Friday, 14 June 2013

US law enforcement groups seek killswitch mobile protections

iOS 7 will be available on the iPhone 5
US law enforcement officials are asking mobile handset developers to implement remote killswitch features in an effort to curb street crime.
The Save Our Smartphones initiative will seek to bring law enforcement groups and government officials together with handset vendors on ways to reduce the number of smartphone thefts and sales of stolen hardware in the US.
Among the measures being considered is the implementation of a killswitch functionality. The feature would allow a smartphone to be permanently disabled in the event that it is lost or stolen. In doing so, officials believe that the market for stolen handsets will dry up.
The group has sent letters to Apple, Motorola, Google, Microsoft and Samsung asking for the additional security tools.
New York attorney general Eric Schneiderman said: “The epidemic of violent street crime involving the theft and resale of mobile devices is a very real and growing threat in communities all across America. According to reports, roughly 113 smartphones are stolen or lost each minute in the United States, with too many of those thefts turning violent.”
As the popularity of smartphones has grown, so have the means of managing lost and stolen devices. Most platforms now ship with features to remotely track and monitor lost handsets, while Apple recently took things a step further when it introduced Activation Lock, a feature that requires an Apple ID and password to take the handset out of recovery.
The officials behind the Save Our Smartphones initiative would like to see other vendors follow suit and offer protections that would render stolen handsets useless for resale or redistribution.

Microsoft secures Azure cloud services with multi-factor authentication

Cloud computing
Microsoft has added much-needed multi-factor authentication to its Windows Azure cloud computing platform, enabling organisations to secure access to any Azure services used by workers, partners and customers.
Available now, Active Authentication enables multi-factor authentication for Windows Azure Active Directory identities, the cloud-based service that provides identity and access capabilities for applications and other resources on Windows Azure itself.
Active Authentication requires users to authenticate themselves at sign in using an app on their mobile device or via an automated phone call or text message. This extra step helps prevent unauthorised access to data and applications in the cloud, Microsoft said.
The service is based on technology Microsoft gained from last year's acquisition of PhoneFactor, a firm specialising in phone-based authentication.
Active Authentication can be used to secure access to Office 365, Windows Azure, Windows Intune, Dynamics CRM Online. There is also an Active Authentication SDK that customers can use to build multi-factor authentication into custom applications, Microsoft said.
Microsoft said that Azure customers can simply add the service to their Windows Azure AD tenant to enable it, after which users can enroll their own phone numbers and set authentication preferences during the standard sign in process.
Customers can choose to license Active Authentication based on a payment for each authentication, or on a per-user per-month basis.
The service is currently available as a preview, with pricing set at $1 per user per month, or $1 for every 10 authentications. Microsoft said it anticipated that pricing on general availability will be about double this amount. The firm declined to give a date for when it is expected to hit general availability.

Microsoft secures Azure cloud services with multi-factor authentication

Symantec headquarters
Symantec will lay off a further 1,700 employees as a part of its ongoing management shuffles.
AllThingsD claimed that an unnamed source familiar with the matter confirmed the firm's plans to make redundancies on Tuesday. The source said that other cuts have been going on for several months, but described the recent batch as "the biggest yet", and said the cuts have already begun.
Symantec plans to instigate the cuts in two phases, axing roughly 1,000 jobs this month, before going on to slash a further 700 positions in July. Symantec declined V3's request for comment on the 1,700 figure, but confirmed it is pushing ahead with its cost-reduction strategy and is making staff cuts.
"Symantec is in the midst of a company-wide transformation. As part of this effort, we are engaged in a company-wide reorganisation. As a result, some positions are being eliminated. This action is a reflection of our new strategy and organisational simplification initiative announced by Symantec's executives on 23 Jan 2013," a spokesman told V3.
"One of the goals of Symantec's reorganisational effort is to make the company's employee reporting structure more efficient and support the company strategy moving forward. We have no additional details to provide at this time."
Symantec initially announced plans to shed a number of middle management roles in January, after it posted a significant slump in profits. Since then the firm has cut numerous staff, and if the figure for the latest batch is true, Symantec will have shed nearly eight percent of its 21,500 worldwide workforce.
Symantec's poor performance has also affected the company's upper management. Ex-Symantec chief executive officer Enrique Salem stepped down from his role in July 2012. Salem was replaced by the company's current chief executive Steve Bennett, who pledged to reverse Symantec's ailing fortunes by consolidating its assets and remodelling its strategy to be more business focused.
Despite the negative news, Symantec's strategy has proved effective. The company reported $6.9 billion in sales for the fiscal year that ended in March, marking a four percent rise in net income. The positive news led to an 18 percent increase in Symantec's share value this year.

PRISM: US attorney general denies spying claims in meeting with EC officials

capitol hill
The US has denied claims that the PRISM spying programme allows the nation unfettered access to data on European and US citizens, in a meeting with a top European Commission official.

The meeting between justice commissioner Viviane Reding and US attorney general Eric Holder focused on a series of key questions posed by Reding to the Holder on the PRISM programme, and took place in Dublin on Friday.

Holder said claims that have circulated that the programme has given the US government unfettered access to firms such as Google, Facebook, Microsoft and Apple are not true and everything is carried out with due legal process.

“The contention it [PRISM] is not subject to any internal or external oversights is simply not correct,” he said. “It’s subject to an extensive oversight regime from executive, legislative and judicial branches and Congress is made aware of these activities. The courts are aware as we need to get a court order.”

Holder also gave some more insights into how and why data is collected, claiming it helps protect citizens in both the US and other nations.

“It facilitates the targeted acquisition of foreign intelligence information concerning foreign targets outside the US. Service providers provide information to the government when lawfully required to do so,” he said.

“We can’t target anyone unless appropriate documented foreign intelligence purpose for the prevention of terrorism or hostile cyber activities.”

Commissioner Reding repeated this, reporting that Holder provided more details about how the PRISM programme works.

“It is about foreign intelligence, targeted at non-US citizens under investigation on terrorism and cyber crime. So it’s not bulk collection but individuals and groups [targeted] and is the basis of a court order and congressional oversight,” she said.

Reding said she hoped the discussions would help set up more dialogue on the issues raised by PRISM, and revealed plans for US and EC intelligence officials to meet and fully establish how the programme works.

“I appreciate the proposal of the attorney general to convey, in the short term, experts of intelligence from the US and Europe in order to clarify together the remaining questions,” she said.
PRISM has dominated the headlines over the last week ever since a former CIA IT contractor revealed documents to the press revealing the existence of the programme. Tech giants such as Google and Apple have denied any involvement with the scheme.

Zeus malware preys on job seekers with 'money mule' offers

malware virus security threat breach
Researchers have uncovered a new variant on the Zeus financial malware, which looks to recruit users as money mules to process cybercrime transactions.
According to a report from security vendor Trusteer, new variants on the malware detect when a user is trying to access popular jobs site CareerBuilder and injects code into local HTML files.
First detected as a financial malware tool, the Zeus trojan installs itself on infected PCs and functions by injecting code into otherwise legitimate HTML files. The malware is set up to detect when a user is accessing a number of popular sites and to harvest account details or ask for additional personal information. The technique allows Zeus to covertly perform attacks without the need to compromise any of the actual host servers or sites themselves.
In the case of CareerBuilder, researchers have found that Zeus injects code claiming to be job offer links. Users clicking on the injected links are then taken to a third-party site, which attempts to lure users in with jobs such as mystery shopper positions.
In reality, however, experts say users are being recruited as money mules for an organised cybercrime operation. Often operating without any knowledge of wrongdoing, money mules are commonly used by malware operators to receive payments from compromised accounts then resend the money as a wire transfer or by other means of laundering.
Trusteer said in its report: “While HTML injection is typically used for adding data fields or to present bogus messages, in this case we witnessed a rare usage that attempts to divert the victim to a fake job offering.
“Because this redirection occurs when the victim is actively pursuing a job, in this case with CareerBuilder, the victim is more likely to believe the redirection is to a legitimate job opportunity.”
Because neither the CareerBuilder site itself nor any servers have been compromised, users not infected with Zeus are not in danger from the attack. Experts advise users to guard against Zeus and other malware attacks by keeping system software, browser plugins and antivirus software patched and updated.

PRISM: Microsoft and Intel accused of aiding US security services' cyber attacks

Digital security padlock red image
Technology industry heavyweights have been dragged further into the US snooping scandal after it emerged that many, including Microsoft and Intel, work hand in glove with security agencies, providing them with sensitive information in exchange for classified intelligence.
News agency Bloomberg cited four unnamed sources who claim that makers of hardware, software, communications equipment and security tools work with US security agencies not only to protect national interests, but also to attack rivals' computer systems.
According to the report, Microsoft provides US officials with early warnings about vulnerabilities in its software, enabling them to exploit weaknesses in targets' systems.
Elsewhere, Intel's McAfee unit is alleged to be so close to the FBI, CIA and National Security Agency that its president is regularly approached by the security services to clear specific company employees to work with investigators.
While it has long been understood that technology companies would work closely with governments in order to safeguard national security, the revelation that firms help security services to launch attacks on others will likely prove inflammatory.
Tensions around the relationship between the tech industry and government were heightened after a former NSA contractor, Edward Snowden, leaked top-secret documents detailing the information-sharing arrangements between the NSA and firms such as Google, Microsoft, Apple and Facebook.
Snowden has subsequently accused US security services of attacking scores of targets based in China. For their part, Google, Microsoft, Apple and Facebook had all denied knowledge of the so-called PRISM system.
Neither Microsoft nor McAfee had responded to request for comment on the latest revelations at the time of publication.

Anonymous Hacked Greek Court of Appeal

Anonymous hacked on Thursday the webpage of Athens Court of Appeal.
Hacktivist group Anonymous posted on Wednesday a video on YouTube warning the Greek government of their intention to launch a cyber-attack on state websites beginning on June 15th in retaliation to the shutdown of public broadcaster ERT and the dismissal of more than 2,650 employees

Iran-linked cyber group Arrested in Bahrain

Bahrain accuses Hezbollah of interfering in internal security affairs by backing local Shia opposition groups.
Authorities in Bahrain say they have identified and arrested leading members of the Shia opposition February 14 Revolution Youth Coalition, an influential cyber-group accused of working against the government and having links to Iran.
In making the arrests, the country's interior ministry accused the opposition on Thursday of taking part "in criminal acts" and "terrorist" activities.
The February 14 Coalition has been the main force behind a Shia-led uprising that began in 2011 to demand more rights from the country's ruling Sunni leaders.
The ministry identified the group's spiritual leader as Hadi al-Mudaressi, a leading Shia cleric living in the Iraqi holy city of Karbala.
The ministry said he "provided divisive sectarian support to the organisation".
It named 11 of those arrested, saying they had played prominent roles in the coalition inside Bahrain, and said other members were still being sought.
Sentenced in absentia
The ministry also named 13 people that it said were leading the coalition from abroad, some of whom are based in London.
Among those, it said, is Saeed Abdulnabi al-Shahabi "who is responsible for coordination with Iranian leaders".
Shahabi is an opposition leader who has been sentenced to life in prison in absentia for his role in the 2011 uprising.
"They frequently travel between Iran, Iraq and Lebanon to obtain financial and moral support as well as weapons training," the ministry statement said.
These members contact leaders in Iran "to receive direct financial support and field instructions".
"The information presented shows the active role in incitement and terror acts and the support that is provided by extremist religious and political leaders from outside and inside Bahrain," said the statement.
In one of the highest profile cases, Ali Abdulemam, a Bahraini blogger, who was also sentenced to a long prison term, managed to slip out of the country, and sought asylum in England.
Bahrain also accused Lebanese Shia movement Hezbollah - listed as a "terrorist organisation" by the kingdom -- and "extremists" in Iraq of interfering in its internal security affairs.
Tehran, which has repeatedly criticised the kingdom's crackdown on protesters, denies it is backing the uprising.
Bahrain's Shias, mainly in response to calls by the February 14 Coalition, continue to demonstrate in their villages, frequently clashing with police.
A total of 80 people have been killed since the protests erupted in 2011, according to the International Federation for Human Rights.

Top Ten Most Critical Web Application Security Risk

OWASP has officially released the Top Ten Most Critical Web Application Security Risk for 2013.
The Open Web Application Security Project (OWASP) Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP Top 10 - 2013 is as follows:
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Known Vulnerable Components
A10 Unvalidated Redirects and Forwards

DDoS Attacks On African National Congress Website

South Africa's ruling African National Congress on Friday said its website had been hacked by Zimbabwe activists claiming ties to the global "hacktivist" group Anonymous.
"Someone calling themselves Anonymous and claiming to be the legitimate representative of the people of Zimbabwe has flooded the website of our organisation," the ANC said in a statement.
The denial of service attack -- which floods a website with so many data requests that it crashes -- appeared to be in effect from around 09:00 GMT to 10:00 GMT.
"Our website management team is currently working on the problem, including assessing means to strengthen our security so that such does not recur in future," said spokesman Jackson Mthembu.
Anonymous is a loosely organised group that has been blamed for attacks on the FBI, Visa, MasterCard, the Kremlin, global intelligence firm Stratfor and Sony Pictures Entertainment among others.
The latest hacking attack appears to be linked to South Africa's stance on the ongoing political crisis in neighbouring Zimbabwe.
The South African government has been criticised for its perceived failure to take a hard line against Zimbabwean President Robert Mugabe, the leader of a fellow liberation movement.
Using the Twitter handle "@zim4thewin", a group calling themselves "Anonymous Africa" warned the ANC of the impending attack.
"Tick tock tick tock, your site will stop working in 40 minutes. think about all the blood on your corrupt hands when it is down," the unverified group warned.
A subsequent tweet read: " is tango down! for being corrupt and supporting the mass murdering mugabe #anc #africa #zimbabwe #anonymous"
Members of the group told AFP the attacks were aimed at getting as many people as possible discussing corruption, Mugabe's rule and his army's 1987 "Gukurahundi" suppression in which around 20,000 largely ethic Ndebele died.
Anonymous claimed responsibility for previous attacks on the websites of South African media, Mugabe's Zimbabwe African National Union - Patriotic Front (ZANU-PF) party, the Zimbabwean ministry of defence and the country's revenue authority.
The timing of this latest attack is politically sensitive.
Mugabe on Thursday plunged Zimbabwe back into political crisis by unilaterally announcing that elections will be held on July 31.
His political rival Prime Minister Morgan Tsvangirai vowed to fight the decision, arguing that Mugabe wants to avoid reforms and press ahead with a flawed poll to extend his 33-year rule.
The hack also came on the eve of a summit of regional leaders that will decide a response to Mugabe's gambit. The ANC on Friday defended its role in easing political violence in Zimbabwe, pointing to the establishment of a power sharing government and the passing of a new constitution.
The ANC vowed to "continue to work with the government and people of Zimbabwe to assist them find their own lasting solution to the challenges facing that country.

ICS-CERT Alert : Medical Devices Hard-Coded Passwords

Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.
Because of the critical and unique status that medical devices occupy, ICS-CERT has been working in close cooperation with the Food and Drug Administration (FDA) in addressing these issues. ICS-CERT and the FDA have notified the affected vendors of the report and have asked the vendors to confirm the vulnerability and identify specific mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks. ICS-CERT and the FDA will follow up with specific advisories and information as appropriate
The report included vulnerability details for the following vulnerability
Vulnerability Type Remotely Exploitable Impact
Hard-coded password Yes, device dependent Critical settings/device firmware modification
The affected devices have hard-coded passwords that can be used to permit privileged access to devices such as passwords that would normally be used only by a service technician. In some devices, this access could allow critical settings or the device firmware to be modified.
The affected devices are manufactured by a broad range of vendors and fall into a broad range of categories including but not limited to:
  • Surgical and anesthesia devices,
  • Ventilators,
  • Drug infusion pumps,
  • External defibrillators,
  • Patient monitors, and
  • Laboratory and analysis equipment.
ICS-CERT and the FDA are not aware that this vulnerability has been exploited, nor are they aware of any patient injuries resulting from this potential cybersecurity vulnerability.


ICS-CERT is currently coordinating with multiple vendors, the FDA, and the security researchers to identify specific mitigations across all devices. In the interim, ICS-CERT recommends that device manufacturers, healthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities. The FDA has published recommendations and best practices to help prevent unauthorized access or modification to medical devices.
  • Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.
    • Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard‑coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
  • Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
  • Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
  • Provide methods for retention and recovery after an incident where security has been compromised. Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.
For health care facilities: The FDA is recommending that you take steps to evaluate your network security and protect your hospital system. In evaluating network security, hospitals and health care facilities should consider:
  • Restricting unauthorized access to the network and networked medical devices.
  • Making certain appropriate antivirus software and firewalls are up-to-date. 
  • Monitoring network activity for unauthorized use.
  • Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
  • Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
  • Developing and evaluating strategies to maintain critical functionality during adverse conditions.
ICS-CERT reminds health care facilities to perform proper impact analysis and risk assessment prior to taking defensive and protective measures.
ICS-CERT also provides a recommended practices section for control systems on the US-CERT Web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.a Although medical devices are not industrial control systems, many of the recommendations from these documents are applicable.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT and FDA for tracking and correlation against other incidents.