Thursday, 22 August 2013

Ransomware and Android become tastiest targets for cyber crooks

Android logo
Ransomware and banking-focused mobile malware are cyber criminals' new must-have items, according to security provider McAfee.
McAfee reported seeing a marked spike in the number of ransomware and mobile banking attacks active in the wild in its Second Quarter Threat Report [PDF]. The McAfee report highlighted ransomware as the fastest-growing attack type, revealing that the number of computer-hijacking malware detected has more than doubled in the last four months.
"Ransomware has become an increasing problem during the last several quarters, and the situation continues to worsen. The number of new, unique samples this quarter is greater than 320,000, more than twice as many as last quarter. During the past two quarters we have catalogued more ransomware than in all previous periods combined," read the report.
McAfee said the growth is unsurprising as ransomware offers criminals a variety of powers and ways to make money.
"One reason for ransomware's growth is that it is a very efficient means for criminals to earn money because they use various anonymous payment services. This method of cash collection is superior to that used by fake AV products, for example, which must process credit card orders for the fake software," said the report.
"Another reason is that an underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. These advantages mean that the problem of ransomware will not disappear anytime soon."
McAfee also reported seeing a marked spike in active mobile malware, confirming it discovered 17,000 new variants during the period. "Halfway through 2013 we have already collected almost as many mobile malware samples as in all of 2012. Will the count double by the end of the year? That much and more, we expect. This quarter we added more than 17,000 Android samples to our database," read the report.
The company said the Android malware discovered are designed for a variety of purposes, including espionage and theft. McAfee listed a pair of sophisticated banking-focused attacks as being particularly problematic as they can bypass most banks' two-factor authentication defence measures.
"Attackers seeking to bypass two-factor authentication need to get that text message sent by the banks. Once the attacker has stolen a username and password from a victim's PC, the thief needs only to get the user to install SMS-forwarding malware. A pair of malware, Android/FakeBankDropper.A and Android/FakeBank.A, take the standard SMS forwarder malware a step further," read the report.
"Normally we advise users to employ only the official app provided by their banks for any online banking. Android/FakeBankDropper.A counters that defence by replacing the bank's official app with Android/FakeBank.A. While the victims think they have the original app installed, the attacker logs into the users' accounts to get the latest SMS from the bank."
Ransomware and mobile malware have been a growing problem for businesses, with security firms all reporting seeing an ever-increasing sea of new attacks using the tools. Most recently, Kaspersky researchers reported detecting 100,000 mobile malware variants during the second quarter of 2013, in the firm's latest IT Threat Evolution report.

Hackers hit Foxtons, stealing 10,000 customers' account details

Cyber criminals have compromised thousands of Foxtons estate agent customers' accounts, following a successful cyber attack on its networks.
The attackers infiltrated the company's networks and posted username and password details of a staggering 9,816 Foxtons customers online. It is currently unclear how the attackers got into Foxtons' networks to steal the information and at the time of publishing the estate agent had not responded to V3's request for comment on the attack.
However, a number of customers confirmed to V3 that they had received an email from Foxtons, telling them about the breach and to change their passwords, and verified that the information in the data dump was correct. Foxtons is one of many companies that have suffered breaches in recent months. Numerous big-name companies including Apple and Nasdaq have suffered similar attacks on their developer and community forums.
Director of cyber security at Thales UK, Ross Parsell, cited the attacks as proof that businesses need to rethink their cyber defence strategies. "The recent spate of high-profile data breaches, such as this alleged attack on Foxtons, are evidence that organisations are either not taking cyber security seriously or are bewildered by the problem. Regulation in this case is a necessity to alter corporate behaviour," he said.
"Once the full extent of the cyber threat is uncovered, greater collaboration on cyber issues should lead to an improvement in cyber awareness and cyber standards."
Increased collaboration between businesses has been a central part of the UK government's ongoing Cyber Security Strategy. Most recently the government officially launched two cyber incident response initiatives to help UK firms better respond to cyber attacks.

PRISM: NSA spying fallout sees Groklaw blog shut down and Guardian hard drives crushed

Hard drives with a pirate flag in the background
Another popular website has gone offline citing fears over lack of privacy, as the revelations surrounding the NSA's online surveillance tactics continue to have an effect on internet use. Further issues have also emerged for the Guardian, which was forced to destroy its UK-based hard drives containing evidence supplied by whistleblower Edward Snowden.
The latest website to go offline following the demise of secure email service Lavabit and Silent Circle's Silent Mail service is technology law news site Groklaw, which said it could no longer guarantee its sources' anonymity.
Groklaw founder Pamela Jones wrote: "The owner of Lavabit tells us that he's stopped using email and if we knew what he knew, we'd stop too. There is now no shield from forced exposure. You don't expect a stranger to read your private communications to a friend. And once you know they can, what is there to say? Constricted and distracted. That's it exactly. That's how I feel."
It has also emerged that UK cabinet secretary Sir Jeremy Heywood asked the Guardian to destroy or surrender files the paper obtained from Edward Snowden. The Guardian obliged, destroying the hard drives under the supervision of two security experts from GCHQ. The paper labelled the act as "largely symbolic" as both sides knew that copies of the information stored on the offending drives was available elsewhere.
This act followed the revelation that David Miranda - the partner of Guardian journalist Glenn Greenwald, who wrote a number of stories about PRISM – had been held for questioning at Heathrow airport for nine hours under terror laws. The legislation, which applies to people in UK ports and airport transit areas, means that the protection journalists would normally have in the rest of the country does not apply.
Further information about the NSA's US surveillance has been revealed today, with The Wall Street Journal citing sources saying the telecoms providers that co-operate with the programme handle up to 75 percent of US internet traffic.

Why Facebook's Zuckerberg is taking the right approach to connecting the next five billion

V3 reporter Alastair Stevenson photo
This week Mark Zuckerberg, aka captain Facebook, triumphantly launched a new initiative designed to get everyone in the world connected to the internet. This announcement was of course immediately met with a public outcry of negativity, with many quite justifiably pointing out that the Facebook owner has a lot to gain from the initiative.
After, all Facebook is a service powered by web users' personal data, using it to make money with initiatives such as targeted advertising. This of course is a sensitive point for many people, given that tech companies such as Google and Facebook reportedly have a role in the US National Security Agency's (NSA's) infamous PRISM operation, which saw the agency siphon vast amounts of web users' data from a multitude of tech companies.
Still, even with the obvious privacy and data collection issues and the fact more people on the internet means more money for Zuckerberg, I still think what he's doing is a good thing. The fact is Zuckerberg has, at least for now, done everything right and has been fully open about the fact he, like all businesses, will benefit from having more people online. As he said in his opening call to arms, having more people online is a good thing for everyone, from the person enjoying their new internet connection, to the carrier providing the connection, to the business touting its wares online to the newly connected audience.
This is because, as Zuckerberg pointed out, opening up the perks of the internet and its vast resources will help people in all areas of the world, making it so even the smallest of businesses in the remotest areas will be able to market and sell their services or products on a global scale.
For me the open approach of Zuckerberg addressing people's privacy concerns is a welcome breath of fresh air, being completely at odds with most other tech companies, like Google for example. Just this month Google has had two absolutely golden moments privacy-wise, first telling users of its Gmail service they really shouldn't expect privacy during a US court case proceedings, and then saying UK privacy laws don't apply to the search giant because it's American. Stellar PR work right there. Sure, Facebook will still take advantage of the new data, like all smart businesses will, but at least it's being transparent about the move.
Because of this I can't help but hope the initiative works and the world's economy does indeed get the adrenaline shot it needs. In fact, my only concern is whether Zuckerberg's three-pronged strategy to make internet access affordable by delivering data more efficiently, making apps use less data and partnering with businesses to develop a new, more cost-effective model to get people online will work. After all, these are pretty big goals that will require a lot of investment and Zuckerberg to get a host of other businesses on board – a feat not too dissimilar to herding cats.
Still with big names such as Samsung, Nokia, Qualcomm, Ericsson, MediaTek and Opera Software already signed up to help the company achieve its goals and roll out a host of affordable smart devices and network deals to the masses, Zuckerberg's chances are better than most. Let's just hope the new internet users don't end up using a privacy-killing Android smart device as their door into the worldwide web.

New Zealand’s version of the NSA laws pass by two votes

The controversial spy laws have been passed by Parliament by 61 votes to 59.
The laws were drafted in the wake of a succession of blunders by New Zealand's foreign intelligence agency, the Government Communications Security Bureau, which included illegally spying on German internet entrepreneur Kim Dotcom.
Earlier, Prime Minister John Key has acknowledged new surveillance laws have "alarmed" some people but blames the Government's opponents for stoking their fears.
Legislation giving the Government Communications Security Bureau (GCSB) the power to spy on New Zealanders was debated in Parliament today ahead of being passed into law.
Key launched the debate with a defence of the bill, denying that it would give the GCSB more sweeping powers.
"Misinformation and conspiracy theories" had confused people about what the legislation would do, he said.
"That has some citizens agitated and alarmed which I regret," Key told Parliament.
But his regret would be greater if the bill was not passed.
Labour leader David Shearer accused the Government of ramming the legislation through over the concerns of New Zealanders.
The law change was an opportunity lost to lead the world by conducting a wide-ranging inquiry into the activities of New Zealand's intelligence agencies, he said.
There had been a loss of confidence in the intelligence and security apparatus.
An inquiry would have been a good starting point for restoring people's confidence.
"Instead, this bill is about simply getting across the line, a quick remedy to a political hangover," Shearer said.
Labour would replace the legislation after a wide-ranging inquiry into the security agencies, he said.
"We will involve New Zealanders every step of the way and we will replace this law with a world-leading one that is based on the findings of that comprehensive inquiry.
"Because the only way we will ever win people's trust back that has been so sadly lost right across this country is to get an enduring solution that works in the best interests of this country."
But Key said the legislation was essential.
"Over the past four and a half years that I have been prime minister, I have been briefed by intelligence agencies on many issues, some that have deeply concerned.
"If I could disclose some of the risks and threats from which our security services protect us, I think it would cut dead some of the more fanciful claims that I've heard lately from those who oppose this bill."
He rejected claims that the bill allowed "wholesale spying on New Zealanders" and said it simply made clear what it may and may not do.
He listed the first of the changes as allowing the GCSB to protect government organisations and the private sector from cyber-attack.
"The bill requires GCSB to get a warrant from the independent Commissioner of Security Warrants, and me, before it can intercept a New Zealander's communications.
"That warrant must be issued for a particular function, in this case cyber security. The clear intention of that function is to protect, not to spy.
He said the bill also allowed for conditions to be put on warrants and he intended to do that.
"I will not allow cyber security warrants in the first instance to give GCSB access to the content of New Zealanders' communications.
"There will be times where a serious cyber intrusion is detected against a New Zealander and the GCSB will then need to look at content - that's why the law allows that. But that should be the end point, not the starting point."
The second function was the collection of foreign intelligence, which had always been the biggest portion of GCSB's work.
The third function allowed the GCSB to assist police, NZSIS and NZ Defence Force.
It had been doing this for more than a decade, but the law allowing it to do so had been "ambiguous", Key said.
But he rejected that by writing into law what the GCSB had already been doing meant an extension of its powers.
"Instead, we will make it clear GCSB can assist only those three agencies, and only when they are able to show they have the lawful authority to undertake the surveillance themselves."
The legislation also allowed for a review of the intelligence agencies in 2015 and every five to seven years after that.
The GCSB would also be required to disclose how many times it had assisted other agencies and how many warrants and authorisations it had been issued.
Today in Parliament, National MP Mark Mitchell described how a military "sat phone" was stolen by al Qaeda operatives from a dead driver during an attack in Iraq.
Mitchell, a former police officer, worked in security in Iraq before being elected to Parliament.
"Before the account was cancelled there were over 200 calls made. The calls were spread around countries like Saudi Arabia, Yemen, the UK, some European countries, the United States and 14 calls were made to New Zealand," Mitchell told Parliament.
"Why would terrorists attacking and killing our allies in Iraq making calls to New Zealand?
"That is why we have agencies like the SIS and the GCSB so they can find out who and why."
Labour MP Grant Robertson accused Key of dismissing the likes of the Law Society, the Privacy Commissioner, Sir Geoffrey Palmer and others who had objected to the law.
"All of them dismissed by an arrogant out of hand, out of touch prime minister," Robertson told Parliament.
But Attorney General Chris Finlayson said and the "high and mighty, like Dame Anne Salmond" were wrong in their opposition to the bill. He labelled statements likening the GCSB bill to Nazi Germany "disgraceful".
The Law Society had also been "disappointing".
He said the problem was not the current legislation, but Labour's 2003 legislation, which provided conflicting explanations of GCSB's powers.
"The 2003 legislation was should never have been passed in the form it was."
Green Party co-leader Russel Norman said as the moment of truth approached on the bill MPs would have to decide how they felt about freedom.
"Are they going to vote for freedom and liberty or are they going to vote against  it?"
Norman said the bill was a fundamental  constraint on freedom.
"It restricts our freedom of expression; it reduces our freedom to live free from state surveillance and in that respect is a bill that reduces the freedom of New Zealanders. It is the moment of truth."
Maori Party co-leader Te Ururoa Flavell said the bill was a "nightmare" and he opposed it.

Russia accuses Britain of human rights hypocrisy over Snowden-gate

Russia has accused Britain of failing to practice what it preaches on human rights after authorities in London forced the Guardian newspaper to destroy material given to it by US military whistle-blower Edward Snowden.
The Guardian has used the data obtained by Snowden to blow the lid on controversial and hitherto secret surveillance practices employed by the US and other Western governments, including the monitoring of personal telephone calls and internet communications. On Tuesday, the UK government ordered the Guardian to destroy the hard drives containing the documents Snowden took from the US’ National Security Agency (NSA).
Western governments including the UK have frequently criticised Russia’s record on human rights.
“The measures taken by the British authorities towards the Guardian newspaper are out of tune with the British side’s statements on commitments to universal standards of human rights,” Interfax news agency quoted Foreign Ministry spokesman Alexander Lukashevich as saying.
Russia has granted asylum to Snowden much to the anger of the United States, where the former spy agency contractor is wanted by authorities who accuse him of espionage.

Poison Ivy: Assessing Damage and Extracting Intelligence : FireEye Report

Today, our research team is publishing a report on the Poison Ivy family of remote access tools (RATs) along with a package of tools created to work as a balm of sorts — naturally, we’re calling the package “Calamine.”
In an era of sophisticated cyber attacks, you might wonder why we’re even bothering with this well-known, downright ancient pest. As we explain in the paper, dismissing Poison Ivy could be a costly mistake.
RATs may well be the hacker’s equivalent of training wheels, as they are often regarded in IT security circles. But despite their reputation as a software toy for novice “script kiddies,” RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors.
Requiring little technical savvy, RATs offer unfettered access to compromised machines. They are deceptively simple — attackers can point and click their way through the target’s network to steal data and intellectual property. But they are often delivered as a key component of coordinated attacks that use previously unknown (zero-day) software flaws and clever social engineering.
Even as security professionals shrug off the threat, the presence of a RAT may in itself indicate a targeted attack known as an advanced persistent threat (APT). Unlike malware focused on opportunistic cybercrime (typically conducted by botnets of compromised machines), RATs require a live person on the other side of the attack.
Poison Ivy has been used in several high-profile malware campaigns, most infamously, the 2011 compromise of RSA SecurID data. The same year, Poison Ivy powered a coordinated attack dubbed “Nitro” against chemical makers, government offices, defense firms, and human-rights groups.
We have discovered several nation-state threat actors actively using Poison Ivy, including the following:
  • admin@338 — Active since 2008, this actor mostly targets the financial services industry, though we have also seen activity in the telecom, government, and defense sectors.
  • th3bug — First detected in 2009, this actor targets a number of industries, primarily higher education and healthcare.
  • menuPass — Also first detected in 2009, this actor targets U.S. and overseas defense contractors.
Understanding why Poison Ivy remains one of the most widely used RATs is easy. Controlled through a familiar Windows interface, it offers a bevy of handy features: key logging, screen capture, video capturing, file transfers, password theft, system administration, traffic relaying, and more.
Here is how a typical Poison Ivy attack works:
  1. The attacker sets up a custom PIVY server, tailoring details such as how Poison Ivy will install itself on the target computer, what features are enabled, the encryption password, and so on.
  2. The attacker sends the PIVY server installation file to the targeted computer. Typically, the attacker takes advantage of a zero-day flaw. The target executes the file by opening an infected email attachment, for example, or visiting a compromised website.
  3. The server installation file begins executing on the target machine. To avoid detection by anti-virus software, it downloads additional code as needed through an encrypted communication channel.
  4. Once the PIVY server is up and running on the target machine, the attacker uses a Windows GUI client to control the target computer.
Poison Ivy is so widely used that security professionals have a harder time tracing attacks that use the RAT to any particular attacker.
We hope to eliminate some of that anonymity with the Calamine package. The package, which enables organizations to easily monitor Poison Ivy’s behavior and communications, includes these components:
ChopShop[1] is a new framework developed by the MITRE Corporation for network-based protocol decoders that enable security professionals to understand actual commands issued by human operators controlling endpoints. The FireEye PIVY module for ChopShop decrypts Poison Ivy network traffic.
PyCommands, meanwhile, are Python scripts that automate tasks for Immunity Debugger, a popular tool for reverse-engineering malware binaries.[2] The FireEye PyCommand script dumps configuration information from a running PIVY process on an infected endpoint, which can provide additional telemetry about the threat actor behind the attack.
FireEye is sharing the Calamine tools with the security community at large under the BSD 2-Clause license[3] for both commercial and non-commercial use worldwide.
By tracking the PIVY server activity, security professionals can find these telltale indicators:
  • The domains and IPs used for CnC
  • The attacker’s PIVY process mutex
  • The attacker’s PIVY password
  • The launcher code used in the malware droppers
  • A timeline of malware activity
The FireEye report explains how Calamine can connect these and other facets of the attack. This evidence is especially useful when it is correlated with multiple attacks that display the same identifying features. Combining these nitty-gritty details with big-picture intelligence can help profile threat attackers and enhance IT defenses.
Calamine may not stop determined APT actors from using Poison Ivy. But it can complicate their ability to hide behind this commodity RAT.
Full details are available, here:

[1] ChopShop is available for download at
[2] Immunity Debugger is available at
[3] For more information about the BSD 2-Clause License, see the Open Source Initiative’s template at
This entry was posted in Targeted AttackTechnicalThreat Intelligence by . Bookmark thepermalink.

Bradley Manning Sentenced by Military Judge to 35 Years in Prison

A military judge at Fort Meade in Maryland sentenced Pfc. Bradley Manning to 35 years in prison.
Guards quickly escorted Manning out of the courtroom as supporters in the gallery shouted, “We’ll keep fighting you, Bradley,” and also told him he was a hero.
Manning was convicted on July 30 of twenty offenses, including multiple violations of the Espionage Act and embezzlement of government property offenses. He was also convicted of “wrongfully and wantonly causing publication of intelligence belonging to the United States on the Internet knowing the intelligence” would be “accessible to the enemy to the prejudice of the good order and discipline in the armed forces or of a nature to bring discredit upon the armed forces.
“At the time of the charged offense,” Judge Army Col. Denise Lind found, “al Qaeda and al Qaeda in the Arabian Peninsula were enemies of the United States. Pfc. Manning knew that al Qaeda was an enemy of the United States.” His conduct was “of a heedless nature that made it actually and imminently dangerous to others.”
With regard to the Espionage Act offenses, she found, “The more than one classified memorandum produced by a United States government intelligence agency was closely held by the United States government. PFC. Manning had reason to believe the information could be used to the injury of the United States or to the advantage of any foreign nation.”
Manning has been in confinement for 1,294 days, including 112 days sentencing credit which he was granted when the judge found that he had been subjected to unlawful pretrial punishment during his nine months of confinement at the brig at Marine Corps Base Quantico. This will be time served credit and reduce his sentence to [#] years.
Manning is unlikely to serve his entire sentence in prison. He will immediately be able to petition for clemency from the court martial Convening Authority Major General Jeffrey Buchanan. A clemency and parole board in the Army can look at his case after a year. After that initial review, he can then ask the board to assess his sentence on a yearly basis for clemency purposes.
Manning has to serve a third of his sentence before he can be eligible for parole. Appeals application to the Army Criminal Court of Appeals will automatically be entered after the sentence is issued. If Manning or his lawyers do find issues to press, they can take the case to the Court of Appeals of the Armed Forces and then possibly the US Supreme Court.
There is “good behavior” credit, which can be as much as ten days for each month of his confinement.
The government in its sentencing closing argument on August 19 argued, “There is value in deterrence, Your Honor. This court must send a message to any soldier contemplating stealing classified information. National security crimes that undermine the entire system must be taken seriously. Punish Pfc. Manning’s actions, Your Honor.”
The judge was asked to sentence Manning to sixty years in prison. The government also requested he be forced to forfeit all pay allowances, pay the United States a fine of $100,000, be reduced to the rank of Private E1 and be dishonorably discharged.
“He’s been convicted of serious crimes,” military prosecutor, Cpt. Joe Morrow, declared. He “betrayed the United States and for that betrayal is deserves to spend the majority of his remaining life in confinement.”
The defense did not make an exact recommendation to the judge on how long they believed Manning should be sentenced but generally recommended the judge issue a sentence that would allow Manning to “have a life” after his time in military prison at Fort Leavenworth.
“This is a young man who is capable of being redeemed. We should not throw this man out for 60 years. We should not rob him of his youth,” Manning civilian defense attorney, David Coombs, declared.
Coombs also argued, “The appropriate sentence in this case would be a sentence that takes into account all facts and circumstances that you’re aware of, that it gives Pfc. Manning an opportunity to be restored to a productive place in society.”
An appropriate sentence would also give him “the opportunity, perhaps, to live the life he wants in the way that he would like, perhaps find love, maybe get married, maybe have children, to watch his children grow and perhaps have a relationship with his children’s children.”
The sentence is far greater punishment than individuals in the military, who actually committed war crimes by killing innocent civilians in Iraq or Afghanistan, have received. It is also, when considering proportionality, a level of punishment than what soldiers or officers involved in torture in the past decade have received.
Supporters of Bradley Manning, led by the Bradley Manning Support Network, will now officially begin the next chapter of their effort to free Bradley Manning. This includes pushing for a presidential pardon for Bradley Manning and a college trust fund that would allow Manning to go to college once he was released.


The nations' top intelligence official is declassifying three secret U.S. court opinions showing how the National Security Agency scooped up as many as 56,000 emails annually over three years and other communications by Americans with no connection to terrorism, how it revealed the error to the court and changed how it gathered Internet communications.
Director of National Intelligence James Clapper authorized the release Wednesday.
The opinions show that when the NSA reported to the court in 2011 that it was inadvertently collecting as many as 56,000 Internet communications by Americans with no collection to terrorism, the court ordered the NSA to find ways to limit what it collects and how long it keeps it.

League Of Legend Hacked,salted credit card numbers have been accessed

League of Legends in a announcement post that its server has been hacked.
The security of your information is critically important to us, so we’re really sorry to share that a portion of our North American account information was recently compromised.
What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.
Additionally, we are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed.
The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then.
We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players.
If you have any questions or concerns, please don’t hesitate to consult the player support knowledge base or reach out to player support directly.
As a measure to make your accounts safer, within the next 24 hours we’ll require players with accounts in North America to change their passwords to stronger ones that are much harder to guess. At such time, you’ll be automatically prompted to change your password when you attempt to log in to the game. If you’d prefer, please click here to change your password now.
Additionally, new security features that are currently in development include:
Email verification: all new registrations and account changes will need to be associated with a valid email address (we’ll also require all existing players to provide a valid email address).
Two-factor authentication: changes to account email or password will require verification via email or mobile SMS.
We’re sincerely sorry about this situation. We apologize for the inconvenience and will continue to focus on account security going forward.