Monday, 1 July 2013

Cisco warns of flaws in security appliances

Cisco is advising administrators to patch their security appliances following the disclosure of vulnerabilities in the company's Web Security Appliance and Email Security Appliance products.
The company said the flaws include both command injection and denial of service vulnerabilities in each of the two products.
For the Web Security Appliance, the update patches two authenticated command injection vulnerabilities. If exploited, the flaws could allow an attacker to remotely take control of a targeted appliance and execute arbitrary code. To do so, however, the company noted that the attacker would first need a valid account, which lowers the likelihood of a remote attack.
The remaining flaw could be exploited by a remote attacker to cause a denial of service. By exploiting a flaw in the appliance's handling of HTTP and HTTPS messages, the attacker could prevent users and administrators from accessing the targeted appliance.
Meanwhile, the Email Security Appliance update includes fixes for two denial of service flaws and one authenticated command injection flaw. As with the Web Security Appliance, the command injection flaw requires a valid account, while the denial of service flaws can be triggered remotely to take the appliance offline.
Cisco is also issuing updates to address code injection and denial of service flaws in its Content Security Management Appliance and a denial of service issue in the ASA Next-Generation Firewall platform.
The company is advising that users of the impacted Cisco appliances apply the fixes or contact their maintenance providers to check their systems and install the updates if needed.

Bletchley Park codebreaking huts set for historic restoration

The curators of Bletchley Park have announced plans to restore the site's historic codebreaking huts, along with the buildings that housed the Bombe codebreaking machines.
Under the plan, Huts 3 and 6, which housed the decryption and translation of signals intercepted from German Enigma machines, will be restored to their World War II condition, allowing visitors to see the conditions under which the scientists and mathematicians worked to break the legendary cipher.
Additionally, the park plans to restore Huts 11 and 11a, which housed the Bombe machines. Considered a forerunner of modern computers, the Bombe was an electromechanical device that simulated the action of many Enigma machines at once, using a guessed fragment of plaintext (a "crib") to eliminate the overwhelming majority of the cipher's millions of millions of possible rotor and plugboard settings.
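To make the Bombe's idea concrete, here is an added example that is not part of the original article: a small Go simulation of a Wehrmacht Enigma I (the historical wirings of rotors I, II and III and reflector B) together with a crib-driven search over all 26^3 rotor start positions for one rotor order. The real Bombe did not run a full encryption per candidate; it wired the crib's letter loops into a circuit that rejected positions electrically, and it also handled the plugboard. This version is a brute-force stand-in for that logic and, as simplifications made here, keeps the ring settings at A, omits the plugboard and assumes the crib sits at the start of the message. The message and the crib WETTERVORHERSAGE (the weather-report phrase famously used as a crib) are constructed for the example.

```go
package main

import "fmt"

// Wehrmacht Enigma I: rotors I, II, III (wiring, turnover notch) and reflector B.
var rotors = map[string]struct{ wiring string; notch byte }{
	"I":   {"EKMFLGDQVZNTOWYHXUSPAIBRCJ", 'Q'},
	"II":  {"AJDKSIRUXBLHWTMCQGZNPYFVOE", 'E'},
	"III": {"BDFHJLCPRTXVZNYEIWGAKMUSQO", 'V'},
}

const reflectorB = "YRUHQSLDPXNGOKMIEBFZCWVJAT"

// Enigma with three rotors (index 0 = left, 2 = right), ring settings fixed
// at A and no plugboard: enough to show how a crib narrows the rotor search.
type Enigma struct {
	fwd, inv   [3]string
	notch, pos [3]int
}

func NewEnigma(order [3]string, start string) *Enigma {
	e := &Enigma{}
	for i, name := range order {
		r := rotors[name]
		inv := make([]byte, 26)
		for j := 0; j < 26; j++ {
			inv[r.wiring[j]-'A'] = byte('A' + j)
		}
		e.fwd[i], e.inv[i] = r.wiring, string(inv)
		e.notch[i], e.pos[i] = int(r.notch-'A'), int(start[i]-'A')
	}
	return e
}

// step moves the rotors before each keypress, including the middle rotor's double step.
func (e *Enigma) step() {
	if e.pos[1] == e.notch[1] {
		e.pos[1] = (e.pos[1] + 1) % 26
		e.pos[0] = (e.pos[0] + 1) % 26
	} else if e.pos[2] == e.notch[2] {
		e.pos[1] = (e.pos[1] + 1) % 26
	}
	e.pos[2] = (e.pos[2] + 1) % 26
}

// through sends contact c through rotor i using the given wiring table, offset by rotation.
func (e *Enigma) through(i, c int, table string) int {
	out := int(table[(c+e.pos[i])%26] - 'A')
	return ((out-e.pos[i])%26 + 26) % 26
}

func (e *Enigma) encryptChar(ch byte) byte {
	e.step()
	c := int(ch - 'A')
	for i := 2; i >= 0; i-- {
		c = e.through(i, c, e.fwd[i])
	}
	c = int(reflectorB[c] - 'A')
	for i := 0; i < 3; i++ {
		c = e.through(i, c, e.inv[i])
	}
	return byte('A' + c)
}

// Encrypt is reciprocal: the same settings turn ciphertext back into text.
func (e *Enigma) Encrypt(text string) string {
	out := []byte(text)
	for i := range out {
		out[i] = e.encryptChar(out[i])
	}
	return string(out)
}

// SearchPositions does the Bombe's job for one rotor order: it runs a fresh
// machine from each of the 26^3 start positions and keeps those that turn the
// crib (assumed to sit at the start of the message) into the ciphertext.
// The first letter that disagrees kills a candidate, so most die on one keypress.
func SearchPositions(order [3]string, cipher, crib string) []string {
	var hits []string
	for n := 0; n < 26*26*26; n++ {
		start := string([]byte{byte('A' + n/676), byte('A' + n/26%26), byte('A' + n%26)})
		e := NewEnigma(order, start)
		match := true
		for i := 0; i < len(crib) && match; i++ {
			match = e.encryptChar(crib[i]) == cipher[i]
		}
		if match {
			hits = append(hits, start)
		}
	}
	return hits
}

func main() {
	order := [3]string{"I", "II", "III"}
	plain := "WETTERVORHERSAGEBISKAYA" // constructed message; WETTERVORHERSAGE is the crib
	cipher := NewEnigma(order, "QWE").Encrypt(plain)
	fmt.Println(cipher, SearchPositions(order, cipher, "WETTERVORHERSAGE"))
}
```

Two properties of the machine do the work. The reflector makes encryption its own inverse, so the same settings decrypt, and it also means Enigma never maps a letter to itself; the codebreakers used that second fact to slide a crib along a ciphertext and discard every alignment where a letter lined up with itself before any rotor was turned. With a 16-letter crib, the search above rejects almost every wrong position on its first or second letter, which is why the Bombe could race through settings that were hopeless to try by hand.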
The foundation said that it hopes to have restoration of the huts completed by mid-2014.
The renovations are the latest in an effort to establish Bletchley Park as both a historic location and an educational centre teaching the role that technology and computation played in helping the Allies win the war. Curators hope that all restoration work will be finished, and the whole site open to the general public, by 2020.
Led by Alan Turing, the Bletchley Park group helped to break an Enigma cipher which had, until then, proven unbreakable. Through a combination of mathematical analysis and engineering skill, the group developed a system for reliably intercepting and decoding German signals and orders. The intelligence coup proved vital in the European theatre.
Post-war, however, the facility and its staff faced a series of tragedies. After being prosecuted for homosexual acts, Turing died in 1954 after ingesting cyanide. Though the government apologised in 2009 for its prosecution of Turing, he has never been formally pardoned.
Bletchley Park also fell on hard times after the war, lying neglected for decades before being rediscovered and championed by the scientific community as a historic site and a rallying point for maths and science education campaigns.

Opera infrastructure hacked and digital certificate stolen

Opera Software has revealed that its infrastructure was attacked and that a code signing certificate was stolen and used to sign malware and deceive victims.

The attack took place on June 19th and was uncovered and contained by Opera itself; the company disclosed it in an official advisory published on Wednesday morning.
“On June 19th we uncovered, halted and contained a targeted attack on our internal network infrastructure. Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments.
The evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.”
The attackers penetrated Opera's network and stole at least one digital certificate, which they then used to sign malware; once again, attackers used digitally signed malicious code to evade the defences of their targets. Several details of the attack are still unclear, for example its source, the actual number of servers compromised and the number of certificates stolen.
Software signed with the certificate appeared to be published by the browser maker, deceiving victims. Although there is no evidence that user data was exposed, the incident could have serious repercussions: it is likely that the attackers signed the code to disguise it as Opera software or an Opera update, with the consequence that a few thousand Windows users who were using Opera on June 19 between 01:00 and 01:36 UTC may have automatically received and installed the signed malicious code.
Opera's system administrators and security team have cleaned the servers; the company has not provided further details on the incident.
How did the attackers reach the storage where Opera kept its code signing certificates, and what is the nature of the malicious code they used?
No data are available regarding the compromised server; meanwhile, the Opera team suggested consulting the information published by VirusTotal for more details on the malware sample that was detected.

As usual in such cases, potential victims are advised to clean their systems and update to the latest version of the software from the compromised firm; in this case Opera urges users to "update to the latest version of Opera as soon as it is available, keep computer software up to date, and to use a reputable antivirus product on their computer."
The investigation is still ongoing; personally, I have many doubts that Opera has mitigated the breach: the attackers deployed at least one infected file on an Opera server, and the malicious content may have been downloaded and installed by Opera itself, which is a failure from a security perspective.
My last doubt relates to the fact that, according to the advisory, the stolen certificate was expired: in that case, did Opera's auto-update alert the user or stop the software update?
Fortunately, the majority of antivirus products on the market are able to detect the malware, and the window of exposure was limited to at most 36 minutes.

Internet overlords close to opening new online domains

The agency in charge of website addresses passed a major milestone Friday on the path to broadening the world of domain names by the end of this year.
The board of US-based Internet Corporation for Assigned Names and Numbers (ICANN) touted freshly-approved benefits and responsibilities for registrars that essentially act as domain name wholesalers.
Changes to contractually enforceable rules include requiring registrars to confirm phone numbers or addresses of those buying domain names within 15 days.
"People who have stolen an identity or have criminal backgrounds obviously don't want to give you their name and address if their intentions are not kosher," said Cyrus Namazi, ICANN's vice president of industry engagement.
"The intent here is to weed out bad actors."
Prior to new rules outlined in the Registrar Accreditation Agreement, there were "loose checks and balances" to make sure aliases weren't being used by people buying domain names, according to Namazi.
"It is a very serious and significant milestone in moving toward new gTLDs (generic Top-Level domains)," he said.
ICANN is considering more than 1,800 requests for new web address endings, ranging from the general such as ".shop" to the highly specialized like ".motorcycles."
Many of the requests are from large companies such as Apple, Mitsubishi and IBM—with Internet giant Google alone applying for more than 100, including .google, .YouTube, and .lol—Internet slang for "laugh out loud."
California-based ICANN says the huge expansion of the Internet, with some two billion users around the world, half of them in Asia, means new names are essential.
There are currently just 22 gTLDs, of which .com and .net comprise the lion's share of online addresses.
"We spent a long time negotiating very thorny issues," Akram Atallah, ICANN's generic domains division head, said in an online video.
"The new agreement achieves everything we wished for in order to roll out the new gTLD program."
The first new website address endings should be available in the final quarter of this year, according to Namazi.
The revamped agreement will affect more than 1,000 domain name registrars around the world.
ICANN has been negotiating with domain handlers for more than two years on agreement revisions, with interests of governments and law enforcement agencies among those factored into changes, according to Namazi.
"Law enforcement agencies played a big role in it, because Internet crime is one of the biggest factors out there," he said.
"Governments are actively involved because the Internet is one thing that connects all the governments of the world and some want to control it."
The agreement doesn't require domain operators to go beyond legal limits regarding information that must be supplied to law enforcement officials, according to ICANN.
"This agreement is probably going to be somewhat invisible to consumers but it provides a mechanism to protect privacy and prevent crime," Namazi said.

Opera Breach - When Cybercriminals take on Targeted Attacks

On June 26 2013, browser manufacturer Opera announced that they had been breached as a result of a targeted attack against their infrastructure. However, this was no ordinary targeted attack.
The attackers in this case weren't looking to steal intellectual property. They wanted to use Opera's auto-update mechanism to propagate a piece of malware normally associated with financial Trojans.
When attackers breached the Opera network sometime around June 19 2013, they first stole an expired Opera code signing certificate and used it to sign a piece of malware. Signing the malware allowed them to distribute it via Opera's auto-update mechanism, so that users received the malware as what looked like a browser update.
The malware in question is Downloader.Ponik, a downloader Trojan typically used to propagate cybercrime-related malware, such as financial Trojans and infostealers.
Opera, in its statement, estimates that a few thousand users may have automatically received the malware between 01:00 and 01:36 UTC on June 19. Opera spotted the breach and was able to halt any further propagation of the malware.
As the attackers only had a small window in which to operate they had limited success. Had they had more prolonged access to the Opera network they would have been much more successful. Or would they?
Had the attackers had access to the Opera servers for a longer period they would have been able to propagate their malware to a much larger number of users. However, such an attack would be very noisy, drawing the attention of security companies who would quickly provide protection and lead a concerted effort to take down command-and-control (C&C) servers. All of this would render the malware effectively useless.
This is reminiscent of Conficker, a threat which spread to millions of computers and was due to trigger a payload on April 1, 2009. However, by that time, security organizations and hosting providers had worked together to take control of the C&C servers. The threat was being so closely monitored that the attackers were unable to leverage it.
When attackers try aggressive propagation methods they become victims of their own success. For now this attack has been neutralized. Opera recommends that users update their browsers as a proactive measure against further attacks. Symantec provides protection for this threat as Downloader.Ponik. We also recommend that users who think they may have been affected reset their passwords.
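Both Opera write-ups above turn on the same point: the stolen certificate was already expired, yet code signed with it still reached users through auto-update. The Go program below is an added example, not code from Opera, Symantec or this page; it builds a throwaway example vendor PKI in memory (the names, keys, serial numbers and dates are all constructed) and signs an "update" with a code signing certificate that lapsed a year ago, which is what an attacker holding an old key can do. It shows that a bare signature check accepts the package, while an updater that also validates the certificate chain against its pinned root at the current time rejects it; the chain check only passes when asked to evaluate the certificate as of a date inside its validity window, which is the role a trusted timestamp countersignature plays.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const year = 365 * 24 * time.Hour

// SignedUpdate is what a hypothetical updater downloads: the package bytes,
// a signature over their SHA-256 digest and the DER-encoded signing cert.
type SignedUpdate struct {
	Payload, Sig, LeafDER []byte
}

// Verify does what an updater must before installing: the signature has to
// check out under the bundled certificate AND that certificate has to chain
// to the vendor's pinned root with the Code Signing usage at time 'at' (the
// time of a trusted countersignature, or "now" when there is none).
func Verify(u SignedUpdate, roots *x509.CertPool, at time.Time) error {
	leaf, err := x509.ParseCertificate(u.LeafDER)
	if err != nil {
		return err
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	digest := sha256.Sum256(u.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], u.Sig) {
		return errors.New("bad signature")
	}
	// A stolen but expired certificate passes the signature check above;
	// only the chain validation with a time check rejects it.
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// BuildScenario constructs (not real Opera material) a vendor root, a code
// signing certificate that expired a year ago and an update signed with that
// certificate's key.
func BuildScenario(payload []byte) (SignedUpdate, *x509.CertPool) {
	now := time.Now()
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Vendor Root"},
		NotBefore:             now.Add(-3 * year),
		NotAfter:              now.Add(5 * year),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)

	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Vendor Code Signing (old)"},
		NotBefore:    now.Add(-2 * year),
		NotAfter:     now.Add(-1 * year), // expired a year ago
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)

	digest := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])

	roots := x509.NewCertPool()
	roots.AddCert(root)
	return SignedUpdate{Payload: payload, Sig: sig, LeafDER: leafDER}, roots
}

func main() {
	u, roots := BuildScenario([]byte("constructed update package bytes"))
	fmt.Println("checked at install time:     ", Verify(u, roots, time.Now()))
	fmt.Println("checked as of 18 months ago: ", Verify(u, roots, time.Now().Add(-18*30*24*time.Hour)))
}
```

Without a trusted timestamp, an updater should evaluate the chain at install time, as Verify does with time.Now(); accepting a signature whose certificate has lapsed is exactly the gap an old stolen certificate exploits. A production updater would go further and pin the expected signer rather than accept any code signing leaf under the root, and consult revocation, so that a certificate the vendor knows to be stolen is refused even inside its validity window.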

China, US Continue “War of Words” on Cybersecurity

China and the U.S. continued to throw accusations at each other on cyber issues on Thursday, this time with military leaders taking the lead. At the Brookings Institution, Gen. Martin Dempsey, chairman of the U.S. Joint Chiefs of Staff, said: "All nations on the face of the planet always conduct intelligence operations in all domains. [But] China's particular niche in cyber has been theft and intellectual property. I've had some conversations about that with them. Their view is that there are no rules of the road in cyber, there's nothing, there's no laws that they are breaking, there's no standards of behavior."
Chinese Defense Ministry spokesman, Col. Yang Yujun fired back, however, declaring: “The Prism-gate affair is itself just like a prism that reveals the true face and hypocritical conduct regarding Internet security of the country concerned.” These comments echoed earlier ones by a Chinese military expert, who told Xinhua that the U.S. is a “hacker empire” with “many faces.”
Meanwhile, the liquidity crisis over the last few weeks continues to dominate news coverage. On Thursday it was first reported that the Agricultural Development Bank of China has pumped US$100.1 billion into the market since late May to unfreeze lending.
Over at Foreign Policy, Michael Pettis argues that the slower growth in China is the new normal, and everyone should get used to (and try to accommodate) the type of turbulence in credit markets we saw last week.
One way the PBSC, and Li Keqiang in particular, hope to stave off this slowdown is by accelerating the pace of urbanization. To that end, the Economic Observer reports on some of the details of the State Council’s forthcoming plan on urbanization, including how to reform the Hukou system.
More and more upper-class Chinese are sending their kids to elite Western summer school programs, with the ultimate goal being to gain admission to a Western university for college, according to the Wall Street Journal.
Clashes in Xinjiang killed over thirty this week, while a new report by Human Rights Watch claims China has forcibly relocated 2 million people in Tibet since 2006. U.S. Ambassador Gary Locke has decided to go check it out for himself.

Report : NSA Spied On EU Institutions

According to a report in the German news magazine Der Spiegel, the US National Security Agency bugged institutions of the European Union. The magazine cited documents provided by whistleblower Edward Snowden.
The Spiegel report, published Saturday in its online edition, says that the NSA used bugs, phone taps and computer monitoring to obtain information from EU institutions in Washington, D.C., New York and Brussels.
Edward Snowden, a former NSA contractor who recently leaked classified documents about the NSA's monitoring program of US citizens, provided the documents the magazine cited in its report.
The documents, marked 'top secret' and dated September 2010, specifically name the EU as a "target" for surveillance. The NSA appears to have had access to telephone calls, computer documents and emails.
Part of the surveillance included monitoring the Justus Lipsius building in Brussels, where the European Council is housed. Every EU member nation has rooms in the building which can be used for phone calls or to access the internet.
Spiegel reports that five years ago, EU security officers had investigated a series of missed calls to NSA offices located in NATO facilities in Brussels.
Snowden fled the United States in May before the initial stories of the NSA's secret phone and data monitoring program were published. The extent of the government monitoring continues to grow as Snowden shares more leaked documents with news outlets.
He is currently believed to be in a transit center at a Moscow airport. The US has called for Snowden's extradition and arrest on espionage charges. He had previously been in Hong Kong, and has submitted an asylum request to the government of Ecuador.

ATM $14 Million Hacker Sentenced

A Pakistani man who participated in two multimillion-dollar ATM heists targeting debit card processors was sentenced in Brooklyn federal court on Friday to 18 months in prison.
Imran Elahi pleaded guilty last year to access device fraud and conspiracy, largely for his involvement in two precision strikes: a $9 million heist in 2008 involving RBS WorldPay and a $14 million hack in 2011 against Fidelity Information Services.
The cybercrimes were strikingly similar to the $45 million global ATM heist that Brooklyn federal prosecutors revealed last month, when U.S. Attorney Loretta Lynch charged eight defendants with using stolen debit cards at thousands of automated teller machines worldwide over a period of hours in a coordinated attack.
That effort involved MasterCard Inc prepaid debit cards issued by Bank Muscat of Oman and National Bank of Ras Al Khaimah PSC, or Rakbank, of the United Arab Emirates.
In court on Friday, prosecutors praised Elahi for immediately waiving extradition upon his arrest in the Netherlands last May and agreeing to cooperate with the government.
Elahi's case was sealed until recently, and details of his cooperation remain under wraps.
Lynch's office has not indicated whether there is any connection between Elahi's assistance and the case in May. The ringleaders of the Middle East heist, and the country in which they are based, have not been charged or publicly identified by authorities.
Assistant U.S. Attorney Cristina Posa said Elahi had provided "significant assistance" to investigators. When asked by U.S. District Judge John Gleeson what sentence seemed appropriate, she said, "If he was to go home to his family this weekend, I wouldn't be bothered by it."
In so-called "unlimited operation" heists, like those Elahi admitted joining, hackers gain access to the computer systems of payment processors that handle prepaid debit cards for various financial institutions and dramatically increase the available balance and withdrawal limits on a handful of cards.
Co-conspirators in countries around the world then fan out to ATMs and take out money using the stolen debit card numbers in a coordinated global operation.
The operations can net cybercrime rings enormous sums of money in short amounts of time. In the case revealed in May, "casher crews" were able to withdraw $40 million in just over 10 hours.
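The pattern described above is easy to state as a detection rule: withdrawals on one card that, within a short window, add up to more than the issuer itself allows, drawn from ATMs in several countries. The Go program below is an added example, not from the article or from any bank or processor; the card limits, transaction records, amounts and timestamps are constructed. It keys the check on the issuer's own daily limit rather than on the balance or limit stored at the processor, because in an unlimited operation the processor-side values are exactly what the attackers changed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Withdrawal is one ATM cash withdrawal as an issuer would see it in its logs.
type Withdrawal struct {
	Card    string
	At      time.Time
	Country string
	Amount  float64
}

// Alert describes a card whose withdrawals inside one window look like an
// "unlimited operation": more cash than the issuer's real daily limit allows,
// pulled from ATMs in several countries within hours.
type Alert struct {
	Card      string
	Total     float64
	Countries int
	From, To  time.Time
}

// DetectCashout groups withdrawals per card, slides a window over them and
// raises one alert per card whose in-window total exceeds the issuer's limit,
// reporting the heaviest window found for that card.
func DetectCashout(limits map[string]float64, txns []Withdrawal, window time.Duration) []Alert {
	byCard := map[string][]Withdrawal{}
	for _, w := range txns {
		byCard[w.Card] = append(byCard[w.Card], w)
	}
	var alerts []Alert
	for card, ws := range byCard {
		sort.Slice(ws, func(i, j int) bool { return ws[i].At.Before(ws[j].At) })
		var best *Alert
		for i := range ws { // window opening at withdrawal i
			total, countries := 0.0, map[string]bool{}
			for j := i; j < len(ws) && ws[j].At.Sub(ws[i].At) <= window; j++ {
				total += ws[j].Amount
				countries[ws[j].Country] = true
				if total > limits[card] && (best == nil || total > best.Total) {
					best = &Alert{card, total, len(countries), ws[i].At, ws[j].At}
				}
			}
		}
		if best != nil {
			alerts = append(alerts, *best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Card < alerts[j].Card })
	return alerts
}

// SampleData is constructed for the example: one card used normally and one
// card that a casher crew empties in four countries in under three hours.
func SampleData() (map[string]float64, []Withdrawal) {
	t0 := time.Date(2013, 6, 1, 3, 0, 0, 0, time.UTC)
	limits := map[string]float64{"CARD-A": 500, "CARD-B": 1000}
	txns := []Withdrawal{
		{"CARD-A", t0, "US", 200},
		{"CARD-A", t0.Add(26 * time.Hour), "US", 200},
		{"CARD-A", t0.Add(52 * time.Hour), "US", 100},
	}
	countries := []string{"US", "JP", "CA", "EG"}
	for i := 0; i < 12; i++ {
		txns = append(txns, Withdrawal{"CARD-B", t0.Add(time.Duration(i) * 14 * time.Minute), countries[i%4], 5000})
	}
	return limits, txns
}

func main() {
	limits, txns := SampleData()
	for _, a := range DetectCashout(limits, txns, 24*time.Hour) {
		fmt.Printf("%s: %.0f withdrawn across %d countries between %s and %s\n",
			a.Card, a.Total, a.Countries, a.From.Format(time.Kitchen), a.To.Format(time.Kitchen))
	}
}
```

The rule is deliberately simple: it needs only the issuer's limit table and the withdrawal feed, both of which exist outside the compromised processor, and it fires while a cash-out is still running rather than after reconciliation. The country count is reported so that an analyst can separate a travelling cardholder who exceeds a limit once from a handful of cards being drained on several continents in the same hour.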
Authorities said Elahi was responsible for disseminating the debit card numbers to casher crews in Mexico and elsewhere. Between 2005 and 2012, Elahi's activities earned him roughly $250,000 to $300,000.
All told, Elahi's actions victimized more than 350 financial institutions, according to the government.
In sentencing Elahi, Gleeson noted his remorse and the aid he provided to the government. With time served and good behavior, Elahi could be released almost immediately and sent back to Pakistan to rejoin his family.