Trusteer vows to fight 'baseless' code-theft lawsuit

Thursday, April 7, 2011

Transaction security firm Trusteer has vowed to fight a US lawsuit filed by rival developer Blue Gem Security which alleges code theft.

Blue Gem is seeking unspecified damages, costs and an injunction over allegations that Trusteer plagiarised code used to maintain compatibility between anti-keystroke-logging software and the types of Intel chipset first introduced back in 2007.

Trusteer's Rapport transaction security software "includes idiosyncratic features of the Intel Compatibility Code that Trusteer would have had no reason to include if it had written the code independently," the Blue Gem lawsuit (filed in a Californian court late last month) alleges.

For example, Rapport allegedly uses the same arbitrary variable as Blue Gem's Total Privacy to replace a user's keystroke with a dummy keystroke.

Israel-based Trusteer's Rapport browser lock-down technology is offered as a voluntary download by 50 banks worldwide, including NatWest and HSBC in the UK. US customers include ING Direct USA, eBay and PayPal, firms to which Blue Gem also pitched its technology without being awarded contracts.

Trusteer is by far the biggest player in the emerging market of transaction security software, technology designed to stop fraudsters from extracting personal information from machines even if they are infected with malware.

In a brief statement, Mickey Boodaei, chief exec of Trusteer, dismissed Blue Gem's accusations as without merit. "These are false, baseless accusations which Trusteer will defend vigorously in court," he said.

MPs criticise banks on online fraud despite declining losses

A House of Commons Treasury Select Committee report has criticised banks for failing their customers in the fight against online fraud.

Members of the influential committee criticised banks as being "unprepared" to deal with internet fraud as part of a wider study into retail banking, whose main conclusions called for greater transparency on charges and steps to make it easier for consumers to switch accounts.

MPs criticised banks on fraud prevention despite official figures from UK Payments, published last month, that show online banking fraud losses totalled £46.7 million in 2010, a 22 per cent fall on the figures for 2009. Better fraud detection software from banks and improved customer awareness of the need to guard against phishing scams and malware are credited with the improvement.

Security experts said it was wrong to tar all UK banks with the accusation of being weak on cybercrime.

David Belchick from IT security software developer ActivIdentity said: "The Treasury Select Committee was correct in highlighting the issue of online banking security as recent research shows that attacks on large corporations such as banks have doubled since 2008, and the damage costs more than tripled.

"While we agree with the Treasury Select Committee that there can be improvements in online security, we caution against the typical rush to judgment that all banks are not doing enough," he added.

Belchick said that if MPs were serious about banking security they should impose tougher regulations, such as the requirement to provide two-factor authentication for bank logins (a step that would help firms that sell the technology, of course, such as ActivIdentity).

"Regulatory guidelines for strong, versatile authentication have been established in the United States, India and other nations. If the Treasury Select Committee desires real change, it will establish a panel or organisation, such as the UK Payments Association, to set regulations to protect all UK banking customers."

Popular open source DHCP program open to hack attacks

The makers of the internet's most popular open source DHCP program have warned that it's vulnerable to hacks that allow attackers to remotely execute malicious code on underlying machines.

The flaw, which is present in Internet Systems Consortium's DHCP versions prior to 3.1-ESV-R1, 4.1-ESV-R2, and 4.2.1-P1, stems from the program's failure to block commands that contain certain meta-characters. The vulnerability makes it possible for rogue servers on a targeted network to remotely execute malicious code on the client, the non-profit ISC warned on Tuesday.

ISC advises users to upgrade. Users can in some cases follow workarounds, which include disabling hostname updates or configuring their systems to access only legitimate DHCP servers in settings where access control lists are in place.

Short for Dynamic Host Configuration Protocol, DHCP is a system for automatically assigning computers IP addresses on a given network and helping administrators to keep track of those assignments. ISC says its DHCP program is the most widely used open source DHCP implementation on the Internet.

Sophos has more about the vulnerability here.

Chrome offers malicious download warnings

Google is trying out a new malicious download warnings feature in Chrome.

Google has added malicious download warnings to its Chrome browser, starting with dangerous Windows executables.

The feature targets drive-by download attacks, displaying a warning if a user tries to get a malicious file onto their system, Google said on a blog.

The warning will show up when a user visits any URL on the blacklist within Google’s Safe Browsing API - a service a range of other browsers take advantage of to warn people about potentially dangerous sites.

“We’re starting with a small-scale experimental phase for a subset of our users who subscribe to the Chrome development release channel, and we hope to make this feature available to all users in the next stable release of Google Chrome,” said Moheeb Abu Rajab from the Google security team.

“We hope that the feature will improve our users’ online experience and help make the internet a safer place.”

He said the web was still “rife with deceptive and harmful content,” despite efforts in the safe browsing space.

“It’s easy to find sites hosting free downloads that promise one thing but actually behave quite differently,” he added.

“These downloads may even perform actions without the user’s consent, such as displaying spam ads, performing click fraud or stealing other users’ passwords.”

A number of vendors have jumped on browser security, seeing it as a potentially highly lucrative market.

Overtis recently launched an add-on to enable IT administrators to watch over employee browser activity.

This article originally appeared at itpro.co.uk

Copyright © ITPro, Dennis Publishing


Pandora's mobile app transmits 'mass quantities' of user data

A free smartphone app provided by internet radio service Pandora supplies advertisers with enough user information for them to compile detailed snapshots of those who use it, researchers who analyzed the software have said.

Tuesday's report, titled Mobile Apps Invading Your Privacy and issued by software analysis firm Veracode, found that Pandora's app tracked users' age, sex, zip code and precise geographic location, which in many cases was updated in a continuous loop. The app then sent the information to servers operated by advertising services including comScore. Other information that was shared included the phone's device ID and the user's birth date.

The report follows Monday's revelation that federal prosecutors are investigating whether smartphone apps have been illegally collecting information about handset users without proper disclosures. Pandora has said it received a subpoena in the matter and believes other app providers have, as well.

If Veracode's findings are correct, they could provide plenty of fodder to investigators.

"It means your personal information is being transmitted to advertising agencies in mass quantities," Veracode's Tyler Shields wrote.

He continued:

In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person's life. Consider for a moment that your current location is being tracked while you are at your home, office, or significant other's house. Couple that with your gender and age and then with your geolocated IP address. When all that is placed into a single basket, it's pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them. I don't know about you, but that feels a little Orwellian to me.

A spokeswoman for the California-based company declined to comment until after a pending initial public offering is completed.

The report focused solely on Pandora's app for phones running Google's Android operating system. It found that the app is bundled with code libraries offered by five advertiser services, which in addition to comScore, include AdMarvel, AdMob, Google.Ads, and Medialets.

Pandora's audience has doubled to more than 80 million listeners, thanks to the popularity of its iPhone app, USA Today reported in January. Veracode's report made no reference to that app, presumably because of the closed nature of Apple's iOS.

Malware baddies crank up Trojan production

Malware authors have stepped up production rates still further in their efforts to overwhelm anti-virus defences with banking Trojans and other crud.

During the first three months of 2011 an average of 73,000 new strains of malware have been created every day: 10,000 more than during the same period last year, according to stats from Panda Security. Around 70 per cent of these malware strains were Trojans, with viruses making up 17 per cent of the sample, the second most common category.

Worms (eight per cent) also made up a significant percentage while other once-significant categories of malware, such as adware, have dwindled away to background noise levels. This is illustrated by Panda's pie-chart here.

Many would think that Windows PCs in Western Europe and the US are the most frequently infected with information-stealing Trojans, spyware, worms and other strains of malware. However, scans using Panda's on-demand virus scanning technology suggest PCs in China, Thailand and Taiwan head the ranking for the most pox-ridden worldwide, with infection ratios of almost 70 per cent.

PandaLabs' latest quarterly report can be found here.

Panda's figures show the continuation of a trend already well underway last year. A study from Symantec, published on Tuesday, reports 286 million new threats in 2010.

Hackers and their virus-writing allies are increasingly targeting vulnerabilities in Java in their persistent attempts to break into computer systems, the net security giant warns. Attack toolkits, such as The Phoenix, automate Java-based attacks that work against multiple browser platforms.

Nearly three quarters of all spam (74 per cent) sent in 2010 related to pharmaceutical products. Most of this junk mail - typically offering diet pills or male enhancement drugs from sites peddling prescription medicines without a prescription - came from botnets, networks of compromised PCs. A batch of 10,000 bot-infected computers can be yours for as little as $15 via underground forums, Symantec adds.

The latest edition of Symantec's internet threat report can be downloaded here (pdf - registration required).

Israel mulls creation of elite counter-cyberterrorist unit

Wednesday, April 6, 2011

Israel is mulling the creation of a counter-cyberterrorism unit designed to safeguard both government agencies and core private sector firms against hacking attacks.

The proposed unit would supplement the efforts of Mossad and other agencies in fighting cyberespionage and denial of service attacks. Israel is, of course, a prime target for hackers from the Muslim world.

The country's hi-tech industries also make it an interesting target for cyberespionage from government-sponsored hackers from China and elsewhere. Spear-phishing attacks featuring targeted emails, custom malware and subsequent hacking action have been in the news over recent weeks, in the wake of cyberattacks against EU agencies and oil-prospecting multinationals, to quote just two recent threats.

Major General Isaac Ben-Israel, former head of the Defence Ministry's administration for the development of weapons and technological infrastructure and the main candidate to lead Israel's cyber-defenders, reportedly met with local and international experts for a brainstorming strategy development session late last year.

A report based on the outcome of the talks, which involved the International Institute for Counter-Terrorism (ICT) at the Herzliya-based Interdisciplinary Center (IDC), is due to be presented to Israeli Prime Minister Binyamin Netanyahu sometime in the next few weeks.

Israel is rumoured to have collaborated with the US on the development of Stuxnet, the SCADA-system infecting worm described in some circles as the world's first cyberweapon. Circumstantial evidence for this theory came, in part, from a video from the retirement party of General Gabi Ashkenazi that recently surfaced on the net. The video cited the successful Stuxnet worm attack on Iran's uranium enrichment facility at Natanz as among the successes he had racked up during his tenure as chief of staff of the Israel Defence Forces, Israeli daily Haaretz reports (Google translation from original Hebrew here).

Stuxnet, whoever might have created it, along with recent cyberespionage attacks, has concentrated government minds across the world on the problem of defending against cyberattacks. Some of the scenarios peddled by doom-mongers (cyberattacks using Stuxnet variants to take down power grids or collapse communications infrastructure) are more the stuff of Hollywood than reality. However, there is a real threat in there, mainly at this stage from either cyberespionage or denial of service attacks.

In response to these threats, Germany opened a new Cyber Defense Center last week, with a reported roster of 10 staff. The team is tasked with spotting and evaluating internet-based attacks, as well as developing counter-strategies, Deutsche Welle reports.

The UK government last year earmarked £650m over the next four years to tackle cyberthreats, as part of its Strategic Defence and Security Review. Part of this money (£63m) has been allocated to boost the policing of financially motivated cybercrime.

A larger proportion is expected to be allocated towards fighting state-sponsored attacks, with most of this money going towards GCHQ. This is expected to involve an expansion of the role of the Cheltenham-based Cyber Security Operations Centre, a small group established in 2009 and initially focused on gathering intelligence on online threats for use by government agencies.

McAfee recovers from Sesame Street email filter mix-up

McAfee has apologised for a Sesame Street-style mix-up over the weekend that temporarily prevented any customers with addresses that start with the letter A from receiving email.

The glitch, which involved the managed email filtering service from MX Logic (acquired by McAfee back in 2009), bounced emails sent to supported inboxes whose address began with an A or a non-alphanumeric special character (eg @ or $).

In a statement, McAfee blamed a rogue script for the mix-up, which has now been resolved.

"During scheduled maintenance late Saturday evening and early Sunday morning, a subset of customers experienced temporary account verification issues, impacting non-alphanumeric email addresses and aliases up to the letter "a".

"The engineering team monitoring the scheduled maintenance addressed the issue. The root script that caused this issue has been identified and fixed."

Reg reader Simon, who tipped us off about the glitch, said his firm was obliged to turn off the filtering service on Monday morning, as a workaround, until the glitch was resolved.

"This Sesame Street stuff-up began around 4pm yesterday [Sunday] and continued until the early hours of Monday morning," Simon said. "Mail to the affected addresses was bounced with a 553."

Anonymous DDoS hobbles Sony

PlayStation, PSN and Sony websites crippled in revenge at hacker lawsuit.

Anonymous has taken down Sony’s PlayStation website in revenge for the company’s lawsuit against George Hotz.

Yesterday's assault by the hacker collective knocked offline Sony.com and PlayStation.com with more attacks promised to come. It's the hacker collective's second major attack on an entertainment giant in a week following Anonymous' takedown of Warner Bros last Tuesday.

It stemmed from Sony's recent court battle with George Hotz, who released an exploit to ‘jailbreak’ PS3 consoles.

Sony sought to collect information from PS3 customers who visited Hotz's website. A US federal magistrate gave Sony permission to collect the IP addresses of those who had accessed Hotz's site or posted comments on a related YouTube video.

Yesterday, Anonymous released a statement that laid out its grievances: "Congratulations, Sony. You have now received the undivided attention of Anonymous.

"Your recent legal action against our fellow hackers has not only alarmed us, it has been deemed wholly unforgivable.

"You have victimised your own customers merely for possessing and sharing information. In doing so you have violated the privacy of thousands."

It outlined threats against Sony for its abuse of the judicial system.

"Now you will experience the wrath of Anonymous. You saw a hornets' nest, and stuck your p*nises in it. You must face the consequences of your actions, Anonymous style."

The attack started soon after.

Users were having difficulty connecting to the PSN network.

"Access to the PSN may be interrupted throughout the day. We apologise for any inconvenience," Sony's tech support explained in a tweet.

Anonymous posted a video to YouTube, which promised that the attacks will continue: "We do not forgive the denial of free flow of information. Expect us".

The hacking collective known as Anonymous has successfully taken down Sony’s official PlayStation website in revenge for the company’s conduct during the lawsuit against George Hotz. Earlier today, the coordinated assault knocked Sony.com and PlayStation.com offline, with more attacks promised to come.   

Yesterday, the Anonymous collective released a statement that laid out their chief grievances against Sony and the consequences that the company would pay.

"Congratulations, Sony. You have now received the undivided attention of Anonymous. Your recent legal action against our fellow hackers has not only alarmed us, it has been deemed wholly unforgivable," the statement read. "You have victimised your own customers merely for possessing and sharing information. In doing so you have violated the privacy of thousands."

The statement then descended into threats against Sony for its abuses of the judicial system. "Now you will experience the wrath of Anonymous. You saw a hornets' nest, and stuck your p*nises in it. You must face the consequences of your actions, Anonymous style.... We are Anonymous. We are Legion. We do not Forgive. We do not forget. Expect us."

Since the statement was released, Sony.com and PlayStation.com have both been knocked offline (at the time of writing, PlayStation.com is still returning a broken link).

For those who haven't been keeping abreast of the news, Sony has recently been embroiled in a court battle against George Hotz, a hacker who released an exploit to the public designed to 'jailbreak' PS3 consoles.

In the ensuing court case, Sony sought to collect information from PS3 customers who visited Hotz's website. The court reportedly gave Sony permission to collect everything from the IP addresses of those who visited the site in question to those who watched or posted comments on a YouTube video.
Copyright © Australian PC & Tech Authority. All rights reserved.


Targeted attacks pick up where Stuxnet left off

Symantec report predicts a spike this year.

Symantec warned businesses to prepare for a surge in targeted attacks this year as cyber criminals build on their successes.

Last year saw the likes of Stuxnet and Hydraq set a precedent for targeted attacks, using zero-day vulnerabilities to penetrate systems, a Symantec report noted.

This year will only see more of these attacks, where employees are targeted by spear phishing emails and cyber criminals go after specific kinds of corporate data, the security giant claimed.

Sian John, distinguished engineer at Symantec, said Stuxnet proved “there is no such thing as something that is not a target.”

“For us it is a move towards looking at any file that comes on a system, don’t assume that it’s good,” John said.

“Let’s look at building a reputation around it, let’s look at what the file is actually doing… But at the same time look at what you are actually doing on a system, so once you have installed a file, let me just check what that system is doing – is it trying to bypass things, is it trying to open up backdoors?”

The report came following various targeted attacks on both the public and private sector this year.

In particular, Advanced Persistent Threats (APTs) emerged as something the security industry and enterprises needed to look at seriously, John said.

The security arm of EMC, RSA, was recently hit by an APT, as data on the firm’s token product SecurID went missing.

Symantec said the increasing prevalence of zero-day vulnerabilities and rootkits was partly responsible for the rise of targeted attacks.

In 2010, a total of 14 new zero-day flaws were discovered in a number of widely used applications, such as Adobe Flash Player and Internet Explorer.

Hackers will increasingly adopt rootkit exploits into targeted attacks too, Symantec said.

More generally, the security giant saw 286 million new threats appear last year, as well as a 93 per cent rise in web attacks over 2009.

Making money from mobile malware

Meanwhile, mobile attacks will start bringing in profit for hackers, according to Symantec, as the level of threats rise.

Symantec spotted 163 vulnerabilities in mobile device operating systems last year, compared to 115 the year before.

Attacks have so far mainly come through trojanised third-party applications, which have only dialled or texted premium-rate numbers from the phone.

This is still not as profitable as stealing online banking credentials and carrying out credit card fraud, Symantec noted.

“As people start to do more financial transactions over mobiles, we expect to see more activity,” John said.

“In the next year, mobile attacks will get more sophisticated.”

Symantec said it expects to see more PC-like attacks hit smartphones - such as phishing - as cyber criminals decide to stick with tried and tested methods.

This article originally appeared at itpro.co.uk

Copyright © ITPro, Dennis Publishing


Feds, RIAA Ask $22,500 in Damages Per Song

Do federal judges have the power to reduce jury awards in copyright infringement cases?

The Obama administration and the Recording Industry Association of America don’t think so. On Monday, they argued that point before a three-judge panel of the 1st U.S. Circuit Court of Appeals in Boston, which has released a 41-minute audio recording (.mp3) of the hearing.

They were urging the circuit to reinstate a $675,000 file sharing verdict a Boston jury levied against Joel Tenenbaum, the nation's second defendant to go to trial against the RIAA in an individual file sharing case. U.S. District Judge Nancy Gertner reduced the verdict to $67,500 last year.

Both sides appealed, with Tenenbaum claiming it was still too excessive, and the RIAA and government arguing the reduction was an abuse of judicial power.

The Copyright Act allows damages ranging from $750 an infringement to $150,000.

The RIAA had sued thousands of individuals for file sharing over five years ending last year. Most defendants have settled out of court for a few thousand dollars. Only two cases have gone to trial. In both, monstrous jury verdicts were reduced by the presiding judges. The outcome of the other case against Jammie Thomas-Rasset is pending.

The significance of the Tenenbaum and Thomas-Rasset cases appears to be minimal in the illicit music-sharing context. The RIAA has abandoned its litigation campaign and instead is working with internet service providers to warn file sharers or kick them off the internet if they repeatedly engage in online copyright infringement. The RIAA has also successfully lobbied for the Obama administration to seize file sharing websites.

But where the RIAA litigation campaign left off, independent movie makers have picked up. In the last year, they have sued about 130,000 BitTorrent users for downloading and sharing low-budget movies.

The players you'll hear on the tape include RIAA attorney Paul Clement, who is the former solicitor general; Jeffrey Clair, for the Obama administration; Jason Harrow, a Harvard Law School student, and Harvard professor Charles Nesson, both for Tenenbaum; and Julie Ahrens of the Electronic Frontier Foundation, also for Tenenbaum.

The circuit panel consists of Judge Sandra Lynch, Judge Juan Torruella and Judge Rogeriee Thompson.

Here are briefs in the case.

Hat Tip: techdirt

Collateral Murder Soldier Speaks in New Film

In July 2007, Ethan McCord, a 33-year-old Army specialist, was engaged in a firefight with insurgents in an Iraqi suburb when his platoon, part of Bravo Company, 2-16 Infantry, got orders to investigate the aftermath of a recent firefight on a nearby street.

When McCord’s platoon arrived, they found a scene of fresh carnage - the scattered remains of a group of men, believed to be armed, who had just been gunned down by Apache attack helicopters. They also found 10-year-old Sajad Mutashar and his five-year-old sister Doaha covered in blood in a van. Their 43-year-old father, Saleh, had been driving them to a class when he spotted one of the wounded men moving in the street and drove over to help him, only to become a victim of the Apache guns.

McCord was captured in a video shot from one helicopter as he ran frantically to a military vehicle with Sajad in his arms seeking medical care. That video created its own firestorm when the whistleblower site WikiLeaks published it on April 5, one year ago today, on a site called Collateral Murder. It was the leak that put WikiLeaks on the map and is among a multitude of high-profile leaks allegedly provided to the site by former Army intelligence analyst Bradley Manning.

Last year, Wired.com interviewed McCord about the incident and about his experience of suddenly seeing himself on the news, three years after the event. McCord had just returned from dropping his children at school on April 5 when he turned on the TV news to see grainy black-and-white video footage of himself running from a bombed-out van with Sajad in his arms. It was a scene that had played repeatedly in his mind for three years and had caused him much grief.

A new short film about the Baghdad incident will be showing this month at the Tribeca Film Festival in New York. In it, McCord goes into more detail about the events of that day and shows a number of photos he took of his fellow soldiers before and after the controversial attack. You can see a clip from the film “Incident in New Baghdad” above.

Google Chrome to warn of malicious Windows executables

Google says it's expanding its blacklist of malicious websites to include those that use deceptive claims to push harmful Windows programs.

The addition to Google's Safe Browsing API will warn people when they are about to visit websites that offer Windows-based trojans that are disguised as screen savers or other innocuous applications. The search behemoth introduced the service five years ago to alert users when they try to browse sites that perform drive-by downloads that exploit security vulnerabilities in the operating system or browsing software.

The underlying programming interface is already being used by browsers including Google Chrome, Mozilla Firefox, and Apple Safari. It's also available to any webmaster who wants to use the wealth of information available from Google to prevent malicious links from being posted to their sites.

"Safe Browsing has done a lot of good for the web, yet the internet remains rife with deceptive and harmful content," Moheeb Abu Rajab, a member of Google's security team, blogged on Tuesday. "It's easy to find sites hosting free downloads that promise one thing but actually behave quite differently."

Keyloggers, botnet software and adware are just three examples.

The new feature will initially be available only for Chrome users who subscribe to the browser's development release channel. The company plans to integrate it into the next stable release of Chrome. There is no mention of it being made available to browser providers outside of Google.

The warning will be displayed whenever users encounter a download from a URL that matches the latest list of malicious websites published by the Google API.

Money mule scam offers CAPTCHA-protected malware

Fraudsters are seeking to hoodwink small business owners into signing up as money mules.

The splendidly named Megatech Service Ltd is seeking "Tier 2" payment processing agents from the ranks of small business owners, their partners, or anyone who otherwise has access to a small business banking account. Would-be marks are promised they will be handling larger transactions, and therefore have much higher weekly earnings, than run-of-the-mill mule processing agents.

Earning an extra $1,500 or more per month might seem like a useful source of secondary income to hard-pressed businesses. Unfortunately the work on offer would be illegal, namely funneling money from compromised bank accounts in the US to fraudsters overseas, probably somewhere in Eastern Europe.

And, as net security firm Blue Coat notes, those who respond to the ad expose themselves to both fraud and malware.

Would-be applicants are asked to complete an online psychometric test, which actually offers Windows-based malware. Before marks can get their hands on this malicious software, they are confronted with what would appear to be a CAPTCHA. However, the challenge is not a genuine Turing test, because the download is then initiated irrespective of whether the surfer correctly responds to the supposed test or types in any old garbage, Blue Coat reports. The security company adds that in reality the supposed CAPTCHA is purely there to add a veneer of legitimacy to the scam site.

Even if you don't encounter malware (Mac users are taken via a different sign-up route and not targeted for infection), having anything to do with Megatech Service Ltd, especially if this involves handing over business bank account details, is a very bad idea, Blue Coat warns.

"Needless to say, giving an external entity like this access to your business/corporate bank account is a very unwise thing to do," the security company warns, "especially since business bank accounts typically do not have the same fraud protections associated with traditional consumer accounts."

Fired Gucci BOFH accused of tearing up network

Tuesday, April 5, 2011

A fired network engineer has been charged with mounting a revenge hack attack against the American branch of Gucci.

Sam Chihlung Yin, 34, of Jersey City, New Jersey, allegedly wrought havoc on the network of the US branch of the Italian luxury goods retailer around six months after he was dismissed by Gucci in May 2010. The November 2010 assault shut down servers and deleted data, causing damage and lost productivity costs estimated at $200,000 in the process.

Gucci lost access to documents and email for nearly 24 hours, while other documents and emails were permanently lost. The attack relied on the use of a fictitious VPN access account allegedly established by Yin while still on Gucci's payroll. Yin tricked his former colleagues into activating a token associated with this account in June 2010, a month after his contract of employment was terminated by Gucci for unrelated reasons in May 2010.

The fashion house called in investigators after the November assault, who tracked the attack back to Yin. On Monday, the alleged hacker was indicted on a 50-count rap that includes computer hacking, identity theft and falsifying business records charges. The most serious charge, computer tampering in the first degree, is punishable on conviction by up to 15 years behind bars.

The case is being prosecuted by the New York County District Attorney's office, which put out a statement on the case here.

Regardless of the outcome of the case, the incident serves to illustrate the importance of managing user accounts, particularly in cases where a worker leaves the employment of a firm. More commentary on this aspect of the case can be found in a blog post by Sophos here.

SpyEye mobile banking Trojan uses same tactics as ZeuS

Cybercrooks have deployed a sophisticated man-in-the-mobile attack using the SpyEye banking Trojan toolkit.

The Trojan, which infects Windows machines, displays additional content on a targeted European bank's webpage that requests prospective marks to input their mobile phone number and the IMEI of the device. The bank customer is informed the information is needed so that a new "digital certificate" can be sent to the phone.

The so-called certificate contains the malicious executable (sms.exe) that infects Symbian-based smartphones along with another executable (SmsControl.exe) that displays a message designed to hoodwink users into believing that the only thing delivered was a digital certificate. Net security firm F-Secure detects this malware as Spitmo-A.

The European bank targeted in the attack uses SMS-based mTANs to authorise transfers. Details of how the SMS-based mTANs are delivered to the attacker are still under investigation, but preliminary research suggests that they are delivered via HTTP, and not via SMS as with an otherwise similar earlier attack that used the infamous ZeuS cybercrime toolkit.

The earlier ZeuS-based attack also used a file called SmsControl.exe as part of its payload. Presenting a Trojan as a digital certificate, one of the tricks up the sleeve of the SpyEye-based attack, also appeared in the earlier ZeuSMitmo attack. Despite these similarities, and the rumoured merger between ZeuS and SpyEye (the two biggest toolkits for banking Trojan creation), the two strains of malware are otherwise dissimilar, F-Secure reports.

More information on the SpyEye-based mobile banking Trojan attack can be found in a blog post by F-Secure here.

EMC buys NetWitness after its impressive hack smackdown

EMC has announced its acquisition of network security monitoring and analysis platform outfit NetWitness. Financial terms of the deal, announced Monday, were undisclosed.

NetWitness helped EMC's RSA division in the aftermath of the latter's high profile hack last month. Post acquisition, NetWitness will become a core component of RSA's advanced security management products and services group.

Upcoming tech from NetWitness includes Spectrum, a product designed to replicate the knowledge, process and workflow of malware analysts. The technology is designed to foil strains of so-called zero-day malware, strains of Trojan malware not yet detected by anti-virus software.

Anonymous hacks Sony PS3 sites

Several Sony PlayStation sites are unavailable this morning thanks to what looks like a distributed denial of service attack launched by Anonymous.

The hacktivists have left the Scientologists alone in order to harass the console-makers because of Sony's action against two lads for jailbreaking PS3s.

In a strangely self-important and sanctimonious message, the hackers said:

"Congratulations, Sony.

You have now received the undivided attention of Anonymous. Your recent legal action against our fellow hackers, GeoHot and Graf_Chokolo, has not alarmed us, it has been deemed wholly unforgivable....

Now you will experience the wrath of Anonymous.

You saw a hornets' nest, and stuck your penises in it.

You must face the consequences of your actions.

Anonymous style."

No comment from Sony so far this morning, we will update this story should we hear back from them.

The UK PlayStation 3 site is down, so is the European PlayStation store. But the main US and UK Sony sites are still available.

There's more from AnonNews here.

Anonymous is better known for its attacks against Scientology and in support of Julian Assange.

Virally spreading scam spreads over Twitter

Twitter has been struck by a virally spreading worm that attempts to make money by scamming users into filling out surveys and viewing advertisements.

The rogue Twitter app is known as Profile Spy and gets installed by people who are tricked into believing it can tell them who has been viewing their online microposts. "Wow! See who viewed your twitter with Profile Spy," the come-on reads.

Those who click on the link are asked to allow the app to access and update their account data. Once they do so, they are presented with an unending series of popups for online surveys and ads promoting car insurance, long distance services and games, according to Errata Security CEO Rob Graham, who blogged about the worm on Monday.

Suckers will also find two new posts added to their tweet stream: one that claims to say how many people have viewed the user's profile over the past day and the aforementioned tweet attempting to trick others into installing the rogue app.

Based on Twitter searches, the scam has generated plenty of posts, though at time of writing, most Tweets appeared to be warning others not to fall for the scam. Similar scams have been hitting Facebook for weeks now.

Those who fall for the scam are advised to revoke Profile Spy's access to their account data. To do so, go to Profile > Edit your profile > Connections and click the button that says Revoke Access.

Pandora subpoenaed over privacy of iPhone, Android apps

A federal grand jury has subpoenaed online radio service Pandora for documents related to the privacy of smartphone apps it offers for Apple's iPhone and Google's Android operating system.

The document demand, which was made earlier this year, was part of a larger set of subpoenas issued on an industry-wide basis to publishers of smartphone apps, Pandora said in a filing issued Monday with the Securities and Exchange Commission. The California-based company doesn't believe it's the target of the investigation, the filing said.

The revelation came as The New York Times reported that federal prosecutors in New Jersey are investigating whether smartphone apps have been illegally collecting information about handset users without proper disclosures. The probe, according to an unnamed person familiar with the matter, is examining whether app makers provided adequate legal notice before tracking information such as the user's geographic whereabouts and the unique identifier of their phone.

The investigation is the latest sign of unease about the wealth of personal details being swept up by online services eager to deliver advertisements targeted to specific users. In early December, the Federal Trade Commission recommended consumers be given a do not track option that prevents websites and advertisers from compiling data about their web-browsing habits. A few weeks later, Apple was slapped with a lawsuit alleging that it allowed iOS applications to provide advertisers with sensitive user information that's supposed to remain private.

A large number of applications that run on Apple's iOS collect serial numbers that uniquely identify the hardware device, according to a study issued in October that warned that the practice could compromise users' privacy. More recently, tens of thousands of users of smartphones running Android downloaded apps from Google's apps Market that secretly commandeered their handsets.

Both Apple and Google have defended the privacy protections offered by iOS and Android. If reports about the grand jury investigation are correct, the world may soon have a large body of evidence proving or debunking these claims.

Appeals Court Strengthens Warrantless Searches at Border

The authorities may seize laptops, cameras and other digital devices at the U.S. border without a warrant, and scour through them for days hundreds of miles away, a federal appeals court ruled.

The 2-1 decision (.pdf) Wednesday by the 9th U.S. Circuit Court of Appeals comes as the government is increasingly invoking its broad, warrantless search-and-seizure powers at the U.S. border to probe the digital lives of travelers.

Under the “border search exception” of United States law, international travelers, including U.S. citizens, can be searched without a warrant as they enter the country. Under the Obama administration, law enforcement agents have aggressively used this power to search travelers’ laptops, sometimes copying the hard drive before returning the computer to its owner.

Courts have ruled that such laptop searches can take place even in the absence of any reasonable suspicion of wrongdoing, and more than 6,500 persons have had their electronic devices searched in this manner since October 2008.

The issue has gained renewed attention in recent months as American computer geeks connected to WikiLeaks, or who know people connected with WikiLeaks, have found themselves repeatedly singled out for the searches.

At issue in the case decided Wednesday was the prosecution of a California man on child pornography charges. In 2007, ICE agents seized three laptops and a camera from convicted child molester Howard Cotterman, and transported them 170 miles away for a two-day search that uncovered hundreds of child porn images.

A lower court judge threw out the evidence, finding that the border exception did not apply when the search went beyond the border area.

The government appealed. Cotterman’s lawyers argued that law enforcement should only be allowed to search digital devices at points of entry where they have the necessary equipment and personnel on hand.

“We find this position simply untenable,” 9th Circuit Judge Richard Tallman wrote for the majority, reinstating the evidence. Limiting searches “would only reward those individuals who, either because of the nature of their contraband or the sophistication of their criminal enterprise, hide their contraband more cleverly or would be inclined to seek entry at more vulnerable points less equipped to discover them.”

The court also affirmed that “particularized suspicion” was not required for a border search.

In dissent, Judge Betty Fletcher wrote that the government should have had a better reason to search Cotterman than his having been convicted in 1992 of child molestation.

“I add my voice to the chorus lamenting the apparent demise of the Fourth Amendment,” Fletcher wrote.

Photo: BenKulbertis/Flickr

See Also:

  • Another Hacker’s Laptop, Cellphones Searched at Border
  • New Border Search Policy Far Broader, New Documents Reveal
  • ACLU Sues Over Laptop Border Searches
  • Border Agents Can Search Laptops Without Cause, Appeals Court Says
  • Border Laptop Searches? No Reason Needed
  • Friend of Accused WikiLeaks Source Detained at Border
  • ACLU Assails 100-Mile Border Zone as ‘Constitution-Free

Attack hijacks sensitive data using newer Windows features

Security researchers have outlined a way to hijack huge amounts of confidential network traffic by exploiting default behavior in Microsoft's Windows operating system.

The MITM, or man-in-the-middle, attacks described on Monday take advantage of features added to recent versions of Windows that make it easy for computers to connect to networks using the next generation IPv6 protocol. The attack will also work against Apple's OS X for Macs, although the proof-of-concept has not been tested on that platform, said Jack Koziol, a program manager at InfoSec Institute, an information security services company.

The attack exploits an industry standard known as SLAAC, or Stateless Address Autoconfiguration, for allowing clients and hosts to find each other on IPv6 networks. When the next-generation addressing scheme is turned on, as it is by default in OS X, Windows Vista, Windows 7 and Server 2008, SLAAC can be used to create an unauthorized IPv6 network that reroutes data through hardware controlled by the attackers.

"All these Windows boxes will default connect to the evil router instead of the legitimate router when this parasitic overlay is running," Koziol told The Register. "If Microsoft didn't have that configuration by default, it would negate a lot of the effects of the attack."

The proof of concept outlined by Infosec Institute researcher Alec Waters requires no interaction at all from end users and provides no warning that their machines are connecting to an unauthorized IPv6 network.

The technique works because the vulnerable operating systems automatically prefer to use the newer protocol over the older one. Implanting a rogue piece of hardware that uses IPv6 in an IPv4-based network will cause the computers to automatically route traffic over the unauthorized device and bypass the legitimate channels. In other words, the attack works by altering the flow of traffic over the targeted network by exploiting the OS's preference to use the newer protocol over the older one.

By default, Linux, FreeBSD and other operating systems aren't vulnerable, Koziol said.

The technique has long been considered a theoretical means of hijacking network traffic, in the same vein as poisoning data associated with the so-called Address Resolution Protocol. But while there are plenty of tools for detecting and preventing ARP attacks, there are virtually none for countering the effects of SLAAC attacks, Koziol said. What's more, with the growing adoption of newer versions of Windows and OS X, the attacks will work by default on an increasing number of machines.

Of course, attackers will still need to figure out a way to sneak a rogue piece of hardware into a network. But in environments that are already vulnerable to insider threats, the support of Microsoft and Apple could make the attack feasible where it wasn't before.

Bruce Cowper, group manager in Microsoft's Trustworthy Computing group, issued the following statement:

"Microsoft is aware of discussions in the security community concerning the possibility of using IPv6 network protocols to undertake a 'man in the middle' attack on a target network. The attack method described would require that a would-be attacker have physical access to the targeted network in order to install a tainted router - a situation that does not provide a security boundary."

The only way to prevent the attack for now is to disable IPv6 on all machines that don't use the protocol.
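A defender-side check for the rogue-router pattern described above, written as an added example (not code from the article, InfoSec Institute or Microsoft): it parses ICMPv6 Router Advertisements following the RFC 4861 layout and flags any RA whose source router or advertised prefix is not on an allowlist, or any RA at all on a segment where IPv6 is not deployed, which is the IPv4-only scenario the article describes. The router addresses, MACs and 2001:db8:: prefixes are constructed sample values.

```python
"""Rogue IPv6 Router Advertisement detector (constructed example, see lead-in)."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

ND_ROUTER_ADVERT = 134          # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_SOURCE_LLADDR = 1           # ND option: Source Link-layer Address
OPT_PREFIX_INFO = 3             # ND option: Prefix Information
PREFIX_FLAG_AUTONOMOUS = 0x40   # "A" bit: hosts may SLAAC an address from the prefix

@dataclass
class RouterAdvert:
    src_ip: str                     # IPv6 source of the RA, normally link-local
    router_lifetime: int            # seconds the sender asks to be a default router
    src_mac: Optional[str] = None
    prefixes: List[Tuple[str, bool]] = field(default_factory=list)  # (prefix/len, A flag)

def parse_ra(src_ip: str, payload: bytes) -> RouterAdvert:
    """Parse the ICMPv6 payload of a Router Advertisement; raise ValueError if malformed."""
    if len(payload) < 16:
        raise ValueError("RA header truncated")
    (icmp_type, _code, _csum, _hop_limit, _flags,
     lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ND_ROUTER_ADVERT:
        raise ValueError(f"not a Router Advertisement (ICMPv6 type {icmp_type})")
    ra = RouterAdvert(src_ip=src_ip, router_lifetime=lifetime)
    offset = 16
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard the packet
        size = opt_len * 8                              # option length is in 8-octet units
        if offset + size > len(payload):
            raise ValueError("ND option runs past end of packet")
        body = payload[offset + 2:offset + size]
        if opt_type == OPT_SOURCE_LLADDR and size == 8:
            ra.src_mac = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and size == 32:
            plen, pflags = body[0], body[1]
            # body[2:14] holds valid/preferred lifetimes and a reserved word; prefix follows
            prefix = ipaddress.IPv6Address(body[14:30])
            ra.prefixes.append((f"{prefix}/{plen}", bool(pflags & PREFIX_FLAG_AUTONOMOUS)))
        offset += size
    return ra

@dataclass
class RaPolicy:
    ipv6_deployed: bool          # is IPv6 supposed to be in use on this segment at all?
    trusted_routers: set         # link-local addresses of the legitimate routers
    trusted_prefixes: set        # prefixes those routers are expected to announce

def assess_ra(ra: RouterAdvert, policy: RaPolicy) -> List[str]:
    """Return findings for one RA; an empty list means it matches policy."""
    # RA source addresses are forgeable, so this is detection, not prevention; the durable
    # controls are RA Guard (RFC 6105) on the switch or disabling IPv6 on hosts that don't use it.
    findings = []
    if not policy.ipv6_deployed:
        # The article's scenario: an IPv4-only network, where any RA means a rogue router.
        findings.append(f"RA on an IPv4-only segment from {ra.src_ip}: rogue IPv6 router")
    elif ra.src_ip not in policy.trusted_routers:
        findings.append(f"RA from unknown router {ra.src_ip} (mac {ra.src_mac})")
    for prefix, autonomous in ra.prefixes:
        if prefix not in policy.trusted_prefixes:
            how = "with SLAAC autoconfig enabled" if autonomous else "without autoconfig"
            findings.append(f"unexpected prefix {prefix} advertised {how}")
    return findings

def scan(observations: Iterable[Tuple[str, bytes]], policy: RaPolicy) -> dict:
    """Map each offending source address to its findings; clean RAs are omitted."""
    report = {}
    for src_ip, payload in observations:
        findings = assess_ra(parse_ra(src_ip, payload), policy)
        if findings:
            report[src_ip] = findings
    return report

def build_ra(src_mac: bytes, prefix: str, plen: int = 64,
             router_lifetime: int = 1800, autonomous: bool = True) -> bytes:
    """Construct a minimal RA payload (checksum left 0) for offline testing only."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    lladdr = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + src_mac
    pflags = 0x80 | (PREFIX_FLAG_AUTONOMOUS if autonomous else 0)   # L (on-link) always set
    pinfo = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags, 2592000, 604800, 0)
    return header + lladdr + pinfo + ipaddress.IPv6Address(prefix).packed

# Constructed samples in the 2001:db8::/32 documentation range: the site's real router
# (fe80::1) and a rogue router that advertises its own SLAAC prefix.
LEGIT_RA = build_ra(bytes.fromhex("001122334455"), "2001:db8:1::")
ROGUE_RA = build_ra(bytes.fromhex("deadbeef0001"), "2001:db8:bad::")
DUAL_STACK_POLICY = RaPolicy(True, {"fe80::1"}, {"2001:db8:1::/64"})
IPV4_ONLY_POLICY = RaPolicy(False, set(), set())

if __name__ == "__main__":
    seen = [("fe80::1", LEGIT_RA), ("fe80::dead:beef", ROGUE_RA)]
    for src, findings in scan(seen, DUAL_STACK_POLICY).items():
        print(src, "->", "; ".join(findings))
```

In practice the `(src_ip, payload)` pairs would come from a packet capture on the segment; the sample pairs here stand in for that feed.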

Army: Manning Snuck Data-Mining Software Onto Secret Network

Accused WikiLeaks source Pfc. Bradley Manning installed and used unauthorized “data-mining software” on his SIPRnet workstation during the time he allegedly siphoned hundreds of thousands of documents off that classified network, the Army said Friday in response to inquiries from Threat Level.

Manning’s use of unauthorized software was the basis of two allegations filed against him this year in his pending court martial, but the charge sheet listing those allegations was silent on the nature of that software.

On Friday, an Army spokeswoman clarified the charges. “The allegations … refer to data-mining software,” spokeswoman Shaunteh Kelly wrote in an e-mail. “Identifying at this point the specific software program used may potentially compromise the ongoing criminal investigation.”

She added that the two allegations relate to “the same data-mining software used on two different dates.”

Manning’s attorney, David Coombs, did not respond to telephone and e-mail inquiries.

Manning allegedly installed the software twice on Army computers connected to SIPRnet, the Secret Internet Protocol Router Network that’s been identified as the original source of WikiLeaks’ large-scale U.S. releases. Those releases included 250,000 State Department diplomatic cables and 500,000 classified field reports from the wars in Iraq and Afghanistan.

Manning allegedly installed the code the first time between Feb. 11, 2010 and April 3, 2010. The second time was around May 4, the day he was demoted from Specialist to Private First Class and given a new job assignment following an altercation with another soldier.

If Manning installed data-mining software on his SIPRnet workstation, that could potentially strengthen the government’s case against the alleged leaker. Two of the 22 allegations against Manning are for allegedly violating the Computer Fraud and Abuse Act - the federal anti-hacking statute.

Manning exceeded his authorized access to SIPRnet, the charge sheet says, when he obtained and leaked classified U.S. State Department cables to an unauthorized third party. According to a former federal prosecutor, the data-mining software could aggravate the unauthorized access crime by showing premeditation to obtain the documents.

“Generally, people who engage in unauthorized access — many of them anyway — are thrill seekers who do it without any specific plan in mind,” said Scott Christie, a former federal prosecutor who specialized in computer crime and is now a partner at the private firm McCarter & English.

“But to upload a data-mining suite of software suggests you have a plan in mind, you’re sophisticated enough to use the software and to configure it to find what you want, and that you have given this plan a great deal of attention.”

Christie said that prosecutors wouldn’t have to show definitive evidence that the software was used to obtain or sort the purloined documents; just the fact that it was installed on Manning’s computer during the time the documents were taken would allow prosecutors to draw reasonable inferences that it was used to commit the crime.

The charges also suggest that the United States has recovered evidence from Manning’s machines, despite Manning’s apparent confidence that no investigator would be able to uncover forensic evidence against him.

Manning was arrested in May 2010 after telling former hacker Adrian Lamo in online chats that he had leaked two Army videos to WikiLeaks, as well as 260,000 U.S. State Department cables and hundreds of thousands of documents on the Iraq war. Lamo provided the chat logs to U.S. investigators.

Manning never mentioned installing software on SIPRnet. But he did say that his classified computer hard drives had been “zerofilled” — securely wiped — as part of the Army’s withdrawal from Iraq. “[E]vidence was destroyed,” he wrote, “by the system itself.”

It’s still unclear exactly what the software was — “data-mining” is a fairly broad term, and the Army declined to be more specific. But data-mining programs generally sort and index files on a computer or network, allowing users to do keyword searches across all file formats — Word documents, PDFs, Excel spreadsheets, media files, etc.

Such a program on a SIPRnet machine might have been useful to Manning as an alternative search tool rather than “the official one that might be monitored,” said computer security expert Chris Wysopal, CTO at VeraCode.

Wysopal added that the tools are designed to make sophisticated queries and that in order to customize the program, if needed, someone would have to possess a certain level of skill.

“You’d have to understand the query language they use to build up different rules,” he said. “I don’t think it would be that difficult, but you probably need to have somewhat of a programming mindset. I don’t know if Manning would have that, or if he would need someone to help him do that.”

Manning is currently being held at the U.S. Marine Corps brig in Quantico, Virginia. Last July he was charged with two crimes consisting of 12 counts. In March, the Army dismissed these charges and filed a new charge sheet. Manning now faces three charges consisting of 22 counts, including a capital offense. The Army, however, has said it would not seek the death penalty.

See also:

  • Bradley Manning Charged With 22 New Counts, Including Capital Offense
  • Army Intelligence Analyst Charged With Leaking Classified Information
  • Army Was Warned Not to Deploy Manning to Iraq
  • WikiLeaks Suspects YouTube Videos Raised Red Flag in 2008
  • Suspected Wikileaks Source Described Crisis of Conscience Leading to Leaks
  • U.S. Intelligence Analyst Arrested in Wikileaks Video Probe

Studio Suing BitTorrent Pirates Does Not Own the Movie, Records Show

A film company suing 5,865 BitTorrent downloaders over the flick Nude Nuns with Big Guns doesn’t own the rights to the movie, according to court documents and interviews.

Incentive Capital of Utah took ownership last month of the B-rated flick about a sister who is “one Bad Mother.” Yet two weeks after Incentive Capital foreclosed and assumed Camelot Distribution Group’s titles because of an allegedly soured loan, Camelot filed a mass copyright lawsuit (.pdf) on behalf of Nude Nuns claiming it owned the rights.

In a Thursday story, Wired.com featured Camelot Distribution Group’s legal tactics as part of a nationwide practice by small-time movie houses trying to extract legal settlements — in the $3,000 range — from as many as 130,000 alleged BitTorrent downloaders across the country. The story questioned Camelot’s and others’ legal methods, but assumed Camelot owned the film.

“They don’t presently own that film,” Joseph Pia, Incentive Capital’s attorney, said Friday in a telephone interview from his Utah office. “We are the legal title owners.”

He said Incentive Capital is sending a cease-and-desist letter to Camelot demanding that it drop the copyright lawsuit.

“They’re holding themselves out as the owner of a title they don’t own,” Pia said. Incentive is also suing Camelot for $2 million on contract breach allegations (.pdf).

For its part, Camelot claims the ownership switch was a “usurpation of its assets,” (.pdf) according to court documents.

The flap concerns a $650,000 loan Incentive provided to Camelot last year, which was used by Camelot to acquire the rights to what court documents sometimes called the “Liberation Assets” or “Distribution Assets.” Those assets include the Nude Nuns movie and a dozen other titles you’ve never heard of.

Incentive claims Camelot defaulted on the loan.

So on Feb. 21, Incentive took title to the movies (.pdf) after purchasing them for $200,000 at a public auction (.pdf) held by Incentive in Utah. Incentive claims it had the right to auction them off because they were the collateral for the loan it claims was in default.

“Incentive has no right to the collateral,” Camelot countered in its own lawsuit against Incentive. Camelot also said Incentive declared a loan default “to obtain control of the Liberation Assets.”

Two weeks after Incentive took title to Nude Nuns, Camelot lodged a federal copyright lawsuit in Los Angeles on behalf of Nude Nuns, and telling the court it was the rightful owner. Camelot is based in Irvine, California.

In that copyright lawsuit, Camelot demanded a federal judge order ISPs from around the country to provide Camelot with the names of the 5,865 account holders whose IP addresses did the downloading.

A hearing on that issue is scheduled for April 13. It is likely to be delayed or abandoned pending the outcome of the Incentive-Camelot brouhaha.

A Camelot attorney, Scott Hervey, said in a Wednesday telephone interview that the goal of the copyright lawsuit was to “lessen the severe economic impact that illegal downloading is having on my clients.”

Hervey did not respond for comment Friday after The Hollywood Reporter disclosed Incentive’s lawsuit against Camelot.

See Also:

  • Viacom Says YouTube Ruling Will ‘Completely Destroy’ Copyright …
  • EFF Demands Copyright Troll Pay for Suing Democratic Underground
  • Newspaper Chain’s New Business Plan: Copyright Suits
  • Copyright Czar Backs IP Enforcement, ‘Fair Use’
  • Porn Site Says Revealing Takedown Notices Infringes Copyright
  • Prosecutors Dismiss Xbox-Modding Case Mid-Trial
  • LimeWire Begs Music Industry for Second Chance
  • ACTA Backs Away From 3 Strikes

Former Teen Stock Swindler Sentenced to Three Years on New Hack

A former teenage hacker who once served time for an online stock-trading scheme was sentenced in New York this week to three years in prison on new charges of cracking a New York-based currency exchange service and gifting himself more than $100,000.

Van T. Dinh leaves a federal courthouse in Philadelphia in 2003, when, as a 19-year-old Drexel University student, he was charged with a hacking scheme the SEC called unusually complex. Photo: Mark Stehle/AP

Van T. Dinh, now 27, was also ordered to pay $125,000 in restitution for the scam, and to serve three years of federal supervised release.

Dinh, who lives in Pennsylvania, gained notoriety in 2003, when, as a 19-year-old stock trader, he found a novel way to unload a bad investment in thousands of worthless stock derivatives: He hacked into another trader’s account, and bought the options from his own account.

The gambit made Dinh the first person charged by the Securities and Exchange Commission with a fraud involving both computer hacking and identity theft. In 2004 he was sentenced to 13 months in prison.

After his release, his probation officer concluded that Dinh “was not seriously applying himself” to secure employment. Then, in December 2008, according to an FBI affidavit (.pdf), Dinh set up a legitimate account with an online currency exchange service based in New York. Two weeks later, he logged in using an administrative password and added $55,000 to his account. The bureau says he added another $55,000 two days after that.

At the same time, Dinh used his access to make currency trades on two other customer accounts, and then gave one of them $140,326.75, according to an affidavit by FBI agent Frank Manzi.

The FBI traced the hacking to an IP address assigned to the home Dinh shares with his mother in Phoenixville, Pennsylvania, near Philadelphia. Dinh was arrested and held without bail at the Metropolitan Correctional Center in New York as a “danger to the community by hacking activities,” among other reasons. He later pleaded guilty to computer fraud and identity theft.

The hacker’s early legal trouble also involved online trading accounts.

In 2003, Dinh found himself the unhappy owner of $90,000 of Cisco “put” options that were on the verge of expiring without a payoff. Instead of absorbing the losses, the young trader used a Trojan horse program disguised as a stock charting tool to take control of an innocent victim’s online stock account. He then had the victim’s account purchase $37,000 worth of his options, shaving his losses.

At his sentencing hearing on that earlier case, prosecutors read from an electronic diary found on Dinh’s computer.

“I am so proud of myself for my ‘hacking business’ I will never regret what I did,” Dinh wrote. “I am the best of the best trickster. I laugh often when Mom says she worries … Even if I go to jail, big deal: I will learn something there. Hahaha.”


Condé Nast Got Hooked in $8 Million Spear-Phishing Scam

A spear phisher managed to reel in a prize catch last year with a single hook when media giant Condé Nast took the bait and wired $8 million to his bank account after he posed as a legitimate business, according to a news account.

The alleged swindler failed to withdraw any funds before federal authorities intervened and froze the money, but the case highlights how little effort a scammer needs to invest in order to get a big payday.

A Condé Nast representative said the company could not comment on a pending investigation. Condé Nast publishes Wired magazine and Wired.com, as well as Vogue, The New Yorker, GQ and Glamour.

Information about the scam appeared in a forfeiture lawsuit filed March 30 in Manhattan by the U.S. Attorney’s office for the Southern District of New York in an attempt to retrieve the money for Condé Nast. It was first reported by Forbes.

The filing seeks the funds for forfeiture on grounds that they are allegedly proceeds from wire fraud and money laundering crimes.

According to the court document (.pdf), last November Condé Nast’s accounts payable department received an e-mail that purported to come from Quad/Graphics, the company that prints Condé Nast magazines.

The e-mail instructed Condé Nast to send payments for its Quad/Graphics account to a bank account number provided in the e-mail, and included an electronic payments authorization form. The e-mail indicated the account was for Quad Graph, a name similar to the real printer’s name.

Someone at Condé Nast apparently signed the form and sent it back to a fax number listed in the email, then began making electronic transfer payments to the bank account specified by the scammer.

Between November 17 and December 30, the company wired $8 million to the Quad Graph account before a query around December 30 from the real printer, Quad/Graphics, asking about outstanding bills, prompted Condé Nast to investigate the matter. The company was apparently able to reverse at least one transfer of about $36,000 back to its JPMorgan Chase account, though the court document doesn’t indicate when that occurred.

According to the court filing, a man named Andy Surface allegedly opened the scam bank account last September at a branch of BBVA Compass Bank in Alvin, Texas. Surface had allegedly incorporated his business name with the county clerk’s office before opening the bank account, identifying his home address in Alvin as the location of the business.

During December, about $84,000 of the $8 million was transferred from the Quad Graph account into another account bearing Surface’s own name, but no money was withdrawn from either account before federal authorities got wind of the operation. They obtained a federal seizure warrant on January 10 to freeze the funds until they could file the forfeiture lawsuit to retrieve them.

Surface has yet to be charged with any crime related to the scam, but Forbes dug up a previous charge against someone with the same name and address who pleaded no contest in December to “terroristic threat of family/household.”

The U.S. Attorney’s office did not return a call for comment.

Photo: The Condé Nast Building in Times Square, New York, Jan. 12, 2007. Bebeto Matthews/AP


RSA explains how attackers breached its systems

RSA has provided more information on the high-profile attack against systems behind the EMC division's flagship SecurID two factor authentication product.

The security firm, criticised for refusing to discuss the hack beyond warning that the security of SecurID might be reduced, broke its silence to provide a fair amount of detail on how it was attacked. What it didn't say is what was taken, a topic that remains the subject of both concern and speculation.

The attack itself involved a targeted phishing campaign that used a Flash object embedded in an Excel file. The assault, probably selected after reconnaissance work on social networking sites, was ultimately aimed at planting back-door malware on machines on RSA's network, according to a blog post by Uri Rivner, head of new technologies, identity protection and verification at RSA.

The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn't consider these users particularly high profile or high value targets. The email subject line read "2011 Recruitment Plan".

The email was crafted well enough to trick one of the employees into retrieving it from their Junk mail folder and opening the attached Excel file. It was a spreadsheet titled "2011 Recruitment plan.xls".

The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.

Rivner compared the hack to stealth bombers getting past RSA's perimeter defences. He said many other high profile targets, such as Google via the Operation Aurora attacks, had been hit by such "Advanced Persistent Threats" (an industry buzzword that often boils down to a combination of targeted phishing and malware).

In the case of the RSA attack, the assault involved a variant of the Poison Ivy Trojan. Once inside the network, the attacker carried out privilege elevation attacks to gain access to higher value administrator accounts. Such stepping-stone attacks allow hackers to jump from compromised access to a low-interest account onto accounts with far more privileges before carrying out the end purpose of a multi-stage assault, normally the extraction of commercially or financially sensitive information. Even though RSA detected the attack in progress, the hackers still managed to make off with sensitive data, as Rivner explains.

The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction.

The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.
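The staging-then-FTP pattern Rivner describes is also a detection opportunity. The following added Python example (not RSA's or Rivner's code) runs two checks over constructed connection-log lines in an assumed format: an internal host collecting files from many distinct internal peers, and outbound transfers of archive files from an internal host to an external one; the internal address ranges and thresholds are assumptions.

```python
"""Flag internal staging hosts and outbound archive transfers in
egress/connection logs.  Added example; the log format, addresses
and thresholds are constructed assumptions, not any product's."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not real traffic): time, protocol,
# source, destination, bytes transferred, file name.
SAMPLE_LOG = """\
2011-03-10T01:02:11Z proto=smb src=10.1.7.11 dst=10.1.5.20 bytes=120000000 file=eng/build.tar
2011-03-10T01:05:43Z proto=smb src=10.1.7.12 dst=10.1.5.20 bytes=98000000 file=fin/q4.xlsx
2011-03-10T01:09:02Z proto=smb src=10.1.7.30 dst=10.1.5.20 bytes=45000000 file=hr/plan.docx
2011-03-10T01:20:55Z proto=ftp src=10.1.5.20 dst=203.0.113.8 bytes=52428800 file=part01.rar
2011-03-10T01:23:18Z proto=ftp src=10.1.5.20 dst=203.0.113.8 bytes=52428800 file=part02.rar
2011-03-10T01:26:40Z proto=ftp src=10.1.5.20 dst=203.0.113.8 bytes=31457280 file=part03.rar
2011-03-10T08:12:00Z proto=ftp src=10.1.9.4 dst=198.51.100.77 bytes=2048 file=readme.txt
2011-03-10T08:30:00Z proto=smb src=10.1.7.11 dst=10.1.7.12 bytes=5000 file=notes.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"bytes=(?P<bytes>\d+) file=(?P<file>\S+)$"
)
# Assumed "internal" ranges (RFC 1918).  Listed explicitly rather than
# using ip.is_private, which also covers documentation ranges such as
# 203.0.113.0/24 used for the external hosts in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".tar", ".gz")
MIN_SOURCES_FOR_STAGING = 3          # distinct internal senders into one host
MIN_EXFIL_BYTES = 10 * 1024 * 1024   # ignore tiny outbound transfers


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_staging_hosts(events):
    """Internal hosts that receive files from many distinct internal peers."""
    senders = defaultdict(set)
    for ev in events:
        if is_internal(ev["src"]) and is_internal(ev["dst"]):
            senders[ev["dst"]].add(ev["src"])
    return {h for h, s in senders.items() if len(s) >= MIN_SOURCES_FOR_STAGING}


def find_exfil(events):
    """Outbound archive transfers, summed per (src, dst, proto)."""
    totals = defaultdict(lambda: {"bytes": 0, "files": []})
    for ev in events:
        if not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue
        if not ev["file"].lower().endswith(ARCHIVE_EXT):
            continue
        key = (ev["src"], ev["dst"], ev["proto"])
        totals[key]["bytes"] += ev["bytes"]
        totals[key]["files"].append(ev["file"])
    return {k: v for k, v in totals.items() if v["bytes"] >= MIN_EXFIL_BYTES}


def alerts(log_text):
    """Combine both signals: an exfil source that is also a staging host
    is rated higher than an isolated outbound archive transfer."""
    events = parse(log_text)
    staging = find_staging_hosts(events)
    out = []
    for (src, dst, proto), info in sorted(find_exfil(events).items()):
        out.append({"severity": "high" if src in staging else "medium",
                    "src": src, "dst": dst, "proto": proto,
                    "bytes": info["bytes"], "files": len(info["files"])})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```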

So what data was extracted? We still don't know. The concern is that SecurID seeds have been lifted, along with the mechanism that links an individual token's serial number to its individual seed. It may be, in addition, that RSA's database of serial numbers has been compromised.

It may be that SecurID's two-factor authentication has not been broken in either of these ways, but until RSA explains what was taken and how that impacts customers, users will not unnaturally fear the worst. RSA may well have provided an anatomy of an attack, but it hasn't said what was stolen, akin to a bank saying that robbers got in through the vault and made off with something without saying what was taken.

Email compromised at Epsilon

Permission email marketing outsourcer Epsilon has announced a data breach which may affect millions of individuals.

In a single-paragraph statement, the company said the breach affects a subset of its customer data, but does not disclose the extent of the breach. The unauthorised entry into its email system gained access only to customer names and email addresses, the company's announcement says.

(Aside: while reading the brief announcement on Epsilon's site, The Register was presented with an invalid security certificate warning, shown below.)

As Epsilon claims to deliver more than 40 billion emails each year, a subset of its clients' databases could be very large indeed.

Over the weekend, affected Epsilon customers named by various sources (such as MSNBC) included US supermarket chain Kroger, JP Morgan, Capital One, TiVo, Walgreens, Marriott Rewards and Citibank.

According to the MSNBC report, at least one of the Epsilon customers whose data was breached, Marriott Rewards, warned of more than just customer name and email being exposed. It advised customers that the information accessed included member point balances.

Most of the companies breached have warned customers to be on the alert for phishing attempts.

Other reports can be found in Security Week, the Wall Street Journal, and Bloomberg.

Photoshopped image scam used in rogue Facebook app trap

Facebook users were put under fire on Monday by a brace of new threats, one of which spreads through a link disseminated through the Facebook Chat application.

An estimated 600,000 people have already clicked on the link, which falsely promises to show them a funny Photoshopped image of themselves. In reality users install a rogue application which sends messages to their contacts via the social network's IM feature, thus continuing the infection cycle.

Users are taken to a fixed gallery of 45 photoshopped images (such as the image of someone's features morphed onto a dog's head), none of which feature the person who followed the link. M86 Security reports that the scam, whose purpose is unknown, is spreading quickly, attracting new victims at the rate of around 90,000 clicks per hour.

No malware is getting spread through the ruse, at least at present. Details on the attack, complete with screenshots, can be found in a blog post by M86 here.

Separately, a slew of rogue applications offer the false promise of letting Facebook members know "how many times their profile has been viewed". Some of these apps give a breakdown of male and female profile viewers.

Interested parties are asked to complete a survey, the real purpose of the ruse, before getting access to the "locked away" content, which in reality doesn't exist.

Such survey scams are all too common on Facebook. Previous ruses have falsely offered access to an "unlike" application, for example.

More details on the latest rogue app, and how to avoid this type of shenanigan more generally, can be found in a blog post by Sophos here.

[ NSFW ] Attacker grabs gaming tag of Xbox Live policy director

Microsoft's director of policy and enforcement for Xbox LIVE has had his Xbox account hijacked by a disgruntled gamer using a social engineering attack on his domain name registrar, Network Solutions.

Stephen Toulouse, who goes by the screen name Stepto and owns the domain stepto.com, also lost his email and web hosting accounts.

He tweeted yesterday: "Sigh. please be warned. Network solutions has apparently transferred control of Stepto.com to an attacker and will not let me recover it."

Somebody claiming to be the attacker has uploaded a video to YouTube showing him clicking around Toulouse's Xbox account, while breathlessly describing how he "socialed his hosting company".

The domain and account have since been returned to Toulouse's control.

Toulouse was head of communications for the Microsoft Security Response Center for many years, handling PR during worm outbreaks such as Blaster and Sasser.

Now at Xbox LIVE, Toulouse is, as the attacker put it: "the guy who's supposed to be keeping us safe". He's responsible for enforcing the policies that ban persistent cheats.

Social engineering attacks against domain name registrars exploit human, rather than technological, vulnerabilities. Attackers call up tech support and try to convince them that they are their target.

In this case, hijacking Toulouse's domain name seems to have been a means to control his email account, enabling the attacker to reset Toulouse's Xbox LIVE password and take over his "gamer tag".

The same technique was used to compromise the Chinese portal Baidu.com, that time via Register.com, in late 2009. That resulted in a lawsuit, which was settled for an undisclosed sum last year.

The attacker, calling himself Predator, was apparently annoyed that Toulouse had "console banned" him over 35 times. He said he'd compromised accounts in the past, and offered to do so again for $250.

He seems to have left a fair bit of evidence in his wake. The video shows his instant messaging contact lists and some Facebook information. Commenters have already posted his purported home address.

The video, which shows the immediate aftermath of the attack, can be viewed here. It may not be entirely safe for work, due to some racist language.

Net boffins plot password alternatives

Computer scientists are looking to develop a more secure alternative to passwords for website sign-ons and other functions.

Most users have scores of online accounts and, human nature being human nature, often choose easy-to-remember passwords. Using the same password on multiple sites is also a common problem. Most sites are sensible enough to store passwords as hashes, but if these hashes are exposed via a website vulnerability, rainbow tables readily expose passwords based on dictionary words. That's bad enough on its own, but it gets even worse if a user uses the same password for social networking as he or she does on more sensitive profiles, such as webmail or e-banking accounts.

Security researchers have long known that consumers can't be trusted to maintain multiple secure password sign-ons. The recent HBGary hack, which partly took advantage of shared passwords, underlined that weak password security is also a problem in business.
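To make the two points above concrete (table lookups against unsalted hashes, and reuse carrying a break on one site over to another), here is an added Python example that is not part of the article; the word list, user records and both site stores are constructed, and the PBKDF2 iteration count is lowered for the demo.

```python
"""Added example: unsalted fast hashes fall to a precomputed table, and a
password recovered there opens any other site where it was reused, salt
or no salt.  All data here is constructed for illustration."""
import hashlib
import os

COMMON_WORDS = ["password", "letmein", "sunshine", "dragon", "welcome"]
PBKDF2_ITERATIONS = 50_000   # demo value; production should use more


def sha1_hex(pw):
    return hashlib.sha1(pw.encode()).hexdigest()


def build_lookup_table(words):
    """Stand-in for a rainbow table: hash -> plaintext for a word list.
    A real rainbow table trades storage for recomputation, but against
    unsalted hashes the effect is the same: one lookup per leaked hash."""
    return {sha1_hex(w): w for w in words}


def pbkdf2_hex(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt,
                               PBKDF2_ITERATIONS).hex()


def make_salted_record(pw):
    """Per-user random salt plus a slow hash (the sensible scheme)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": pbkdf2_hex(pw, salt)}


# Constructed "leaked" store of a social site storing unsalted SHA-1.
SOCIAL_SITE = {
    "alice": sha1_hex("sunshine"),
    "bob":   sha1_hex("dragon"),
    "carol": sha1_hex("xK9#vQ2!pL"),   # not a dictionary word
}

# Constructed webmail store: salted PBKDF2.  Alice and Carol reused
# their social-site passwords; Bob did not.
WEBMAIL_SITE = {
    "alice": make_salted_record("sunshine"),
    "bob":   make_salted_record("correct-horse-battery"),
    "carol": make_salted_record("xK9#vQ2!pL"),
}


def crack_unsalted(store, table):
    """Recover every password whose hash appears in the precomputed table."""
    return {user: table[h] for user, h in store.items() if h in table}


def verify_salted(record, candidate):
    return pbkdf2_hex(candidate, record["salt"]) == record["hash"]


def crack_salted(store, words):
    """Per-user dictionary attack on the salted store.  No precomputation
    helps: every salt forces a fresh slow hash per candidate, so the cost
    scales with users x words x iterations.  Returns (found, hash_count)."""
    found, work = {}, 0
    for user, rec in store.items():
        for w in words:
            work += 1
            if verify_salted(rec, w):
                found[user] = w
                break
    return found, work


def reuse_exposed(cracked, salted_store):
    """Users whose password recovered from the weak site also opens the
    strong site: the salt protects the hash, not a reused password."""
    return sorted(u for u, pw in cracked.items()
                  if u in salted_store and verify_salted(salted_store[u], pw))


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    cracked = crack_unsalted(SOCIAL_SITE, table)
    print("recovered from unsalted site:", cracked)
    print("webmail accounts opened by reuse:", reuse_exposed(cracked, WEBMAIL_SITE))
    print("salted dictionary attack:", crack_salted(WEBMAIL_SITE, COMMON_WORDS))
```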

A new paper by computer scientists at the Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany proposes to fix the weak password problem in a way that frustrates brute-force dictionary-based attacks but gets around the reluctance of people to choose secure but hard-to-remember passwords. The novel approach involves splitting the password into two parts, one remembered by a human and the second held by the site itself, as explained in an abstract for the paper (extract below).

The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective.

It's an interesting idea, but whether it is strong enough to withstand some modified brute force attack remains unclear.

Cambridge University computer scientists looking into the same well-worn security problem are advocating an even more radical idea: an end to passwords.

In a position paper, Pico: no more passwords (20-page PDF/433 KB), Frank Stajano of Cambridge University proposes a clean-slate design to "get rid of passwords everywhere, not just online". Instead of using passwords, logins should be secured using a token, a controversial idea in the wake of the highly-publicised RSA SecurID hack last month.

Stajano acknowledges as much, stating that he's mainly interested in getting a debate going. "Maybe your gut reaction to Pico will be 'it'll never work', but I believe we have a duty to come up with something more usable than passwords," he wrote on Cambridge University's Light Blue Touchpaper blog. If nothing else, the paper neatly summarises why users are perfectly entitled to be fed up with passwords.

From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can't abandon them until we come up with an alternative method of user authentication that is both usable and secure.

The paper (20-page PDF/433 KB) was presented at the International Workshop on Security Protocols in Cambridge last week.


Former Teen Stock Swindler Sentenced to Three Years on New Hack

A former teenage hacker who once served time for an online stock-trading scheme was sentenced in New York this week to three years in prison on new charges of cracking a New York-based currency exchange service and gifting himself more than $100,000.

Van T. Dinh leaves a federal courthouse in Philadelphia in 2003, when, as a 19-year-old Drexel University student, he was charged with a hacking scheme the SEC called unusually complex. Photo: Mark Stehle/AP

Van T. Dinh, now 27, was also ordered to pay $125,000 in restitution for the scam, and to serve three years of federal supervised release.

Dinh, who lives in Pennsylvania, gained notoriety in 2003, when, as a 19-year-old stock trader, he found a novel way to unload a bad investment in thousands of worthless stock derivatives: He hacked into another trader’s account, and bought the options from his own account.

The gambit made Dinh the first person charged by the Securities and Exchange Commission with a fraud involving both computer hacking and identity theft. In 2004, he was sentenced to 13 months in prison.

After his release, his probation officer concluded that Dinh “was not seriously applying himself” to secure employment. Then, in December 2008, according to an FBI affidavit (.pdf), Dinh set up a legitimate account with an online currency exchange service based in New York. Two weeks later, he logged in using an administrative password and added $55,000 to his account. The bureau says he added another $55,000 two days after that.

At the same time, Dinh used his access to make currency trades on two other customer accounts, and then gave one of them $140,326.75, according to an affidavit by FBI agent Frank Manzi.

The FBI traced the hacking to an IP address assigned to the home Dinh shares with his mother in Phoenixville, Pennsylvania, near Philadelphia. Dinh was arrested and held without bail at the Metropolitan Correctional Center in New York as a “danger to the community by hacking activities,” among other reasons. He later pleaded guilty to computer fraud and identity theft.

The hacker’s early legal trouble also involved online trading accounts.

In 2003, Dinh found himself the unhappy owner of $90,000 of Cisco “put” options that were on the verge of expiring without a payoff. Instead of absorbing the losses, the young trader used a Trojan horse program disguised as a stock charting tool to take control of an innocent victim’s online stock account. He then had the victim’s account purchase $37,000 worth of his options, shaving his losses.

At his sentencing hearing on that earlier case, prosecutors read from an electronic diary found on Dinh’s computer.

“I am so proud of myself for my ‘hacking business’ I will never regret what I did,” Dinh wrote. “I am the best of the best trickster. I laugh often when Mom says she worries … Even if I go to jail, big deal: I will learn something there. Hahaha.”


DNSSEC finally goes mainstream

DNSSEC, a more secure version of the internet domain name to IP address lookup protocol, was enabled on the .com top-level domain on Thursday.

The move by VeriSign, the operator of .com, marks an important milestone in the adoption of the technology, now accessible to 80 million registered domains.

The internet's root servers at the top of the DNS (Domain Name System) hierarchy added DNSSEC support last July. More than 25 top-level domains, including .gov, .org, .edu and .net, have enabled DNSSEC since then.

DNSSEC, or DNS Security Extensions, adds digital signatures to DNS records so that a resolver can cryptographically verify that the answer to a query is the one published by the domain's operator and has not been altered in transit. The technology is a countermeasure against DNS cache-poisoning attacks, such as those famously highlighted by security researcher Dan Kaminsky back in 2008.

The technology has existed for more than a decade and is seen as an important safeguard against certain types of "man in the middle" and cache-poisoning attacks. Despite its longevity, awareness of the importance of the protocol remains patchy.

For example, half the security experts quizzed in a recent survey by internet security firm IID (Internet Identity) admitted they either knew nothing about DNSSEC or only had limited familiarity with the protocol.
