Friday, 31 May 2013

Evernote latest to debut two-factor authentication



Note-taking service Evernote has become the latest online vendor to offer users two-factor security authentication features.
The company said that its service, which allows users to store notes, reminders and other important pieces of data, would be rolling out the feature as part of a larger security update which will also include the ability to access user history and authorise outside applications.
Under the new system, customers will be able to link their accounts with a mobile device or number. When the user accesses a service which requires an account name and password, a third dialogue will also require the input of a numerical code sent to the device via SMS.
“This will usually only happen when you log into Evernote Web or install it on a new device,” the company explained.
“This combination of something you know (your password) and something you have (your phone) makes two-step verification a significant security improvement over passwords alone.”
Evernote has been under pressure to beef up its security protections since early May, when a breach allowed attackers to lift user credentials and forced the company to require users to reset their account information.
The use of two-factor authentication has long been advocated by security experts who view the method as a means for thwarting social engineering attacks such as phishing operations which can easily gather usernames and passwords.
While it has been shown theoretically possible to intercept the SMS transmissions via malware-borne 'man in the middle' attacks, such operations have been shown to be complex and extremely difficult to carry out on a large scale.

Think you have a strong password? Hackers crack 16-character passwords in less than an HOUR

A team of hackers has managed to crack more than 14,800 supposedly random passwords - from a list of 16,449 - as part of a hacking experiment for a technology website.
The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster.
The hackers also managed to crack 16-character passwords including 'qeadzcwrsfxv1331'.
A team of hackers have managed to crack more than 14,800 cryptographically hashed passwords - from a list of 16,449 - as part of a hacking experiment for tech website Ars Technica. The success rate for each hacker ranged from 62% to 90%, including 16-character passwords with a mix of numbers and letters. The hacker who cracked 90% of hashed passwords did so in less than an hour

The hackers, working for the website Ars Technica, have now published how they cracked the codes and the traditional methods used to create an anatomy of a hack.
Rather than repeatedly entering passwords into a website, the hackers used a list of hashed passwords they managed to get online.
Hashing takes each user's plain text password and runs it through a one-way mathematical function.
This creates a unique string of numbers and letters called the hash.
Hashing makes it difficult for an attacker to move from hash back to password and it lets sites keep a list of hashes, rather than storing them insecurely as plain-text passwords.
This means if a list is stolen, the plain text passwords can't be obtained easily.
However, this experiment shows that it's far from impossible.
When a user types a password into an online form or service, the system hashes the entered word and checks it against the user's stored, pre-hashed password.
When the two hashes match, the user is allowed entry to their account. 
Even a small change to a password, such as mixing lower and upper case letters or adding numbers, produces a completely different hash.
The example Ars Technica uses is: hashing the password 'arstechnica' produced the hash c915e95033e8c69ada58eb784a98b2ed.
Adding capital letters to make 'ArsTechnica' becomes 1d9a3f8172b01328de5acba20563408e after hashing. 
Jeremi Gosney, the founder and CEO of Stricture Consulting Group, managed to crack the first 10,233 hashes, or 62 percent of the leaked list, in 16 minutes.

He used a so-called 'brute-force crack' for all passwords that were one to six characters long.
A brute-force attack is when a computer tries every possible combination of up to six letters and other characters, starting with 'a' and ending with '//////'.
It took Gosney just two minutes and 32 seconds to complete the first round, which found 1,316 plain-text passwords.
Gosney then used brute-force to crack all passwords seven or eight characters long that only contained lower-case letters. This yielded 1,618 passwords.
He repeated this for seven and eight-letter passwords using only upper-case letters to reveal another 708 passwords.
This graph shows how long in days it took the Ars Technica hackers to crack the list of 16,449 hashed passwords based on the method used. It also shows how long it took to crack passwords based on how long they were. Each hacker used a combination of wordlists, brute-force attacks and Markov chains to crack the list. One hacker managed to crack 90% of the list
Using passwords that contained only numbers, from one to 12 digits long, Gosney managed to brute-force 312 passwords in three minutes and 21 seconds.
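As an added illustration of the brute-force stages just described (this is not code from Ars Technica or from the article), the following Python computes the size of each search space and how long exhausting it would take at the 350 billion guesses per second the article later attributes to Gosney's cluster. The wordlist size for the hybrid stage is a constructed placeholder, and the results are raw search sizes, not the timings the article reports, which also depend on the hash algorithm and hardware.

```python
import string

# Guess rate the article attributes to Gosney's 25-computer cluster.
GUESSES_PER_SECOND = 350e9

# Alphabet sizes: the 95 printable ASCII characters, 26 letters of one case, 10 digits,
# and the 42 digits-plus-symbols used for the two-character hybrid suffixes.
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation) + 1  # 95, incl. space
LOWER = len(string.ascii_lowercase)                     # 26
DIGITS = len(string.digits)                             # 10
DIGITS_AND_SYMBOLS = DIGITS + len(string.punctuation)   # 42


def keyspace(alphabet_size, min_len, max_len):
    """Number of candidates over an alphabet for every length from min_len to max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def hybrid_keyspace(wordlist_size, suffix_alphabet_size, suffix_len):
    """Dictionary attack plus a brute-forced suffix: every word times every possible suffix."""
    return wordlist_size * suffix_alphabet_size ** suffix_len


def seconds_to_exhaust(candidates, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / rate


def stage_report(wordlist_size=1_000_000):
    """The article's stages as (label, candidates, seconds), plus two full-keyspace baselines.

    wordlist_size is a constructed placeholder; the article does not give Gosney's list size.
    """
    stages = [
        ("all printable, length 1-6", keyspace(PRINTABLE, 1, 6)),
        ("lower-case only, length 7-8", keyspace(LOWER, 7, 8)),
        ("upper-case only, length 7-8", keyspace(LOWER, 7, 8)),
        ("digits only, length 1-12", keyspace(DIGITS, 1, 12)),
        ("wordlist + 2-char digit/symbol suffix", hybrid_keyspace(wordlist_size, DIGITS_AND_SYMBOLS, 2)),
        ("all printable, exactly 8 (baseline)", keyspace(PRINTABLE, 8, 8)),
        ("all printable, exactly 12 (baseline)", keyspace(PRINTABLE, 12, 12)),
    ]
    return [(label, n, seconds_to_exhaust(n)) for label, n in stages]


if __name__ == "__main__":
    for label, n, secs in stage_report():
        print(f"{label:42s} {n:>26,d} candidates  {secs:>18,.1f} s")
```

The two baselines make the article's point numerically: every eight-character password drawn from the full printable set falls in a few hours at that rate, while adding four characters pushes the same search into tens of thousands of years, which is why length matters more than character mixing.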
Gosney has spent years perfecting word lists that contain a list of all the six-letter words, for example, to make cracking the weaker passwords faster. 
One hurdle Gosney had to jump during stage one of the hack was 'salted hashes', a technique where sites add random characters to passwords to make them harder to crack.
This can include adding random numbers, characters or letters to the start or end of a password during the hashing process so hackers can't automatically enter a six-letter word, for example, and match the hash automatically.
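The hashing and salting the article describes, as an added Python example (not from the article or from Ars Technica): two users who chose the same password get the same unsalted MD5 hash, so one precomputed table reverses both, whereas a per-user random salt combined with a deliberately slow key-derivation function gives each user a distinct hash and forces every guess to be recomputed per user. PBKDF2-HMAC-SHA256 is this example's choice, not something the article names, and the sample passwords and the tiny precomputed table are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def md5_hex(password: str) -> str:
    """Unsalted, fast hash: the kind of hash the article's leaked list consisted of."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute hash -> plaintext for a wordlist. Against unsalted hashes this is
    computed once and reused for every user, which is what makes such lists cheap to crack."""
    return {md5_hex(word): word for word in candidates}


def reverse_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a plaintext from an unsalted hash with a single lookup, if the word is in the table."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). The salt is mixed into the
    computation, so a table built for one salt is useless against any other."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> dict:
    """What a site should store: a fresh random salt per user plus the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_password(record: dict, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(attempt, record["salt"]), record["hash"])


def demo():
    """Same password for two users: unsalted hashes collide, salted ones do not."""
    shared = "arstechnica"  # constructed sample password, reusing the article's example word
    unsalted = {"alice": md5_hex(shared), "bob": md5_hex(shared)}
    table = build_lookup_table(["password", "arstechnica", "ArsTechnica"])  # constructed wordlist
    recovered = {user: reverse_unsalted(h, table) for user, h in unsalted.items()}
    salted = {"alice": store_password(shared), "bob": store_password(shared)}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "recovered_by_lookup": recovered,
        "salted_identical": salted["alice"]["hash"] == salted["bob"]["hash"],
        "verify_ok": verify_password(salted["alice"], shared),
        "verify_wrong": verify_password(salted["alice"], "ArsTechnica"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the output shows both users' unsalted hashes recovered from the three-word table while the salted records differ from each other and still verify correctly; the iteration count is what turns the "350 billion guesses a second" figure quoted later into a few hundred thousand guesses a second per salt.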

However, Gosney explained that once a few weak, 'cryptographically salted' hashes are cracked, it becomes easier to work out the rest.

Once Gosney had obtained the weaker passwords, even those that had been salted, using brute-force he moved onto stage two.

Using a hybrid attack - which combines a dictionary attack with a brute-force attack - he added all possible two-character strings of both numbers and symbols to the end of each word in his dictionary. 
Jeremi Gosney used a mixture of brute-force attacks, a hybrid attack that combined wordlists with brute-force attempts, statistically generated guesses using Markov chains, and other rules to turn a list of hashed passwords into plain text. It took him 14 hours and 59 minutes to complete all stages

TYPES OF PASSWORDS RECOVERED

Some of the longer, stronger and more noticeable passwords that the hackers were able to recover included:
k1araj0hns0n
Sh1a-labe0uf
Apr!l221973
Qbesancon321
DG091101%
@Yourmom69
ilovetofunot
windermere2313
tmdmmj17 and
BandGeek2014
Also included in the list were:
all of the lights
i hate hackers
allineedislove
ilovemySister31,
iloveyousomuch
Philippians4:13
Philippians4:6-7 and
qeadzcwrsfxv1331

He recovered 585 plain passwords in 11 minutes and 25 seconds.
He next added all possible three-character strings to get another 527 hashes in 58 minutes to complete.
Thirdly, he added all four-digit number strings, which took 25 minutes and recovered 435 passwords.
In round four he added all possible strings containing three lower-case letters and numbers and got 451 more passwords.
In five hours and 12 minutes he managed to get 2,702 passwords.
He continued to crack the rest of the passwords using a hybrid attack and cracked a total of 12,935 hashes, or 78.6 percent of the list, in five hours and 28 minutes.
During the third stage, in which Gosney attempted to crack the most complicated passwords, he used a mathematical system known as Markov chains.
This method analyses previously cracked plain-text passwords to determine where certain types of characters are likely to appear in a password, then uses that statistical model to generate educated brute-force guesses.
A Markov attack on a seven-character password with a threshold of 65 tries only the 65 most likely characters for each position.
And because passwords usually have capital letters at the start, lower-case letters in the middle, and symbols and numbers at the end, Markov attacks can crack almost as many passwords as a straight brute-force.
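The position statistics the Markov passage relies on, as an added Python example (not from the article, Ars Technica, or the PACK toolkit mentioned further down): each recovered plaintext is reduced to a mask of character classes (u/l/d/s), the most common masks and the dominant class at each position are tallied, and the search space of the top mask is compared with brute force of the same length. The list of plaintexts is constructed for illustration; the same analysis is how a defender audits whether a password policy is producing predictable structures.

```python
from collections import Counter

# Constructed sample of plaintexts (not the article's list) with the structure the article
# describes: a capital first, lower-case letters in the middle, digits or a symbol at the end.
SAMPLE_PLAINS = [
    "Summer2013", "Winter2012", "Dragon2011", "Autumn2014",
    "Chelsea99", "Freedom42", "Jessica99", "Password1", "Princess7", "Monkey123",
    "Shadow88", "Qwerty12", "Abc123!", "Welcome1!",
    "football", "iloveyou", "letmein", "baseball",
]

CLASS_SIZES = {"u": 26, "l": 26, "d": 10, "s": 32}  # candidates per character class


def classify(ch: str) -> str:
    """Map one character to its class: upper, lower, digit or symbol."""
    if ch.isupper():
        return "u"
    if ch.islower():
        return "l"
    if ch.isdigit():
        return "d"
    return "s"


def mask(password: str) -> str:
    """Structure of a password as a class string, e.g. 'Summer2013' -> 'ullllldddd'."""
    return "".join(classify(c) for c in password)


def mask_frequencies(passwords) -> Counter:
    """How often each structure occurs across the recovered plaintexts."""
    return Counter(mask(p) for p in passwords)


def position_profile(passwords, length: int):
    """Dominant character class at each position, for passwords of exactly `length` characters."""
    same_len = [mask(p) for p in passwords if len(p) == length]
    if not same_len:
        return []
    return [Counter(m[i] for m in same_len).most_common(1)[0][0] for i in range(length)]


def start_end_counts(passwords):
    """(starts with upper-case, ends with a digit, total): the trend the article singles out."""
    starts_upper = sum(1 for p in passwords if classify(p[0]) == "u")
    ends_digit = sum(1 for p in passwords if classify(p[-1]) == "d")
    return starts_upper, ends_digit, len(passwords)


def mask_keyspace(m: str) -> int:
    """Candidates needed to exhaust one mask: the product of the class sizes at each position."""
    total = 1
    for c in m:
        total *= CLASS_SIZES[c]
    return total


if __name__ == "__main__":
    top_mask, count = mask_frequencies(SAMPLE_PLAINS).most_common(1)[0]
    print("most common mask:", top_mask, "seen", count, "times")
    print("dominant class by position (length 10):", "".join(position_profile(SAMPLE_PLAINS, 10)))
    print("starts upper / ends digit / total:", start_end_counts(SAMPLE_PLAINS))
    print(f"mask search space {mask_keyspace(top_mask):,d} vs full brute force {95 ** len(top_mask):,d}")
```

On the constructed sample the top mask is a capital, five lower-case letters and four digits, and exhausting it needs about 3.1 trillion guesses against roughly 6 × 10^19 for an unstructured ten-character search; that ratio is the reason a statistically guided attack recovers nearly as much as brute force in a small fraction of the time.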
Hackers use a mix of wordlists, rainbow tables (pictured) and an algorithm called a Markov chain, among other techniques, to crack passwords from a hashed list. A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters.

From this method, Gosney discovered that people who don't know each other use very similar, and in some cases, identical passwords for the same sites.
During this third stage, Gosney also used other wordlists and rules and it took Gosney 14 hours and 59 minutes to complete all stages.
He managed to get another 1,699 more passwords - three hours to cover the first 962 plain passwords in this stage and 12 hours to get the remaining 737.
The other two password experts who cracked this list used many of the same techniques and methods, although not in the same sequence and with different tools.
They used a wordlist that was created directly from the 2009 breach of online games service RockYou.
This hack leaked more than 14 million unique passwords in plain text and this list is the largest list of 'real-world passwords ever to be made public.'
This method cracked 4,900 of the passwords. The same list was then used again, but this time the last four letters of each word were replaced with four digits. This yielded 2,136 passcodes.
Hacker radix then tried brute-forcing all numbers, starting with a single digit, then two digits, then three digits, and so on, and managed to recover 259 additional passwords.
He then ran the 7,295 plain text passwords he'd recovered through the Password Analysis and Cracking Toolkit, developed by password expert Peter Kacherginsky, to identify patterns.
A 25-computer cluster that can crack passwords by making 350 billion guesses per second. It was unveiled in December by Jeremi Gosney, the founder and CEO of Stricture Consulting Group. It can try every possible Windows passcode in the typical enterprise in less than six hours to get plain-text passwords from lists of hashed passwords.
Radix then used this information to run a mask attack, which uses the same methods as Gosney's hybrid attack but took less time.
He replaced common letters with numbers, for example replacing 'e' with '3', and recovered 1,940 passwords.
In December, Gosney created a 25-computer cluster that can make 350 billion guesses a second.
In an email to Ars Technica, Gosney explained: 'Normally I start by brute-forcing all characters from length one to length six because even on a single GPU, this attack completes nearly instantly with fast hashes.
'And because I can brute-force this really quickly, I have all of my wordlists filtered to only include words that are at least six chars long.
'This helps to save disk space and also speeds up wordlist-based attacks.
'Same thing with digits. I can just brute-force numerical passwords very quickly, so there are no digits in any of my wordlists.
'Then I go straight to my wordlists + best64.rule since those are the most probable patterns, and larger rule sets take much longer to run.
'Our goal is to find the most plains in the least amount of time, so we want to find as much low-hanging fruit as possible first.'

Belarus becomes world's top country ... for SPAM

Belarus has eclipsed the US to become the biggest single source of global spam, according to cloud-based email and web security firm AppRiver.
Junk volumes from the landlocked former Soviet republic, which borders Poland and Russia, hit an all-time high on 13 April and have sustained this level since then.
In January, AppRiver security researchers were seeing an average of 3.1 million spam messages per day from Belarus. After the spike happened on 13 April, AppRiver said it began recording an average of 12.3 million spam messages per day - which is now climbing.
Only one in a thousand messages from Belarus is legitimate, with 99.9 per cent of the electronic messages consisting of junk mail, said the security firm. Current volumes of junkmail from Belarus are exceeding those from the US, the historic source of most of the world's internet detritus.
"The actual message content was very slim and simple," explains AppRiver security analyst Jonathan French in a blog post. "Most of the messages just simply contained a link and a few words. Many of the links did not lead to active webpages, with most giving 500 or 404 server errors."
"The links that did work led to pharmacy websites trying to sell drugs to visitors. There was a very small amount of the messages that also led to websites hosting malware," he added.
French told El Reg that most users would likely recognise the messages, which come from .ru domains and make no attempt at spoofing, as spam. He's currently at a loss to explain the sustained spam spike from Belarus.
"I can only speculate at the cause, but I assume there was nothing special about the April 13th date when spam volume began to rise," French told El Reg. "It may have just been the time for the campaign organiser(s) to start after preparing the machines and systems for this particular campaign. It has been ongoing a while and showing no signs of declining."
Belarus, best known as the last holdout of a Stalinist-style regime in Europe, has rarely - if ever - been mentioned as a major source of spam. However, a quick check with Sophos revealed it had also logged Belarus as the world's worst spam-relaying country over the last 30 days.
Belarus now accounts for 16.3 per cent of the world's spam, compared to 15.1 per cent from the US and 7.45 per cent from the Ukraine, according to exclusive figures produced for The Register. China accounts for 5.78 per cent of the world's spam-relaying.
Sophos's stats, like the figures from AppRiver, look at the locations of abused computers (almost always Trojan-infected zombie drones) rather than the physical location of current spam kingpins.

US National Intelligence Council boss gets personal email hacked

In a rather embarrassing slip, the personal email account of Christopher Kojm, chairman of the US National Intelligence Council (NIC), has become the latest victim of the cracker known as Guccifer.
According to screenshots seen by The Smoking Gun, Guccifer grabbed email exchanges with 9/11 Commission members, banking information, personal correspondence, and documents covering the latest Obama administration's transition earlier this year.
Kojm is a foreign policy wonk who heads the NIC and advises the executive on intelligence matters. Classified information doesn't appear to have been compromised, although no doubt there are some embarrassing tidbits to be had.
"Good night America where ever you are," Guccifer said in a "lengthy, rambling note" attached to the images. In it he calls President Obama "The Black Angel" and mocks the attempts of the Secret Service to find out his identity.
This is the latest political scalp for Guccifer, a cracker who has made a habit of subverting the accounts of the rich and powerful for fun. The cracker's debut was getting into the personal email account of the 41st US President, George HW Bush.
That instance uncovered a welter of personal information and contact information for the Bush clan and also introduced the world to the artistic ambitions of his son, the 43rd president. A series of self-portraits show that the younger Bush seems to spend a lot of time scrubbing himself down in the bathroom.
Other political targets have included US Senator Lisa Murkowski, General Colin Powell, former advisor to Bill Clinton Sidney Blumenthal, and two staff at the Council on Foreign Relations. Author Candice Bushnell and actor Rupert Everett are also claimed victims.

Indonesia to build crack IT-trained military unit to deflect attacks

The world’s fourth most populous country, Indonesia, is fed up with getting hacked and wants to build a special military defence force to protect the state against online attacks.
A senior defence ministry official revealed that the government is proposing a new law which would allow such a force to defend against and disrupt the increasing number of attacks hurled at government systems, Xinhua reported.
Indonesia has some pretty strict penalties which can be levied against domestic hackers but nothing that would sanction the creation of a specialised military unit such as those which exist in the US and China.
The unit will apparently be manned by specially trained uniformed soldiers from the country’s army, navy and air force, with the Communication and Information ministry providing equipment and training.
Communications and Information minister Tifatul Sembiring said that the country has suffered over 36 million attacks in the past three years and is currently building out a National Cyber Security strategy to protect critical infrastructure and government assets.
It’s unclear how many of those attacks came from outside the country, but some of the most high profile over the past year or two have been the work of home-grown miscreants.
East Javan internet café worker Wildan Yani Ashari, 22, was arrested by police in January for defacing the homepage of president Susilo Bambang Yudhoyono (SBY) and could face up to 12 years in jail.
If and when the military defence unit finally is set up, let’s hope a name is chosen carefully – even a cursory search online will reveal the Indonesian Cyber Army is the moniker of a rather prolific hacking group, as well as the name of what appears to be an info-security training outfit.

'Secret Pentagon papers' show China hacked into Patriot missile system

Chinese spies have allegedly hacked into the designs of many of the United States' advanced weapons systems and platforms, including those for F/A-18 Hornet fighter jets, the Patriot missile system and Black Hawk helicopters.
According to the Washington Post, a "confidential section" of a report prepared for the Pentagon seen by the paper makes the claims. The confidential section alleges that 25 of these hacked designs were in programmes critical to American missile defences, combat aircraft and ships.
The Defence Science Board has already warned in the public part of the report (PDF), released in January, that the Pentagon wouldn't be able to defend itself in the event of a full-scale cyber-conflict.
"After conducting an 18-month study, this Task Force concluded that the cyber threat is serious and that the United States cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent utilising cyber capabilities in combination with all of their military and intelligence capabilities (a 'full spectrum' adversary)," the report said.
However, the report also included a confidential list of compromised weapons, which included the US Army's system for shooting down ballistic missiles, the Terminal High Altitude Area Defence, and the US Navy's Aegis Combat System, also designed to defend against ballistic missiles.
According to the WP, sensitive design information for aircraft and ships was also illicitly accessed, including: the V-22 Osprey tiltrotor transport aircraft; the US Navy's new Littoral Combat Ship, designed to patrol close to shore; and the F-35 Joint Strike Fighter, which the UK is procuring to fly from its two new Queen Elizabeth-class aircraft carriers.
The Defence Science Board didn't claim that Chinese agents were behind the cyber attacks, but top military and industry sources who knew about the breaches told the paper that the hacks were part of a growing Chinese campaign of espionage.
The US has been increasingly vocal about what it claims is increased espionage by the Chinese government and Chinese-controlled corporations. The White House has made it clear that cyber-security is a top concern, and has accused both China's government and Chinese companies of continuous attacks aimed at stealing intellectual property.
China has consistently denied any charges of cyber-snooping on American agencies or companies and has flung back accusations against the US government, claiming that it is using cyber-espionage techniques against China.

Microsoft loads botnet-crushing data into Azure

Microsoft is plugging its security intelligence systems into Azure so that service providers and local authorities can get near-realtime information on botnets and malware detected by Redmond.
The new Windows Azure-based Cyber Threat Intelligence Program (C-TIP) was unveiled on Tuesday by Microsoft as an extension of its crime-busting Microsoft Active Response for Security (MARS) program.
C-TIP will let ISPs and Computer Emergency Response Teams (CERTs) get a direct link between their servers and Windows Azure to ingest near-realtime data on malware-infected computers tracked by Microsoft. Previously, these organizations would get MARS data via emails from Microsoft.
"Participation in this system allows these organizations almost instant access to threat data generated from previous as well as future MARS operations," Microsoft's director of security for its Digital Crimes Unit, TJ Campana, wrote.
"While our clean-up efforts to date have been quite successful, this expedited form of information sharing should dramatically increase our ability to clean computers and help us keep up with the fast-paced and ever-changing cybercrime landscape."
ISPs and CERTs plugging into C-TIP will get updated threat data for their specific country or network every 30 seconds, Microsoft said. The Spanish CERT, INTECO, will be one of the first organizations to get C-TIP data, Microsoft said, along with the CERTs CIRCL and govCERT in Luxembourg. Several other unnamed CERTs and ISPs have signed up as well.
Project MARS was started in 2010 as a way for Microsoft to share data on infected PCs with CERTs and ISPs. MARS has helped take down numerous botnets including Bamital, Waledac, Rustock, Kelihos, and Nitol.
Microsoft did not disclose whether C-TIP will use all of Azure's data centers and edge locations or merely those located in the US.

Raspberry Pi puts holes in China's Great Firewall

A tech-savvy China-based Redditor has spotted a hassle-free way of ensuring he or she is always able to bypass the Great Firewall, even when out and about, using the Raspberry Pi to connect to a virtual private network (VPN).
VPNs are a necessity for foreigners living in the People’s Republic who want to access sites prohibited by the country’s ubiquitous internet censorship apparatus – business users and consumers alike have come to rely on them to connect to a banned site.
However, although there’s no shortage of foreign VPN providers to choose from, it can be time-consuming to choose, install and open a client if out and about and using machines which are not your own.
Spotted by TechInAsia, a Reddit user going under the name JaiPasInternet revealed a relatively straightforward solution using the popular single-board computer:
I set my Raspberry to automatically connect to my VPN server through OpenVPN, and then share the connection with a wifi dongle, using hostapd software. I use it on a daily basis with my iPhone and Android tablet (way better than the included VPN client) but the good thing is that, wherever I go, I just bring my Raspberry, plug it into ethernet and to any usb plug, and after a few minutes, I have my censor-free Wi-Fi hotspot.
The Redditor claims set-up is fairly simple to do using information on a Wikipedia page and a blog post on Hostapd, and claimed it’s more straightforward than installing OpenVPN on a DD-WRT router.
Although connection to the user’s own VPN server in France takes a long time, it is apparently “stable for hours”.
Like other OpenVPN users, JaiPasInternet was forced to use the slower TCP version after the Chinese authorities effectively blocked access to UDP as part of a renewed crackdown on foreign VPNs in December.
However, services using other VPN protocols PPTP and L2TP have largely been unaffected as they are too tricky to block without shutting down the entire internet, as explained here.
The cat and mouse game between the Chinese government and internet users in the country took another turn back in March with the launch of the VPN Gate Academic Experiment Project – a free public relay VPN service from Japan claiming to offer “strong resistance to firewalls”. ®

Security boffins say music could trigger mobile malware

Security researchers have discovered that specific music, lighting, vibrations or magnetic fields could all be used as infection channels to trigger the activation of mobile malware on a massive scale.
The paper, titled Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices, was presented in the eastern Chinese city of Hangzhou earlier this month by researchers at the University of Alabama at Birmingham (UAB).
The research describes at length how hard-to-detect non-internet channels can be used to trigger malware hidden in smartphones and other mobile devices from up to 55 feet away.
“When you go to an arena or Starbucks, you don’t expect the music to have a hidden message, so this is a big paradigm shift because the public sees only emails and the internet as vulnerable to malware attacks,” said UAB professor Ragib Hasan in a canned statement.
“We devote a lot of our efforts towards securing traditional communication channels. But when bad guys use such hidden and unexpected methods to communicate, it is difficult if not impossible to detect that.”
On the audio front, the report claimed that “command and control trigger messages” could be sent over 55 feet indoors and 45 feet outdoors, even using “low-end PC speakers with minimal amplification and low-volume”.
It speculated that malware could be activated with messages hidden in TV or radio programmes, background music and even musical greeting cards.
The light channel works best at night or in places with low illumination but could be relayed to a large number of devices and over “reasonably long distances” using large screen TVs, the report said.
The magnetic channel was described as having the shortest range although with the added advantage for the attackers of being able to work whether the device is being carried in the hand or inside a pocket.
“This kind of attack is sophisticated and difficult to build, but it will become increasingly easier to accomplish in the future as technology improves,” said UAB doctoral student Shams Zawoad, in a separate canned statement.
“We need to create defences before these attacks become widespread, so it is better that we find out these techniques first and stay one step ahead.”

Drupal website hacked, users' login credentials compromised

One of the most popular content management systems (CMS) has found itself the victim of a security breach. Unknown hackers breached drupal.org by exploiting a vulnerability in third-party software installed on its server.

Hackers managed to gain access to the account information on Drupal.org and groups.drupal.org. The information exposed includes usernames, email addresses, country information and hashed passwords.

According to the official announcement, the security breach is the result of a vulnerability within drupal.org itself. Users who run the Drupal CMS on their own sites are not affected.

The team said they don't store credit card info on their site and there's no evidence that card numbers have been intercepted.

Drupal has now reset the Drupal.org account holders' passwords and asked users to pick a new password at their next login. Users are also advised to change their password anywhere else they used the same one.

McAfee upgrades enterprise Endpoint arsenal to help firms fight hackers


McAfee has unveiled new Complete Endpoint Protection Enterprise and Business packages, aimed at offering firms better protection against the cyber threats facing them through hardware-enhanced security.
The two packages are the result of collaboration between McAfee and parent company Intel, and are claimed as the first to integrate security services from the chip level through to operating system and applications.
This holistic integration will allow customers to see and protect themselves from previously invisible attacks, according to McAfee.
Complete Endpoint Protection Enterprise and Complete Endpoint Protection Business debut McAfee's Deep Defender rootkit protection, plus dynamic whitelisting, risk intelligence and real-time security management services.
Key features included in the suites are McAfee's Real Time ePO analytics tool, Enterprise Mobility Management (EMM) software, Application Control for PCs and Risk Advisor tools. McAfee said the services will combine to offer administrators and IT managers a single pane of glass view of activity on their networks, letting them spot and react to incoming threats or atypical activity more quickly.
McAfee EMM integrates mobile device management and a secure container into the McAfee ePolicy Orchestrator (ePO) platform, enabling customers to use a single pane of glass and an integrated policy environment to manage all endpoints, including smartphones and tablets.
McAfee said the increased endpoint protection will help arm businesses of all sizes against the influx of new sophisticated attacks targeting them.
The explosion of devices in use in the enterprise multiplies the chance of an attack affecting the mobile workforce, who can unknowingly endanger other systems when reconnecting to the corporate network, McAfee said. The Complete Endpoint Protection suites are designed to protect against this.
The unveiling follows widespread rumblings within the security community that the threat facing businesses is growing. Most recently security experts from Trend Micro, Kaspersky and F-Secure cited a recent boom in Apple Mac malware as evidence of the increased threat.

Facebook looks to improve security with verified pages

Facebook has unveiled a platform that could help to protect both celebrities and fans alike from the dangers of fake pages.
The company said that it will begin verifying certain pages within its social networking service as authentic, providing assurance that the pages, connected to celebrity users, are authentic and not the work of imposters.
The feature, which begins rolling out this week, allows the company to verify a page and then display a blue check mark badge that shows that the page has been authenticated. The company said that it will soon look to expand the feature to pages. Facebook said that it is not accepting any submissions or requests for verifications.
The use of verified accounts has been a valuable tool in helping to crack down on fraud and social engineering scams. Twitter has long used the feature to verify the accounts of celebrities and professional athletes.
For celebrities, the verified accounts will allow for means of separating official pages from fan-created profiles and will help to authenticate any news or announcements released via Facebook. The company said that it will also be expanding the service to popular public figures and brands.
End users, meanwhile, can benefit from knowing the celebrity accounts they follow are authentic and will not contain possible security risks, such as spam or links to third-party sites that could attempt to serve malicious code.
Security has arisen as a primary concern for social networking services in recent weeks. Under heavy criticism following a string of account thefts, Twitter introduced multi-factor authentication.

Ruby on Rails attacks threaten servers

Administrators are being urged to update their Ruby on Rails servers following the discovery of an active malware campaign targeting vulnerable versions of the web development framework.
Researcher Jeff Jarmoc said that the attack – which was spotted earlier this week and is now believed to have been partially disabled – preys upon a vulnerable version of Ruby on Rails to exploit flaws and infect targeted systems with a malware payload that then attempts to establish an IRC connection with a possible command and control system.
The attacks suggest that the infected servers are possibly being drawn into a larger network for additional cybercrime operations.
“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers,” Jarmoc explained. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”
Despite the danger posed by the attack, administrators can protect themselves by updating to the latest version of Ruby on Rails. A patch for the targeted vulnerabilities has been available since early this year, and all Ruby on Rails servers running versions 3.0.20 and 2.3.16 and later will be protected from the exploit.
A popular platform for web development, Ruby on Rails has not traditionally been the popular attack target that platforms such as Java have become. Because of the high risk posed by a successful attack, however, the platform could become more attractive to cyber criminals.
Chester Wisniewski, senior security advisor at Sophos, told V3 that the high value of Linux servers is enough to lure attackers even to platforms that are not deployed on a massive scale.
“Anytime there is a vulnerability in a widely deployed software stack like Ruby on Rails it takes years for all of the server administrators around the world to get around to patching it,” Wisniewski explained.
“In fact it is likely far worse on Linux computers, which are perceived to be more secure and are not patched on a regular schedule like Windows, Java, Flash and other widely exploited software packages.”

Google gives firms only seven days to come clean on zero-day vulnerabilities

A pair of Google engineers have cited a recent slew of unannounced zero-day vulnerabilities in unnamed software vendors' products as proof that companies' current responsible disclosure policies are obsolete and should be reduced to just seven days.
Google security engineers Chris Evans and Drew Hintz reported uncovering the vulnerabilities in a public blog post on Thursday, and called for firms to take a more proactive approach to threat disclosures. "We recently discovered that attackers are actively targeting a previously unknown and unpatched vulnerability in software belonging to another company. This isn't an isolated incident; on a semi-regular basis, Google security researchers uncover real-world exploitation of publicly unknown zero-day vulnerabilities," wrote the researchers.
The engineers said while it would be unrealistic to expect companies to be able to fix the vulnerabilities within a week of discovery, it is more than enough time to responsibly report them. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," they wrote.
"As a result, after seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the co-ordination of vulnerability management."
The upgraded announcement cycle would be a marked increase on Google's current 60-day responsible disclosure recommendation, which was implemented by the search giant three years ago. Evans and Hintz said the hastened time frame is an essential measure businesses must take if they hope to protect themselves and their customers from the increased cyber threat facing them. "Over the years, we've reported dozens of actively exploited zero-day vulnerabilities to affected vendors, including XML parsing vulnerabilities, universal cross-site scripting bugs, and targeted web application attacks," they wrote.
"Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world."
Google is one of many technology companies to call for businesses to be more proactive in combating and disclosing cyber threats. Microsoft recently loaded its anti-botnet security intelligence systems into Windows Azure, to help businesses spot threats more quickly. The UK government has also implemented new measures designed to let firms spot and disclose threats more quickly, launching the Cyber Security Information Sharing Partnership earlier this year.

Malawi Domain Registrar nic.mw website hacked by Bangladeshi Grey Hat hackers

Bangladeshi grey hat hackers have breached the domain registrar of Malawi, a landlocked country in southeast Africa, leading to the defacement of several high-profile websites.

The hackers placed their defacement page at "nic.mw/r00t.htm". They also managed to upload the defacement page to registrar.mw, biz.mw, co.mw, com.mw, www.coop.mw, www.dot.mw, www.edu.mw/, www.gov.mw, www.int.mw and www.net.mw.

At the time of writing, the hacked websites still display the defacement page. You can also check the mirror of the defacement here: http://zone-h.net/archive/notifier=BD%20GREY%20HAT%20HACKERS


Of course, this is not the first time the site has been on the hackers' radar. Earlier this year, Bangladeshi hackers hijacked NIC.mw and left Google Malawi, Kaspersky, MSN and Yahoo defaced.

We are not sure whether the NIC failed to patch the previous vulnerability that led to the security breach, or whether BGHH found a new vulnerability. It is always better to take care of your web-app security once you find yourself the victim of hackers.

Thursday, 30 May 2013

City of Lansing website hacked and database leaked by TurkishAjan


The official website (lansingmi.gov) of the City of Lansing, capital of the US state of Michigan, has been hacked by the Turkish hacker group known as TurkishAjan. The group defaced the website and leaked the database.

The home page (index.jsp) of the website is not affected by the defacement. The hackers seem to have uploaded their defacement page as "index.html". The defacement is still available at "www.lansingmi.gov/index.html".

In case you missed it, you can still check the mirror of the defacement at the zone-h record: goo.gl/PnmX6



A 5.83MB RAR file has been uploaded to Speedyshare. As you can see in the above image, the RAR file contains 20 folders. Each folder contains a few 'xls' files.

After analyzing the files, EHN found that they contain usernames, email addresses, plain-text passwords and a few other details.

Recently, the same group breached the City of Akron and Akron-Canton Airport websites and left their home pages defaced.

Cybercriminals hijacked Twitter accounts of Cher and Alec Baldwin

American singer and actress Cher has fallen victim to a Twitter account hack. Cybercriminals hijacked her account and posted a message about a diet brand.

She came to know about the security breach after her followers told her that her account had been hijacked.

"You guys I’m really upset about this hacking thing ! What diet are you all talking about ?!" she said in one of her tweets.

She is not the only celebrity whose account has been compromised by cybercriminals. A number of celebrities have fallen victim to the Twitter account hijack, including Alec Baldwin, Australian model Miranda Kerr and Donald Trump.

"This fu**ing hacking weight loss shit. GOOOOOODDD!!!" Alec Baldwin tweeted. "IGNORE this weight loss trash. I mean, I'm all for weight loss. But DAMN!!!"

Secunia apologises after accidentally disclosing zero-day vulnerability on public mailing list



Secunia, an international IT security firm specialising in vulnerability management, has apologised after details of an unpatched zero-day vulnerability were accidentally sent to a public mailing list.

The story published yesterday by Security Week revealed the mistake Secunia made while forwarding details of a zero-day in an image viewing app. The email was supposed to be addressed to the vuln address at Secunia. However, an auto-fill mistake sent the details to vim[at]attrition.org instead.

"While coordinating with the researcher, one email was accidentally sent from Secunia to a public emailing list, thereby making information about one of the vulnerabilities publicly available," Secunia commented on the disclosed vulnerability.

"Upon realizing the mistake, Secunia immediately informed the vendor in question, who is currently working to create a patch for the vulnerability. Secunia is going through all procedures to ensure that this cannot happen in future."

Wednesday, 29 May 2013

Anonymous Hacked English Defence League

NAMES and personal details of English Defence League members have been leaked online by a group of hackers. Information on the far-right hate mob, including names, addresses and phone numbers, has been published by the computer group Anonymous.
Anonymous has warned it will carry out more cyber attacks on the anti-Islam group and said the EDL "should have expected us".
In a video posted on YouTube the group says the EDL has used Drummer Lee Rigby's death as “another excuse to further spread your campaign of hate, bigotry, and misinformation.”
Drummer Rigby was hacked to death near Woolwich barracks in south east London last Wednesday.
A list of what were said to be mobile phone numbers for senior named EDL figures appeared online along with addresses of what were said to be donors to the group.
The video was posted under the title ’A Message from Anonymous UK to the English Defence League’.
“Under the guise of national pride you have instigated crimes against the innocent and incited the subjugation of Muslims,” the message continues.
“We will not allow your injustices, your lies, and your stupidity, to further radicalize our youth into fearing and despising their fellow man.”
The menacing warning concludes: “In this operation, we will begin the systematic and comprehensive decimation of your cult.
“We will further expose your falsities and your attempts to censor, to your members, to the British public, and to the world as a whole.
“You will fall, we can say this with complete confidence.”
About 1,000 protesters joined an EDL march to Downing Street on Monday, chanting “Muslim killers off our streets” and “There’s only one Lee Rigby” in tribute to the soldier killed in Woolwich last week.
Four men have since been charged with various offences.
A massive police presence kept them apart from a smaller group of anti-fascist activists, with officers making 13 arrests in total.

U.S. Secret Weapons Designs Stolen by Chinese cyberspies

Chinese cyber spies have stolen some of America's most sensitive weapons designs, a dangerous development that could endanger soldiers in a conflict with China, The Washington Post reports.
Many of the larger contractors have put up effective security, so the hackers have gone after subcontractors instead.
“In many cases, they don’t know they’ve been hacked until the FBI comes knocking on their door,” a senior military official told the Post. “This is billions of dollars of combat advantage for China. They’ve just saved themselves 25 years of research and development. It’s nuts.”
The cybertheft gives China an edge that it could exploit during a conflict: it accelerates China's military technology while saving it billions of dollars in research costs, and the American designs can be used to benefit China's own defense industry.
The report's public version says that such cyber-attacks could cause "severe consequences for U.S. forces engaged in combat," including cutting communications links that could make weapons fail to operate correctly. Planes, satellites and drones might crash, the report said.
"If they got into the combat systems, it enables them to understand it to be able to jam it or otherwise disable it," said Winslow T. Wheeler, director of the Straus Military Reform Project at the Project on Government Oversight. "If they’ve got into the basic algorithms for the missile and how they behave, somebody better get out a clean piece of paper and start to design all over again."

PayPal Site Vulnerable to XSS Attack

A 17-year-old German schoolboy posted information over the weekend regarding an apparent cross-site scripting (XSS) vulnerability in the popular money transfer site PayPal. The problem lies in the site’s search function and, at least in the German version of the website, can be triggered by using a string of JavaScript alert code.
Robert Kugler, the security researcher behind the bug, posted details about the vulnerability on the Full Disclosure mailing list on Friday. Now Kugler is finding his name in the headlines after PayPal allegedly informed him he was too young to qualify for an award.
“Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old…” Kugler, who turns 18 next March, wrote on Seclists.
Kugler wrote in the post that he’s interested in securing computer systems and in the past has dug up bugs for Microsoft – his name is listed in the security researcher acknowledgments last month – and found flaws in Mozilla’s Firefox browser on two separate occasions.
PayPal started its bug bounty program last June, following in the footsteps of companies like Mozilla and Facebook who over the last few years have set up systems to responsibly disclose bugs. While Kugler’s bug does appear to be in scope with its program as it is new and is on the valid PayPal web site, PayPal fails to mention an age requirement for security researchers in its terms and conditions.
While it isn’t clear if PayPal is planning to fix Kugler’s vulnerability right away – emails to the company were not immediately returned on Tuesday – it fixed a similar XSS flaw last fall that allowed the execution of client-side script and browser cookie hijacking.
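The bug class described above, a search page that reflects the query back into the HTML it serves, as an added illustration that is not PayPal's code or Kugler's finding: a minimal search-results renderer in its vulnerable form beside the hardened form that escapes untrusted values for the context they land in. The page template, the helper names and the sample query are constructed for this example.

```javascript
// Added example (not PayPal's code): a minimal search-results page renderer
// showing a reflected-XSS bug of the kind described above next to its fix.
// The template, function names and sample inputs are constructed.

// Escape the five characters that can change meaning in HTML text nodes and
// in double- or single-quoted attribute values. '&' must be handled first so
// that already-produced entities are not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inverse of escapeHtml, used only to show that escaping preserves the text
// the user actually sees: the browser decodes entities back to characters.
function unescapeHtml(s) {
  return String(s)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

// VULNERABLE: the raw query is concatenated into an attribute value and into
// a text node. A query that contains markup is parsed as markup by the
// browser, so a script tag in the query runs in the site's origin.
function renderSearchVulnerable(query, hits) {
  return [
    '<form><input name="q" value="' + query + '"></form>',
    '<h2>Results for ' + query + '</h2>',
    '<ul>' + hits.map(h => '<li>' + h + '</li>').join('') + '</ul>',
  ].join('\n');
}

// FIXED: every untrusted value is escaped before it is placed in the page.
// Note that this covers HTML text and quoted-attribute contexts only; a
// value dropped into a <script> block, a URL or CSS needs a context-specific
// encoder instead.
function renderSearchSafe(query, hits) {
  const q = escapeHtml(query);
  return [
    '<form><input name="q" value="' + q + '"></form>',
    '<h2>Results for ' + q + '</h2>',
    '<ul>' + hits.map(h => '<li>' + escapeHtml(h) + '</li>').join('') + '</ul>',
  ].join('\n');
}

// Constructed sample input of the kind the article mentions: an alert string.
const SAMPLE_QUERY = '<script>alert(1)</script>';
const SAMPLE_HITS = ['Rechnung & Zahlung', 'Geld senden'];

// Stand-alone demonstration: the vulnerable page carries the tag verbatim,
// the safe page carries only its escaped text.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('--- vulnerable ---\n' + renderSearchVulnerable(SAMPLE_QUERY, SAMPLE_HITS));
  console.log('--- safe ---\n' + renderSearchSafe(SAMPLE_QUERY, SAMPLE_HITS));
}
```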

The African Cyber Gold Mine: your Western data

Going on holiday is dangerous when it comes to security. You leave your well-known environment for an environment that is not secured the way you expect it to be. Last week I was in Africa and I witnessed the African Cyber Gold Mine.

African Cyber Gold Mine

Face it - in Africa, technology has to make some big jumps before it reaches the "secure" level of Western countries, but Western people still travel to Africa and make use of public WiFi hotspots and public computers in various internet cafes. They have a lot of money and they love to keep a close watch on it.
Hackers know this - they are after your credentials on the African continent.

Don't hack the bank - hack the hotel

Why would a hacker try to hack a Western bank if they could simply attack an African hotel that has stored all your personal information in clear text? That is the African Cyber Gold Mine. It does not matter if you are the President or some guy who is just going on holiday. We all end up in the same database.

No statistics in Africa

If you start searching for cybercrime statistics in Africa you will get almost no information. But we do know that most spam is being sent from that same continent.

Have you been in Africa?

Have you ever been to Africa? Did you use public WiFi, or did you take security measures?

Source: Cyberwarzone

WiFi and Hackers in KLM airplanes

Today The Netherlands announced that KLM airplanes will be equipped with WiFi access points in the airplane itself. This will allow passengers to use the internet while in the air. This is great news - but it is awesome news for hackers.

Clients in the air

The clients used in airplanes are most of the time simple smartphone devices that have little to no security options enabled.
These devices are a possible target for hackers in the air.

Man in the middle attack

A man-in-the-middle attack is easily carried out against smartphones. Smartphones don't have a function to check whether the access point has changed or whether someone is reading their internet traffic.

Disable your electronic devices

It is standard routine in The Netherlands - when you are in the airplane and still on the ground, you are obliged to turn off your smartphone as it could affect the airplane's instruments.
This seems to be solved now that KLM is introducing WiFi access points.

Connection

The clients will connect to the access point, and the access point gets its connection from satellites. Clients will pay 20 euros for a ticket to connect to the WiFi access point.

Cyberinfocts Ethical Hackers Forum -- June 2013



Event Details

Cyber Information Communication Technology Services organized the Cyberinfocts Ethical Hacker & Security Community to highlight its three-fold mission of security awareness, research and continuing education for IT professionals. The forum promotes collaborative research by welcoming IT professionals, as well as members of the public, to be part of the forum. We are especially interested in coming together to tackle challenges faced by IT professionals in their different fields.

Cyberinfocts Ethical Hacker & Security Forum is a forum to host and foster quality dialogue on subjects of relevance to information systems and security. It is intended for the benefit of IT professionals and of all whose subject interests or fields of research and study intersect with IT security.

We set up this forum so you can chat and meet other IT professionals who have similar interests in information security. Our forums are for discussing everything from information technology to IT security and exposing hacking attacks. We know that not everyone has just one challenge, so our forum of many different experts allows you to chat about your challenges and get solutions to them all in one place!

Topics:
IP surveillance Camera
Batch & Virus Programming
Windows Password Hacking
Computer Forensics and Investigations
Question and Answer

Date: 8th June 2013
Time:10:00 am Prompt
Venue: Perfect Touch Consulting Limited
1 A, Basheer Augustos Street, Eric Emmanuel Bus Stop off Bode Thomas Street Surulere Lagos
Fees: 500
For further details contact: 07037288651


To reserve your seat, please visit: http://cyberinfocts-june-forum.eventbrite.com

Mobile malware attacks will spread through sensors in handsets

A group of university researchers have uncovered a new generation of malware attacks that target mobile hardware.
A study conducted at the University of Alabama Birmingham found that malware samples can be tuned to spread through sensor components in mobile handsets, resulting in fast-spreading infections that can be difficult to detect by conventional means.
According to the researchers, the theoretical new attacks would prey on sensor hardware such as optics, microphones or magnetic field sensors. The malware would then in theory be able to infect other devices in the area through sensor communications.
“These communication channels can be used to quickly reach out to a large number of infected devices, while offering a high degree of undetectability,” the researchers explained.
“In particular, unlike traditional network-based communication, the proposed sensing-enabled channels cannot be detected by monitoring the cellular or wireless communication networks.”
In addition to being difficult to detect, researchers believe that the malware could be used to create local botnets, chaining together multiple devices in a single area such as a sports arena and then using the infected machines to perform distributed-denial-of-service (DDoS) operations.
The researchers also noted that the infected handsets would be particularly prone to targeted attacks and advanced-persistent-threat (APT) operations.
“The malware on the phone can be triggered when the infected phone is inside a driving car; the malware may then interact with the car’s internal network and cause some serious problems. Similarly, malware may get triggered inside a home or company and may then interfere with the home’s wireless security system, perhaps dismantle it.”
The study is not the first to suggest that sensor hardware can be a possible infection vector. In 2012 researcher Charlie Miller found that NFC hardware could be exploited to completely compromise a targeted device.

Microsoft brings anti-botnet fight to the cloud with Azure level-up


Microsoft is moving to better defend businesses against cybercrime, loading its anti-botnet security intelligence systems into Windows Azure, thereby offering firms real-time information on the threats facing them.
The move was announced on Tuesday and is the latest stage of Microsoft's Active Response for Security (MARS) programme. The move will offer businesses direct real-time access to threat intelligence data from Microsoft and other Computer Emergency Response Teams (CERT), which was previously distributed via email.
TJ Campana, Microsoft's director of security for its Digital Crimes Unit, wrote: "By tapping into Microsoft's vast cloud resources, we are now able to share information on known botnet malware infections with ISPs and CERTs in near real-time. The new Windows Azure-based Cyber Threat Intelligence Program (C-TIP) will allow these organisations to have better situational awareness of cyber threats, and more quickly and efficiently notify people of potential security issues with their computers."
Campana said the upgrade is an essential step in Microsoft's ongoing battle against criminal-operated zombie botnets, which it claims have become more tenacious in recent years.
"Cybercrime is a global phenomenon and malicious software poses grave risks to computer owners, businesses and users of the internet in general. Among the risks are bank fraud, identity theft, critical infrastructure and denial of service attacks, intellectual property theft and much more," he wrote.
"Every day our system receives hundreds of millions of attempted check-ins from computers infected with malware such as Conficker, Waledac, Rustock, Kelihos, Zeus, Nitol and Bamital."
This upgrade to Azure is the latest stage in Microsoft's ongoing battle against botnets. To date Microsoft has participated in several high-profile operations, including a takedown of the Kelihos botnet in 2011 and the Bamital sting in February. Campana said that while the Azure upgrade won't result in any more direct takedowns, it will further squeeze cyber criminals' wallets, hampering their ability to expand their operations.
"While our clean-up efforts to date have been quite successful, this expedited form of information-sharing should dramatically increase our ability to clean computers and help us keep up with the fast-paced and ever-changing cybercrime landscape," he wrote.
"It also gives us another advantage: cyber criminals rely on infected computers to exponentially leverage their ability to commit their crimes, but if we're able to take those resources away from them, they'll have to spend time and money trying to find new victims, thereby making these criminal enterprises less lucrative and appealing in the first place."

US charges Liberty Reserve in $6bn money laundering scheme

The US government is charging a popular online currency exchange with what it claims is the largest money laundering scheme in history.
Attorneys with the US Attorney's Office for the Southern District of New York have charged the operators of Liberty Reserve with trafficking in some $6bn worth of funds for activities including child pornography, cybercrime services and financial fraud.
Designed as a secure and anonymous payment service, Liberty Reserve allowed users to transmit funds internationally without the need for monetary exchange markets or other financial institutions. According to attorneys, however, the company existed almost entirely to facilitate underground transactions for criminal activity.
“As alleged, the only liberty that Liberty Reserve gave many of its users was the freedom to commit crimes – the coin of its realm was anonymity, and it became a popular hub for fraudsters, hackers, and traffickers,” said US Attorney Preet Bharara.
“The global enforcement action we announce today is an important step towards reining in the ‘Wild West’ of illicit Internet banking.”
The US court said that it has indicted five people who are believed to be behind Liberty Reserve, including individuals based in the US and Spain. Two more individuals, last seen in Costa Rica, are also being sought as suspects in the case.
This is not the first time Liberty Reserve has been singled out as a facilitator of underground transactions. Earlier this month the firm was one of several Bitcoin operations singled out by security researchers as money laundering fronts for malware sales.

Hack the hacker: US Congress urged to legalize cyber-attacks to fight cybercrimes

US Congress should legalize attacking hackers’ computers with malware, physically destroying networks and taking photos of data thieves and copyright violators with their own cameras in order to punish IP thieves, the IP Commission recommends.

The commissioners - former US government officials and military men - say that the “scale of international theft of American intellectual property (IP) is unprecedented”. However, the US government response has been “utterly inadequate to deal with the problem.”

"Almost all the advantages are on the side of the hacker; the current situation is not sustainable," the commission's report says.

“New options need to be considered,” the authors say, adding that current laws are limited and “have not kept pace with the technology of hacking.”

Thus, the commission suggests allowing active network measures such as retrieving stolen information, “altering it within the intruder’s networks, or even destroying the information within an unauthorized network."

For example, locking down the computers of unauthorized users and forcing them to come forward to the police could be one of the options.

“The file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account,” the commission recommended.

In other words, the authors suggest legalizing ransomware - an extortion tool used by organized criminals, in which malware blocks access to the computer system it infects and demands that a ransom be paid to its creator to remove the restriction.

Such measures, the commissioners stressed, do not violate existing laws, but still might help to prevent attacks and even provide both time and evidence for law enforcement to investigate the cyber-crime.

As additional measures, the report recommends “physically disabling or destroying the hacker’s own computer or network,” implanting malware in the hacker’s network or photographing the hacker using his own system’s camera.

“The legal underpinnings of such actions taken at network speed within the networks of hackers, even when undertaken by governments, have not yet been developed,” the authors say.

So, if counterattacks against hackers were legal, companies could use a variety of techniques and cause severe damage to the capability of IP pirates.

"These attacks would raise the cost to IP thieves of their actions, potentially deterring them from undertaking these activities in the first place," the report concludes.

However, if counterattacks were legalized, this would not just be about companies and hackers. Pirated movies or songs on private computers could be deemed IP theft and allow rights holders to do horrible things to suspected systems.

ASIO at no risk from hack attack

The building details of ASIO's new headquarters in Canberra, allegedly hacked by Chinese cyber spies, were stolen three years ago and no longer pose any threat to the agency's operations.

As China strongly denied allegations it mounted a cyber attack to steal the plans for ASIO's Canberra headquarters, sources familiar with the breach moved to play down its significance.

The Australian has been told the breach occurred in 2010, or possibly 2009. Although construction of the headquarters on Canberra's Constitution Avenue started in 2008, the discovery of the breach meant ASIO had the opportunity to alter the designs of the building to reduce the risk of espionage.

It is understood the layout of the $630 million building was accessed through a contractor working on the building, which is yet to be completed.

The breach shocked those familiar with the intensive security arrangements surrounding the construction of the building.

One cyber security expert, who asked not to be named, said anything to do with the building's plans would have been "air-gapped", or stored on a system or computer not connected to the internet. The same restrictions would apply to contractors working on the site.

However, a second insider said it was presumptuous to assume the data had been stolen through a cyber attack, saying it might have been obtained from a source such as a memory stick.

Although embarrassing for ASIO, sources with knowledge of the incident said its significance had been overplayed.

One said ASIO had since taken steps to counter the breach, but would give no details as to what those steps were.

A second questioned what the Chinese could realistically do with schematics, given the building itself would be one of the most secure in Australia.

A spokesman for ASIO declined to comment on any aspect of the claims first raised by the ABC's Four Corners program on Monday. A spokesman for the Chinese embassy in Canberra told The Australian the claims were baseless and some of them made with ulterior motives.

Julia Gillard told parliament the report on the Chinese cyber attack was inaccurate but she would not say what was wrong with it. "As the Attorney-General has stated, neither he nor the director-general of ASIO intend to comment further on these inaccurate reports," the Prime Minister told parliament.

Opposition legal affairs spokesman George Brandis said he had asked for an ASIO briefing on the allegations.

The Chinese embassy spokesman said that like other countries, China was facing a serious threat of cyber attacks and it was one of the world's main victims of hacking.

"China attaches importance to network security issues, and resolutely opposes all forms of hacker attacks," the spokesman said.

He said Chinese law prohibited hacker attacks and other acts of sabotage against internet security.

The last time something similar happened the boot was on the other foot, with Australian agencies accused in 1995 of bugging the new Chinese embassy in Canberra.

Tuesday, 28 May 2013

Investigative journalists threatened with felony for exposing security flaw

Investigative journalists with Scripps News Service have discovered a major security lapse, in turn accessing the private data of tens of thousands of cell phone customers in the United States.

Scripps isn’t being hailed for exposing the error, though, and has been accused by telecom attorneys of hacking into computers to gain access to the records — a claim the reporters dispute.

According to the journalists, they uncovered the files using nothing more than a simple Google search.

Reporters with Scripps were investigating Lifeline, a government benefit program that provides low-income Americans with discounted phone service, when they came across the sensitive data.

“While looking into companies participating in the program, the Scripps News investigative team discovered more than 170,000 records posted online listing sensitive information such as Social Security numbers, home addresses and financial accounts of customers and applicants of Lifeline,” the news service wrote this week.

According to Scripps, Oklahoma-based TerraCom Inc. and an affiliate, YourTel America Inc., were up until recently hosting around 170,000 files just like these on the Internet, unencrypted and easy to find for anyone looking in the right spot. In fact, the journalists say they discovered the records by keying a basic search query into Google.com.

“A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel,” Scripps reported.

When another journalist conducted a follow-up Google search of the website, Scripps was presented with a trove of documents that were all hosted online without any security system in place to restrict access. From there, they used computer code to download the publicly available records and eventually possessed the entire trove without ever hacking any passwords or posing as an unauthorized party.

The reporters put the number of Lifeline applicants whose privacy was breached at around 44,000, spanning 18 states in the US.

San Antonio, Texas resident Linda Mendez, 51, was among the thousands of customers whose personal info was compromised due to the lack of security. When Scripps presented her with a completed TerraCom application she was shocked.

“How can they make it so easy like this for people to steal somebody’s identity?” Mendez asked.

Scripps asked similarly of TerraCom but was met with a shocker as well. Shortly after they presented their findings to the telecom, the files disappeared off the website. Then came a warning from TerraCom’s attorney.

“The person or persons using the Scripps IP address have engaged in numerous violations of the Computer Fraud and Abuse Act,” insisted TerraCom’s lawyer, Jonathan Lee, “by gaining unauthorized access into confidential computer files maintained for the Companies by Vcare, and by digitally transferring the information in these folders to Scripps. I request that you take immediate steps to identify the Scripps Hackers, cause them to cease their activities described in this letter and assist the companies in mitigating the damage from the Scripps Hackers’ activities.”

“Shoot the messenger,” wrote a blogger for NetworkWorld. “Reporters found a gaping security hole exposing 170,000 Lifeline phone customer records online, but were labeled Scripps Hackers and accused of violating [the] CFAA.”

Lee continued:

“If the purpose of the hacking was journalistic and the Scripps Hackers have not made and do not intend to make any further disclosure of the hacked data, then any financial or other risk for those applicants would be minimal and notification of the breach may not be necessary under the law of about half of the states involved. However, the downloading of more than 120,000 files over a period of several weeks may not be consistent with solely journalistic intent.”

New York-based attorney Tor Ekeland represented security researcher Andrew Auernheimer during a CFAA case that ended earlier this year with a federal judge sentencing the so-called hacker to 41 months in prison. In Auernheimer’s case, he was convicted of gaining unauthorized access to the personal details of thousands of AT&T customers after he discovered — and disclosed — a security flaw that exposed the data of Apple iPad users in a major breach.

“I don’t see much difference between what happened in that case and what happened here,” Ekeland wrote on his website this week, “[e]xcept maybe that the DOJ might be a bit sensitive about going after reporters given their current track record on that front.”

“By not defining its key operative phrase ‘unauthorized access’ as requiring bypassing a password or some other type of technological access barrier, it allows corporations to be negligent regarding their infosec,” or informational security, wrote Ekeland. “The corporations know that someone else, and not themselves, will suffer the consequences for discovering their confidential data that the corporation has displayed for all to see on the open Web. Why should anyone disclose any computer security flaw in that type of set up? Why risk a felony conviction? Better to keep your mouth shut and let all sorts of criminal organizations and foreign governments harvest the information than to incur the wrath of the Department of Justice and a vexatious and costly civil suit.”

Before being sentenced, Auernheimer himself wrote that “in an age of rampant cyber espionage and crackdowns on dissidents,” the only ethical way to disclose security exploits was to avoid going to the company involved or the government that might prosecute you. “In a few cases, that individual might be a journalist who can facilitate the public shaming of a web application operator. However, in many cases the harm of disclosure to the un-patched masses . . . greatly outweighs any benefit that comes from shaming vendors.”

Scripps’ attorney, David Giles, responded much akin to Ekeland that TerraCom was misinterpreting the CFAA. “Regardless of the flowery moniker you have used to characterize the bureau's newsgathering activities, the bureau's reporters have not violated the Computer Fraud and Abuse Act or any other law or regulation,” Giles wrote. “Rather, in the process of gathering newsworthy information, the bureau accessed – via a basic Internet search – personal and confidential information that apparently is available to anyone with a computer, an outlet and access to electricity.”

Scripps requested an on-camera interview with TerraCom before and after making their disclosure in order to show the company face-to-face how they “hacked” into their network. TerraCom acknowledged the breach on their website and told customers that “names, addresses, Social Security numbers, tax information and other government forms used by our company to determine applicant eligibility for the federal Lifeline program” were all compromised.

Sunday, 26 May 2013

Twitter adds two-factor authentication after multiple security breaches

Twitter is moving to improve the security of its microblogging service with the introduction of two-factor authentication, finally meeting the demands of users of the site after a string of account hijackings over the last few months.
The company said that the new feature will allow users to connect their Twitter accounts with a mobile phone number, which will be used to verify logins. When the user attempts to log into their account, they will be asked to provide a randomly generated code that will be sent via SMS.
Security experts have hailed the use of two-factor authentication as critical for services such as social networking platforms.
Because the system requires a one-time use code, an attacker who harvests a user's account information through a phishing attack or brute force password guess will not be able to access the account.
“Every day, a growing number of people log in to Twitter,” explained Twitter security team member Jim O'Leary.
“Usually these login attempts come from the genuine account owners, but we occasionally hear from people whose accounts have been compromised by email phishing schemes or a breach of password data elsewhere on the web.”
In order to set up the new features, users will be required to provide a verified mobile phone number and email address. The company will then send a verification message to the user in order to set up the feature. Twitter noted that the service may not work properly with certain mobile service providers.
When active, the two-factor authentication could help to curb an outbreak of attacks on high-visibility accounts. Targets including the Associated Press and the Financial Times have been targeted by attackers who retrieved credentials from phishing attacks.
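The login flow described above (password plus a one-time code delivered out of band) is easy to get subtly wrong on the server side. The following is an added example, not code from Twitter or from the article, showing the properties the text relies on: the code is random, single use, time-limited and guess-limited, and it is only consulted after the password has passed, so a phished password on its own does not open the account. All names (`SmsCodeStore`, `login`, the sample user "alice") and the constants are assumptions of this example; the SMS delivery itself is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6          # digits in the SMS code (assumed, like Twitter's numeric codes)
CODE_TTL_SECONDS = 300   # a code is only valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


def hash_password(password, salt=None):
    """Salted PBKDF2 hash of the first factor; returns (salt, digest) for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(record, password):
    """Constant-time comparison against the stored (salt, digest) record."""
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


class SmsCodeStore:
    """Issues and checks one-time login codes keyed by account.

    A code is single use, expires after CODE_TTL_SECONDS and is dropped after
    MAX_ATTEMPTS failed guesses, so a six-digit code cannot be brute-forced
    within its lifetime.  The clock is injectable so expiry can be tested.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # account -> [code, issued_at, failed_guesses]

    def issue(self, account):
        """Create a fresh random code; the caller hands it to the SMS gateway."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[account] = [code, self._now(), 0]
        return code

    def verify(self, account, submitted):
        """True exactly once for the right, unexpired code; False otherwise."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, issued_at, _ = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]          # stale code is never accepted
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[account]          # single use: consumed on success
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account]          # too many guesses: user must request a new code
        return False


def login(users, store, account, password, code):
    """Both factors must pass.  The second factor is only consulted once the
    first has succeeded, so an unauthenticated caller cannot burn the
    legitimate user's pending code by spamming wrong guesses."""
    record = users.get(account)
    if record is None or not verify_password(record, password):
        return False
    return store.verify(account, code)


if __name__ == "__main__":
    # Constructed demo: a phished password alone does not open the account.
    users = {"alice": hash_password("correct horse battery staple")}
    store = SmsCodeStore()
    code = store.issue("alice")   # in production this goes to alice's phone, never to the client
    print("attacker with password only:",
          login(users, store, "alice", "correct horse battery staple", "123456"))
    print("owner with password and code:",
          login(users, store, "alice", "correct horse battery staple", code))
```

The attempt counter is what makes the short numeric code defensible: without it, a six-digit code gives an attacker who already holds the password a one-in-a-million guess per request, which is cheap to exhaust inside a five-minute window.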

Governments risk killing internet freedom with cyber wars

Governments could use the influx of hyper-sophisticated malware targeting their systems as a justification to push through draconian reforms that will end core internet freedoms, like the ability to browse anonymously, according to security firm PandaLabs.
PandaLabs security expert Luis Corrons told V3 the recent slew of attacks stemming from China listed in the firm's Q1 2013 Threat Report has resulted in a dangerous change in attitude by many governments regarding how much control of the internet they want.
"The first quarter of 2013 has been a really interesting one for cyber war. It's mainly about China, there are other elements but China's the main one. Whenever we see an attack on a company – or a government contractor or anything where someone has been hacked somehow and information's been stolen – most of the accusations go to China, which is perhaps unfair as most major governments are doing this in some way," he said.
"These kind of attacks are really professional; that's why it's difficult to see who's behind them. But when you look at them it's clear they have lots of money behind them. So they are getting more complex and they will get more sophisticated, but this will not just happen with China, it'll happen with every major player, like the United States for example."
This could create a desire for control of the internet, Corrons warned:
"My main concern is what this is going to mean for the rest of the internet users, for the wider community. I'm afraid this could result in changes to the internet we know and the freedoms we have may not be there anymore."
Corrons said that while the reforms may be slow, many governments like the US have already begun testing the water, toying with new technologies like electronic online passports.
"I don't have a crystal ball to see what's going to happen in the near future, but there are already people talking about electronic passports, making it so that you need some sort of ID to connect to the internet," he said.
"I think they will try and go this way, to have some control of the internet, which in my mind is really pointless and useless because you're only going to control the good citizens who go to the internet with their ID. Any criminals are not going to use that, they'll go over or around it to be anonymous, as they already do."
The right to surf the web anonymously is one of many online freedoms currently being debated by the European Commission and the UK government. Another key freedom being discussed is web users' right to be forgotten. Earlier this year, despite widespread calls for the freedom, representatives from the Information Commissioner's Office (ICO) and European Data Protection Supervisor said the right to be forgotten is impossible to guarantee.

Blue Coat acquires Solera Networks to help businesses spot sneaking cyber threats

Blue Coat has confirmed plans to acquire Solera Networks, pledging that the move will let it offer new analytics-based services capable of warding off the new wave of evolved threats to businesses.
The firm announced the purchase early on Wednesday, confirming that it is the opening step in a wider strategy shift designed to fix problems in most businesses' outdated, productivity-hampering, perimeter-based cyber defences.
Blue Coat president David Murphy told V3: "Many companies are frustrated by the barriers that traditional security networks in IT are putting in place, relative to what's available. We're not saying you shouldn't continue to do some of the core things, just that there are a couple of key arenas that have been missing. We're closing to acquire Solera Networks, which is a leader in the ability to bring this deep inspection, recording capability and intelligence to the business as well as the security team."
Murphy declined to disclose the financial details of the acquisition, but did confirm it will see Blue Coat take control of the intelligence analytics and cyber forensics firm's 300 customers and 140 employees. The figure adds to Blue Coat's already impressive 15,000 customer base.
The chief said Solera's technology will be used to create several new service centres for Blue Coat customers. These include a Business Assurance Technology Resolution Center, a Policy Enforcement Center, a Mobility Empowerment Center, a Trusted Application Center and a Performance Center. The centres will offer businesses real-time analytics on their networks, making it easier for managers to mitigate threats and sensibly implement flexible device and application management policies.
"There are about 1.2 billion mobile applications in the market place today. The old model of trying to classify them by brute force doesn't work. We've built technology that allows you to bring all of those applications into a managed environment in an analytically-based way using an intelligence-based approach," he said. "What Solera does is allow you to create a kind of TiVo of the entire set of activities that's gone on for six months or a year."
Murphy highlighted the recent influx of targeted attacks hitting enterprise networks as further proof of the need for a change in strategy. "When one of these advanced attacks appears, one of the challenges now is that what you find at the instant it attacks has nothing really to do with the last three to six months of activity that led to that server being compromised," he said.
"We believe in order to be agile, you need the intelligence to go back to the cause, get full scope and redeploy defence measures around these advanced threats, which are much more personalised than the generic ones that have targeted network security in the past."
The Blue Coat chief said that by letting IT managers be more agile, businesses will stop employees from going around security measures, thus reducing the number of attack vectors open to hackers.
"Exchange is an example of this. In many companies Exchange has a file size limit of 20MB to 25MB. We know you can go and use DropBox and move any significant content we need to that way – we're going to work round Exchange if Exchange doesn't work," said Murphy. "In this case we have to allow the business to make a decision about what to do and support business DropBox use case as opposed to just saying you can't move files of that size, which frankly is ridiculous, people will still do it, but they'll do it in a rogue way."
Murphy's comments mirror those of several other technology firms. SAP chairman Hasso Plattner and head of technology and innovation Vishal Sikka have warned that businesses need lightning-fast analytics and monitoring services like HANA to combat the evolved cyber threat facing them.

Apache Darkleech PDF and JavaScript attacks infect hundreds more websites

Cybercrooks running the Apache Darkleech JavaScript attacks have become more tenacious, infecting hundreds more websites, according to security firm Zscaler.
The security firm reported a marked increase in the number of websites falling victim to the Darkleech attack on Wednesday, warning that many of them are hosted in the UK.
Zscaler's Krishnan Subramanian wrote: "The Apache Darkleech attack has been in the news for quite some time now. The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that leads to a Blackhole exploit kit (BEK) landing page.
"We are currently observing a considerable rise in websites being compromised due to this attack. The infected websites redirect to a version of the BEK version 2. We identified the following sites being compromised in the past week within observed Zscaler traffic."
Subramanian said that the complex nature of the attack's exploit method makes it difficult to know exactly how many sites have been affected, making tracking and combating the threat a difficult task.
"The exploit code targets vulnerabilities in multiple plugins including Adobe PDF and Java when run on IE, causing the attacker to load malicious code in the context of the application. When deobfuscating the PDF exploit, we can see the final URL used for redirection. However, this URL was not accessible (404 error response) at the time of writing, hence it was not possible to retrieve the malicious binary file," explained Subramanian.
"Upon revisiting some of these compromised websites, it was found that the page was no longer serving the injected code. This provides a clue. The attackers probably choose random sites running the Apache Webservers that are vulnerable to the Darkleech exploit and infect them only for a brief period of time and then clean them up. Hence tracking Darkleech infections can be a challenging task."
The attack was already believed to have infected thousands of websites when it was first uncovered earlier this year. Subramanian said businesses or website owners that are worried their site has been infected should contact their Apache server host to ensure they have installed the CVE-2012-1557 security patch to fix the flaw.
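Two points in the Zscaler account matter for a site owner: the compromise shows up as off-site redirections injected into otherwise normal pages, and it is transient, so a single inspection can miss it. The following is an added example, not code from Zscaler or from the article, of the kind of check a site owner can run on a schedule: it parses the HTML actually being served, lists every tag that can pull content from or redirect to another host, and reports any such reference that was not in a known-good baseline copy of the page. The sample site host, the baseline and "current" HTML, and the landing-page hostname are all constructed for this example; the hidden-iframe heuristic is an assumption of the example rather than something the article describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class RefExtractor(HTMLParser):
    """Collects every tag that can load from, or redirect to, another host."""

    def __init__(self):
        super().__init__()
        self.refs = []      # (kind, url)
        self.iframes = []   # attribute dicts of every iframe, for the visibility heuristic

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attributes without a value become ""
        if tag in ("script", "iframe", "frame", "embed", "object") and a.get("src"):
            self.refs.append((tag, a["src"]))
        if tag == "iframe":
            self.iframes.append(a)
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=http://host/path"
            for part in a.get("content", "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    self.refs.append(("meta-refresh", part[4:].strip("'\"")))


def _parse(html):
    parser = RefExtractor()
    parser.feed(html)
    parser.close()
    return parser


def external_refs(html, site_host):
    """Set of (kind, host) pairs in the page that point away from site_host."""
    out = set()
    for kind, url in _parse(html).refs:
        host = urlparse(url).hostname
        if host and host.lower() != site_host.lower():
            out.add((kind, host.lower()))
    return out


def injected_refs(baseline_html, current_html, site_host, allowlist=frozenset()):
    """Off-site references served now that were absent from the known-good baseline.

    A baseline (a copy of the page taken when the site was known clean) is
    what lets a short-lived injection stand out even if it is gone on the
    next run.  Hosts in allowlist (a CDN, an analytics provider) are ignored.
    """
    new = external_refs(current_html, site_host) - external_refs(baseline_html, site_host)
    return sorted(ref for ref in new if ref[1] not in allowlist)


def _dimension(value):
    """Parse '1' or '1px' to a number; anything else (e.g. '100%') is None."""
    try:
        return float(value.strip().lower().rstrip("px"))
    except ValueError:
        return None


def hidden_iframes(html):
    """Heuristic (assumed by this example): iframes sized to nothing or styled
    invisible serve no visible purpose and deserve a look regardless of host."""
    found = []
    for a in _parse(html).iframes:
        style = a.get("style", "").replace(" ", "").lower()
        dims = [_dimension(a[k]) for k in ("width", "height") if k in a]
        tiny = bool(dims) and all(d is not None and d <= 1 for d in dims)
        invisible = "display:none" in style or "visibility:hidden" in style
        if tiny or invisible:
            found.append(a.get("src", ""))
    return found


# Constructed sample site and pages; none of these hosts are from the article.
SITE_HOST = "www.example.org"

BASELINE_HTML = """<html><head>
<script src="https://cdn.example.net/jquery.min.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

CURRENT_HTML = """<html><head>
<script src="https://cdn.example.net/jquery.min.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="http://landing.example.invalid/index.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""


if __name__ == "__main__":
    print("new off-site references:", injected_refs(BASELINE_HTML, CURRENT_HTML, SITE_HOST))
    print("hidden iframes:", hidden_iframes(CURRENT_HTML))
```

Run against pages fetched with an ordinary browser User-Agent from outside the hosting network, since the article notes that the injected code is only served for short windows and is cleaned up afterwards; a few fetches a day, each diffed against the baseline, gives a record of when the site was serving something it should not have.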