Wednesday, 7 August 2013

My Back Pages* – Virus Bulletin papers and articles

By David Harley CITP FBCS CISSP ESET Senior Research Fellow
I recently completed my 14th Virus Bulletin conference paper, co-written with Intego’s Lysa Myers, on “Mac hacking: the way to better testing?” to be presented at the 23rd VB conference in October, in Berlin. The paper itself won’t be available until after the conference, but the abstract is on the Virus Bulletin conference page here. Completing it reminded me that it might be worth rationalizing all (OK, most of…) my conference papers and other publications.
While some may be of more historical interest than topical, most of them still have some validity. Of the 13 preceding papers, all those that were written since 2006, when I first started to work with ESET, are on the WeLiveSecurity conference papers page (by kind permission of VB). All the papers there (written by an impressive range of ESET’s researchers) are listed in more or less chronological order, not by author or by the conference for which they were submitted. However, all 13 papers can now be found on a page of their own on the Geek Peninsula blog site, ordered chronologically.
For good measure, all the Virus Bulletin articles I could lay hands on have a page of their own, too: however, some are just links to their page on the Virus Bulletin web site (which generally means I don’t have an approved and proofed PDF copy), and some are only readable if you download the whole of the issue that included them.  The latest, by the way, is an article that appeared in the May 2013 issue of Virus Bulletin. 
Articles published since 2006 or so are also available on Virus Bulletin’s own page in HTML format. The most recent articles are only available to subscribers or for individual purchase. Other articles are only available to registered users of the web site, but registration is free. While earlier articles aren’t available individually on the VB site, the whole issue for each of those months is available to registered users.
Some of the articles written since I started to work with ESET around 2006 are also available via the ESET Threat Center articles page (by permission of VB), but not on the WeLiveSecurity blog and papers resources page. Of course, there are many articles there written by other ESET researchers, too.
Some of the conference, workshop and expo presentations I’ve done on ESET’s behalf are available at the Threat Center page here along with presentations by other ESET researchers.
Of course, ESET researchers often write blogs and articles on ESET’s behalf for external sites and periodicals (and conferences) apart from Virus Bulletin, though VB has a special place in every AV researcher’s heart. Especially researchers as old as me… I can’t list everyone’s external articles here or on my own page, but an awful lot of mine (awful may be the operative word) are listed by site on Geek Peninsula. There’s even a not-quite-complete list of my (security) books. (The two shown here are the two that demanded the most of my time and energy…)
I can’t really imagine that anyone will want to look up everything I’ve ever written, but there are pointers to most of my security stuff on the Geek Peninsula site. If some future biographer or PhD student in information security thinks they might need more than that, let me know and I’ll be happy to put up a page for my scanned shopping lists, the notepad I keep by the phone, and my cheque stubs. (You think I’m joking? Jack Trevor Story claimed he never threw anything he’d written away, not even shopping lists.)

* Not that I’m about to make some drastic change in my own output like composing all future blogs on a Strat. (Yes, that’s a very old photograph, and I do own a Strat, but I don’t blog on it. Not on security blogs, anyway. )

Bulletproof Inbox: Tips for staying safe (and sane) on email

Many cybercrime stories still start exactly the same way – someone opens an email, clicks an attachment, and unwittingly pulls the trigger.
Many of us have grown wiser to email spam and scams, but cybercriminals are well placed to fine-tune their attacks: if one lure doesn’t work, they simply adapt it, improve it, and send it out again.
Spear-phishing attacks – cleverly targeted emails aimed to penetrate corporate networks – are also on the rise this year, according to the FBI. These use personal information to convince people they are legitimate – and are far slicker and more convincing than the poorly spelt spam emails comedians used to laugh about.
Today’s attacks could look like anything from a tax demand to a wedding invitation from a friend. Thankfully, obeying a few basic rules can help keep your inbox safe.
Worried you’re being phished? Look closely at the bait
Take a look at who the email is from. The sender address can be forged, but not every phisher bothers: a random or unrelated address often gives the game away. Check the link you’re supposed to click by hovering the mouse over it; the real destination appears in a tooltip or the status bar. Look closely. Does the address make sense? Is it misspelt, or does the domain differ from the one shown in the link text? If any alarm bells start to ring, don’t click.
Invoices, wedding invitations, tax returns – cybercriminals use them all
To a cybercriminal, nothing is sacred: wedding invitations, invoices and tax returns are all commonly used lures. Always think hard before opening ANY attachment, even one that seems to come from a friend. Is it plausible that this person is getting married, or that the IRS is suddenly demanding you refile your tax forms? If not, don’t click.
Be extra careful around shortened URLs
Services such as TinyURL are de rigueur on Twitter, but you should be cautious around them, especially in an email. If there is no cap on the number of characters, why has someone shortened the link? ESET Senior Research Fellow David Harley says, “You cannot take it for granted that URL shortening services like and TinyURL are redirecting you to trustworthy web sites. Indeed, spam tweets containing a short link to a spammy or unequivocally malicious site are all too common. LongURL [] lets you see the expanded version of a shortened URL before you go there. TinyURL will let you do this for tinyURLs.”
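A practitioner can do what an expansion service does locally: follow a short link one redirect at a time with HEAD requests, reading only the Location header and never fetching the final page. The following is an added example, not code from the article or from any shortener; the fetcher is injectable so the redirect-following logic can be exercised offline against a constructed chain (the `.example` hosts below are constructed, not real).

```python
"""Expand a shortened URL hop by hop without visiting the destination.

Added example. Each hop is a HEAD request with automatic redirect
following disabled, so only the Location header is read. The final page
is never fetched, and loops and over-long chains are reported instead of
followed.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so each hop can be inspected separately."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_live(url, timeout=10):
    """Real fetcher: one HEAD request, returning (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, a 3xx surfaces here; its Location is the next hop.
        return err.code, err.headers.get("Location")


def expand_short_url(url, fetch=head_live, max_hops=10):
    """Return (final_url, chain) where chain lists every URL visited in order.

    Raises ValueError on a redirect loop or when max_hops is exceeded.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain[-1], chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop: " + " -> ".join(chain + [nxt]))
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects: %s" % (max_hops, " -> ".join(chain)))


# Constructed redirect chain standing in for a shortener plus a tracking hop.
FAKE_CHAIN = {
    "http://short.example/abc": (301, "http://tracker.example/r?u=1"),
    "http://tracker.example/r?u=1": (302, "/landing"),
    "http://tracker.example/landing": (200, None),
}


def head_fake(url):
    """Offline fetcher that answers from FAKE_CHAIN."""
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    final, hops = expand_short_url("http://short.example/abc", fetch=head_fake)
    print(" -> ".join(hops))
```

Run against a live shortener by dropping the `fetch=` argument; each hop still only issues a HEAD, and the chain is printed so intermediate tracking redirects are visible before anything is opened in a browser.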
Telephone numbers aren’t a guarantee an email is real
A phone number in a professional-looking email is no guarantee that the email is genuine; it can be another cybercriminal trick. The number may well work, but you will be connected to a scammer instead of the company you’re hoping to speak to, and they will try to talk you into handing over further details.
Don’t publish your email address
Publishing your email address on the internet can be a bad idea, both for individuals and for companies. Earlier this year, electricity companies in the U.S. were targeted with a well-crafted spear-phishing attack that used information published on company websites. If there is any way to avoid publishing your email address, do so.
Don’t auto-load images
Leave your email settings so that images aren’t downloaded automatically; otherwise you could be sending a signal to spammers. Images in spam are often hosted on the spammer’s own server at a URL that is unique to your email address. Turning on pictures in such an email makes your computer fetch them from that server, which confirms that your address is live and that the message was read.
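Both of the checks above (does the link text match where the link really goes, and does the message carry a remote image that would phone home) can be automated over an HTML message body. The scanner below is an added example written for this article, not code from it; the sample message, the `.example` hosts and the `203.0.113.7` address are constructed, and the heuristics (hostname in link text differs from the href’s host; remote image with a query string or 1x1 dimensions) are assumptions chosen to illustrate the two tells, not a complete phishing filter.

```python
"""Triage an HTML email body for mismatched links and tracking images.

Added example. Standard library only: html.parser walks the message,
urllib.parse splits hosts out of link text and targets.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _EmailScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._href = None       # href of the <a> currently open, if any
        self._text = []         # visible text collected inside that <a>
        self.findings = []      # (kind, subject, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag == "img" and a.get("src"):
            self._check_image(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text).strip())
            self._href = None

    def _check_link(self, href, text):
        """Flag anchors whose visible text names a host other than the target's."""
        real_host = (urlparse(href).hostname or "").lower()
        shown = urlparse(text if "://" in text else "http://" + text)
        shown_host = (shown.hostname or "").lower()
        # Only treat the text as a URL/hostname if it looks like one.
        if "." in shown_host and " " not in text and shown_host != real_host:
            self.findings.append(("link-mismatch", text, href))

    def _check_image(self, a):
        """Flag remote images that look like open-tracking beacons."""
        src = a["src"]
        u = urlparse(src)
        if u.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded and do not phone home
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if u.query or tiny:
            self.findings.append(("beacon", src, "1x1 pixel" if tiny else "tokenised URL"))


def scan_email_html(html):
    """Return the list of findings for one HTML message body."""
    p = _EmailScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample message: a lure whose link text and target disagree,
# a benign link, a tracking pixel, and an embedded (non-remote) logo.
SAMPLE = """<html><body>
<p>Your account will be suspended. Log in at
<a href="http://203.0.113.7/secure/login">www.bank.example</a> to continue.</p>
<p>Questions? <a href="http://www.bank.example/help">Click here</a>.</p>
<img src="http://mail.tracker.example/open.gif?id=8f3a21c9" width="1" height="1">
<img src="cid:logo">
</body></html>"""

if __name__ == "__main__":
    for kind, subject, detail in scan_email_html(SAMPLE):
        print(kind, subject, detail)
```

On the sample this reports the login link (text says one host, href points at a bare IP) and the 1x1 tracking image, and says nothing about the “Click here” link or the embedded logo.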
Don’t spam yourself
Always be careful when filling out internet forms, especially around boxes saying, “I want to receive information.” Most reputable companies are safe, but customer lists can change hands, and your email address can end up being passed on. It’s also best to avoid receiving notifications from sites such as Twitter or Facebook: they clutter your inbox, and that “chaff” makes a forged notification from a scammer or spammer harder to spot.
Don’t store sensitive details in your “Sent” folder
For a cybercriminal, a personal email account is a treasure trove of information – much of which is useful for identity theft. Don’t leave information such as bank details, credit card numbers or passwords in your “Sent” folder – in fact, it’s safer never to send such details by email at all. Pick up a phone instead.
Don’t have an obvious recovery question
Questions such as your first school may be easy for a criminal to guess – especially if your social network profiles say where you’re from. Instead, make up your own question, and make it hard. That closes off a “back door” into your email account.
Changed job? Change your recovery email address
If the worst does happen, you need to be able to get back in – and if you no longer use your “recovery” email address, you may not be able to. Make sure yours is up to date.
Worried? Watch who’s logging in
Many email services have a function that lets you see where your account is being accessed from, which can alert you if someone else is using it, and lets you sign them out. On Gmail, for example, the “Details” link under “Last account activity” at the bottom right of the page lists the devices, apps and addresses that have accessed your account and when. If in doubt, sign out all other sessions and change your password.

Paranoid Android user? Maybe this “security pouch” will help

The “Off Pocket” security pouch shields a phone from radio contact, with high-level shielding that blocks GPS signals, Wi-Fi, Bluetooth and cellular networks. The aim of the pocket is to ensure that users cannot be tracked or contacted while the phone is not in use.
The $85 water-resistant metal-fabric pouch is rated at 100dB of shielding across commonly used frequencies between 800MHz and 2.4GHz. Its makers argue this is more reliable than simply switching a phone off, since some handsets may still communicate while “off” and others do not let users remove the battery. They are currently seeking funding via Kickstarter.
“Today millions of people are tracked through their mobile devices. It’s not just when you’re using your phone, it’s 24/7 everywhere you go,” the Off Pocket’s creators say via their Kickstarter page. “I began working on the Off Pocket in 2011 because I wanted more control over my privacy. Not just to protect my data, but also to unplug once in a while. I designed the first OFF Pocket as a permanent pocket for my pants.”
“The Off Pocket gives you the option to turn everything Off. The OFF Pocket has been tested on all major networks, including Verizon, AT&T, T-Mobile, and Sprint. It is compatible with mobile phone hardware including iPhones, Samsung, Motorola, Sony, BlackBerry, Nokia and all other modern phone hardware and operating systems.”
The device is the second-generation “Off Pocket” – the first sold out after a debut run in January, according to a report by TechCrunch. The current price per pocket is $85 or more – the entry-level $75 early pledges have all gone. The device will ship to backers in late September.
“The OFF Pocket’s New York-based creators say the pouch beats other shielding alternatives such as sticking your phone in the fridge — a la Edward Snowden — or repurposing a cocktail shaker,” TechCrunch says. “Its creators have since been spending their time making design improvements and doing additional field testing.”
Of course, as ESET security researcher Stephen Cobb points out, you do need to take your phone out of the pocket to use it. “And that’s why we offer the newly updated ESET Mobile Security,” said Cobb.

Stop using Windows, Tor Project advises users after malware outbreak

The Tor Project has advised users of its anonymity software to stop using Windows, in the wake of a malware attack that exploited a Firefox vulnerability in the Tor Browser Bundle.
It also warned users that it is “reasonable to conclude” that the unknown attacker has a list of vulnerable Tor users. The Tor Project issued the warning in a critical security announcement this week.
Tor said that the attack targeted Windows users specifically: the payload collects the hostname and MAC address of computers that visited various Tor “hidden services” and sends them to a remote web server.
“It’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services,” Tor said in its official post. “Consider switching to a “live system” approach like Tails.  Really, switching away from Windows is probably a good security move for many reasons.”
The Tor Project advised users to ensure they are running a recent version of the Tor Browser Bundle, and to consider disabling JavaScript.
“The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim’s computer.   We don’t currently believe that the attack modifies anything on the  victim computer,” Tor said.
Researchers and Tor users have suggested that the outbreak aims to expose the identities of Tor users, in particular visitors to child abuse sites.
The “smoking gun”, one researcher suggests, is that the malware, which infects users via the Firefox build distributed as part of the Tor Browser Bundle, does not install a “backdoor” on users’ PCs. Instead, it sends their hostname and MAC address (enough to identify a particular machine) to an address in America, over a direct connection that also reveals the user’s real IP address.
The outbreak coincided with the reported disappearance of several sites connected to Freedom Hosting, a hosting firm widely reported to have connections to child pornography, and the recent arrest of 28-year-old Eric Eoin Marques, described as “the largest facilitator of child porn on the planet”, according to the Irish Examiner. Tor users have suggested that the two events are linked.
“This is an annotation and very brief analysis of the payload used by the Tor Browser Bundle exploit,” said security researcher Vlad Tsyrklevich in a blog post. “Briefly, this payload connects to and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host. After that it cleans up the state and appears to deliberately crash. Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA [Law Enforcement Agency] and not by blackhats.”
“It just sends identifying information to some IP in Reston, Virginia,” Tsyrklevich said in a report in Wired’s Threat Level blog. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”
ESET Senior Research Fellow David Harley says that the outbreak raises questions over how companies should deal with such “policeware”.
“We have no absolute proof that it’s FBI code,” Harley says. “They didn’t ask the AV community not to detect it (they may have asked some of the big players, but no-one has admitted it – Please Police Me), and many companies would probably have declined anyway. No-one wants the FBI not to pursue child abusers: in fact, we’ve frequently cooperated with police forces on forensic issues that are probably related to ‘the Trojan defence’ (SODDImy and the Trojan Defence) – but if we come across something like this, we simply can’t assume it’s being used legitimately, even if it was known to be policeware in origin. The online threatscape is far too complex and dynamic for that. Robert Lipovsky and I also looked at this issue with reference to German policeware.”

Crytek is latest gaming company to face security breach

The German developer of the hit shoot ‘em up series Crysis has taken its websites offline after a security breach in which user login details “may have been compromised.”
Crytek warned affected users in an email, and users will be asked to change their passwords when they log in to Crytek’s sites again. The breach was first reported by Blues News, but Crytek later clarified the extent of the breach in a statement to Eurogamer.
“Our,, and sites were all subject to a security breach that may have resulted in some users’ login data being compromised,” Crytek said.
“Although it is uncertain whether the incident led to the copying and decryption of email addresses and passwords, it is possible that users with accounts at these websites have had personal data copied. On Friday afternoon we started to contact all affected users via email and informed them of the potential security breach.
“We would like to reiterate our suggestion to account holders that they change their password for other locations online if it is the same as their login data for the affected Crytek sites.”
It’s the latest in a series of breaches affecting games company websites – with both Ubisoft and Nintendo targeted this year.
Ubisoft’s Uplay service suffered a data breach in July, with the company warning users that personal data including email addresses, user names and encrypted passwords had been compromised. Uplay works across platforms such as PC, Xbox 360, iOS and Facebook. The Uplay system requires users to log in with an email address and password, and offers digital extras such as screensavers for PC games, but also works as a Digital Rights Management (DRM) system to prevent copying.
Earlier this summer, a sustained brute-force attack hit Nintendo’s Club Nintendo site in Japan and gave attackers access to private data such as names, addresses and phone numbers for up to 24,000 accounts. The attack ran from 9 June to 2 July this year and involved 15.5 million attempted logins, according to the Japan Times.
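A campaign of that shape (millions of attempts over weeks, with tens of thousands of successes) stands out in authentication logs long before it finishes if anyone is counting failures per source and per account over a sliding window. The detector below is an added example, not code from the article or from Nintendo; its log format, the RFC 5737 documentation addresses and the thresholds are constructed assumptions, and it illustrates the general approach rather than the specifics of that incident.

```python
"""Flag login brute-forcing in an authentication log.

Added example. Two patterns are counted over a sliding time window:
one source producing many failures (classic brute force, or password
spraying across many accounts) and one account failing from many sources
(a distributed attack on a single user). Log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(lines):
    """Yield (timestamp, src, user, result) for every well-formed line."""
    for ln in lines:
        m = LINE.match(ln.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_bruteforce(lines, window=timedelta(minutes=5), src_limit=20, user_limit=10):
    """Return alerts as (kind, key, failures_in_window, time_of_alert).

    Each (kind, key) pair is reported once, at the moment it crosses its limit.
    Lines are expected in time order, as they would arrive from a log stream.
    """
    alerts = []
    alerted = set()
    fails_by_src = defaultdict(deque)
    fails_by_user = defaultdict(deque)
    checks = (
        ("src-bruteforce", fails_by_src, src_limit),
        ("user-targeted", fails_by_user, user_limit),
    )
    for ts, src, user, result in parse(lines):
        if result != "FAIL":
            continue
        for (kind, store, limit), key in zip(checks, (src, user)):
            q = store[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= limit and (kind, key) not in alerted:
                alerted.add((kind, key))
                alerts.append((kind, key, len(q), ts))
    return alerts


def make_sample_log():
    """Constructed sample: one address sprays 30 accounts at one try per second,
    some ordinary traffic, then twelve addresses hit one account within a minute."""
    base = datetime(2013, 6, 9, 0, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=203.0.113.5 user=user{i:03d} result=FAIL")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} src=198.51.100.8 user=alice result=OK")
    lines.append(f"{(base + timedelta(seconds=41)).isoformat()} src=198.51.100.8 user=alice result=FAIL")
    for i in range(12):
        ts = (base + timedelta(minutes=10, seconds=i)).isoformat()
        lines.append(f"{ts} src=192.0.2.{i + 1} user=bob result=FAIL")
    return lines


if __name__ == "__main__":
    for kind, key, count, when in detect_bruteforce(make_sample_log()):
        print(f"{when.isoformat()} {kind} {key}: {count} failures in window")
```

The per-source counter catches spraying even though no single account sees more than one failure; the per-account counter catches the opposite case, where each source stays under the per-source limit. Tune the window and limits to the site’s real login failure rate before alerting on them.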

Google Chrome in privacy row over plain-text passwords

Google’s Chrome browser has been criticized over its password security, after a developer found that anyone logged into the same OS account (i.e. a colleague briefly sharing a PC, for instance) could easily see any saved website passwords in plain text.
Elliott Kember showed how passwords can easily be seen in plain text in the “passwords” tab within Chrome, simply by pressing a button saying “Show.”
Kember described Google’s password strategy as “insane”, saying, “Google isn’t clear about its password security. Users [...] don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, everyday users are saving their passwords in Chrome. This is not okay.”
Google’s security tech lead responded to the post, saying that the feature was a conscious decision, and that when users granted someone else access to an OS user account, “they can get at everything.”
ESET Senior Research Fellow David Harley said, “It’s a really bad idea to save passwords in Chrome on a machine that can be accessed without authentication (obviously a bad idea in itself), or where an account is shared (also not good practice – especially on business machines – but probably not uncommon on home machines). I’d suggest that it’s usually better to use some sort of password manager to store your passwords than a browser…”
Justin Schuh, security tech lead for Chrome, replied in detail to Kember’s post on Hacker News, saying, “The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we’ve found that boundaries within the OS user account just aren’t reliable, and are mostly just theater.”
“Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.”
Schuh added that a master password would merely give users a false sense of security.

“Worst of the worst” abuse images may be being used to spread Trojan, charity warns

Websites for businesses such as furniture stores have been hacked to host child pornography images – and the likely motivation is to spread malware, an internet charity has warned.
Folders containing hundreds of images have been uploaded to business websites, and are then displayed to users on other sites, usually adult sites, Britain’s Internet Watch Foundation has warned. The images are described as the “worst of the worst” of images on the internet.  The IWF has received 227 complaints about this sort of hack in the last six weeks.
“We speculate that the motivation behind the hacking is to distribute malware, specifically a Trojan,” Emma Lowther of the IWF said today. “The IWF specialises in removing online child sexual abuse images rather than tracking malware distributors. However, you can imagine that an internet user would be worried about taking their malware-infected computer to be fixed knowing it was a folder of child sexual abuse images which caused the problems. We know that those people whose computers have been infected were not looking for the criminal content though.”
The content is described as “among the worst” on the internet – and would be displayed without the administrators of adult sites being aware.
IWF Technical Researcher Sarah Smith said: “We hadn’t seen significant numbers of hacked websites for around two years, and then suddenly in June we started seeing this happening more and more. It shows how someone, not looking for child sexual abuse images, can stumble across it. The original adult content the internet user is viewing is far removed from anything related to young people or children.”
“We’ve received reports from people distressed about what they’ve seen. Our reporters have been extremely diligent in explaining exactly what happened, enabling our analysts to re-trace their steps and take action against the child sexual abuse images. Since identifying this trend we’ve been tracking it and feeding into police forces and our sister Hotlines abroad.”

How to Protect Your Website Passwords in Chrome

Protect Your Passwords
A blog post published yesterday by software developer Elliott Kember caused quite a stir. Titled "Chrome's insane password security strategy," the post points out that anybody with access to your Windows account can view all of your Chrome-saved passwords in plain text. That's a huge security risk, and Chrome is not the only browser affected. To see the extent of the problem, launch Chrome's Settings page and click the link at the bottom that says "Show advanced settings..." Scroll down to the section titled Passwords and forms, then click the link titled Manage saved passwords.
It doesn't look so bad at first—just a list of the sites for which you've let Chrome save passwords. However, when you click on any item in the list a button labeled Show appears next to the password. Yes, clicking the button displays the password in plain text. You can see it, and anybody else who gets access to your computer can see it.
Firefox, Too
Is Firefox your preferred browser? In that case, you've got a little more security available. Select Options from the Tools menu and click the Security tab. Note the checkbox titled "Use a master password." If you've checked this and defined a strong master password, your credentials are safe from casual snooping. If not, they're even more exposed than in Chrome.
To see why, click the Saved Passwords button. Initially it just displays the websites and corresponding usernames, but with the click of a button you can show all the passwords at once.
Internet Explorer's Better
A recent study by NSS Labs revealed that Internet Explorer's default settings protect your privacy better than Firefox, Safari, or Chrome. In fact, Chrome came in last for privacy protection.
IE also handles saved passwords better. The encrypted passwords reside in the Registry, and there's no mechanism to display them in IE. However, there are plenty of free third-party utilities that will dump this password cache and make all the passwords visible.
Google Responds
In a response to the original post, Chrome browser security tech lead Justin Schuh defended Chrome's password-handling behavior. Schuh contends that once a malefactor gets into your Windows user account, it's already Game Over, so adding a master password or otherwise protecting the saved passwords is pointless.
The comment thread is entertaining; it's a virtual fistfight right on the page. I have to agree with those who point out that a remote attacker compromising your account is just one possible scenario. Do you lock your user account when you briefly leave a roomful of friends? They could grab a password to prank you, or a jealous ex could do some real harm.
Twitter is abuzz with comment. One wag tweeted, "@justinschuh if you think that's a response then Chrome is in trouble. It's worse than Steve Jobs 'Don't hold it that way' response." On a more serious note, Tim Berners-Lee himself weighed in, saying, "How to get all you big sister's passwords and a disappointing reply from Chrome team."
Protect Your Passwords!
Whichever browser you use, this simple four-step plan will protect your passwords from snooping.
  • Install a password manager
  • Import passwords saved by your browser
  • Delete all browser-saved passwords
  • Turn off password-saving in the browser
The mere fact that third-party password managers can import passwords from your browser should be a red flag. If they can do it, a malicious application that got past your antivirus could do it too.
LastPass 2.0 (free) and Dashlane 2.0 (inexpensive) do a great job with browser-saved passwords. Not only can they import from Chrome, Firefox, and Internet Explorer, they'll also delete those passwords from the browser and turn off the password-saving feature. Not surprisingly, both are Editor's Choice products in this category. Note that LastPass extends this feature to Opera and Safari as well.
In Chrome, Firefox, and IE, manual deletion of saved passwords starts with pressing Shift+Ctrl+Del. The dialog that appears lets you delete a variety of browsing history components. Use it to specifically delete passwords. Firefox and Chrome ask what time period to clear. In Firefox, choose "Everything"; in Chrome, select "from the beginning of time."
That just leaves turning off the password-saving feature. In Chrome, launch Settings, click the link for advanced settings, and un-check "Offer to save passwords...". In Firefox, click the Security tab in the Options dialog and un-check the box "Remember passwords for sites." For IE, you have to dig a little deeper. In the Internet Options dialog, click the Content tab and then click the Settings button in the AutoComplete panel. Un-check the "User names and passwords..." box to turn off this feature.
Improve Your Passwords
Now that you've gotten your passwords out of insecure, browser-based storage, take a little time to upgrade them. Both LastPass and Dashlane will provide you with a security report listing the weakest passwords and also identifying those you've used on multiple websites (a security risk). Take a little time each day to replace the worst passwords with strong ones—since you've got a password manager you can have it generate crazy-strong passwords like 5GZk8cpC*XYs (freshly generated by LastPass).

Obama Task Force Revives SOPA Provision Outlawing Online Streaming

Sharing a song on YouTube could soon become a felony: the United States Department of Commerce is asking Congress to increase the penalties for streaming copyrighted work, reviving a provision from the failed Stop Online Piracy Act.
Opposition from the likes of Google, Wikipedia and the American Civil Liberties Union helped stop SOPA from passing in early 2012, but part of that bill could soon be back from the dead. According to a recent Commerce Department report, the office’s Internet Policy Task Force is asking Congress to reconsider a section of SOPA that could heavily penalize people for uploading select content to streaming services.
The task force’s latest report, Copyright Policy, Creativity and Innovation in the Digital Economy, pressures Congress to consider felony convictions for people caught streaming copyrighted songs, music and movies, and some say such legislation would outlaw the practice of uploading homemade cover tunes to the World Wide Web.
Under current law, streaming a copyrighted song or show is only a misdemeanor and not regularly enforced. Should the task force have its way, though, reproducing or distributing such material on streaming sites would open the possibility of felony charges.
In what the task force says would improve enforcement tools to combat online infringement, a green paper released last week “repeats the administration’s prior call for Congress to enact legislation adopting the same range of penalties for criminal streaming of copyrighted works to the public as now exists for criminal reproduction and distribution.”
That call, as noted in the Washington Post this week, was last seen as Section 201 of SOPA, a provision of the failed anti-piracy bill that was originally titled “Streaming of copyrighted works in violation of criminal law.” But while SOPA was shot down thanks to a massive campaign across all corners of the Web, Section 201 could soon resurface if the IPTF has its way.
“In recent years a number of licensed online video streaming services have launched, and many cable television providers offer extensive on-demand catalogs to their subscribers. Other services have launched without licenses, using technology developed to transmit individual streams from individually-made copies, rather than broadcasting to the public from a single source copy. These services, which rely on recent case law in the context of a cable operator with underlying content licenses, pose a challenge to the traditional dividing lines between public and private performance, and raise a host of questions,” the report reads. “If any consumer can stream the content she wants on-demand, is this act ‘public’ as defined by the Copyright Act if the technology is structured so that the stream comes from a copy made by a third party for each individual? Does it make a difference if the consumer already has legal access in another form to the content being streamed? Does it matter how the source copies are made, and by whom? Such interpretive tensions in the face of changing delivery models are the inevitable result of a system based on a bundle of specific rights, each drafted in the context of then-existing technologies.”
Allowing anyone to sign-on to a website and upload material to be streamed around the world makes sharing remixes and home recordings all too easy. The task force says streaming content has cost the United States economy billions of dollars in losses, though, and they’re once again attempting to find a way to ensure anything with a copyright stamp can’t be shared without suffering some serious repercussions.
“The lack of potential felony penalties for criminal acts of streaming disincentivizes prosecution and undermines deterrence. The administration and the Copyright Office have both called on Congress to amend the Copyright Act to ensure that illegal streaming to the public can be punished as a felony in the same manner as other types of criminal infringement. The Task Force now repeats that call,” the group writes.
“While the willfully infringing reproduction and distribution of copyrighted works can be punished as a felony, willful violations of the public performance right are punishable only as misdemeanors. This discrepancy is an increasingly significant impediment to the effective deterrence and criminal prosecution of unauthorized streaming. Since the most recent updates to the criminal copyright provisions, streaming (both audio and video) has become a significant if not dominant means for consumers to enjoy content online. The Administration and the Copyright Office have both called on Congress to amend the Copyright Act to ensure that illegal streaming to the public can be punished as a felony in the same manner as other types of criminal infringement,” the task force continues.
Following widespread condemnation in and outside of the US, Rep. Lamar Smith (R-Texas) pulled SOPA from Congress early last year before it could go before a vote.
“I have heard from the critics, and I take seriously their concerns regarding proposed legislation to address the problem of online piracy,” Smith said at the time. “It is clear that we need to revisit the approach on how best to address the problem of foreign thieves that steal and sell American inventions and products.”

Iran’s Covert Cyber War

Over the weekend, Hassan Rowhani, a former top nuclear negotiator, was officially sworn in as Iran’s new president. Unfortunately, there are no indications that he will curtail Iran’s nuclear or cyber activities.
While most are concerned with the military implications of Tehran’s expanding nuclear program, there is little focus on the covert cyber war already underway in the region. Iran has engaged in aggressive cyber behavior, at both the international and domestic levels, which the Obama Administration has failed to deter.
Even though Iran lacks the manpower and expertise of China and Russia, Tehran is credited with a massive cyber attack on Saudi Arabia’s ARAMCO computer system that knocked out over 30,000 computers and was the largest, most devastating attack on the business sector to date. More recently, Israel’s prime minister accused Iran of directing a relentless cyber campaign against Israeli infrastructure, government agencies, and other vital national systems.
Additionally, Tehran has used cyber attacks to retaliate against U.S. banks for economic sanctions. In September 2012, Bank of America, JP Morgan Chase, and Wells Fargo were among the major banks whose websites were targeted for massive “distributed denial of service” attacks.
According to security experts, Iran continues to expand its hacking operations with the goal of potentially launching a cyber attack on the U.S. power grid, water system, or other vital infrastructure.
The Iranian government also engages in the oppression of its own population through Internet and cyber controls. The Iranian cyber police censor the web, block certain websites, and monitor social media for dissident activity.
The regime also uses cyber attacks to target journalists. In order to increase the domestic costs associated with these activities, the U.S. should work to degrade Tehran’s command of its “Halal Internet,” which often blocks access to major websites such as Gmail and Skype.
The cyber attacks emanating from Iran and others have demonstrated that the U.S. government cannot unilaterally combat all cyber attacks and breaches. To promote better security, the U.S. should develop clear rules under which the private sector can defend its own cyber domains while coordinating with federal authorities. Such measures would allow the private sector to take an active role in preventing cyber attacks while staying within reasonable legal limits.
The attacks orchestrated by Iran represent a sustained effort to undermine and destroy vital infrastructure. The U.S. should respond by taking a leading international role and actively deter malicious cyber behavior by increasing the costs associated with such actions.
As the simmering nuclear conflict with Iran escalates, it is essential for the U.S. to be more cyber prepared at home and lead international efforts to counter the real threat of cyber attacks.

US Consortium Forming on Industrial Internet

As many as ten companies including AT&T, Cisco Systems, GE, IBM, and Intel are working with US government representatives to form a consortium to drive the so-called Industrial Internet. Their goal is to define an architectural framework for open industry standards that would serve a broad swath of market sectors from automotive and manufacturing to healthcare and the military.
If successful, the consortium hopes to be up and running with an initial draft of its framework and a test bed for it within a year. Such a document and capability could impact a wide variety of commercial products and programs in the emerging Internet of Things sector.
"The industrial and Internet revolutions are converging, and we believe the US could gain a competitive advantage with new products and services if we can exploit this convergence," said S. Shyam Sunder, a director of the National Institute of Standards and Technology (NIST), who is helping organize the consortium.
The companies approached the government with the idea for the consortium in December. Their request dovetailed with an emerging NIST program on cyber-physical systems that had been the subject of a series of high-level meetings NIST hosted with technical and business industry leaders last year.
NIST and the interested companies laid out five areas the consortium's framework could address in a meeting in March. They included defining an architecture for:
  • Co-engineering cyber and physical systems
  • Identifying cyber-security issues and solutions
  • Addressing concerns about interoperability
  • Identifying ways to maintain robust wireless connections
  • Setting standards for real-time data collection and analytics
"The trick is to look at all these issues holistically rather than domain by domain," said Sunder in an interview with EE Times. "This way, you wind up with common frameworks and don't have to re-learn lessons of other domains."
The resulting architecture aims to be modular with separate portions addressing network physical layers, sensing, control, analytics, modeling/optimization, and business requirements. Sunder uses self-driving cars as an example of Industrial Internet systems that will require open standards to interact safely with each other and traffic management systems.
Earlier this year, NIST hired two IoT experts who will be tasked to help define the new architecture. Their work is sponsored by the Presidential Innovation Fellows program under the White House Office of Science and Technology Policy.
The presidential fellows are Sokwoo Rhee, the founder of Millennial Networks, an early IoT startup spun out of MIT; and Geoff Mulligan, the head of the IPSO Alliance, a trade association promoting IP-based IoT products. They were chosen by NIST earlier this year from more than 300 candidates who applied for the positions.
GE is taking a lead in helping convene the new consortium. Last fall, it published a widely cited white paper describing the Industrial Internet.
The NIST effort comes on the heels of work the agency did to drive consensus around standards for the smart grid. Indeed, the NIST representative who initially drove the smart grid effort, George Arnold, was closely involved in the early phases of the new Industrial Internet consortium.
They "had tremendous success convening a large community," said Sunder. But the new group "is more private-sector driven -- that makes it stronger and more focused."

Twitter Accounts of Jordana Brewster, Zach Roerig and Pentagram Hacked

#Exclusive: Jordana Brewster, a Brazilian-American actress best known for her role in the Fast & Furious movies, admitted that her Twitter account was hijacked by cybercriminals.

According to reports from followers, the cybercriminals who hijacked the account posted a spam tweet from it. The incident was first reported by Eduard Kovacs at Softpedia.

"please ignore tweets ( except for this one) my account seems to have been hacked" a recent tweet from @JordanaBrewster reads. "all good now".
Jordana Brewster twitter account hacked

I found that she is not the only celebrity who fell victim to a Twitter account hijack this month.

Zach Roerig, an American actor best known for his role as Casey Hughes on As the World Turns, admitted that his Twitter account was hacked.
"Burn 2 + inches off your waist losing up to 20 lbs of body fat in 28 days with hxxx://tinyurl. com/klwcpwq" the spam tweet reads.

The recent tweet from @zach_roerig, "Once again being hacked sucks", apparently shows that this is not the first time his account has been hijacked by cybercriminals.

Zach Roerig twitter account hacked

The story does not end here: the official Twitter account of Pentagram, a design studio founded in 1972, was also hacked. The hackers posted the same spam tweet used in the Zach Roerig Twitter hack.

"Dear Twitter followers, if you receive a direct message from us, please don't click on the link. We caught something that's going around." the recent tweet from Pentagram reads.
Pentagram official twitter account hacked

I just found that the following Twitter accounts also fell victim to the spam attack: Hart Hanson (@HartHanson), @NewsBreaker, Jane Ellison MP (@janeellisonmp).

Update 2:
The Twitter account of Justin Bethel (@Jbet26), an American football cornerback for the Arizona Cardinals of the National Football League, was also hacked and is spreading spam tweets.

Update 3:
ESPN reporter Mike Massaro also admitted that his account was abused to spread spam:

The ESPN NFC East Twitter account (@espn_nfceast) is unavailable after hackers hijacked it.

Almost Half of Tor sites compromised by FBI [Exclusive details]

As many of you might know, the US has been pushing for the extradition of Eric Eoin Marques, whom an FBI agent has called "the largest facilitator of child porn on the planet."

But most of you might not know that he is also the owner of "Freedom Hosting", the largest hosting provider for .onion sites within the TOR network. This means that all the sites hosted by "Freedom Hosting" are in the hands of the FBI. As you can see from the above linked article, Freedom Hosting has been accused of hosting child pornography for a very long time.

I also have a fair idea of how the FBI did the "impossible": tracing a person who is using Tor. They might further have found details on all the people visiting sites hosted by Freedom Hosting. First, have a look at what a person posted on Pastebin on Aug 3rd; he says he found this code in the main page of "freedom host", and this further links to this exploit.


This is my analysis of the exploit (I have not looked into it deeply as I am busy with my exams):
1. It is a 0-day for the Firefox version that ships by default with the "TOR Browser Bundle".
2. The code "version >=17 && version <18" checks that the browser is the version the exploit works on.

It also has another check, which restricts the exploit to Windows builds (the function name below is added here for readability; the body is the quoted code):
    function isWindows() {
        // true only when the user-agent string identifies a Windows NT browser
        var i = navigator.userAgent.indexOf("Windows NT");
        if (i != -1)
            return true;
        return false;
    }

3. It also manages to gather the real IP of the user and possibly execute a malicious payload that might give the attacker full access to the system.
4. This exploit works because the TOR project had made JavaScript load by default in the built-in browser (this was not the case before, and people who had their NoScript plugin properly set to "disallow" are safe).
5. Please note that this is NOT a zero-day for the TOR network but rather an exploit for the Firefox version that most TOR users are running.
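As an added example (not code from the original post or from the exploit itself), the gating logic described in points 2 and 4 can be turned around for defence: scan a page's inline scripts for a Firefox version-window test combined with the "Windows NT" user-agent test, and check whether a given browser would have fallen inside that window. The sample pages and user-agent strings are constructed.

```javascript
// Added example: defender-side checks for the gating pattern described above.

// Pattern 1: a version window such as "version >=17 && version <18".
const VERSION_RANGE = /version\s*>=\s*(\d+)\s*&&\s*version\s*<\s*(\d+)/;
// Pattern 2: the navigator.userAgent.indexOf("Windows NT") test quoted above.
const UA_WINDOWS = /navigator\.userAgent\.indexOf\(\s*["']Windows NT["']\s*\)/;

// Pull the bodies of all inline <script> elements out of an HTML string.
function extractScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Return one finding per script that carries BOTH gating patterns; a single
// pattern on its own is ordinary feature detection and is not flagged.
function scanPage(html) {
  const findings = [];
  extractScripts(html).forEach((body, index) => {
    const range = VERSION_RANGE.exec(body);
    if (range && UA_WINDOWS.test(body)) {
      findings.push({ script: index, minVersion: Number(range[1]), maxVersion: Number(range[2]) });
    }
  });
  return findings;
}

// Would a browser with this user-agent string fall inside the gate the
// analysis describes (Firefox 17.x on Windows)? Answers "was I exposed?".
function affectedBrowser(userAgent) {
  const m = /Firefox\/(\d+)/.exec(userAgent);
  if (!m) return false;
  const major = Number(m[1]);
  return major >= 17 && major < 18 && userAgent.indexOf("Windows NT") !== -1;
}

// Constructed sample pages (not captured from Freedom Hosting).
const SAMPLE_CLEAN = "<html><script>var counter = 1;</script></html>";
const SAMPLE_SUSPICIOUS = [
  "<html><script>",
  "function isTarget(version) { return version >=17 && version <18; }",
  "function isWin() { var i = navigator.userAgent.indexOf(\"Windows NT\"); return i != -1; }",
  "</script></html>",
].join("\n");

console.log(scanPage(SAMPLE_SUSPICIOUS)); // one finding, window 17..18
```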

Tor's official reply:

Though the actions taken by the FBI to take down child pornography in the TOR network are appreciated by all of us, many of the legitimate sites hosted by Freedom Hosting are also down. They should make sure that what they do does not kill the freedom and anonymity that the TOR network stands for.

Edit 1: Here are a few other, deeper analyses I found --> ,

PS: If you have anything more that you would like to be added to this article or any corrections you can contact me on Twitter