised PCs in third-party countries, than the origins of a conventional military assault, which is often preceded by the gathering of troops and tanks.

Government sources told BBC Newsnight: "How strongly should a state respond to an attack when you do not know who did it, where they did it from or what the intention was? In conventional military terms these questions are easier to answer; not so in the cyber-world."

Zero-day update duo to star in upcoming Patch Tuesday update

Microsoft plans to release a dozen bulletins on Tuesday, three of which address critical flaws.

The February Patch Tuesday batch includes a fix for a critical Windows thumbnail preview flaw as well as patching an equally serious flaw in how Internet Explorer handles Cascading Style Sheets (CSS). Each of these zero-day vulnerabilities has been exploited in limited hacking attacks.

The remaining updates address lesser flaws in Windows, Office, Microsoft's IIS web server software and Redmond's development platform, Visual Studio.

Net security services firm Qualys notes that a fix for a recently discovered MHTML flaw in Windows/Internet Explorer will not be addressed by the February Patch Tuesday update. Users are advised to apply Microsoft's workaround, pending the availability of a more comprehensive fix.

Times Editor Alarmed By Prospect of WikiLeaks Prosecution

NEW YORK — New York Times executive editor Bill Keller may not regard Julian Assange as a journalistic peer, but he made clear Thursday that he doesn’t think the WikiLeaks founder should face criminal prosecution in the U.S.

Keller joined his counterpart from Britain’s Guardian newspaper and a prominent Harvard Law School professor on a panel at Columbia University on Thursday to discuss Wikileaks, the secret-spilling website that has been publishing U.S. diplomatic cables and battlefield reports from Iraq and Afghanistan.

“Whatever one thinks of Julian Assange, American journalists should feel a sense of alarm” about a potential prosecution of the Australian hacker, said Keller.

Since last year, when Wikileaks published vivid footage of a U.S. helicopter shooting people — including two Reuters employees — the site has become a flashpoint in a rancorous debate over national security, free speech, and journalism.

U.S. Attorney General Eric Holder has said the government is investigating the breach, and many politicians have called for Assange, who is currently in London, to be brought to the United States and put on trial.

So far only one person has been arrested over the leak, a 23-year-old U.S. Army Private First Class named Bradley Manning, who is currently being held in maximum security in the Marine Corps Brig in Quantico, Virginia.

Jack Goldsmith, a Professor at Harvard Law School, and a former Assistant Attorney General, told the panel moderator Emily Bell, the Director of the Tow Center for Digital Journalism at Columbia, that a U.S. attempt to prosecute Assange would face two major challenges.

First, the government would face difficulty in extraditing Assange to the U.S., Goldsmith said, because of the “political offense exception,” which might allow the U.K. to deny an extradition request.

Second, an actual prosecution of Assange would be very difficult, Goldsmith said. No journalist has ever been successfully prosecuted for disclosing government secrets.

“It would be a very momentous step to bring this prosecution,” Goldsmith said. “I’d imagine there’s a great deal of discussion about the seriousness of bringing such a prosecution because of the implications for the First Amendment and the press generally.”

Goldsmith said he believes a prosecution will be mounted, but predicted that it will not succeed.

Guardian editor Alan Rusbridger described Assange as a kind of hybrid entity who wears “different hats” at different times — source, entrepreneur, partner, and editor. “Assange is building the brand of Wikileaks, and good luck to him,” he added.

But while Goldsmith distinguished between Wikileaks and The New York Times as journalistic institutions, he said that Wikileaks is “functionally equivalent to what Bill [Keller's] national security reporters do every day.”

Those reporters can sometimes become the targets of hackers themselves. Keller said that The Times is currently investigating suspicious activity on the email accounts of three of his reporters. He said three staffers had “virtually identical eruptions on their email accounts” and added that a forensic expert said the accounts were hacked. He declined to go into further details.

Goldsmith argued that Wikileaks should be viewed as part of a larger trend over the last decade or so, during which time the spread of the internet and the proliferation of broadband access has rocked journalism and the media business more broadly.

“This is part of a larger continuum of the digitization of information and the great difficulty the government has in keeping secrets,” Goldsmith said. “There’s going to be an arms race between the government and the media, because the government will lock itself down. And I think the government will ultimately lose that arms race.”


Beware 'I heart U' spam

Valentine's Day attacks may steal your identity or install malware on your PC.

While shops are stocking chocolates, cards and roses for Valentine's Day, cybercriminals are gearing up for the day of love, researchers say.

There are at least 50,000 unique Valentine's Day-themed spam emails in circulation, said David Perry, global director of education for anti-virus maker Trend Micro.

Many spoof well-known floral companies and supposedly offer discounts on flowers or Valentine's Day merchandise.

“Don't trust any unsolicited email, ever,” Perry said.

A campaign aims to trick lovers into parting with their email addresses when unsubscribing from future offers, Cristina Buenviaje, an anti-spam research engineer at Trend Micro, wrote in a blog post Wednesday.

The messages, which come with the subject line “Send your Valentine Flowers – from $19.99 with a vase” have a legitimate-looking advertisement for discounted flowers. Clicking an “order now” button redirects users to a site that says the offer is no longer available. 

Suspicious users who try to unsubscribe are redirected to a page that tells them to enter their email address to stop receiving messages.

“Users should never unsubscribe from anything they didn't subscribe for in the first place,” Buenviaje wrote. “Entering your email address into this page is like handing it over to spammers.”

Other threats could come from e-cards, which may even look like they were sent by a love interest, Perry warned.

With fake e-cards, users are often told they need to install software to view the card, said Randy Abrams, director of technical education at anti-virus maker ESET. But the software usually leads to rogue anti-virus programs or other malware being installed on a victim's PC. 

Users should be careful not to click on links or attachments contained in unsolicited emails or instant messages.

Meanwhile, researchers at ESET have already discovered malware on sites with the word “valentine” in the URL, Abrams said.

“Typically, as we get much closer to Valentine's Day, we see an increase in attacks,” he said.

Cybercriminals will likely use search engine optimisation tactics to “poison” Valentine's Day web queries so their malicious links appear near the top of search results.

“Searches related to Valentine's Day start to surge at this time each year,” Abrams said.

“The criminals know what people are looking for and will try to snare users by optimizing results to drive traffic to their malware.”

Attackers will also likely distribute Valentine's Day-themed malware campaigns on social networking sites such as Facebook, Perry said.

This article originally appeared at scmagazineus.com

Secure Computing Magazine


Cloud comes to Websense Triton

Data-loss prevention and hybrid deployment in a box.

Websense has rebranded its year-old Triton product to include software-as-a-service features.

The solution that combined web, data and email security was enhanced to become the Websense Triton Security Gateway Anywhere. It combined Websense's web and email security gateway technology and the hybrid deployment and data-loss prevention technology into the unified content security gateway.

Websense said it consolidated on-premises email and web security on a Websense V-Series appliance with cloud components.

David Meizlik, director of product marketing for web and data security at Websense, said the new version upgrades email security.

“The best part is that it is fully expandable and you can build it up by adding a licence key and it all comes from Websense,” Meizlik said.

He said the company has offered such technology for four to five years and it was built in to add a full data content security capability to ensure compliance and protect data.

“If you want to expand your DLP you can do it on a single appliance.

"We are migrating existing customers to the new appliance with new capabilities. This is a big deal for us, but our other vendors focus on the perimeter or endpoint and we are focusing on the middle on content security.”

Also included in this release is support for Websense web security on the V-Series appliance to provide web filter customers with security, consolidation and expandability to other Triton services.

This article originally appeared at scmagazineuk.com

Secure Computing Magazine


Sony PS3 rootkit rumours rubbished

Suggestions that Sony has added a rootkit with the latest firmware update to its PS3 console have been denounced as bunkum by a leading gaming security expert.

Rumours began flying on the interwebs earlier this week that the official 3.56 firmware upgrade for Sony's consoles gave the consumer electronics giant the ability to execute code on the PS3 as soon as a user goes online.

Sony can use the technology to verify system files or to look for home-brewed games, it was suggested. More sinister still, it was warned, the code can be updated without further firmware updates.

The more excitable elements of the gamer community as well as tech blogs and gaming sites cried foul over the move, with many describing it as the introduction of hidden "rootkit-style" functionality.

But Chris Boyd, a security researcher at GFI Security who has studied the security of online games for several years, points out the development is not new since Sony wrote the ability for it to do remote updates into its terms and conditions since at least 2006.

"It's been known for a while that a networked PS3 will contact Sony servers at start up (whether it has an active PlayStation network account on it or not), which performs various tasks related to error logs, updates and other activities," Boyd (aka Paperghost) told El Reg.

Anyone using a PS3 agrees in the terms of service to allow their console to perform these tasks.

Mark Russinovich found a rootkit in Sony CDs back in 2005, provoking a huge privacy outcry. This has led some enthusiasts and bloggers to suggest that history is repeating itself with the PS3 firmware upgrade.

The PS3 firmware upgrade is nothing like as malign, argues Boyd, who has spoken on X-Box and online gaming security at several security conferences. "Comparing a last ditch attempt at blocking hacks and custom firmware to the truly dreadful CD rootkit is mind boggling."

Sony bundled ill-conceived copy-protection on its music CDs that meant a rootkit was installed if they were played on Windows PCs. This created a vulnerability on affected machines later latched onto by malware writers. Sony withdrew the technology following an outcry.

Comparing this to the PS3 firmware update misunderstands what has actually been done or the practical risks of the move, according to Boyd.

"This is only really a concern if you're interested in modding - otherwise I'm not convinced there's a 'threat' as such," Boyd told El Reg. "I'm still waiting for someone to explain how this 'PS3 rootkit' could be used to run unsigned malicious code on a non-jailbroken box," he added.

Sony recently earned the enmity of the gamer and security communities by suing hackers who figured out a way to run unsigned code on PlayStation 3 consoles without the use of a dongle. The blogiverse has been inclined to ascribe the worst possible motives to anything Sony has done with a console since, regardless of whether it's actually new or how what it's doing sits against other potential threats.

Boyd, who has been vocal in criticising the lawsuits against the PS3 hackers such as geohot, nonetheless argues that gamers need to get a grip. "People will happily download homebrew from Basement Bob which could steal logins/credit card details, but code from the console maker is evil?"

Analysis: The legal means to cut net access

Under what conditions could the Australian Government cut net access?

With internet services cut in Egypt as a desperate Government response to political unrest, the question has inevitably been asked: "Could it happen here?" David Havyatt believes it can, but only if Australian democratic values were turned on their head.

As Egypt followed Tunisia with mass protests in response to corruption, the country's communications have progressively been disabled under Government orders.

These events, combined with the recent debate at home over internet filtering, have naturally led to discussions as to whether the same controls are available to the Australian Government. Most of these discussions have focused on whether freedom of speech could be used as a legal defence by service providers against a shut-down order.

There are three things a Government needs to be able to interfere with communications; the first is the legal authority, the second is the technical capability, but the third and most crucial is the political power.

Critics of the proposed Internet filter have been concerned that it creates the technical capability in every ISP network to block access to designated sites.

But the enabling legislation we have seen so far has specified the criteria for sites to be added to the list. The Government wouldn't have the authority to order that a new site simply be added. To use the filter in this way would be outside the Government's authority.

To make it happen requires political power to have either individuals or corporations directed to comply, or the ability to direct forces to coerce compliance. If the filter debate is any guide, Australian ISPs would be unlikely to respond to an instruction to start blocking access to major sites without the threat of coercive force.

The filter is not, however, the only basis by which Government (or the authorities) could seek to restrict access to communications services. There are significant provisions in the Telecommunications Act 1997.

Section 313 of the Act is a wide ranging requirement for carriers and service providers to provide "help" to enforce law and safeguard national security. The section implies that help is limited to other existing powers like interception and access to stored communications and couldn't be used to disconnect services. So no joy for any aspiring dictators there.

Under section 315 of the Act, the police may ask a carriage service provider to suspend supply of a carriage service if an individual with access to the service has or is likely to take a life.

After several days of discussions with various Government agencies, it seems nobody fully understands what possible scenario could enable a Government to use this law to ask its agencies to force the industry to cut internet access.

My questions have been passed from the Attorney-General's Department to the Department of Broadband (DBCDE), in turn passed to the communications regulator (ACMA) then back to Attorney General again. Hot potato!

The Attorney General's Department instead highlighted the wider powers of section 581 of the same Act, but were again unable to respond as to what scenarios would see these provisions used.

Under section 581 the Attorney-General could direct a carrier or service provider to cease supply or use of a service that is "prejudicial to security". This direction is about the suspension of an entire service, not service to an individual.

To understand this section, it's best to head to the glossary.

Security is as defined under the Australian Security Intelligence Organisation Act 1979, as "the protection of, and of the people of, the Commonwealth and the several States and Territories from: espionage; sabotage; politically motivated violence; promotion of communal violence; attacks on Australia's defence system; or acts of foreign interference; whether directed from, or committed within, Australia or not."

A lot hinges on whether mass rallies - as we have seen in Egypt - constitute communal violence. As the provision is explicitly crafted as a security provision it is unlikely that it would be found unconstitutional under the "implied freedom of speech" which the High Court has previously found.

So from an authority perspective, there are in fact grounds for an Australian Government to cut internet access - in extreme circumstances.

But here is a big disclaimer. The kinds of events we are seeing in Egypt, and Tunisia before it, are not the kind of events that occur in democratic societies governed by a rule of law. They are usually occurring in States where the rulers have near dictatorial powers.

These States are usually supported by "national security forces" that do the bidding of the dictator. In Egypt it has been noted that the bulk of the military are joining the protestors, just as the Russian military did in 1917.

Let's just assume for a moment the unlikely scenario of an Australian Government that had turned rogue, assuming dictatorial powers (perhaps dressed up as a response to some threat).

As has previously been discussed, cutting Australia off from the Internet would be a relatively simple matter, as there are only a small number of cable connections to the country. There are only four cables on the East Coast and one cable on the West to interfere with. The initial plans of NBN Co proposed to have all domestic communications flowing through fourteen points of interconnection.

But even if technically feasible, our security forces would be unlikely to support any action to cut internet access. Whether the country can be cut off from the Internet doesn't rest on questions of technical feasibility nor on the existence of appropriate laws or the constitutionality of those laws. It ultimately rests on the political power of the Government.

So the best defence against the risk of something like this happening is the values we teach to our citizens and our security forces. Would they value the internet enough to resist such an exercise of political power?

The Internet is a democratising and empowering force - it has featured in many recent popular uprisings, for organising events and communicating with the outside world. It has provided to authorities both challenges (its routing structure can survive the failure of any node) and opportunities to exert control (communications are easy to intercept and map).

But ultimately we should remember that what the internet has achieved today owes a debt to the values of the societies that fostered its development.

Copyright © iTnews.com.au. All rights reserved.


Consumers urged to step up wireless security

Consumers are once again being urged to use the latest (WPA2) encryption technology and apply strong passwords to protect home networks from snooping and other attacks.

The call comes in a survey by industry trade body the Wi-Fi Alliance, which warned on Wednesday that "borrowing" access to unprotected Wi-Fi networks is still commonplace. A poll by the Wi-Fi Alliance, conducted by Wakefield Research, found that one-third (32 per cent) of respondents said they had attempted to get onto a Wi-Fi network that wasn't theirs, well up from the 18 per cent recorded in an equivalent December 2008 poll.

By contrast, two in five (40 per cent) of respondents said they would be more likely to trust someone with their house key than with their Wi-Fi network password. Sharing a Wi-Fi password was more personal than sharing a toothbrush, according to a quarter. Wi-Fi Alliance execs compared good password security on wireless networks to car safety measures most people have taken for granted for years.

"Most consumers know that leaving their Wi-Fi network open is not a good thing, but the reality is that many have not taken the steps to protect themselves," said Kelly Davis-Felner, marketing director for the Wi-Fi Alliance. "Consumers can usually activate Wi-Fi security protections in a few simple steps, but much like the seatbelts in your car, it won't protect you unless you use it."
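The advice above (WPA2 plus a strong passphrase) can be checked mechanically on the access-point side. The script below is an added example, not from the article or the Wi-Fi Alliance: it parses hostapd-style configuration text and flags the weak settings the survey warns about (open or WEP networks, WPA1/TKIP, short passphrases). The three configurations are constructed, and the 12-character passphrase threshold is this example's own choice, not a hostapd rule.

```python
"""Audit hostapd-style access-point config text for weak wireless settings.

Added example. The configs below are constructed for illustration; the
passphrase-length threshold is an assumption of this example.
"""

# Constructed: an open network (no wpa= line at all).
OPEN_CONF = """\
interface=wlan0
ssid=HomeNet
# no wpa= setting: traffic is sent in the clear
"""

# Constructed: WPA1 with TKIP and a dictionary-word passphrase.
WPA1_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

# Constructed: WPA2 with CCMP (AES) and a long passphrase.
HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2011
"""

MIN_PASSPHRASE_LEN = 12  # assumption for this example; hostapd itself accepts 8..63


def parse_conf(text):
    """Turn key=value lines into a dict, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    conf = parse_conf(text)
    findings = []
    wpa = conf.get("wpa")
    if wpa is None:
        # hostapd configures WEP through wep_key0..3 / wep_default_key.
        if any(k.startswith("wep_") for k in conf):
            findings.append("WEP in use: trivially broken, move to WPA2")
        else:
            findings.append("open network: no wpa= setting, traffic is unencrypted")
        return findings
    # wpa=1 is WPA only, wpa=3 is WPA+WPA2 mixed mode; both admit WPA1 clients.
    if wpa in ("1", "3"):
        findings.append(f"wpa={wpa} permits WPA1 clients; set wpa=2")
    # rsn_pairwise (WPA2) defaults to wpa_pairwise (WPA) when absent, so check both.
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP cipher enabled; use CCMP only")
    passphrase = conf.get("wpa_passphrase", "")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(f"passphrase too short ({len(passphrase)} chars)")
    return findings


if __name__ == "__main__":
    for name, conf in [("open", OPEN_CONF), ("wpa1", WPA1_CONF), ("hardened", HARDENED_CONF)]:
        print(name, audit(conf) or "ok")
```

Run it as a script to see the open and WPA1 configurations flagged and the hardened one pass; the same `audit` function can be pointed at a real `hostapd.conf` read from disk.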

Scanner snares senior servant

A Federal public servant in Australia's Department of Resources, Energy and Tourism has learned the hard way that a policy against using departmental computers to access pornography goes home with the laptop.

In a ruling handed down on Monday (January 31), the Federal Court of Australia has dismissed the 25-year public servant's appeal against his dismissal for viewing pornography on his employer's laptop, even though it only took place at home.

The pornography seems to have been mild enough. In a detail that has titillated headline-writers at the Sydney Morning Herald, the search term that ended the public servant's career was "knockers".

However, according to the Federal Court judgment, the material viewed counted as pornography and, as such, violated the department's policy. This policy states:

Employees are prohibited from using Departmental ICT facilities to deliberately access, display, download, distribute, copy or store:

  • pirated software and/or material;
  • racist material; pornography; or
  • links to such material.

Justice Nye Perram found that even at home, since the laptop belonged to the department, the policy still applied.

Titillating, but not unfair

To assess the decision, I need to get behind the tabloid-ish titillation that even a broadsheet enjoys when using the word "knockers" in a headline.

The judgment isn't much about pornography. That word appears only about 30 times in a judgment running to nearly 9,000 words. What was at stake here was whether the Department that owned the laptop could apply a policy that went home with the employee if he took the laptop home.

Justice Perram has said yes.

The department ran a logging and monitoring environment (Spector 360) specifically to ensure that its computers were used in line with its policies, even away from the office. Justice Perram notes that as well as Web browsing, all emails, attachments and instant messages are also recorded by Spector 360, which filed the 30-second snapshots with servers in the department. It was this software that flagged keywords such as "knockers" and landed the staffer in hot water.

The judgment also points out that the employee was a member of the department's IT sub-committee, which in the judge's mind ruled out the idea that the dismissal might be unfair because the employee didn't know or understand the extent of the logging.

The decision and the stories surrounding it are probably not welcome among those vendors selling monitoring and logging software. Those vendors have been at pains to portray themselves as benign, since their role is to protect business networks against being compromised by careless employees, to protect employers against cyber-slacking, and to make sure that unpleasant stories such as sexual harassment cases don't land on employers because of what pops up on an employee's screen in front of others.

The question now going around the internet is whether or not the logging was fair.

While it's easy and glib to invoke the privacy of his own home in defence of the unlucky public servant, the problem is as Justice Perram noted: he knew about the monitoring, he knew about the policy, and he knew that the laptop belonged to his employer.

Any member of the Senior Executive Service, the Sir Humphrey Appleby stratum of the Australian public service, has at least the spare change to buy a personal laptop for his or her own use. And this doesn't just apply to searching for "knockers": if anyone sends a private email they don't want copied to the boss, it makes sense to separate the personal machine from the professional. It's probably also prudent to keep other personal logins, such as bank accounts and credit cards, away from a monitored and logged office computer.

One other question remains. According to Spector 360, the software does more than just monitor and report activity: it can also block websites. If "knockers" are so offensive that they fall outside the department's porn rules, and the laptop belongs to the department, why not just block the results?

It would have saved everybody a lot of time and money.

2010: the year of the DDoS

Anonymous to blame.

In a year where the distributed denial-of-service was a by-word for a politically-motivated attack, Arbor Networks' sixth annual worldwide infrastructure security report said that the attacks became mainstream as many were against popular and well-known targets.

Roland Dobbins, solutions architect at Arbor Networks, said Arbor was finding that the size of the largest packet DDoS increased dramatically year-on-year. He said that it was 49GB a second in last year's report and the likelihood is that it is now looking at attacks of 100GB a second.

“That is a 102 percent year-on-year increase and in the time we have been doing these surveys, there has been an increase of 1000 percent in five years," Dobbins said.

“Even with the largest firewall, it is easy for botnets to pass inspection so legitimate users cannot access services. It is a systematic failure. The internet infrastructure is getting fragile.”

“We are seeing a significant increase in the number of respondents who say that they will see ten or more DDoS attacks a month, and nine times out of ten they target the end-user and not the service provider.”

Luis Corrons, technical director at PandaLabs, pointed the finger at the loose-knit hacker collective known as Anonymous for bringing such attacks to prominence.

“It is not because of the tools, they were already there but Anonymous got attention because of people and the media. The tools were there, they did not create it.

“It is easier to do; we released a black market report talking about different services, and they do not need to do anything. The tools are at every level of service and became more and more common, and we see more cyber criminal activity.”

The report claimed that application-layer DDoS attacks were increasing in sophistication and operational impact, as 77 percent of its respondents detected application-layer attacks last year.

These attacks target customers and their supporting services, such as domain name systems and web portals.

Data centre operators and mobile/fixed wireless operators reported that application-layer DDoS attacks are leading to significant outages, increased operational expenditures, customer churn and revenue loss.

This article originally appeared at scmagazineuk.com

Secure Computing Magazine


Waledac botnet operators amass 500,000 email credentials

Waledac botnet was rebuilt from scratch and is on the attack again.

After being effectively dismantled last year by a judge's ruling, the Waledac botnet has made a resurgence, and its operators are now in control of a cache of stolen credentials, according to researchers at security firm LastLine.

Researchers were recently able to get an “inside view” of the botnet and discovered that its operators have control of a huge amount of stolen FTP and email credentials, Brett Stone-Gross, a developer and threat analyst at LastLine said on Wednesday. The stolen credentials may have been bought on the underground market or extracted from compromised machines.

Specifically, those behind the botnet are harboring nearly 500,000 email credentials, which likely will be used to deliver spam, Stone-Gross said. Using the stolen credentials to authenticate as the sender before pushing out spam, attackers can bypass IP-based email filtering systems.

“The benefit is that you are using a legitimate mail server rather than compromised machine to send the email,” Stone-Gross said. “IP-based blacklists are pretty much useless at that point.”
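Because the spam leaves a legitimate mail server, the defender's signal moves from the sending IP to the authenticated account itself. The script below is an added example, not from the article or from LastLine: it reads simplified mail-submission log lines (a constructed format, with constructed entries using documentation IP ranges) and flags accounts whose authenticated submissions inside a ten-minute window come from too many distinct source IPs or carry too many recipients, the pattern a stolen credential driven by a botnet tends to leave. The window and thresholds are this example's own assumptions.

```python
"""Flag mail accounts whose authenticated submissions look like a stolen
credential being driven by many bot-infected hosts.

Added example. Log format, thresholds and all log lines are constructed
for illustration and are not from any real mail server.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed submission log: timestamp, authenticated account, source IP,
# recipient count. IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2011-02-09T10:00:01Z auth=alice@example.com src=198.51.100.7 rcpts=2
2011-02-09T10:00:09Z auth=bob@example.com src=203.0.113.10 rcpts=40
2011-02-09T10:00:12Z auth=bob@example.com src=203.0.113.44 rcpts=38
2011-02-09T10:00:15Z auth=bob@example.com src=192.0.2.99 rcpts=45
2011-02-09T10:00:20Z auth=bob@example.com src=198.51.100.200 rcpts=41
2011-02-09T10:00:25Z auth=bob@example.com src=203.0.113.77 rcpts=39
2011-02-09T10:05:00Z auth=alice@example.com src=198.51.100.7 rcpts=1
2011-02-09T10:30:00Z auth=carol@example.com src=192.0.2.5 rcpts=60
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime and int rcpts."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["rcpts"] = int(rec["rcpts"])
    return rec


def find_abused_accounts(log_text, window=timedelta(minutes=10),
                         max_ips=3, max_rcpts=100):
    """Return {account: reason} for accounts whose activity within any
    sliding window exceeds the distinct-IP or recipient-volume threshold.

    Thresholds are assumptions for this example; tune them per deployment.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            events[rec["auth"]].append(rec)

    flagged = {}
    for account, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            ips = {r["src"] for r in in_window}
            rcpts = sum(r["rcpts"] for r in in_window)
            if len(ips) > max_ips:
                flagged[account] = f"{len(ips)} distinct source IPs within {window}"
                break
            if rcpts > max_rcpts:
                flagged[account] = f"{rcpts} recipients within {window}"
                break
    return flagged


if __name__ == "__main__":
    for account, reason in find_abused_accounts(SAMPLE_LOG).items():
        print(f"{account}: {reason}")
```

In the constructed sample only bob@example.com is flagged: five different source addresses authenticate as him within sixteen seconds, which no single user does, while carol's one large send stays under the recipient threshold. A real deployment would act on a hit by forcing a password reset and revoking the account's SMTP AUTH sessions rather than by blocklisting the server's own IP, which is exactly the control the quoted researcher says no longer helps.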

Waledac botmasters also have amassed nearly 124,000 credentials to FTP servers. Those behind the botnet use an automated program to login to these servers and upload files that redirect users to sites that serve malware or promote pharmaceuticals.  

Last month, researchers discovered 222 websites that had been compromised with this method.

“The Waledac botnet remains a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses,” Stone-Gross wrote in a blog post Wednesday.

A federal judge last February ordered the takedown of nearly 300 domains being used to provide instructions to malware-infected computers, effectively incapacitating Waledac. Later in the year, it seemed the fight to dismantle the botnet was over when Microsoft was granted ownership of the domains.

But despite the security community's best efforts, those behind Waledac began sending out fake e-cards late last year aiming to infect users with malware as a means of rebuilding the botnet, Stone-Gross said.

Criminals have also set up new command-and-control servers to send instructions to infected machines.

“Microsoft took out the command-and-control infrastructure so infected machines couldn't receive instructions,” Stone-Gross said.

“They had to reconstruct the botnet from scratch.”

Around the beginning of the year, botmasters shifted their efforts to money-making ventures and began sending unwanted messages redirecting users to Canadian pharmacy sites that sell cheap drugs, he added.

“Despite [Microsoft's] success last year, it is impossible to monitor and shut down every malicious site as quickly as the perpetrators set them up,” Adam Bosnian, vice president of the Americas at security firm Cyber-Ark said.

“Cybercriminals will continue to find new ways to perpetrate malicious activity on unsuspecting individuals.”

This article originally appeared at scmagazineus.com

Secure Computing Magazine


British Border Agent Fired for Putting Wife on Terrorist Watch List

A UK border agent lost his job after authorities discovered he’d placed his wife on a terrorist watch list in an attempt to rid himself of her.

The woman was left stranded in Pakistan for three years because she was unable to fly back to the UK after visiting relatives, according to the Daily Mail.

The agent’s act was only detected after he applied for a promotion, and a background check revealed that his wife was on the watch list. He was reportedly sacked for “gross misconduct.”

The unidentified agent worked at the UK Border Agency’s headquarters in South London. He worked with a unit that was responsible for maintaining the watch list. His promotion would have given him an even higher security clearance.

Photo: Dan Paluska/Flickr

See also:

  • No Fly List Includes the Dead
  • Eight-Year-Old on TSA Terrorist Watch List Gets Frisked
  • Former DOJ Official Caught on Terror Watch List
  • Threshold for Getting onto No-Fly List Lowered
  • FBI: 19,000 Matches to Terrorist Screening List in 2009

No, Hackers Can't Open Hoover Dam Floodgates

The U.S. Bureau of Reclamation is shooting down a key legislative talking point: that the internet “kill-switch” legislation is needed to prevent cyberterrorists from opening the Hoover Dam’s floodgates.

The brouhaha started last week, when legislative aides on the Homeland Security and Governmental Affairs committee offered Threat Level examples of why the Protecting Cyberspace as a National Asset Act was needed. The bill, one aide said, would give the president the power to force “the system that controls the floodgates to the Hoover Dam” to cut its connection to the net if the government detected an imminent cyberattack.

At a panel in Washington last week, a GOP staffer working on the bill was even more terrifying. “We are very concerned about an electronic control system that could cause the floodgates to come open at the Hoover Dam and kill thousands of people in the process,” said Brandon Milhorn, staff director of the Senate Homeland Security and Governmental Affairs Committee. “That’s a significant concern.”

It turns out, though, that all the Hoover Dam doomsaying doesn’t sit well with the Bureau of Reclamation, which runs the power-generating facility on the Arizona-Nevada state line.

“I’d like to point out that this is not a factual example, because Hoover Dam and important facilities like it are not connected to the internet,” Peter Soeth, a spokesman for the bureau, said in an e-mail. “These types of facilities are protected by multiple layers of security, including physical separation from the internet, that are in place because of multiple security mandates and good business practices.”

The Hoover Dam, which provides hydroelectric power to Arizona, Nevada and California, has featured in cybarmageddon scenarios since at least 2001. In June of that year, USA Today claimed in an article on cyberterrorism that hackers “might send a worm to shut down the electric grid in Chicago and air-traffic-control operations in Atlanta, a logic bomb to open the floodgates of the Hoover Dam and a sniffer to gain access to the funds-transfer networks of the Federal Reserve.”

Fast-forward a decade later, and the same argument is being made for the proposed kill-switch legislation.

Soeth said in a telephone interview that the bureau had recently contacted backers of the legislation to set the record straight.

Meanwhile, in the wake of Egypt’s internet blockade, supporters of the U.S. legislation are rushing to make the case that they’re not trying to give the president the emergency power to similarly kill American internet access.

Sens. Joe Lieberman (I-Connecticut), Tom Carper (D-Delaware) and Susan Collins (R-Maine), who are behind the proposal, put out a statement Tuesday saying, “We would never sign on to legislation that authorized the president, or anyone else, to shut down the internet.”

The “emergency measures in our bill apply in a precise and targeted way only to our most critical infrastructure — the networks and assets most essential to the functioning of society and the economy — to ensure they are protected from destruction,” the statement reads.

The legislation is expected to be introduced soon to the Senate Homeland Security and Governmental Affairs Committee. That committee approved the bill in December, but it expired when a new Senate took office last month.

Photo: Bureau of Reclamation

See Also:

  • May 29, 1935: Hoover Dam Set in Concrete
  • Top 5 Ways to Cause a Man-Made Earthquake
  • 51 Conspiracy Theories That Don’t Exist But Should
  • Internet ‘Kill Switch’ Legislation Back in Play
  • NSA Must Examine All Internet Traffic to Prevent Cyber Nine-Eleven
  • Cyber Cyber Cyber!
  • Check the Hype There’s No Such Thing As ‘Cyber’
  • Richard Clarke’s Cyberwar: File Under Fiction

Cloud comes to Websense Triton

Data-loss prevention and hybrid deployment in a box.

Websense has rebranded its year-old Triton product to include software-as-a-service features.

The solution that combined web, data and email security was enhanced to become the Websense Triton Security Gateway Anywhere. It combined Websense's web and email security gateway technology and the hybrid deployment and data-loss prevention technology into the unified content security gateway.

Websense said it consolidated on-premises email and web security on a Websense V-Series appliance with cloud components.

David Meizlik, director of product marketing for web and data security at Websense, said the new version upgrades email security.

“The best part is that it is fully expandable and you can build it up by adding a licence key and it all comes from Websense,” Meizlik said.

He said the company had offered such technology for four to five years and it was built in to add a full data content security capability to ensure compliance and protect data.

“If you want to expand your DLP you can do it on a single appliance.

"We are migrating existing customers to the new appliance with new capabilities. This is a big deal for us, but our other vendors focus on the perimeter or endpoint and we are focusing on the middle on content security.”

Also included in this release is support for Websense web security on the V-Series appliance to provide web filter customers with security, consolidation and expandability to other Triton services.

This article originally appeared at scmagazineuk.com

Secure Computing Magazine


Beware 'I heart U' spam

Valentine's Day attacks may steal your identity or install malware on your PC.

While shops are stocking chocolates, cards and roses for Valentine's Day, cybercriminals are gearing up for the day of love, researchers say.

There are at least 50,000 unique Valentine's Day-themed spam emails in circulation, said David Perry, global director of education for anti-virus maker Trend Micro.

Many spoof well-known floral companies and supposedly offer discounts on flowers or Valentine's Day merchandise.

“Don't trust any unsolicited email, ever,” Perry said.

A campaign aims to trick lovers into parting with their email addresses when unsubscribing from future offers, Cristina Buenviaje, an anti-spam research engineer at Trend Micro, wrote in a blog post Wednesday.

The messages, which come with the subject line “Send your Valentine Flowers – from $19.99 with a vase”, have a legitimate-looking advertisement for discounted flowers. Clicking an “order now” button redirects users to a site that says the offer is no longer available.

Suspicious users who try to unsubscribe are redirected to a page that tells them to enter their email address to stop receiving messages.

“Users should never unsubscribe from anything they didn't subscribe for in the first place,” Buenviaje wrote. “Entering your email address into this page is like handing it over to spammers.”

Other threats could come from e-cards, which may even look like they were sent from a love interest, Perry warned.

With fake e-cards, users are often told they need to install software to view the card, said Randy Abrams, director of technical education at anti-virus maker ESET. But the software usually leads to rogue anti-virus programs or other malware being installed on a victim's PC.

Users should be careful not to click on links or attachments contained in unsolicited emails or instant messages.

Meanwhile, researchers at ESET have already discovered malware on sites with the word “valentine” in the URL, Abrams said.

“Typically, as we get much closer to Valentine's Day, we see an increase in attacks,” he said.

Cybercriminals will likely use search engine optimisation tactics to “poison” Valentine's Day web queries so their malicious links appear near the top of search results.

“Searches related to Valentine's Day start to surge at this time each year,” Abrams said.

“The criminals know what people are looking for and will try to snare users by optimizing results to drive traffic to their malware.”

Attackers will also likely distribute Valentine's Day-themed malware campaigns on social networking sites such as Facebook, Perry said.

This article originally appeared at scmagazineus.com

Secure Computing Magazine


No, Hackers Cant Open Hoover Dam Floodgates

The U.S. Bureau of Reclamation is shooting down a key legislative talking point: that the internet “kill-switch” legislation is needed to prevent cyber terrorists from opening the Hoover Dam’s floodgates.

The brouhaha started last week, when legislative aideson the Homeland Security and Governmental Affairs committee offered Threat Level examples of why the Protecting Cyberspace as a National Asset Act was needed. The bill, one aide said, would give the president the power to force “the system that controls the floodgates to the Hoover Dam” to cut its connection to the net if the government detected an imminent cyber attack.

At a panel in Washington last week, a GOP staffer working on the bill was even more terrifying. “We are very concerned about an electronic control system that could cause the floodgates to come open at the Hoover Dam and kill thousands of people in the process,” said Brandon Milhorn, staff director of the Senate Homeland Security and Governmental Affairs Committee.”That’s a significant concern.”

It turns out, though, that all the Hoover Dam doomsaying doesn’t sit well with Bureau ofReclamation, which runs the power-generating facility bordering Arizona and Nevada.

“I’d like to point out that this is not a factual example because Hoover Dam and important facilities like it are not connected to the internet,” Peter Soeth, a spokesman for the bureau, said in an e-mail. “These types of facilities are protected by multiple layers of security, including physical separation from the internet, that are in place because of multiple security mandates and good business practices.”

The Hoover Dam, which provides hydroelectric power to Arizona, Nevada and California, has featured in cybarmageddon scenarios since at least 2001. In June of that year, USA Today claimed, in an article on cyber terrorism, that hackers “might send a worm to shut down the electric grid in Chicago and air-traffic-control operations in Atlanta, a logic bomb to open the floodgates of the Hoover Dam and a sniffer to gain access to the funds-transfer networks of the Federal Reserve.”

Fast forward a decade later, and the same argument is being made for the proposed kill-switch legislation.

Soeth said in a telephone interview that the bureau had recently contacted backers of the legislation to set the record straight.

Meanwhile, in the wake of Egypt’s internet blockade, supporters of the U.S. legislation are rushing to make the case that they’re not trying to give the president the emergency power to similarly kill American internet access.

Sens. Joe Lieberman, I-Connecticut; Tom Carper, D-Delaware and Susan Collins, R-Maine, who are behind the proposal, put out a statement Tuesday saying, “We would never sign on to legislation that authorized the president, or anyone else, to shut down the internet.”

“[T]he emergency measures in our bill apply in a precise and targeted way only to our most critical infrastructure — the networks and assets most essential to the functioning of society and the economy — to ensure they are protected from destruction.,” the statement reads.

The legislation is expected to be introduced soon to the Senate Homeland Security and Governmental Affairs Committee. That committee approved the bill in December, but it expired when a new Senate assumed command last month.

Photo: Bureau of Reclamation

See Also:

  • May 29, 1935: Hoover Dam Set in Concrete
  • Top 5 Ways to Cause a Man-Made Earthquake
  • 51 Conspiracy Theories That Don’t Exist But Should
  • Internet ‘Kill Switch’ Legislation Back in Play
  • NSA Must Examine All Internet Traffic to Prevent Cyber Nine-Eleven
  • Cyber Cyber Cyber!
  • Check the Hype There’s No Such Thing As ‘Cyber’
  • Richard Clarke’s Cyberwar: File Under Fiction

Scanner snares senior servant

A Federal public servant in Australia's Department of Resources, Energy and Tourism has learned the hard way that a policy against using departmental computers to access pornography goes home with the laptop.

In a ruling handed down on Monday (January 31), the Federal Court of Australia has dismissed the 25-year public servants appeal against his dismissal for viewing pornography on his employers laptop, even though it only took place at home.

The pornography seems to have been mild enough. In a detail that has titilated headline-writers at the Sydney Morning Herald, the search term that ended the public servants career was knockers.

However, according to the Federal Court judgment, the material viewed counted as pornography and as such, violated the departments policy. This policy states:

Employees are prohibited from using Departmental ICT facilities to deliberately access, display, download, distribute, copy or store:

  • pirated software and/or material;
  • racist material; pornography; or
  • links to such material.

Justice Nye Perram found that even at home, since the laptop belonged to the department, the policy still applied.

Titillating, but not unfair

To assess the decision, I need to get behind the tabloid-ish titillation that even a broadsheet enjoys in using the word “knockers” in a headline.

The judgment isn't much about pornography. That word appears only about 30 times in a judgment running to nearly 9,000 words. What's at stake here is whether the Department that owned the laptop could apply a policy that went home with the employee if he took the laptop home.

Justice Perram has said yes.

The department ran a logging and monitoring environment (Spector 360) specifically to ensure that its computers were used in line with its policies, even away from the office. Justice Perram notes that as well as Web browsing, all emails, attachments, and instant messages are also recorded by Spector 360, which filed the 30-second snapshots with servers in the department. It was this software that flagged keywords such as “knockers” and landed the staffer in hot water.

The judgment also points out that the employee was a member of the department's IT sub-committee, which in the judge's mind ruled out the idea that the dismissal might be unfair because the employee didn't know or understand the extent of the logging.

The decision and the stories surrounding it are probably not welcome among those vendors selling monitoring and logging software. Those vendors have been at pains to portray themselves as benign, since their role is to protect business networks against being compromised by careless employees, to protect employers against cyber-slacking, and to make sure that unpleasant stories such as sexual harassment cases don't land on employers because of what pops up on an employee's screen in front of others.

The question now going around the internet is whether or not the logging was fair.

While it's easy and glib to invoke the privacy of his own home in defense of the unlucky public servant, the problem is as Justice Perram noted: he knew about the monitoring, he knew about the policy, and he knew that the laptop belonged to his employer.

Any member of the Senior Executive Service (the Sir Humphrey Appleby stratum of the Australian public service) has at least the spare change to buy a personal laptop for his or her own use. And this doesn't just cover searching for “knockers”: if anyone sends a private email they don't want copied to the boss, it makes sense to separate the personal machine from the professional. It's probably also prudent to keep other personal logins, such as bank accounts and credit cards, away from a monitored and logged office computer.

One other question remains. According to Spector 360, the software does more than just monitor and report activity; it can also block websites. If “knockers” is so offensive that it falls outside the department's porn rules, and the laptop belongs to the department, why not just block the results?

It would have saved everybody a lot of time and money.

British Border Agent Fired for Putting Wife on Terrorist Watch List

A UK border agent lost his job after authorities discovered he’d placed his wife on a terrorist watch list in an attempt to rid himself of her.

The woman was left stranded in Pakistan for three years because she was unable to fly back to the UK after visiting relatives, according to the Daily Mail.

The agent’s act was only detected after he applied for a promotion, and a background check revealed that his wife was on the watch list. He was reportedly sacked for “gross misconduct.”

The unidentified agent worked at the UK Border Agency’s headquarters in South London. He worked with a unit that was responsible for maintaining the watch list. His promotion would have given him an even higher security clearance.

Photo: Dan Paluska/Flickr

See also:

  • No Fly List Includes the Dead
  • Eight-Year-Old on TSA Terrorist Watch List Gets Frisked
  • Former DOJ Official Caught on Terror Watch List
  • Threshold for Getting onto No-Fly List Lowered
  • FBI: 19,000 Matches to Terrorist Screening List in 2009

Sony PS3 rootkit rumours rubbished

Suggestions that Sony has added a rootkit with the latest firmware update to its PS3 console have been denounced as bunkum by a leading gaming security expert.

Rumours began flying on the interwebs earlier this week that the official 3.56 firmware upgrade for Sony's consoles gave the consumer electronics giant the ability to execute code on the PS3 as soon as a user goes online.

Sony can use the technology to verify system files or to look for home-brewed games, it was suggested. More sinister still, it was warned, the code can be updated without further firmware updates.

The more excitable elements of the gamer community as well as tech blogs and gaming sites cried foul over the move, with many describing it as the introduction of hidden "rootkit-style" functionality.

But Chris Boyd, a security researcher at GFI Security who has studied the security of online games for several years, points out that the development is not new, because Sony has had the ability to perform remote updates written into its terms and conditions since at least 2006.

"It's been known for a while that a networked PS3 will contact Sony servers at start up (whether it has an active PlayStation network account on it or not), which performs various tasks related to error logs, updates and other activities," Boyd (aka Paperghost) told El Reg.

Anyone using a PS3 agrees in the terms of service to allow their console to perform these tasks.

Mark Russinovich found a rootkit in Sony CDs back in 2005, provoking a huge privacy outcry. This has led some enthusiasts and bloggers to suggest that history is repeating itself with the PS3 firmware upgrade.

The PS3 firmware upgrade is nothing like as malign, argues Boyd, who has spoken on X-Box and online gaming security at several security conferences. "Comparing a last ditch attempt at blocking hacks and custom firmware to the truly dreadful CD rootkit is mind boggling."

Sony bundled ill-conceived copy-protection on its music CDs that meant a rootkit was installed if they were played on Windows PCs. This created a vulnerability on affected machines later latched onto by malware writers. Sony withdrew the technology following an outcry.

Comparing this to the PS3 firmware update misunderstands what has actually been done or the practical risks of the move, according to Boyd.

"This is only really a concern if you're interested in modding - otherwise I'm not convinced there's a 'threat' as such," Boyd told El Reg. "I'm still waiting for someone to explain how this 'PS3 rootkit' could be used to run unsigned malicious code on a non-jailbroken box," he added.

Sony recently earned the enmity of the gamer and security communities by suing hackers who figured out a way to run unsigned code on PlayStation 3 consoles without the use of a dongle. The blogiverse has been inclined to ascribe the worst possible motives to anything Sony has done with a console since, regardless of whether it's actually new or how what it's doing sits against other potential threats.

Boyd, who has been vocal in criticising the lawsuits against the PS3 hackers such as geohot, nonetheless argues that gamers need to get a grip. "People will happily download homebrew from Basement Bob which could steal logins/credit card details, but code from the console maker is evil?"

Consumers urged to step up wireless security

Thursday, February 3, 2011

Consumers are once again being urged to use the latest (WPA2) encryption technology and apply strong passwords to protect home networks from snooping and other attacks.

The call comes in a survey by industry trade body the Wi-Fi Alliance, which warned on Wednesday that "borrowing" access to unprotected Wi-Fi networks is still commonplace. A poll by the Wi-Fi Alliance, conducted by Wakefield Research, found that one-third (32 per cent) of respondents said they had attempted to get onto a Wi-Fi network that wasn't theirs, well up from the 18 per cent recorded in an equivalent poll in December 2008.

By contrast, two in five (40 per cent) of respondents said they would be more likely to trust someone with their house key than with their Wi-Fi network password. Sharing a Wi-Fi password was more personal than sharing a toothbrush, according to a quarter. Wi-Fi Alliance execs compared good password security on wireless networks to car safety measures most people have taken for granted for years.

"Most consumers know that leaving their Wi-Fi network open is not a good thing, but the reality is that many have not taken the steps to protect themselves," said Kelly Davis-Felner, marketing director for the Wi-Fi Alliance. "Consumers can usually activate Wi-Fi security protections in a few simple steps, but much like the seatbelts in your car, it won't protect you unless you use it."

Attackers target world's busiest stock exchanges

British and US stock exchanges enlisted security services to thwart cyber attacks.

British and US stock exchanges enlisted the help of the security services after finding out they were the victims of cyber attacks.

The London Stock Exchange is investigating a terrorist cyber attack on its headquarters last year, while US officials have traced an attack on one of the country's exchanges to Russia.

The Times said it was told by ‘well-placed intelligence sources’ that the London Stock Exchange was trying to find the source of the attack, while a cyber security expert is reported as saying that the threat is ‘advanced and persistent’.

Associated Press said officials suspected the attacks were to spread panic among markets and destabilise Western financial institutions.

“Protecting the critical infrastructure from cyber attacks has to be a top priority for all nations in the information age," said Mehlam Shakir, CTO of Nitro Security.

"The London Stock Exchange attack not only serves as another ugly reminder of how insanely vulnerable we are to cyber attacks, but also the degree of sophistication that is needed to combat advanced attacks which disguise easily with normal activity and go undiscovered for months.

“Organisations need to have a unified defence strategy with tightly integrated security solutions at the perimeter, server, application and data layers so attacks can be quickly contained.

“Also a new breed of tools will be necessary with better predictive features that can baseline device, user and peer-group activity and accurately detect and alert on developing threats in near real-time.”

Nick Seaver, partner in security, privacy and resilience at Deloitte, said: “The number of attacks against the west has gone up enormously in the last few years, so a stock market would be a priority to attack.

“They would have all the security expertise and more, the difficulty is that attacks are getting more sophisticated as is the defence, and there are groups of people on the planet who spend their time trying to figure out what controls are in place and the business goes up as more is spent on it.”

This article originally appeared at scmagazineuk.com

Secure Computing Magazine


Analysis: The legal means to cut net access

Under what conditions could the Australian Government cut net access?

With internet services cut in Egypt as a desperate Government response to political unrest, the question has inevitably been asked: "Could it happen here?" David Havyatt believes it can, but only if Australian democratic values were turned on their head.

As Egypt followed Tunisia with mass protests in response to corruption, the country's communications have progressively been disabled under Government orders.

These events, combined with the recent debate at home over internet filtering, have naturally led to discussions as to whether the same controls are available to the Australian Government. Most of these discussions have focused on whether freedom of speech could be used as a legal defence by service providers against a shut-down order.

There are three things a Government needs in order to interfere with communications: the first is the legal authority, the second is the technical capability, but the third and most crucial is the political power.

Critics of the proposed Internet filter have been concerned that it creates the technical capability in every ISP network to block access to designated sites.

But the enabling legislation we have seen so far has specified the criteria for sites to be added to the list. The Government wouldn't have the authority to order that a new site simply be added. To use the filter in this way would be outside the Government's authority.

To make it happen requires political power to have either individuals or corporations directed to comply, or the ability to direct forces to coerce compliance. If the filter debate is any guide, Australian ISPs would be unlikely to respond to an instruction to start blocking access to major sites without the threat of coercive force.

The filter is not, however, the only basis by which Government (or the authorities) could seek to restrict access to communications services. There are significant provisions in the Telecommunications Act 1997.

Section 313 of the Act is a wide ranging requirement for carriers and service providers to provide "help" to enforce law and safeguard national security. The section implies that help is limited to other existing powers like interception and access to stored communications and couldn't be used to disconnect services. So no joy for any aspiring dictators there.

Under section 315 of the Act, the police may ask a carriage service provider to suspend supply of a carriage service if an individual with access to the service has or is likely to take a life.

After several days of discussions with various Government agencies, it seems nobody fully understands what possible scenario could enable a Government to use this law to ask its agencies to force the industry to cut internet access.

My questions have been passed from the Attorney-General's Department to the Department of Broadband (DBCDE), in turn passed to the communications regulator (ACMA) then back to Attorney General again. Hot potato!

The Attorney General's Department instead highlighted the wider powers of section 581 of the same Act, but were again unable to respond as to what scenarios would see these provisions used.

Under section 581 the Attorney-General could direct a carrier or service provider to cease supply or use of a service that is "prejudicial to security". This direction is about the suspension of an entire service, not service to an individual.

To understand this section, it's best to head to the glossary.

Security is as defined under the Australian Security Intelligence Organisation Act 1979, as "the protection of, and of the people of, the Commonwealth and the several States and Territories from: espionage; sabotage; politically motivated violence; promotion of communal violence; attacks on Australia's defence system; or acts of foreign interference; whether directed from, or committed within, Australia or not."

A lot hinges on whether mass rallies - as we have seen in Egypt - constitute communal violence. As the provision is explicitly crafted as a security provision it is unlikely that it would be found unconstitutional under the "implied freedom of speech" which the High Court has previously found.

So from an authority perspective, there are in fact grounds for an Australian Government to cut internet access - in extreme circumstances.

But here is a big disclaimer. The kinds of events we are seeing in Egypt, and Tunisia before it, are not the kind of events that occur in democratic societies governed by a rule of law. They are usually occurring in States where the rulers have near dictatorial powers.

These States are usually supported by "national security forces" that do the bidding of the dictator. In Egypt it has been noted that the bulk of the military are joining the protestors, just as the Russian military did in 1917.

Let's just assume for a moment the unlikely scenario of an Australian Government that had turned rogue, assuming dictatorial powers (perhaps dressed up as a response to some threat).

As has previously been discussed, cutting Australia off from the Internet would be a relatively simple matter, as there are only a small number of cable connections to the country. There are only four cables on the East Coast and one cable on the West to interfere with. The initial plans of NBN Co proposed to have all domestic communications flowing through fourteen points of interconnection.

But even if technically feasible, our security forces would be unlikely to support any action to cut internet access. Whether the country can be cut off from the Internet doesn't rest on questions of technical feasibility nor on the existence of appropriate laws or the constitutionality of those laws. It ultimately rests on the political power of the Government.

So the best defence against the risk of something like this happening is the values we teach to our citizens and our security forces. Would they value the internet enough to resist such an exercise of political power?

The Internet is a democratising and empowering force - it has featured in many recent popular uprisings, for organising events and communicating with the outside world. It has provided to authorities both challenges (its routing structure can survive the failure of any node) and opportunities to exert control (communications are easy to intercept and map).

But ultimately we should remember that what the internet has achieved today owes a debt to the values of the societies that fostered its development.

Copyright © iTnews.com.au . All rights reserved.


2010: the year of the DDoS

Anonymous to blame.

In a year where the distributed denial-of-service was a by-word for a politically-motivated attack, Arbor Networks' sixth annual worldwide infrastructure security report said that the attacks became mainstream as many were against popular and well-known targets.

Roland Dobbins, solutions architect at Arbor Networks, said Arbor was finding that the size of the largest packet DDoS increased dramatically year-on-year. He said that it was 49GB a second in last year's report and the likelihood is that it is now looking at attacks of 100GB a second.

“That is a 102 percent year-on-year increase and in the time we have been doing these surveys, there has been an increase of 1000 percent in five years," Dobbins said.

"Even with the largest firewall, it is easy for botnets to pass inspection so legitimate users cannot access services. It is a systematic failure. The internet infrastructure is getting fragile.”

“We are seeing a significant increase in the number of respondents who say that they will see ten or more DDoS attacks a month, and nine times out of ten they target the end-user and not the service provider.”

Luis Corrons, technical director at PandaLabs, pointed the finger at the loose-knit hacker collective known as Anonymous for bringing such attacks to prominence.

“It is not because of the tools, they were already there but Anonymous got attention because of people and the media. The tools were there, they did not create it.

“It is more easy to do, we released a black market report and talking about different services they do not need to do anything. The tools are at every level of service and became more and more common and we see more cyber criminal activity.”

The report claimed that application-layer DDoS attacks were increasing in sophistication and operational impact, as 77 percent of its respondents detected application-layer attacks last year.

These attacks target customers and their supporting services, such as domain name systems and web portals.

Data centre operators and mobile/fixed wireless operators reported that application-layer DDoS attacks are leading to significant outages, increased operational expenditures, customer churn and revenue loss.

This article originally appeared at scmagazineuk.com

Secure Computing Magazine


Waledac botnet operators amass 500,000 email credentials

Waledac botnet was rebuilt from scratch and is on the attack again.

After being effectively dismantled last year by a judge's ruling, the Waledac botnet has made a resurgence, and its operators are now in control of a cache of stolen credentials, according to researchers at security firm LastLine.

Researchers were recently able to get an “inside view” of the botnet and discovered that its operators have control of a huge amount of stolen FTP and email credentials, Brett Stone-Gross, a developer and threat analyst at LastLine, said on Wednesday. The stolen credentials may have been bought on the underground market or extracted from compromised machines.

Specifically, those behind the botnet are harboring nearly 500,000 email credentials, which likely will be used to deliver spam, Stone-Gross said. Using the stolen credentials to authenticate as the sender before pushing out spam, attackers can bypass IP-based email filtering systems.

“The benefit is that you are using a legitimate mail server rather than compromised machine to send the email,” Stone-Gross said. “IP-based blacklists are pretty much useless at that point.”
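The evasion Stone-Gross describes leaves a defender's footprint: spam relayed through a legitimate mail server with stolen credentials shows up in that server's authenticated-submission logs as a sudden jump in one account's recipient count, often from several client IPs the account has never used. The script below is an added example, not code from the article or from LastLine; it parses a constructed, simplified Postfix-style submission log (the field names `sasl_username`, `client` and `nrcpt` and the thresholds are assumptions) and flags accounts whose sending inside a sliding window exceeds a per-account baseline.

```python
"""Flag mail accounts that look like stolen-credential spam relays.

Added example; the log format is a constructed, simplified Postfix-style
submission log and the thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, authenticated account, client IP,
# number of recipients.  "alice" is normal traffic; "bob" sends hundreds
# of recipients from five client addresses within a few seconds.
SAMPLE_LOG = """\
2011-02-02T09:00:01 sasl_username=alice@example.com client=203.0.113.10 nrcpt=1
2011-02-02T09:05:12 sasl_username=alice@example.com client=203.0.113.10 nrcpt=2
2011-02-02T09:06:00 sasl_username=bob@example.com client=198.51.100.7 nrcpt=1
2011-02-02T09:06:01 sasl_username=bob@example.com client=198.51.100.8 nrcpt=50
2011-02-02T09:06:02 sasl_username=bob@example.com client=198.51.100.9 nrcpt=50
2011-02-02T09:06:03 sasl_username=bob@example.com client=192.0.2.44 nrcpt=50
2011-02-02T09:06:04 sasl_username=bob@example.com client=192.0.2.45 nrcpt=50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sasl_username=(?P<user>\S+) client=(?P<ip>\S+) nrcpt=(?P<n>\d+)$"
)


def parse_log(text):
    """Return a list of (timestamp, account, client_ip, recipients) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not authenticated submissions
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"], int(m["n"])))
    return events


def find_suspect_accounts(events, window=timedelta(minutes=10), max_rcpts=100, max_ips=3):
    """Return {account: (peak_recipients, peak_client_ips)} for accounts whose
    activity in any sliding window exceeds either threshold.

    Both signals matter: a burst of recipients catches bulk spam, and a spread
    of client IPs catches credentials being used from many bot machines at once.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    suspects = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order for the sliding window
        peak_rcpts, peak_ips = 0, 0
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events fit inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            peak_rcpts = max(peak_rcpts, sum(e[3] for e in win))
            peak_ips = max(peak_ips, len({e[2] for e in win}))
        if peak_rcpts > max_rcpts or peak_ips > max_ips:
            suspects[user] = (peak_rcpts, peak_ips)
    return suspects


if __name__ == "__main__":
    for account, (rcpts, ips) in find_suspect_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"suspect account {account}: {rcpts} recipients from {ips} client IPs")
```

Real baselines should be learned per account from historic sending rather than fixed as here, and a hit is a cue to force a password reset and revoke sessions for that account, which is the control an IP blacklist cannot provide.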

Waledac botmasters also have amassed nearly 124,000 credentials to FTP servers. Those behind the botnet use an automated program to log in to these servers and upload files that redirect users to sites that serve malware or promote pharmaceuticals.

Last month, researchers discovered 222 websites that had been compromised with this method.

“The Waledac botnet remains a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses,” Stone-Gross wrote in a blog post Wednesday.

A federal judge last February ordered the takedown of nearly 300 domains being used to provide instructions to malware-infected computers, effectively incapacitating Waledac. Later in the year, it seemed the fight to dismantle the botnet was over when Microsoft was granted ownership of the domains.

But despite the security community's best efforts, those behind Waledac began sending out fake e-cards late last year aiming to infect users with malware as a means of rebuilding the botnet, Stone-Gross said.

Criminals have also set up new command-and-control servers to send instructions to infected machines.

“Microsoft took out the command-and-control infrastructure so infected machines couldn't receive instructions,” Stone-Gross said.

“They had to reconstruct the botnet from scratch.”

Around the beginning of the year, botmasters shifted their efforts to money-making ventures and began sending unwanted messages redirecting users to Canadian pharmacy sites that sell cheap drugs, he added.

“Despite [Microsoft's] success last year, it is impossible to monitor and shut down every malicious site as quickly as the perpetrators set them up,” Adam Bosnian, vice president of the Americas at security firm Cyber-Ark, said.

“Cybercriminals will continue to find new ways to perpetrate malicious activity on unsuspecting individuals.”

This article originally appeared at scmagazineus.com

Secure Computing Magazine


Documents in Julian Assange Rape Investigation Leak Onto Web

The ongoing rape and sexual molestation investigation of WikiLeaks founder Julian Assange is taking another in a series of odd turns. A file containing 100 pages of interview transcripts, investigatory notes and other material in the case has appeared online, where it’s eagerly being dissected by Swedish WikiLeaks-watchers.

The documents appear to consist of pre-trial discovery material prosecutors provided to Assange’s Stockholm lawyer Björn Hurtig last year, which Hurtig subsequently faxed to the office of Assange’s UK attorney Mark Stephens. The documents begin with a November 23 cover letter addressed to Stephens’ co-counsel, in which Hurtig advises: “Please note that the documents are legally privileged information for Mr Julian Assange and nobody else.”

Somehow, though, after arriving in London, the documents got out. They were anonymously posted to Adobe’s Acrobat file-sharing and collaboration site in recent days, and the link is being circulated on Swedish message boards and blogs. Stephens did not immediately return a phone call from Wired.com on Wednesday.

The file relates how Assange’s separate sexual encounters with two women in Sweden last year led to the criminal investigation, telling the story through police interviews with the two alleged victims, and with friends to whom they’d confided. There is nothing in the extensive details to support Assange’s past assertions that the Swedish criminal probe is part of “dirty tricks” campaign against WikiLeaks.

The most substantive content in the file was previously reported by the UK Guardian in December, apparently from a subset of the same police documents.

Assange began seeing the two women during a ten-day trip to Stockholm last August. The first woman, referred to in court as “Miss A.”, told police that her consensual encounter with Assange became violent when Assange pinned her to the bed as she attempted to reach for a condom. He then allegedly released her and agreed to wear the condom, but did something to it that caused it to rip, and continued to have sex.

The second woman, Miss W., also initially had consensual relations with Assange using a condom. But later, as they shared a bed, Assange allegedly began having sex with her while she was asleep.

According to her police statement, she woke up and asked, “Are you wearing anything?”

“You,” Assange replied.

“You’d better not have HIV,” she said.

“Of course not.”

According to the police report, she felt it was “too late” to halt the unprotected sex. “He [Assange] was already inside her and she let him continue. She couldn’t be bothered to tell him again. She had nagged about condoms all night. She had never had unprotected sex before. He said he wanted to come inside her, he didn’t say when he did, but he did it.”

Following the incidents, Miss A. and Miss W. met up and went to police, after failing to persuade Assange to take an HIV test.

While most of the details of the allegations have been well known since December, the lurid color in the raw file has captivated Swedish readers. In addition to the serious charges, the police reports capture criticism by the women of Assange’s personal hygiene and sexual performance. Miss A., who housed Assange during his visit to Sweden, told a friend that Assange was prone to not flushing the toilet after use, and didn’t shower.

Once during sex with Assange, Miss W. says she turned towards him and smiled. “He asked her why she’s smiling, what is there to smile about,” reads the report. “She didn’t like the undertone in his voice.”

There are also some unreported details about the genesis of the criminal case.

• Miss A. saved the broken condom from her encounter for a week while Assange stayed in her flat in Stockholm, and then turned it over to police once the criminal investigation began. A Xeroxed photo of the condom is in the file. Police forensics examiners were unable to obtain a DNA sample from the condom.

• Miss W. voluntarily underwent a full rape kit test at a hospital, and was given anti-HIV medication. No results from the rape kit are included in the leaked documents.

• Miss W. was being interviewed by police when she learned that Swedish prosecutors had issued an arrest warrant for Assange for sexual molestation based on Miss A’s statements. At that point, Miss W. appeared to become upset and was unable to concentrate on the questioning, the police investigator writes, and the interview was terminated.

• Miss W. also provided police with a condom from one of her wakeful encounters with Assange. The police were able to retrieve male DNA from that condom, but do not have a sample of Assange’s DNA with which to compare it.

• The investigator who interviewed Miss W. took handwritten notes, which she then keyed into the national police evidence system. But when she tried to access the file later to make revisions, she found herself locked out. A supervisor instructed her to refile the report from scratch, with the unspecified revisions.

Assange has not been charged, and he has denied any wrongdoing. He is currently on house arrest near London while he fights extradition to Sweden.

His lawyer, Stephens, has argued that Swedish prosecutors are abusing the Swedish and U.K. legal process by attempting to extradite Assange without charging him with a crime, and for alleged offenses that are not subject to extradition. A two-day hearing is set for February 7 and 8.

See Also:

  • WikiLeaks Founder ‘Detained in Absentia’ in Swedish Rape Probe
  • Interpol Issues ‘Red Notice’ for Arrest of WikiLeaks’ Julian Assange
  • Details of Sex Crime Allegations Against WikiLeaks’ Assange Emerge
  • WikiLeaks Founder Granted Bail, With Conditions

Feds Tackle Sports-Streaming Pirate Sites

The U.S. government seized 10 domains connected to broadcasting professional sports Wednesday as part of a widespread crackdown on internet piracy.

The court-ordered seizures, as part of the government’s Operation in Our Sites, are aimed at web sites that sell counterfeited goods, as well as sites that facilitate illegal music, film and broadcasting-rights piracy. The move comes days before one of the world’s biggest sporting events, the Super Bowl this Sunday.

“The illegal streaming of professional sporting events over the internet deals a financial body blow to the leagues and broadcasters who are forced to pass their losses off to fans by raising prices for tickets and pay-per-view events,” Preet Bharara, Manhattan U.S. attorney, said in a statement. (The U.S. attorney failed to mention multi-million-dollar athlete contracts.)

The seized sites are: atdhe.net, channelsurfing.net, hq-streams.net, hq-streams.com, firstrow.net, ilemi.com, iilemi.com, iilemii.com, rojadirecta.org and rojadirecta.com.

The domains often are not given notice of the seizure, but they may challenge it in federal court. The U.S. government has jurisdiction over so-called top-level domains, like .com, .org and .net. Many of the shuttered sites display a graphic with images from the Justice Department, Immigration and Customs Enforcement and the National Intellectual Property Rights Coordination Center.

At least one of the domains is already up and running again under a new name: atdhe.me, which is out of the United States’ reach. ”Our domain ATDHE.NET has been seized today (01/02/11). We are now using www.ATDHE.me but don’t be alarmed, we will do our best to bring you back everything. Please use the links below to stream your live sports for now,” the site told sports enthusiasts Wednesday.

In November, the federal government targeted about 80 web sites, many that bartered in counterfeited goods like scarves and golfing gear. In June, when the seizure program was announced, the government took down seven sites that distributed pirated motion pictures.

See Also:

  • Bill Would Give Justice Department Power to Shutter Piracy Sites
  • Porn Stars Decry Piracy in New Video (SFW)
  • Obama’s Commerce Secretary Talks Tough on Music Piracy
  • Med Student Turns to Test-Prep Piracy
  • BSA Softens Anti-Piracy Message
  • Feds Crack ‘Rabid Neurosis’ Pre-Release Piracy Group
  • Piracy Milestones Converge, Illegal Downloading Goes Unabated

Google offers $20,000 prize in annual hack-off

The annual Pwn2Own hacking contest has been so merciless at thrashing the security of popular computing products that most vendors groan when they learn their wares will be entered.

Not Google.

When the search company recently learned that its Chrome browser wasn't going to be included in this year's competition, which is scheduled for next month, it asked organizers to reconsider and even offered $20,000 in prize money on top of the $15,000 already promised to any contestant who successfully exploits the open-source browser. Chrome was originally going to be excluded because it is based on the same Webkit engine that runs another Pwn2Own entry, Apple's Safari browser.

"It shows a mature attitude to the problem because they (Google) know that the actual release of the information is something that just makes the thing stronger," said Dragos Ruiu, organizer of the CanSecWest security conference, which hosts the contest. "It gets rid of vulnerabilities. Most of the vendors I talk to are like, 'Well, do you have to put that in?'"

At last year's event, Chrome was the only browser entered that didn't take a stomping. By contrast, Safari, Microsoft's Internet Explorer, and Mozilla's Firefox all succumbed to exploits that allowed them to be remotely commandeered.

It will be interesting to see how Chrome fares this time around, which will be Pwn2Own's fifth year. Last year, researchers said the security sandboxing buttressing the Google browser was so hard to defeat that successful exploits were worth much more than the $10,000 available for each browser hack. Since then, Google has also paid more than $14,000 in bounties to researchers who uncovered security bugs in the browser.

But in the 12 months that have intervened, the technology has become a lot less exotic, as software makers such as Adobe have added sandboxing to the repeatedly abused Reader app and researchers have figured out ways to bypass the protection.

"Honestly, I can't see them not getting hacked," Ruiu said, referring to Google. "A lot of people have a stake in taking the time and looking at what it takes to trampoline out of a VM-like environment. There are more techniques and people are more willing to discuss those techniques."

Last year's contest paid $10,000 to the first contestant to successfully hack any one of the eligible browsers, which included IE, Firefox, Safari and Chrome. It also paid $15,000 for attacks on any one of four major smartphones. This year's contest rules will be roughly the same, except that a phone running the Symbian operating system has been replaced with one running Windows Phone 7. Prizes for browser hacks have also been increased to $15,000.

Contestants will also have the benefit of using a radio frequency isolation booth so they can more directly target the phones' baseband processors, which are used to send and receive radio signals as the devices communicate over cellular networks. By contrast, most exploits to date have attacked the CPUs that run a phone's apps.

Baseband exploits require the attacker to mimic a cellular network, a feat that's become easy to carry out over the past few years, but often runs afoul of wiretapping laws. The isolation booth is like a condom that allows an attacker to set up his own cellular network inside a small perimeter without affecting the airwaves outside.

On hand will be Ralf-Philipp Weinmann, a University of Luxembourg research associate who recently demonstrated baseband attacks against a variety of smartphones, including iPhones and devices running Google's Android OS.

"I know for a fact he's going to be there and he's going to be one of the contestants, so you can expect a few things there," Ruiu said.
