Monday, 8 July 2013

Investment firm Morningstar admits client credit card numbers leaked in breach

Investment research firm Morningstar says that personal information including credit card numbers for clients, email addresses and passwords may have been compromised during an intrusion into its systems in April 2012.
Morningstar admits that the data was not encrypted at the time, and advised users to check credit card statements for evidence of fraud.
Around 2,300 users of the Morningstar Document Research system had their credit card information leaked, and a further 182,000 users may have had usernames and passwords compromised. The information was revealed in an SEC filing, and reported by Associated Press.
The investment research firm said, “A small subset of our clients’ credit card and other personal information may have been compromised because of an illegal intrusion into the Morningstar Document Research. We recently learned that this intrusion occurred around April 3, 2012.”
“The server in question housed information clients provided to us, and may have included first and last names, addresses, email addresses, user-generated passwords, and some credit card numbers. This information was not encrypted at the time of the intrusion.”
Morningstar said that it had introduced a more secure system since the breach, and that it has sent notices via email to affected clients, as well as initiating password resets. The company also said it was working with law enforcement to investigate the breach. The company posted more detailed information, including advice for affected clients, in a PDF on its news site.
“We don’t have any evidence to suggest that the information was misused,” the company said in its statement. “As a precaution, if you were among the small number of clients whose credit card information may have been compromised, you should look at your statements from last year and this year. We have arranged for clients whose credit card information may have been compromised to receive 12 months of free identity protection through Experian.”

Hackers using PRISM-phishing Java RAT to steal government data

Cyber criminals are targeting government agencies with phishing messages containing a dangerous Java remote access tool (RAT).
Symantec researcher Andrea Lelli reported uncovering the threat, confirming that the messages are designed to entice government workers to download the attachments by masquerading as news announcements and messages about the PRISM scandal.
"We recently came across an attack campaign which looked quite unusual compared to the standard attacks normally seen in the wild. This campaign is targeting government agencies by sending phishing emails with a malicious attachment. Nothing new so far, except for one thing: the malicious payload is a Java remote access tool (RAT)," wrote Lelli on a company blog.
"As we all know, cyber criminals tend to use recent hot media topics to entice users. In the case of this campaign they are using the recent news coverage surrounding the NSA surveillance programme PRISM."
Lelli highlighted the use of the RAT as particularly troubling, as it grants the attackers several advanced powers over compromised machines. "This applet is a RAT named jRat, it is available for free and Symantec detects it as Backdoor.Jeetrat. This threat can give full control of the compromised computer to a remote attacker," wrote Lelli.
"More importantly, because it is a Java applet the threat is able to run on multiple operating systems, not just Windows. In fact, the threat has a builder tool that allows you to build your own customised versions of the RAT, and we can see that when it comes to the targeted operating systems, the choice is very broad."
The Symantec researcher said the campaign is a modified version of a previously detected attack, which relied on a booby-trapped document rather than a Java applet. Describing that older attack, Lelli wrote: "This malicious RTF document exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), detected by Symantec as Bloodhound.Exploit.457."
"The attack has been simplified as it does not involve the use of an exploit, nor an executable shellcode/payload, but simply relies on a Java applet. Nonetheless, it is no less dangerous than the older attacks and it can spread more easily since exploits are usually limited to work on specific versions of the vulnerable software and operating system, while this RAT can spread on any system where Java runtime is installed. In fact, not only has the attack been simplified, but it has also become more stable and more virulent, it is a big upgrade."
Despite the troubling news Lelli confirmed there are protection tools available that can ward off the attack. "While this new attack is a little unusual, it can be detected and blocked like older ones. We advise our customers to update their definitions and to be very cautious when receiving suspicious emails," wrote Lelli.
The RAT is one of many evolved cyber attacks targeting UK networks. Most recently Olympic cyber security head Oliver Hoare revealed hackers targeted the electricity grid powering the London 2012 Olympics stadium on the eve of the opening ceremony.

McAfee closes Stonesoft deal and plans next-generation firewall tool

McAfee has finalised its deal to acquire Stonesoft, announcing plans to offer advanced next-generation firewall technology acquired as part of the deal to its customers.
The deal was announced in May, when McAfee paid $389m to buy the Finnish firm. Now that the deal has completed, the Stonesoft team will become part of the McAfee Network Security Business Unit led by Pat Calhoun.
Stonesoft regional director, Ashish Patel, told V3 the deal is designed to offer businesses next-generation protection against the sea of evolved targeted attacks facing them. "Before next generation firewall technology came to market firewalling was quite a point product - so you had your firewall technology then you had your AV added onto that and so on," he said.
"The next generation firewall technology is about bringing all of that together to deal with advanced threats. The threats we see on a daily basis are evolving and rapidly becoming much more complex and fluid in the way they attack. It can be quite difficult for companies to maintain the level of security they need to protect their businesses. That's where firewalling and intrusion prevention systems come into place."
Patel said the upgraded tech will vastly bolster McAfee's existing firewall portfolio, boasting it will be a key tool in the firm's network security expansion strategy.
"McAfee does have firewall technology but it's proxy based, this is obviously a next generation Firewall that they've taken on board. One of the key reasons to take on the technologies is to ensure McAfee itself holds a competitive advantage in the network security space, adding to the portfolio," he told V3.
Patel added that Stonesoft will continue to support its existing 6,500 customers and will honour its forecast update and strategy announcements.
Network security is forecast to be a boom area in the security industry. Gartner estimates that the market will boast a seven percent compound annual growth rate (CAGR) over the next five years and be worth $11.4bn by 2017.
McAfee is one of many companies expanding its technology portfolio to deal with the recent influx of targeted attacks hitting businesses. Most recently, competing security firm Malwarebytes acquired US firm Zero Vulnerability Labs, adding its flagship ExploitShield browser protection service to its anti-hacker arsenal.

Cyber attack threat to London 2012 Olympic opening ceremony revealed

Hackers targeted the electricity grid powering the London 2012 Olympics stadium on the eve of the opening ceremony, Olympic cyber security head Oliver Hoare has revealed.
Hoare revealed that the games were hit with a serious and "credible" cyber attack during an interview with the BBC. "I got a phone call at quarter to five, which is always disturbing, particularly on your day off, but more disturbing because of the fact the phone call was from GCHQ and there was a suggestion that there was a credible attack on the electricity infrastructure supporting the games," he said.
Hoare said the attack, while serious, was countered by meticulous preparations made before the event, which ensured that even if the lights went down, they could be brought back up.
"I don't want to go into too much detail how we put those mitigations in place but – put basically – we switched to manual or had the facility to switch to manual. It's a very crude way to describe it, but effectively we had lots of technicians stationed at strategic points and we, of course, had a tremendous amount of work done on resilience and power – to the extent I think that even if all the lights went out in east London you could guarantee the Olympics Stadium would still be burning brightly," he said.
"Those were put in place and I distinctly remember a conversation about an hour before, being asked, 'Well, what's the situation?' And I said: 'The good news is if the lights go down, I can get them up and running regardless within 30 seconds.' On the surface you may say, 'Wow that's great,' but 30 seconds at the opening ceremony with the lights going down would have been catastrophic in terms of reputation."
Hoare's comments follow wider reports that hackers had laid siege to the Olympic networks for the duration of the event. Prior to Hoare, BT revealed the London 2012 website was subjected to over 200 million attacks during the two-week event. The revelation comes during a wider boom in the number of cyber attacks targeting the UK.
Experts from both the public and private sector have warned that state and lone wolf hackers have been developing new and more dangerous ways to infiltrate companies' networks. The UK government has implemented several new directives and initiatives to deal with the increased threat.
Most recently, Philip Dunne, minister for defence equipment, support and technology, announced that the government has forged partnerships with nine of the country's largest contractors to help protect British supply chains.

ICO fines energy firm £45,000 over nuisance marketing calls

The fight against nuisance marketing calls continues as the Information Commissioner’s Office (ICO) revealed that it had handed out a fine of £45,000 to a Manchester-based energy company that plagued consumers with nuisance calls.

The firm, Tameside Energy Services, was hit with the fine after numerous complaints that it continued to badger people despite being asked repeatedly for the calls to stop. In one instance the firm is said to have continued to call an 80-year-old woman despite her telling the company 20 times that she wanted to be removed from its lists.

In total, between 26 May 2011 and 31 January 2013 the company received over 1,000 complaints to the Telephone Preference Service (TPS) and the ICO itself. The company was found to have failed to remove people from its list and to find out if people had registered with the TPS, which is a legal requirement of the Privacy and Electronic Communications Regulations.
The fine would have been £90,000, but the ICO said the financial situation at the firm meant it was lowered to half that. Simon Entwisle, director of operations at the ICO, said the fine proved the watchdog was taking a hardline stance with firms that irritate consumers with unwanted calls.

“This is not the first and will not be the last monetary penalty issued by the ICO for unwanted marketing calls,” he said.

“These companies need to listen – bombarding the public with cold calls will not be tolerated. Were it not for the company’s poor financial position, this monetary penalty would have been £90,000.”

He repeated calls for the law to be improved in this area to make it easier for the ICO to hit firms with fines. “We would like to see the law changed to make it simpler for us to punish companies responsible for repeated and continuous breaches of the law,” he explained.

V3 contacted Tameside Energy Services for comment on the fine but had received no reply at the time of publication.

The fine was welcomed by Mike Lordan, chief of operations at the Direct Marketing Association, who said it is important that such firms are targeted so those abiding by the rules are protected.
"The ICO must use enforcement action to protect the consumer, as well as the interests of the vast majority of companies that comply with the law and follow the highest standards of best practice,” he said.

"We know there are more companies breaking the law, so we look forward to seeing further enforcement action to stamp out nuisance calls and protect the legitimate telemarketing industry."
The fine follows others handed out in recent months, including one of £225,000 for the two companies that star in the BBC TV show The Call Centre and another of £90,000 sent to a Glasgow-based design company.
The recent spate of fines underlines the need for companies that handle customer information and run marketing campaigns to ensure they are adhering to the necessary data protection laws, or risk a fine themselves.

Intel to detail vPro extensions beyond management features at IDF

Intel is set to add new capabilities to its vPro technology for businesses in its 4th generation Core processors, extending it to enhance file transfer and collaboration tools, offer secure wireless display capabilities and better integrate it with the small business advantage (SBA) platform for SMEs.
In an interview with V3, Intel's Business Client division general manager Rick Echevarria said that the company is looking to build on its vPro technology in ways designed to help boost end user productivity.
While the 4th generation of its Core vPro was announced as part of the Haswell launch last month, Intel is planning a broader launch at its upcoming Intel Developer Forum (IDF) in San Francisco, where more details will be disclosed.
"In September, we will talk about our decision to turn vPro into not only a security and manageability platform, but how we are also building into the platform technologies that are intended to help you be more productive and to have a better experience as a user of technology," said Echevarria.
As well as extra management capabilities and enhancements to its KVM technology, Intel is adding encryption key management to vPro that will work with the encryption support in its own flash solid state drives (SSDs), and is opening up those encryption capabilities through application programming interfaces (APIs) to secure file transfer and secure file sharing services.
"We have a lot of capability in our active management technology to manage keys, and for those workers who want to go drop their data in different locations, we want to give IT the ability to manage those keys."
"We'll provide the underlying technology, the APIs, and we'll choose a few of our partners. SkyDrive Pro represents a very good opportunity for us and there will be a few others we will partner with," Echevarria said.
While the 4th generation Core platform launched with Intel Wireless Display (WiDi) technology built in, Intel is looking to offer a secure version of this for corporate environments by integrating it with vPro.
"Wi-Di is one of those technologies we have to go and enhance for the business environment because it is a hassle to be dealing with cables and connections and adapters, and it's one of those technologies that gets a lot of usage from a productivity perspective," said Echevarria.
The overall strategy seems to be to expand vPro so that other management tools and business technologies can plug into it and extend its capabilities.
"We're basically turning this management and security capability that's in vPro into a programmable engine for IT," he said.
Intel is also looking to integrate vPro better with its small business advantage (SBA) tools, which are aimed at smaller companies that may lack an IT department to take care of PC management processes for them.
"If you look at vPro, it's really designed as an enterprise class technology, so with SBA, we looked at whether there were some things we could leverage from that platform that small businesses might want to use," Echevarria explained.
"What you will likely see in future is us taking more of the vPro functionality and exposing it through the SBA interface. We will also enable OEMs to do the same thing with an SDK, so they can take those capabilities and expose them in a simpler way for small businesses."

Cyberspying targeted South Korea, US military

The hackers who knocked out tens of thousands of South Korean computers simultaneously this year are out to do far more than erase hard drives, cybersecurity firms say: They also are trying to steal South Korean and US military secrets with a malicious set of codes they've been sending through the Internet for years.
The identities of the hackers, and the value of any information they have acquired, are not known to US and South Korean researchers who have studied line after line of computer code. But they do not dispute South Korean claims that North Korea is responsible, and other experts say the links to military spying add fuel to Seoul's allegations.
Researchers at Santa Clara, California-based McAfee Labs said the malware was designed to find and upload information referring to US forces in South Korea, joint exercises or even the word "secret."
McAfee said versions of the malware have infected many websites in an ongoing attack that it calls Operation Troy because the code is peppered with references to the ancient city. McAfee said that in 2009, malware was implanted into a social media website used by military personnel in South Korea.
"This goes deeper than anyone had understood to date, and it's not just attacks: It's military espionage," said Ryan Sherstobitoff, a senior threat researcher at McAfee who gave The Associated Press a report that the company is releasing later this week. He analyzed code samples shared by US government partners and private customers.
McAfee found versions of the keyword-searching malware dating to 2009. A South Korean cybersecurity researcher, Simon Choi, found versions of the code as early as 2007, with keyword-searching capabilities added in 2008. It was made by the same people who have also launched prior cyberattacks in South Korea over the last several years, Choi said.
Versions of the code may still be trying to glean military secrets from infected computers. Sherstobitoff said the same coded fingerprints were found on an attack on June 25, the anniversary of the start of the 1950-53 Korean War, in which websites for South Korea's president and prime minister were attacked. A day later the Pentagon said it was investigating reports that personal information about thousands of US troops in South Korea had been posted online.
Sherstobitoff began his investigation after the March 20 cyberattack, known as the Dark Seoul Incident. It wiped clean tens of thousands of hard drives, including those belonging to three television networks and three banks in South Korea, disabling ATMs and other bank services. South Korea says no military computers were affected by Dark Seoul.
The code used in the shutdown is different from that used to hunt for military secrets, but they share so many characteristics that Sherstobitoff and Choi believe they were made by the same people.
Sherstobitoff said those responsible for the spying had infected computers by "spear phishing", targeted attacks that trick users into giving up sensitive information by posing as a trusted entity. The hackers hijacked about a dozen obscure Korean-language religious, social and shopping websites to make it easier to pull secrets from infected computers without being detected.
The McAfee expert said the hackers have targeted government networks with military information for at least four years, using code that automatically searched infected computers for dozens of military terms in Korean, including "US Army," "secret," "Joint Chiefs of Staff" and "Operation Key Resolve," an annual military exercise held by US Forces Korea and the South Korean military.
The report does not identify the government networks that were targeted, but it does mention that in 2009, the code was used to infect a social media site used by military personnel living in South Korea. McAfee did not name the military social media site, nor release what language it is in, at the request of US authorities who cited security issues. South Korea has a military force of 639,000 people, and the US has 28,500 military personnel based in the country.
McAfee also said it listed only some of the keywords the malware searched for in its report. It said it withheld many other keywords that indicated the targeting of classified material, at the request of US officials, due to the sensitivity of releasing specific names and programs.
"These included names of individuals, base locations, weapons systems and assets," said Sherstobitoff.
Choi, who works for a South Korean cybersecurity company, has made similar discoveries through IssueMakersLab, a research group he and other "white-hat" hackers created.
Results of a report Choi produced were published in April by Boan News, a Seoul-based website focused on South Korean security issues, but they did not get broad attention. That report included many search terms not included in the McAfee report, including the English-language equivalents of Korean keywords.
Both McAfee and IssueMakersLab found that any documents, reports and even PowerPoint files with military keywords on infected computers would have been copied and sent back to the attackers.
The attackers are also able to erase hard drives en masse by uploading malware and sending remote-control commands, which is what happened March 20.
Before that attack, hackers had been sending spy malware on domestic networks for months, giving them the ability to gather information about how their internal servers work, what websites the users visit and which computers are responsible for security, the researchers found. This information would have been crucial for planning the coordinated attacks on banks and TV networks.
Anti-virus software and safe practices such as avoiding links and attachments in suspicious emails can prevent computers from getting infected, but the March attack shows how difficult this can be to accomplish on a broad scale. Ironically, some of the malicious codes used were disguised as an anti-virus product from AhnLab Inc., South Korea's largest anti-virus maker, said McAfee.
McAfee said it shared its findings with US authorities in Seoul who are in close collaboration with South Korean military authorities.
Tim Junio, who studies cyberattacks at Stanford University's Center for International Security and Cooperation, said the McAfee report provides "pretty compelling evidence that North Korea is responsible" for the attacks in the South by tying the series of hacks to a single source, and by showing that users of a military social media site were targeted.
There are clues in the code as well. For example, a password, used again and again over the years to unlock encrypted files, had the number 38 in it, a politically loaded figure for two countries divided on the 38th parallel, security experts said.
Pentagon spokesman Army Lt. Col. James Gregory said the Defense Department is aware of the study and looks forward to reviewing it.
"The Defense Department takes the threat of cyber espionage and cyber security very seriously, which is why we have taken steps to increase funding to strengthen capabilities and harden networks to mitigate against the risk of cyber espionage," he said.
South Korea's Defense Ministry says its secrets are safe. Ministry spokesman Kim Min-seok said officials were unaware of McAfee's study, but added that it's technically impossible to have lost classified reports because computers with military intelligence are not connected to the Internet. When accessing the Web, military officials use different computers disconnected from the internal military server, he said.
A hack of sensitive South Korean military computers from the Internet "cannot be done," Kim said. "It's physically separated."
Sherstobitoff, however, said it can be done, though he's not sure that it has been.
"While it is not entirely impossible to extract information from a closed network that is disconnected from the Internet, it would require some extensive planning and understanding of the internal layout to stage such an exfiltration to the external world," he said.
Kwon Seok-chul, chief executive officer of Seoul-based cyber security firm Cuvepia Inc., said recent hacking incidents suggest that hackers may have enough skills to infiltrate into the internal servers of Korean and US military. Even if two networks are separated, he said, hackers will do anything to find some point where they converge.
"It takes time, but if you find the connection, you can still get into the internal server," Kwon said.
FBI Assistant Director Richard McFeely would not comment on McAfee's findings, but said in a written statement that "such reports often give the FBI a better understanding of the evolving cyber threat."
Neither the McAfee nor the IssueMakersLab reports suggest who is responsible for the cyberattacks, but many security experts believe North Korea is the likely culprit.
South Korean authorities have blamed the North for many cyberattacks on its government and military websites and have said they linked the March 20 attacks to at least six computers located in North Korea that were used to distribute malicious codes.
Several calling cards were left behind after the March attack, taunting victims. Two different and previously unknown groups separately took credit: The "Whois Hacking Team" posted pictures of skulls and a warning, while the "NewRomanic Cyber Army Team" said it had leaked private information from banks and media organizations.
"Hi, Dear Friends," began one such note. "We now have a great deal of personal information in our hands."
But McAfee says that claim, and others, including tweets and online rumors claiming credit for prior attacks, were meant to mislead the public and investigators, covering up the deeper spying program.
James Lewis, a senior fellow at the Center for Strategic and International Studies, said the attack is far more skillful and took place over a much longer period than was previously thought.
"I used to joke that it's hard for the North Koreans to have a cyber army because they don't have electricity, but it looks as if the regime has been investing heavily in this," said Lewis. "Clearly this was part of a larger effort to acquire strategic military information and to influence South Korean politics."
North Korean leader Kim Jong Un has made computer use and the importance of developing the IT sector hallmarks of his reign, devoting significant state resources toward science and technology. Though much of the country lacks steady electricity, a massive hydroelectric power station keeps the capital, and state computer centers, humming.
North Korean officials insist the emphasis on cyberwarfare is on protecting North Korea from cyberattacks, not waging them, but there is widespread suspicion that resources are also being poured into training scores of cyberwarriors as well.
Relatively few North Koreans are allowed to access the Internet, especially when compared to the South's hyper-wired society, but it too has seen its computer systems paralyzed by cyberattacks. Pyongyang blames the US and South Korea and has warned of "merciless retaliation."