Saturday, 24 August 2013

U.S. Energy Dept admits to second big data leak this year

Personal information for 14,000 U.S. Department of Energy employees has leaked in a data breach, according to the Wall Street Journal.
“The Department of Energy has confirmed a recent cyber incident that occurred at the end of July and resulted in the unauthorized disclosure of federal employee Personally Identifiable Information (PII). We believe about 14,000 past and current DOE employees’ PII may have been affected,” the letter states.
ESET security researcher Cameron Camp suggests that the attack may have been deliberate, saying that “effort was involved” and that “the DOE has to stay on its guard,” in a report by SC Magazine.
The Department of Energy admitted to a large-scale breach involving a leak of personally identifiable information in February this year, according to Computerworld. That breach also involved the compromise of 14 servers and 20 workstations.
A Congressional survey of electrical utilities earlier this year found that companies faced up to 10,000 attacks per month. Out of 53 companies surveyed, more than a dozen described attacks on their systems as “daily” or “constant”. One company complained of being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.”
Cybercriminals have targeted U.S. energy companies with attacks throughout the year, according to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). A series of brute-force attacks was directed against companies operating gas compressor stations in the U.S. in February and March this year.
“While none of the brute force attempts were successful, these incidents highlight the need for constant vigilance on the part of industry,” ICS-CERT said in its newsletter. “The ability to detect anomalous network activity and network intrusions early in an incident greatly increases the chance of a successful mitigation and resolution.”
The organization says it has responded to more than 100 incidents targeting the energy sector between October 2012 and May 2013.
A spear-phishing attack in April against an American electrical company was documented in the latest ICS-CERT Monitor report.
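A minimal version of the early detection ICS-CERT calls for, added here as an example that is not from ICS-CERT or the original article: it parses constructed sshd-style log lines (the host, addresses and user names are invented), counts failed logins per source address within a sliding window, and escalates when a source that has already been flagged goes on to authenticate successfully. The log format, threshold and window are assumptions, not anything the newsletter specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd/syslog-like format (not real incident data).
SAMPLE_LOG = """\
2013-02-22T08:00:01 vpn-gw sshd[411]: Failed password for operator from 203.0.113.7 port 50122
2013-02-22T08:00:03 vpn-gw sshd[412]: Failed password for operator from 203.0.113.7 port 50123
2013-02-22T08:00:04 vpn-gw sshd[413]: Failed password for admin from 203.0.113.7 port 50124
2013-02-22T08:00:06 vpn-gw sshd[414]: Failed password for root from 203.0.113.7 port 50125
2013-02-22T08:00:07 vpn-gw sshd[415]: Failed password for scada from 203.0.113.7 port 50126
2013-02-22T08:00:09 vpn-gw sshd[416]: Accepted password for scada from 203.0.113.7 port 50127
2013-02-22T08:15:00 vpn-gw sshd[500]: Failed password for jsmith from 198.51.100.9 port 40001
2013-02-22T08:20:00 vpn-gw sshd[501]: Accepted password for jsmith from 198.51.100.9 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)

def parse_line(line):
    """Return a dict for an auth event, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """One 'bruteforce' alert per source that reaches `threshold` failures inside
    `window`; any later successful login from a flagged source is escalated,
    because that is the moment a password-guessing run actually succeeded."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    usernames = defaultdict(set)    # src -> user names tried
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            q = failures[src]
            q.append(ev["ts"])
            usernames[src].add(ev["user"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "bruteforce", "src": src, "failures": len(q),
                               "users": sorted(usernames[src]), "at": ev["ts"]})
        elif src in flagged:
            alerts.append({"kind": "success_after_bruteforce", "src": src,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from 198.51.100.9 never reaches the threshold and produces nothing; the run from 203.0.113.7 is flagged at its fifth failure and the subsequent accepted login for "scada" is escalated, which is the event an incident responder wants paged on rather than the guessing itself.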

Twitter hacker claims “no account is safe” – but network says not to worry

A hacker has claimed to have access to “the entire database of users on Twitter”, warning that “no account is safe”. He has leaked 15,000 account details via a file-sharing service as “proof” of his claims – although experts are skeptical, and Twitter says no accounts are at risk.
The hacker, who styles himself the “Mauritania attacker”, claimed in an interview with an Indian security site, Techworm, that he had access to Twitter’s “entire database”.
The account details which he leaked on Zippyshare included OAuth tokens, rather than passwords, which suggested, according to GigaOm, that he had hacked a third-party app rather than Twitter itself.
“The details, which appear to be genuine, do not include passwords,” GigaOm’s David Meyer wrote. “They do include OAuth tokens, though, so Twitter users should probably revoke and re-establish access to connected third-party apps.” The tokens are used to connect Twitter accounts to third-party services without requiring passwords.
A Twitter spokesman, speaking to Mashable, said, “We have investigated the situation and can confirm that no Twitter accounts were compromised.” The spokesman said that the third-party app responsible had already been suspended.
GigaOm’s Meyer spoke to security expert Alan Woodward of the University of Surrey, who said that the tokens might allow attackers to Tweet under other people’s names. Under the OAuth 1.0a scheme Twitter’s API uses, such a token signs API requests only in combination with the issuing application’s consumer key and secret, which fits the conclusion that the third-party app rather than Twitter was compromised; revoking that app from the account’s settings invalidates the tokens it was issued, and suspending the app cuts off its API access entirely.
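To make the consequence of leaking OAuth tokens concrete, here is an added example (not code from Twitter, GigaOm or the original article) that implements OAuth 1.0a HMAC-SHA1 request signing as Twitter’s API used it at the time. All credential values and the status text are constructed; the endpoint URL is shown only for realism. What it demonstrates is that the HMAC key is built from the consumer secret and the token secret together, so a leaked user token produces a valid signature only for someone who also holds the application’s consumer secret.

```python
import base64
import hashlib
import hmac
import urllib.parse

def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are kept."""
    return urllib.parse.quote(str(value), safe="-._~")

def signature_base_string(method, base_url, params):
    """Build the OAuth 1.0a signature base string from every request parameter
    (query string, form body and the oauth_* values, excluding oauth_signature)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """The HMAC key is consumer secret AND token secret; neither alone reproduces it."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def sign_request(method, base_url, params, consumer_key, consumer_secret,
                 token, token_secret, timestamp, nonce):
    """Return oauth_signature for one request. Timestamp and nonce are passed in
    so the result is deterministic; a real client generates them per request."""
    oauth_params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp)),
        ("oauth_token", token),
        ("oauth_version", "1.0"),
    ]
    base = signature_base_string(method, base_url, list(params) + oauth_params)
    return hmac_sha1_signature(base, consumer_secret, token_secret)

# Constructed credentials (not real). The first two are what a leak file like the
# one described would expose; the consumer secret stays on the app's servers.
LEAKED_TOKEN = "1234567-abcdef"
LEAKED_TOKEN_SECRET = "user-token-secret"
APP_CONSUMER_KEY = "app-consumer-key"
APP_CONSUMER_SECRET = "app-consumer-secret"

def tweet_signature(consumer_secret):
    """Sign a status update with the leaked user credentials and a given consumer secret."""
    return sign_request("POST", "https://api.twitter.com/1.1/statuses/update.json",
                        [("status", "hello world")], APP_CONSUMER_KEY, consumer_secret,
                        LEAKED_TOKEN, LEAKED_TOKEN_SECRET, 1377300000, "deadbeef")

def attacker_needs_consumer_secret():
    """True when a guessed consumer secret yields a signature the API would reject,
    i.e. the leaked token alone does not let an attacker tweet as the user."""
    return tweet_signature(APP_CONSUMER_SECRET) != tweet_signature("wrong-guess")

if __name__ == "__main__":
    print("genuine:", tweet_signature(APP_CONSUMER_SECRET))
    print("forged: ", tweet_signature("wrong-guess"))
```

The flip side is the one GigaOm drew: if the third-party app itself was breached, its consumer secret may have leaked with the tokens, in which case every token it holds is usable until revoked, which is why revoking the app (or Twitter suspending it) is the fix rather than a password change.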

Avatar rootkit: the continuing saga

At the beginning of May, ESET’s researchers posted preliminary information about the Win32/Rootkit.Avatar rootkit (Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication). One major question that research left open was what payload and plugins Avatar installs on infected machines. The team continued tracking this malware family and in the middle of July detected a repacked Win32/Rootkit.Avatar with an active command and control (C&C) server. The post summarised here confirms that in-the-wild Avatar activity continues and discloses new information about its kernel-mode self-defense tricks.
Configuration information for the analysed samples has the same format as discussed in the previous analysis at the beginning of the summer. Decrypted, the configuration looks like this:
Avatar 1
However, the main command centre listed in the configuration was not working at the time of the analysis, so the researchers examined the backup control channel, which uses Yahoo Groups.
Win32/Rootkit.Avatar has an additional way of reaching its C&C if the other methods fail: the payload searches Yahoo Groups using special parameters, a technique described in the earlier Avatar post. The group search for this botnet looks like this URL: hxxp:// After issuing this search request the researchers found the following Yahoo Group with an encrypted description:
Avatar 2
The group description is encrypted with the RSA algorithm using a 1024-bit key taken from the bot configuration. After decryption the message looks like this:
Avatar 3
Since the main C&C from the configuration was inactive, the bot fell back to the second channel via Yahoo Groups. After successfully contacting this second C&C, the bot received the following command to download additional modules:
Avatar 4
These instructions download two additional modules to the infected machine. The previous Avatar post left open the question of the nature of the downloaded payload, because not all C&C functionality was active at the time of that analysis; this time the researchers identified a SOCKS5 proxy plugin and a payload carrying the Smoke bot (hashes for both are listed at the end of this post).

Avatar self-defense tricks

When infecting a system the malware modifies one of the legitimate drivers already installed and stores its modules and payload in hidden storage created at the end of the hard drive. To stay undetected it then protects the corresponding areas of the disk from being read or overwritten, which it does by hooking the storage miniport driver. The approach itself isn’t new; TDL3/TDL4, Olmasco and other complex threats have used it. Avatar’s implementation details, however, make it worth describing.
It camouflages the hooks so that they look like part of a legitimately loaded kernel-mode driver. Specifically, the malware duplicates the image of the loaded hard disk miniport driver elsewhere in kernel-mode address space and modifies the copy so that it can intercept disk read/write requests. The following image shows the modifications made to the system after infection with Avatar:
Avatar 5
In other words, the malware remaps the image of the original kernel-mode driver into kernel-mode address space and uses one of its sections to hold malicious code. Avatar looks for a section named ‘INIT’ whose characteristics include IMAGE_SCN_MEM_DISCARDABLE. That flag means the section’s contents are discarded from memory once the driver has been initialised, so the malware can reuse the freed space for its own code. Because that code then sits at addresses belonging to a legitimate image, it does not trigger alarms from security software. The malware renames the section ‘NONPAGED’, clears IMAGE_SCN_MEM_DISCARDABLE from its characteristics, and writes its code into it.
The fields of the DRIVER_OBJECT structure for the hard drive miniport driver are modified as well, so that they point at the copy:
• DriverInit – entry point of the driver image
• DriverStart – base address of the image when loaded
• MajorFunction – array of dispatch routines, one per IRP major function code, including IRP_MJ_INTERNAL_DEVICE_CONTROL
• DriverUnload – the routine executed upon unloading the driver
• DriverExtension->AddDevice – the routine PnP calls to add a device
After these modifications the malicious code written into the new section of the fake image intercepts read/write requests to the hard drive and can therefore protect the areas of the disk containing the rootkit’s components.
The malware then cleans up the traces of the original hard drive miniport driver left in the system, so as to conceal the addresses of the original I/O handlers’ entry points.
If one reads the driver’s image from disk in order to compare it with the instance loaded in kernel-mode address space (that is, the fake one), the malware intercepts the read and returns the unmodified driver, so the difference between the file and the in-memory image is unlikely to be noticed by a tool running on the infected system. The modified image’s digital signature, however, is no longer valid.
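One practical check that follows from the section-table changes described above, written for this page as an added example rather than code from ESET’s analysis: parse the section headers of the driver as it exists on disk and of the image as it is mapped in memory, and diff them. Because Avatar filters on-line reads of the driver file, the on-disk copy has to come from a trusted source (an offline mount of the volume, or the vendor’s original package) rather than from the running system, and the in-memory copy from a memory dump. The `build_pe()` helper and the two section tables it produces are constructed stand-ins for the real miniport driver; only the header fields `parse_sections()` reads are meaningful in them.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(image):
    """Return [(name, rva, virtual_size, characteristics)] from a PE section table.
    The same code works on the driver file and on a raw dump of the mapped image,
    because the section headers live in the header page in both cases."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    first = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(n_sections):
        # Name(8) VirtualSize(4) VirtualAddress(4) [20 bytes of file offsets/counts] Characteristics(4)
        name, vsize, rva, chars = struct.unpack_from("<8sII20xI", image, first + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, chars))
    return sections

def compare_section_tables(disk_image, memory_image):
    """Diff the on-disk section table against the in-memory one and return
    human-readable findings; an empty list means the tables agree."""
    disk, mem = parse_sections(disk_image), parse_sections(memory_image)
    findings = []
    if len(disk) != len(mem):
        findings.append(f"section count differs: disk {len(disk)}, memory {len(mem)}")
    for (dname, rva, _, dchars), (mname, _, _, mchars) in zip(disk, mem):
        if dname != mname:
            findings.append(f"section at RVA {rva:#x} renamed {dname!r} -> {mname!r}")
        cleared, added = dchars & ~mchars, mchars & ~dchars
        if cleared & IMAGE_SCN_MEM_DISCARDABLE:
            findings.append(f"IMAGE_SCN_MEM_DISCARDABLE cleared on {mname!r} at RVA {rva:#x}: "
                            "memory that should have been discarded after init is kept resident")
        if added & (IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append(f"{mname!r} at RVA {rva:#x} gained flags {added:#010x}")
    return findings

def build_pe(sections, opt_size=0xE0):
    """Assemble a minimal PE with the given [(name, characteristics)] section table.
    Constructed for this example; it is not a loadable driver."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(
        struct.pack("<8sII20xI", name.ljust(8, b"\0"), 0x800, 0x1000 * (i + 1), chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table

# Constructed stand-ins: the miniport driver as shipped, and the copy Avatar leaves
# in kernel memory with INIT renamed and its discardable flag cleared.
CLEAN_DRIVER = build_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b"INIT", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE),
])
AVATAR_IMAGE = build_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b"NONPAGED", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for finding in compare_section_tables(CLEAN_DRIVER, AVATAR_IMAGE):
        print(finding)
```

A section-table diff is cheap and catches exactly the two edits the analysis describes (the rename and the cleared discardable flag); it does not by itself locate the hooked DRIVER_OBJECT, and a clean-looking table says nothing if the "disk" copy was read through the infected system’s own I/O path.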

HiddenFsReader update

ESET’s forensic tool HiddenFsReader has been updated to work with the Avatar hidden file system. A dump of the hidden file system is shown here:
Avatar 6
HiddenFsReader only works correctly on a live Avatar infection, because decrypting the hidden file system requires extracting a ten-byte encryption key that is stored in the Avatar driver and generated randomly for each infection. After the machine has been disinfected it is no longer possible to recover files from the hidden partition, but the dump is still useful in a follow-up investigation because it reveals the names of the directories and files within the hidden partition. These names are also generated randomly for each infected machine.
Win32/Rootkit.Avatar is an interesting example of malware with multiple techniques for bypassing standard forensic approaches and making analysis of this malware family more difficult.

Anton Cherepanov, Malware Researcher
Eugene Rodionov, Malware Researcher
Aleksandr Matrosov, Security Intelligence Team Lead

SHA1 hashes for analyzed samples:
Dropper1 (tron botnet) – 4b8a61e4eb1e9bdd67d5e82a4c6c71ce842c9710
Dropper2 (tron botnet) – d68ffd63702e34dbade04e7775f36ac8474ae1e1
SOCKS5 plugin (cr.mod) – 1d617f2d2de961edafe45c38ab01cd34471d8a50
Smoke bot (loader29.mod) – f50cb2895cdd695f8d8fa297245876f52ea44d8f

Bitdefender Security Suite Earns Top Endurance Rating

Antivirus Testing
Based in Magdeburg, Germany, AV-Test is an innovative lab that puts security products through a variety of tests. Over the past six months they've had 45 computers running day and night, testing two dozen significant security suites under Windows XP, Windows 7, and Windows 8. Each product was challenged to protect against 400 brand-new zero-day threats and against a reference set containing about 60,000 known malware samples. The overall report also rates each product's usability and impact on system performance. All three Windows versions used for testing come with firewall and antivirus protection built in. Researchers also tested these combinations, using their results as a baseline.
Well-Known Winners
Of the 24 products tested under all three Windows versions, Bitdefender is a clear winner. It detected 100 percent of the real-world zero-day samples and 100 percent of the reference set. F-Secure and Kaspersky also achieved perfect scores in these tests. G Data and Symantec came very close, with 100 percent detection of the reference set and 99 percent of the zero-day samples.
In addition, Bitdefender earned the top score in the complete endurance test. A product can earn up to six points each for protection, performance, and usability, so the highest possible score is 18 points. Bitdefender scored an impressive 17.2, more than a full point ahead of the nearest competitor. Kaspersky earned 16.0 points; Symantec came in third with 15.5.
Avast!, F-Secure, and G Data shared fourth place, each with 15.2 points. That makes avast! the highest-scoring free solution. As for Windows's built-in protection, it scored 10.8 points, detected 97 percent of the reference set, and caught just 79 percent of the real-world samples.
Useful Conclusions
The full report, available on the AV-Test website, draws some interesting conclusions from this endurance test. The test shows very clearly that you get a lot more protection from a good (or even mediocre) third-party security solution than from what's built into Windows. The report concludes that "use of external security solutions can lead to a massive improvement when it comes to system protection."
On the flip side, you will probably pay a price in decreased system performance due to the resources consumed by your security product. The report notes that the average performance score for the top ten products overall was just 4.0 of 6.0 possible points. Bitdefender's score of 5.2 is impressive. Webroot managed 6.0 points for performance; lower scores in protection and usability dragged down its total.
As for free protection, avast! and AVG both made it into the top ten for overall endurance score, but they weren't at the top for protection. Even so, both managed 99 percent detection of the reference set. Avast detected 98 percent of the real-world samples; AVG caught 97 percent. Those are good scores, but the best products earned 100 percent in both tests.
Independent labs like AV-Test are immensely helpful both to consumers and to reviewers like myself. There's no way I could run tests on 45 computers day and night for six months straight! When you're looking to choose a new antivirus or security suite, you'll definitely want to see what the labs have to say.

Norton Mobile For Android Pwned By Fast Fingers

Norton Mobile
Many Android security apps allow you to remotely control your device in the event it's lost or stolen. A remote lock is a common feature, but on Symantec's Norton Mobile Security for Android, the lockscreen seems to do more harm than good.
The issue came to light when Computer Bild commissioned independent testing lab AV-Comparatives to investigate popular Android security apps. The researchers found that Norton Mobile could allow an attacker to bypass the lockscreen for a second. With some planning and fast fingers, researchers showed that they could uninstall Norton giving them unfettered access to the device.
It's a painstaking process, as you can see in the video. An attacker would have to tap the emergency call button, then the back button, and then quickly move to make an action on the homescreen before the lockscreen returned. As an attack it's very tedious, but it does work.

"Practically speaking, the likelihood of anyone exploiting it is extremely slim," Con Mallon, Symantec's Senior Director for Mobility, told SecurityWatch. "This is not a vulnerability that would be stumbled upon and exploited by your average cybercriminal just looking to make a quick profit. It requires several steps and critical timing to take advantage of the vulnerability."
And he's right; though this issue is dramatic, the worst vulnerabilities are those that can be used to attack a large number of victims simultaneously.
Norton is Not Alone
We've seen similar vulnerabilities in the past. Viber famously was used to bypass a device's lockscreen, letting an attacker take complete control of a phone. The company has since fixed the issue (and received an Editors' Choice award for their app).
The issue with Norton is described by Computer Bild as a "code error" but other Android security apps have issues with their remotely-triggered lockscreen. Some allow you to access the homescreen simply by tapping the home button—albeit briefly. Other apps will let you access the task manager, though I've never seen it used to actually shut down the security app itself.
The most common issue I've seen is that the lockscreen will allow you to access the notification tray. This is troubling, since a stranger could come along and see messages as they are delivered to your device. Worse yet, they could toggle wireless data, GPS, and airplane mode on and off, preventing you from sending commands to your device.
I have encountered several of these issues while testing Android security apps for PC Mag, but I have never managed to disable or uninstall a security app using these lockscreen foibles.
Keep Your Device Safe
SecurityWatch has confirmed with Symantec that a fix is in the works, and should be available as early as next week.
It's not clear from the article if the vulnerability works on phones that have a device-level screen lock set, like a passcode. Regardless, you should at least set a passcode for your device. This simple action can provide a critical line of defense for your Android. Hopefully Symantec will release their patch soon.

Can Your Antivirus Handle a Zero-Day Malware Attack?

Can Your Antivirus Handle Zero-Day Malware
Testing signature-based antivirus protection is a snap. You gather hundreds or thousands of known malware samples, run a scan, and note how many your antivirus product detected. However, for a brand-new, zero-day virus (or other type of malware) there's necessarily no signature available. Testing protection against zero-day threats is tough, but the researchers at AV-Comparatives have worked out a technique that satisfies them. Note, though, that not all antivirus vendors approve of this particular test; quite a few opted out of the latest edition, the results of which have just been released. By definition, it's not possible to run a test using actual zero-day samples. By the time the researchers could capture and validate a sample, the antivirus vendors would already be on the way to preparing a signature. AV-Comparatives simulates zero-day detection by "freezing" a product's signature database and then using only samples that first appeared after the big freeze.
Some products will detect new malware using heuristic techniques, identifying them by similarity to known malware or by other characteristics. The researchers launched each sample not caught by heuristics, noting whether the product's behavior-based detection or other real-time protection prevented infestation. Products earned full credit for blocking the malware all by itself and half-credit in situations where blocking required a correct decision by the user.
Very Good Detection
Based solely on their detection rates, 11 of the 16 tested products would have earned an ADVANCED+ rating, the top rating. Bitdefender topped this group, with 97 percent detection; Kaspersky and Emsisoft both managed 94 percent. Panda and Avast would have earned ADVANCED. Microsoft would also have gotten an ADVANCED rating, but AV-Comparatives uses it only as a baseline. At the bottom, AhnLab and Vipre would have passed with a STANDARD rating.
Pesky False Positives
Heuristic and behavior-based detection systems have to be very carefully tuned to avoid flagging valid programs as dangerous—that's what we call a false positive. Quite a few of the tested products lost points for too many false positives. Since the detection test was performed using signatures frozen last February, the researchers were able to re-use the false positive results from a test performed in March.
Six of the tested products lost one rating level due to too many false positives. For Emsisoft, eScan, and G Data, that meant dropping from ADVANCED+ to ADVANCED, while Panda dropped from ADVANCED to STANDARD. As for AhnLab and Vipre, they were both already at the lowest passing level, so their final rating became merely TESTED; they did not pass.
Cloud Controversy
Vendors who submit their products for testing by AV-Comparatives must agree to participate in all of the required tests. The signature-based file detection test is one of the required set; Symantec doesn't approve of that test, which is why you won't find results for Norton in AV-Comparatives reports.
The proactive test, on the other hand, is optional. According to the report, "AVG, McAfee, Qihoo, Sophos, and Trend Micro decided not to take part, as their products rely heavily on the cloud." The zero-day test necessarily excludes cloud-based detection, as there's no way to "freeze" the cloud. These vendors felt their products would score poorly without access to a cloud connection.
While AV-Comparatives did allow these vendors to bow out, the report scolds them just a bit. "Even several weeks later, a number of the malware samples used were still not detected by some cloud-dependent products, even when their cloud-based features were available," it states. "We consider it a marketing excuse if retrospective tests... are criticized for not being allowed to use cloud resources." The report concludes, "If a file is completely new/unknown, the cloud will usually not be able to determine if it is good or malicious."
If your antivirus earned a top rating in this test, that's a good sign that it will defend against brand-new zero-day threats. But since the test doesn't literally use real-world never-before-seen samples, a poor score (or no participation) doesn't necessarily prove it won't do the job. For a full understanding, you'll want to look at a wide variety of tests, and at PCMag's in-depth hands-on antivirus reviews.

Microsoft hits back at German security body over Windows 8 security claims

Microsoft has hit back at the German Federal Office for Information Security (BSI) over claims that its Windows 8 operating system is unfit for use in government and critical infrastructure.
In a statement sent to V3 a Microsoft spokesperson said the BSI's claims that companies deploying Windows 8 on machines with a Trusted Platform Module (TPM) chip could lose control of their systems are misguided.
"Windows has made a fundamental bet on trustworthy hardware and TPM 2.0 is a key component. Based in no small part on lessons learned in the TPM 1.2 timeframe, TPM 2.0 is designed to be on by default with no user interaction required. Since most users accept defaults, requiring the user to enable the TPM will lead to IT users being less secure by default and increase the risk that their privacy will be violated. We believe that government policies promoting this result are ill-advised," read the statement.
"It is also important to note that any user concerns about TPM 2.0 are addressable. The first concern, generally expressed as 'lack of user control,' is not correct as OEMs have the ability to turn off the TPM in x86 machines; thus, purchasers can purchase machines with TPMs disabled (of course, they will also be unable to utilize the security features enabled by the technology)."
Questions about Windows 8's security initially surfaced when reports broke suggesting that a leaked BSI document proved Microsoft had built a back door into the OS, letting it, or the NSA, hijack control of the machine from the end-user.
The reports led to wider concerns that Microsoft was helping the NSA, which ran the infamous PRISM campaign, siphon information from companies.
The spokesperson moved to quell these rumours, saying, "Since the adoption of the Trustworthy Computing Initiative over 10 years ago, Microsoft has focused relentlessly on the security and privacy of IT users. Indeed, we are committed to building products that are SD3 (Secure by Design, Secure by Default, and Secure in Deployment) and PD3 (Privacy by Design, Privacy by Default, and Privacy in Deployment). It is also important to remember that one cannot have privacy without good security."
The BSI reacted to the reports by releasing an official statement criticising the lack of user control in Windows 8. The Microsoft spokesperson attacked this supposition, arguing, "Windows has been designed so that users can clear/reset the TPM for ownership by another OS if they wish. Many TPM functions can also be used by multiple OSes (including Linux) concurrently."
Microsoft's rebuttal of the BSI's claims has been backed by members of the security community. F-Secure security researcher Sean Sullivan told V3 that the BSI has a chequered past regarding Microsoft and that the current accusations are unlikely to carry much weight.
At the time of publishing the BSI had not responded to V3's request for comment on Microsoft's rebuttal.

EU 24-hour breach disclosure laws to come into force

European commission
European Union regulations designed to force telecom operators and internet service providers (ISPs) to notify national authorities within 24 hours of detecting a data breach are set to take effect on 25 August, despite widespread criticism from numerous UK government bodies.
The laws mean that the companies will have to report any cyber incidents resulting in theft or unauthorised access to customer data to the relevant law enforcement agency within just one day.
ISPs and telecoms firms have already been subject to this law, but the 24-hour notification regime is new, as European Commission (EC) vice president Neelie Kroes looks to strengthen the data protection regime in Europe.
However, the wider reforms for data breach disclosure, which could place the same burdens ISPs and telecoms firms face on all industries, have been widely criticised by groups in both the private and public sector.
Experts from numerous security firms, including Trend Micro and F-Secure, have argued that while the rules are well intentioned there is no realistic way to police them fairly or safely.
They also warned that forcing companies to disclose attack data so quickly leaves businesses no time for adequate forensic work, so that to comply with the law they will have to take ill-conceived, knee-jerk actions in reaction to attacks, a practice that security firms such as Detica have warned against for some time.
The rules come amid fierce debate over the future of European data protection law. The legislation has attracted the ire of UK Justice Minister Lord McNally, who has criticised the European Commission's data protection draft, warning that the overarching legislation will cause untold damage to the British economy.
Lord McNally said that the unrealistic time frame of the proposal will force many smaller businesses to operate outside the law, risking potentially devastating fines.
The calls for change have met with some success, with recent reports suggesting that the European Parliament is deadlocked on whether to rethink the 24-hour disclosure time frame. The vote to decide whether the law should remain the same is scheduled to take place in October, with amended legislation hoped for before the European elections in May 2014.

German GCHQ says Microsoft Windows 8 unsafe for government use after NSA snooping claims

Windows 8.1 apps and services one vision plan
Germany's Federal Office for Information Security (BSI), described as the equivalent of the UK's GCHQ spy agency, has slammed Windows 8's security, following reports that the NSA placed a back door in it to spy on companies.
The claim stemmed from German paper Zeit, which reported receiving a leaked BSI document claiming that Microsoft built a back door into Windows 8 letting it, or the NSA, hijack control of the machine from the end-user. At the time of publishing the BSI had not responded to V3's request for comment on the report.
However, since then the BSI issued a statement claiming to have also discovered errors in Windows 8's coding. The errors reportedly mean that companies could lose control of their systems if they deploy Windows 8 on machines with a Trusted Platform Module (TPM) chip.
"From the perspective of the BSI, the use of Windows 8 in combination with a TPM 2.0 [chip] is accompanied by a loss of control over the operating system and the hardware used. This results in new risks for the user, especially for the federal government and critical infrastructure," read the statement as translated by Google.
The news is troubling, as the TPM is a specialised chip installed in many business PC systems. It is designed to perform hardware authentication and is able to store information like encryption keys, digital certificates and passwords.
The BSI said that errors could be exploited for sabotage. "In particular, on hardware operated with a TPM 2.0 and Windows 8, unintentional errors by the hardware or operating system manufacturer, or by the owner of the IT system, can produce error conditions that prevent further operation of the system," read the statement.
"In the event of an error this can go so far that both the operating system and the hardware in use are permanently withdrawn from use [...] In addition, the newly established mechanisms can also be used for sabotage by third parties. These risks need to be addressed."
At the time of publishing Microsoft had not responded to V3's request for comment on the BSI's research. If true the claims are troubling, as attacks on critical infrastructure industries are commonly listed as one of the biggest threats facing governments.
Earlier this year, in a speech at InfoSec London, Russian security expert Eugene Kaspersky warned that it is only a matter of time before terrorist groups start targeting critical infrastructure industries with advanced malware.

Xerox issues security patch to fix faulty scanners

Xerox WorkCentre 7530
Print giant Xerox has started releasing patches for its machines to fix a fault that meant its scanners would sometimes reproduce incorrect numbers on documents.
The issue was uncovered by security researcher David Kriesel earlier this month. He showed that the pattern-matching stage of the scanners' image compression, which stores one bitmap for a group of characters it judges similar enough and reuses it for each of them, could substitute one digit for another, so the stored scan no longer matched the page that was scanned; no optical character recognition is involved.
Xerox has now released a patch to address this issue, with Rick Dastin, president of the Office and Solutions Business Group at Xerox, writing in a blog post that teams at the company had been working “around the clock” to issue the fixes.
“We are releasing the first wave of software patches to address the scanning error identified in some of our multifunction printers (MFPs),” he wrote.
“We have confirmed that errors can occur under a set of limited conditions when scanning 'stress documents' to PDF – which can include very small font sizes, stray pixels and be difficult to read. Given this finding, however uncommon, we have developed this patch, which eliminates that possibility.”
To access the downloads, Xerox has made a website where the patches are listed with the details for different machines, with a second set of affected products due to receive their patches on 26 August.
“You can download and install the patch immediately or co-ordinate with your local service or support representative. We have conducted extensive testing both in our labs and in the field to assure a quality result and an easy installation,” wrote Dastin.
The researcher who uncovered the issue, Kriesel, said in a blog post that he had already looked at the patches and verified that Xerox fixed the issue, revealing he had been involved in a call with Xerox to provide a solution for the issue.
“The patch completely eliminates pattern matching in all compression modes. This is more or less what I suggested within and after my first conference call with Rick Dastin and Francis Tse,” he said.
“In my opinion, this is the right thing to do with respect to the legal value of scanned documents. Of course, slightly greater files are produced, but even with low resolution and the strongest compression ('normal') no numbers should be mangled any more.”
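To show how a pattern-matching compressor can rewrite a number with no OCR involved, here is an added example (a toy, not Xerox’s JBIG2 implementation or anything from Kriesel’s report): glyphs are 5x7 bitmaps, the encoder keeps a symbol dictionary and reuses an existing symbol whenever the new glyph differs from it in at most `max_mismatch` pixels, and the decoder rebuilds the page from those references. The font, the 6/8 pair and the threshold are constructed; with a non-zero tolerance the digits 6 and 8, which differ in only three pixels of this font, collapse into one symbol, while a tolerance of zero, which is what "eliminates pattern matching" amounts to, makes the page round-trip at the cost of a larger dictionary.

```python
# Constructed 5x7 glyphs; '6' and '8' deliberately differ in only three pixels.
FONT = {
    "6": ["01110", "10000", "10000", "11110", "10001", "10001", "01110"],
    "8": ["01110", "10001", "10001", "01110", "10001", "10001", "01110"],
    "1": ["00100", "01100", "00100", "00100", "00100", "00100", "01110"],
}

def hamming(a, b):
    """Number of pixels that differ between two equally sized bitmaps."""
    return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))

def encode(text, max_mismatch):
    """Simplified symbol coding in the spirit of JBIG2's pattern matching: each glyph
    is either replaced by a reference to the closest dictionary symbol within
    `max_mismatch` differing pixels (lossy substitution) or stored as a new symbol.
    Returns (dictionary, references)."""
    dictionary, refs = [], []
    for ch in text:
        bitmap = FONT[ch]
        best = None
        for idx, sym in enumerate(dictionary):
            d = hamming(bitmap, sym)
            if d <= max_mismatch and (best is None or d < best[1]):
                best = (idx, d)
        if best is None:
            dictionary.append(bitmap)
            refs.append(len(dictionary) - 1)
        else:
            refs.append(best[0])
    return dictionary, refs

def decode(dictionary, refs):
    """Reconstruct the page as a list of bitmaps from the symbol references."""
    return [dictionary[i] for i in refs]

def recognize(bitmaps):
    """Read the decoded bitmaps back as text by exact lookup in FONT ('?' if unknown)."""
    inverse = {tuple(bm): ch for ch, bm in FONT.items()}
    return "".join(inverse.get(tuple(bm), "?") for bm in bitmaps)

def scan_roundtrip(text, max_mismatch):
    """Compress and decompress `text`; return (text as read back, dictionary size)."""
    dictionary, refs = encode(text, max_mismatch)
    return recognize(decode(dictionary, refs)), len(dictionary)

if __name__ == "__main__":
    print(scan_roundtrip("6886", 3))   # lossy: digits merged
    print(scan_roundtrip("6886", 0))   # exact matching only: faithful
```

The trade-off Kriesel describes is visible in the second return value: exact matching keeps every distinct glyph in the dictionary, so the file grows, but the numbers on the page survive.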

Britain operates secret monitoring station in Middle East: report

Britain runs a secret monitoring station in the Middle East to intercept large numbers of telephone calls, emails and internet traffic that it shares with intelligence agencies in the United States, the Independent newspaper reported on Friday.
The station is part of a 1 billion pound ($1.56 billion) global eavesdropping project run by Britain to intercept digital communications, the newspaper said, citing leaked documents from former U.S. National Security Agency contractor Edward Snowden.
Snowden's leaks have sparked a global surveillance scandal that has pitted U.S. President Barack Obama against the Kremlin and prompted British Prime Minister David Cameron's advisers to demand the return of secrets from the Guardian newspaper.
The London-based Independent, which did not say how it got access to the information from the Snowden documents, said the British had tapped into the underwater fiber-optic cables which pass through the Middle East.
Data gleaned from the monitoring station, whose exact location the Independent said it would not reveal, is then passed onto Britain's eavesdropping agency (GCHQ) in Cheltenham, England, and shared with the U.S. National Security Agency.
Western intelligence agencies rushed to improve their monitoring of Middle East traffic after the attacks on the United States on September 11, 2001.
Britain's monitoring station in the Middle East was set up under former Foreign Secretary David Miliband, who served in that post between 2007 and 2010, the Independent said.
Britain's foreign ministry declined comment. A spokesman for GCHQ could not be reached for immediate comment on the report.
Snowden's leaks have embarrassed both Britain and the United States by laying bare the extent of their surveillance programs. London and Washington say their spies operate within the law and that the leaks have damaged national security.
British police said on Thursday that documents seized from the partner of a Guardian journalist who has led coverage of Snowden's leaks were "highly sensitive", and could put lives at risk if they fell into the wrong hands.
Counter-terrorism detectives said they had begun a criminal investigation after looking at material taken from David Miranda, partner of American journalist Glenn Greenwald, during his nine-hour detention at Heathrow Airport on Sunday.
Miranda, a Brazilian citizen who had been ferrying documents between Greenwald and a Berlin-based journalist contact of Snowden's, was held at Heathrow under anti-terrorism powers, before being released without charge minus his laptop, phone, a computer hard drive and memory sticks. He has since left Britain for Brazil.

Poland takes over Domain Silver, Inc .pl domains to fight botnets

CertPolska published an updated, detailed technical report with new statistics drawn from 20 different botnets sinkholed by its servers.
All of them used domains registered through Domain Silver, Inc. These are not all of the botnets that used Domain Silver as the registrar, but only the ones that had been sinkholed as of 23 July 2013. The botnet malware included ZeuS ICE IX, Citadel, Andromeda/Gamarue and Dorkbot/NgrBot. Among them is also the Citadel plitfi botnet, which has since been taken down.
Highlights from the gathered data are:
  • 101 831 unique IP addresses connected to our sinkhole on one day.
  • Connections were made from 191 different countries, however most of the connections were made from Europe.
  • Some botnets used geographical profiling in order to capture victims in specific countries.
Full text of the UPDATED report can be found here or under the “Reports” tab.

Windows 8 PCs vulnerable to cyber threats: German BSI Agency

A German government technology agency has warned that new security technology in computers running Microsoft's Windows 8 operating system may actually make PCs more vulnerable to cyber threats, including sabotage.
Germany's Federal Office for Information Security, or BSI, said in a statement posted on its website on Wednesday that federal government agencies and critical infrastructure operators should pay particular attention to the risk.
The warning comes after weeks of public indignation in Germany over leaks related to U.S. surveillance programs. The spying scandal has become a headache for Chancellor Angela Merkel ahead of a September 22 election.
The problem, according to the BSI, is with the use of a computer chip known as the Trusted Platform Module, or TPM 2.0, which is built into Windows 8 computers. TPM 2.0 is designed to better protect PCs by interacting with a variety of security applications.
But the BSI, which provides advice on technology and security to the government as well as the public, said the joint implementation of Windows 8 and TPM 2.0 chips could lead to "a loss of control" over both the operating system and hardware, without specifying exactly how that could occur.
"As a result, new risks occur for users, especially for federal and critical infrastructure," it said.
The statement concluded: "The new mechanisms in use can also be used for sabotage by third parties. These risks need to be addressed."
Microsoft declined comment on the BSI statement.
The company provided Reuters with a statement saying that PC makers have the option to turn off TPM technology, so that customers can buy PCs with it disabled.
TPM was developed by the Trusted Computing Group, a non-profit organization backed by technology firms including IBM (IBM.N), Intel (INTC.O), Hewlett-Packard (HPQ.N) and Microsoft.
The BSI said it was working with the Trusted Computing Group and operating systems producers to find a solution.
A spokeswoman for that group declined to comment on the specific claims raised by the BSI. She said the group has provided PC makers and users with plenty of advice on best security practices to avoid any threats that they may face.

Kaspersky – Unvalidated redirection flaw exploitable to serve malware

The Cyber Security Analyst Consultant at Q-CERT, Ebrahim Hegazy, has found an “Unvalidated Redirection Vulnerability” in the website of the giant security solutions vendor “Kaspersky”.

Ebrahim Hegazy (@Zigoo0) has found an “Unvalidated Redirection Vulnerability” in the website of the giant security solutions vendor “Kaspersky”.
Ebrahim Hegazy is the Cyber Security Analyst Consultant at Q-CERT who found a SQL injection in the “Avira” website last month; this time he found an Unvalidated Redirection Vulnerability that could be exploited for various purposes, such as:
  • Cloned websites (Phishing pages)
  • It could also be used by Black Hats for Malware spreading
What is very striking in this specific case is that the link usable for the attacks originates from a security firm like Kaspersky, with serious consequences.
Would you trust a link from your security vendor? Absolutely Yes!
But imagine your security vendor is asking you to download a malware!
To explain how dangerous the situation is when your security vendor is vulnerable, Ebrahim Hegazy sent me a video explaining the malware-spreading scenario, simulating a black hat exploiting the Unvalidated Redirection Vulnerability on the Kaspersky website to serve malware.
Unvalidated redirection on Kaspersky
“Since I’m working on Cyber security analysis, I’ve seen many methods of black-hats to spread links, maybe this link is for Exploit kits, Java Applet, flash exploits, or maybe a direct link to their EXE file. Let’s take an example on the Facebook spreading techniques of the attackers, you may notice that “Mediafire” website was used lately in wide Malware spreading attack on, which caused a wide infection, as the infected user will start to send links from to his friends and since “Mediafire” is a trusted website/source for users so they simply click it and download the file!
But what if the links are coming from a very well known Security solutions vendor such as Kaspersky? For sure people will trust the links. So, through “Unvalidated Redirection Vulnerability” in Kaspersky, attackers will be able to spread a link coming from but when the user clicks on that link, he will get redirected to the attacker’s website which would download malware onto their machines or even download a “Rogue Antivirus” to steal financial information such as credit card information!” explained Ebrahim Hegazy.
After the researcher reported the vulnerability to the Kaspersky team, it took about two months to fix it, which is a long time considering that if a hacker had found this flaw before Hegazy, he could have spread links using
The consequences of leaving such a vulnerability unfixed are critical:
  • Wide infection – since the redirection is coming from a trusted source especially if the attacker registered a domain name similar to
  • Very bad reputation for Kaspersky company.
  • Your most trusted resource “Your Antivirus” will be your worst enemy! Would you trust anything else!
And many other consequences.
The vulnerability was reported to Kaspersky web-team and is now fixed.
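As an added illustration (not Kaspersky's code, nor anything from Hegazy's report), the unvalidated redirect pattern described above is shown beside an allowlist-validated version that also handles the common bypass tricks; the vendor hostnames and sample `?next=` values are constructed placeholders.

```python
"""
Open redirect: the unvalidated handler beside an allowlist-validated one.
Added illustration for the Kaspersky story; the hostnames below are
constructed placeholders, not Kaspersky's real domains or code.
"""
from urllib.parse import urljoin, urlparse

# Constructed allowlist of hosts a redirect is permitted to land on.
ALLOWED_HOSTS = {"www.example-vendor.com", "support.example-vendor.com"}
HOME = "https://www.example-vendor.com/"


def unvalidated_redirect(next_url: str) -> str:
    """The vulnerable pattern: whatever arrives in ?next= becomes the Location header."""
    return next_url


def validated_redirect(next_url: str, base: str = HOME,
                       allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return next_url only if it resolves to an allowed host, else fall back to base.

    Covers the usual bypasses: scheme-relative //host, backslashes that browsers
    treat as slashes, non-http schemes, userinfo (trusted@evil) and look-alike
    domains that merely begin with the trusted name.
    """
    if not next_url:
        return base
    # Browsers normalise backslashes to slashes, so do the same before parsing.
    candidate = next_url.replace("\\", "/")
    # Whitespace and control characters are never legitimate in a redirect target.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return base
    # Relative paths resolve against our own origin; absolute URLs pass through unchanged.
    resolved = urljoin(base, candidate)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):
        return base                      # javascript:, data:, ...
    if parsed.username is not None or parsed.password is not None:
        return base                      # https://www.example-vendor.com@evil.example/
    host = (parsed.hostname or "").lower()
    if host not in allowed_hosts:
        return base                      # exact match only: no prefix or suffix look-alikes
    return resolved


if __name__ == "__main__":
    # Constructed sample of ?next= values as a scanner or a phishing link might submit them.
    samples = [
        "/downloads/update.exe",
        "https://support.example-vendor.com/kb/123",
        "//evil.example/malware.exe",
        "/\\evil.example/",
        "https://www.example-vendor.com.evil.example/",
        "https://www.example-vendor.com@evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:50} unvalidated -> {unvalidated_redirect(s)!r}")
        print(f"{'':50} validated   -> {validated_redirect(s)!r}")
```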
Pierluigi Paganini
(Security Affairs – Poison Ivy, cybercrime, cyberespionage)
The post Kaspersky – Unvalidated redirection flaw exploitable to serve malware appeared first on Security Affairs.

Hacking Consumer Devices

Last weekend, a Texas couple apparently discovered that the electronic baby monitor in their children's bedroom had been hacked. According to a local TV station, the couple said they heard an unfamiliar voice coming from the room, went to investigate and found that someone had taken control of the camera monitor remotely and was shouting profanity-laden abuse. The child's father unplugged the monitor.
What does this mean for the rest of us? How secure are consumer electronic systems, now that they're all attached to the Internet?
The answer is not very, and it's been this bad for many years. Security vulnerabilities have been found in all types of webcams, cameras of all sorts, implanted medical devices, cars, and even smart toilets -- not to mention yachts, ATM machines, industrial control systems and military drones.
All of these things have long been hackable. Those of us who work in security are often amazed that most people don't know about it.
Why are they hackable? Because security is very hard to get right. It takes expertise, and it takes time. Most companies don't care because most customers buying security systems and smart appliances don't know enough to care. Why should a baby monitor manufacturer spend all sorts of money making sure its security is good when the average customer won't even notice?
Even worse, that consumer will look at two competing baby monitors -- a more expensive one with better security, and a cheaper one with minimal security -- and buy the cheaper. Without the expertise to make an informed buying decision, cheaper wins.
A lot of hacks happen because the users don't configure or install their devices properly, but that's really the fault of the manufacturer. These are supposed to be consumer devices, not specialized equipment for security experts only.
This sort of thing is true in other aspects of society, and we have a variety of mechanisms to deal with it. Government regulation is one of them. For example, few of us can differentiate real pharmaceuticals from snake oil, so the FDA regulates what can be sold and what sorts of claims vendors can make. Independent product testing is another. You and I might not be able to tell a well-made car from a poorly-made one at a glance, but we can both read the reports from a variety of testing agencies.
Computer security has resisted these mechanisms, both because the industry changes so quickly and because this sort of testing is hard and expensive. But the effect is that we're all being sold a lot of insecure consumer products with embedded computers. And as these computers get connected to the Internet, the problems will get worse.
The moral here isn't that your baby monitor could be hacked. The moral is that pretty much every "smart" everything can be hacked, and because consumers don't care, the market won't fix the problem.
This essay previously appeared on I wrote it in about half an hour, on request, and I'm not really happy with it. I should have talked more about the economics of good security, as well as the economics of hacking. The point is that we don't have to worry about hackers smart enough to figure out these vulnerabilities, but those dumb hackers who just use software tools written and distributed by the smart hackers. Ah well, next time.

A Gift for the Hackers

IT companies are failing to secure devices connected to the internet, leaving them open to hackers. This shocking report reveals how anything from your PINs to your passport could now be accessed online.
"Is this your PIN? Is this a letter you received from your bank? Do you have a HP e-Print scanner?" The young man answers yes to every question, stunned that all of his information was accessible on the internet for anyone who wanted to see it. And he's not alone: the wealth of information available is staggering. From shop owners whose security cameras can be watched and controlled remotely, to medical records and confidential documents for international companies like Unilever, Orange and KLM, it's a bonanza for any would-be hackers. While it would be simple for the IT firms who provide printers, scanners and software to make the system more secure, they don't see it as their problem and argue that attending to basic safety protocols is a bit of a marketing nightmare. "There are people who know all about how this works, security-wise, but it's too much trouble to explain all that." One company went so far as to call consumers who didn't know they had to change their passwords "idiots". As the rate of technological change continues at a frightening pace, do technology companies have a duty to prevent our privacy being eroded?

Hacker Accuses US Government Of Tricking Anonymous Into Attacking Foreign Targets

Just as a former member of Anonymous says the United States government coerced hackers to do their dirty work in America’s international cyberwars, the sentencing hearing for the group’s alleged ex-ringleader has been mysteriously delayed yet again.
The hacker-turned-informant who compromised the underground movement known as Anonymous for the FBI will remain free for at least another two months following a Friday morning decision to postpone sentencing for the man behind the online alias “Sabu.”
Hector Xavier Monsegur, a single father from New York involved with a number of high-profile hacks carried out by Anonymous and its offshoots, had been scheduled to be sentenced Friday morning in Manhattan. He pleaded guilty to a dozen criminal counts two years prior.
Just one day earlier, an ex-colleague within the ranks of Monsegur’s cyber-clan published a statement in which he suggested the US government gave Anonymous the ammunition to take down foreign targets, and directed those orders through a cast of characters who took direction from the infamous informant.
RT reported previously that Monsegur, better known by his Internet handle “Sabu,” was scheduled to be sentenced on Friday after a federal judge decided twice already to postpone previous hearings that would have sealed the turncoat’s fate. For the third time in 12 months, however, the United States District Court for the Southern District of New York elected once again to adjourn the hearing Friday morning without handing out a punishment.
A spokesperson for the court told RT over the phone on Friday that Monsegur’s sentencing has been moved to October 25, 2013 at 2:30 p.m. Should District Judge Loretta Preska make a determination at that time, it will come 28 months after Monsegur was arrested for his connection with a series of hacks that impacted the websites and servers of Sony, PBS, News Corp, Stratfor and others. Those operations were carried out by hacktivists aligned to Anonymous and its offshoots Lulz Security and Anti-Sec, and a number of individuals in the US and abroad have been arrested, indicted, convicted and sentenced already for their involvement with those groups thanks to Monsegur’s cooperation with the authorities.
Assistant US Attorney James Pastore said previously that Monsegur has been cooperating with the government proactively since “literally the day he was arrested.” When Judge Preska authorized a sentencing hearing for Monsegur that was slated for six months ago, she signed off on postponing her decision “in light of the defendant’s ongoing cooperation with the Government.”
Representatives at both the District Court and the office of lead prosecutor, US Attorney Preet Bharara, declined to cite why Preska has postponed sentencing for another two months, but Friday’s news marks the third instance in which she has agreed to delay her decision in the case. It also comes just days after a leading FBI cyber-cop declared the Anonymous movement all but dead and cited the arrests that stemmed from Monsegur’s cooperation as the catalyst in their demise.
Austin P. Berglas, assistant special agent in charge of the FBI’s cyber division in New York, told Huffington Post this week that the arrests of five LulzSec hackers in March 2012 had a “huge deterrent effect” on Anonymous and brewed distrust within the movement.
“All of these guys [arrested] were major players in the Anonymous movement, and a lot of people looked to them just because of what they did,” Berglas told HuffPost. “The movement is still there, and they’re still yacking on Twitter and posting things, but you don’t hear about these guys coming forward with those large breaches.”
“It’s just not happening,” he said, “and that’s because of the dismantlement of the largest players.”
Among those top-dogs taken down last year is Jeremy Hammond, a 28-year-old political activist from Chicago who has been in confinement since his arrest 17 months ago. Hammond pleaded guilty earlier this year to a number of computer crimes in a deal that will allow him to escape a possible life sentence.
On Thursday, a website managed by Hammond’s supporters published a statement the hacktivist penned from behind bars in advance of Monsegur’s since-adjourned sentencing.
“It is widely known that Sabu was used to build cases against a number of hackers, including myself,” Hammond wrote. “What many do not know is that Sabu was also used by his handlers to facilitate the hacking of targets of the government’s choosing – including numerous websites belonging to foreign governments. What the United States could not accomplish legally, it used Sabu, and by extension, me and my co-defendants, to accomplish illegally. The questions that should be asked today go way beyond what an appropriate sentence for Sabu might be: Why was the United States using us to infiltrate the private networks of foreign governments? What are they doing with the information we stole? And will anyone in our government ever be held accountable for these crimes?”
In an earlier statement published by Hammond in February, he wrote that the US government “and numerous federally-contracted private corporations openly recruit hackers to develop defensive and offensive capabilities and build Orwellian digital surveillance networks, designed not to enhance national security but to advance US imperialism.” Attempts to enlist hackers for such activity, he said, “should be boycotted or confronted every step of the way.”
Hammond is expected to be sentenced in November by Judge Preska to a maximum of ten years in prison, but attorneys working on related cases have said previously that they don’t expect Monsegur to be sent away until the FBI has finished with Anonymous. When Monsegur’s February 2013 hearing was postponed, attorney Jay Leiderman said he thought the case would be continuously delayed “until he either testifies against Hammond or Hammond pleads guilty.” Leiderman is not working on the Monsegur case, but is co-representing Matthew Keys, a journalist who was indicted in March with conspiring to damage a computer system after allegedly enlisting members of Anonymous to deface a former employer’s website. Federal prosecutors have since filed a Notice of Related Cases motion linking the Keys and Monsegur matters since the Anon-turned-informant “appeared in the Internet chat log at the core of the Keys case, and, in that chat log, offered advice on how to conduct the network intrusion” for which the journalist was indicted.

Chinese Hackers Build Attack Tools From Security Patches

Chinese hackers have found a quick road to developing cyberattacks. They wait for companies to patch their software, then create hacking software using information from the patch.
The newly-created hacking software can then be used to automatically hack computers and systems that failed to update.
Cybersecurity company TrendLabs observed this process in real time. It observed a group of Chinese hackers take a security patch, build an automated hacking tool, and then begin launching attacks.
It started close to a month ago when the Apache Software Foundation released an update to its popular Struts development framework after it found a vulnerability that would let hackers add code to servers.
TrendLabs stated on its Security Intelligence Blog on August 14 that it first noticed the tool on July 19, which was just three days after the security patch was released.
“We have observed attacks against Asian targets using this specific hacking tool, which indicates these Struts flaws are being actively exploited by potential threat actors in the wild,” it states.
The tool is meant to attack any Struts server that has not been updated. Struts is a popular Web application development framework for Java, a coding language that lets people build software.
According to TrendLabs, with just a few clicks, the tool could be used to create a backdoor in a company’s server. Using that backdoor, a hacker can gain and maintain access to information, steal information, and hide evidence of attacks.

Anonymous DDoS Attack hit New Zealand GCSB Website

The Government Communications Security Bureau website was attacked by hackers earlier today.
A spokesman for the organisation said although the attack did not shut down the website, it slowed the website's gateway for about 30 minutes.
"... There is an indication there could have been some temporary degradation of service."
It is believed the website suffered a DDoS, or distributed denial-of-service, attack, in which a website is saturated with external requests to the point that the server is overloaded and cannot respond to legitimate traffic.
The attack did not affect GCSB operations in any way the spokesman said.
A Twitter page with the handle 'OpF*ckGCSB' tweeted "#TangoDown" and a screen shot showing the website down.
The Twitter user claimed links to the international 'hacktivist' group Anonymous.

Turkish Hackers Attack Syrian Government and Arab News Agency website

The official website of the Syrian Arab News Agency (SANA) and other Syrian government websites were attacked by Turkish hackers, the Turkish newspaper Sabah reported on Saturday.
Turkish hackers attacked and destroyed the official websites of several Syrian state agencies, including the websites of Road Regulatory and Emergency Assistance Agencies in response to recent allegations that Syria used chemical weapons near Damascus, killing hundreds of people.
Back in June, a Syrian hacker defaced several Turkish websites, including some belonging to the country’s government, in support of the Gezi protests. In July, the notorious Syrian Electronic Army hacked the systems of Turkey’s Ministry of Interior.

Nasdaq is neither in New York nor on the Internet

Today's news coverage of the Nasdaq outage included pictures from New York City and speculation that it was due to a hacker DDoS attack. Neither reflects the truth.
The Nasdaq market is not located on Wall Street. Iconic pictures of the Wall Street sign or charging bull have nothing to do with the story. Worse yet is the footage of a hectic trading floor: Nasdaq is all electronic, that trading floor is their competitor, the New York Stock Exchange. Sure, Nasdaq has a few Wall Street offices (coincidentally, overlooking Zucotti Park, home of Occupy Wall Street), but only minor business functions take place there, not stock trading.
Even less accurate are the depictions of the Nasdaq video wall on Times Square, their "MarketSite". That really is just a billboard with a television studio, and nothing more. Even less happens there than at the Wall Street location.
The actual location of the Nasdaq market, where the computers process trades, is in their primary data center in Carteret, New Jersey, and a backup data center in Ashburn, Virginia. At least, I think, that's where they advertise direct connections to their trading computers. A few years ago their primary data center was in Trumbull, Connecticut, but I think they moved it. While it's not a terribly big secret where the computers are located, neither does Nasdaq make it hard to find, so I can't confirm this. Wherever they are, they aren't in New York City.
While the Nasdaq market is computerized, it's not really on the Internet. There's no way to DDoS it from the Internet. Sure, there's a path to the Internet, and many of the ubiquitous Bloomberg terminals on the Internet can eventually cause trades to happen, but fundamentally the market has its own private network. Trades can continue in the face of any sort of DDoS attack.
As this Wall Street Journal story points out, the main cause of Nasdaq failures in the past has been squirrels electrocuting themselves, causing power outages. As @attritionorg likes to point out, it's squirrels not hackers that are the chief threat to a stable power grid.

Snowden defeated the NSA's own tripwires and internal burglar alarms

The U.S. government's efforts to determine which highly classified materials leaker Edward Snowden took from the National Security Agency have been frustrated by Snowden's sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have shown what information Snowden viewed or downloaded.
The government's forensic investigation is wrestling with Snowden's apparent ability to defeat safeguards established to monitor and deter people looking at information without proper permission, said the officials, who spoke on condition of anonymity because they weren't authorized to discuss the sensitive developments publicly.
The disclosure undermines the Obama administration's assurances to Congress and the public that the NSA surveillance programs can't be abused because its spying systems are so aggressively monitored and audited for oversight purposes: If Snowden could defeat the NSA's own tripwires and internal burglar alarms, how many other employees or contractors could do the same?
In July, nearly two months after Snowden's earliest disclosures, NSA Director Keith Alexander declined to say whether he had a good idea of what Snowden had downloaded or how many NSA files Snowden had taken with him, noting an ongoing criminal investigation.
NSA spokeswoman Vanee Vines told the AP that Alexander "had a sense of what documents and information had been taken," but "he did not say the comprehensive investigation had been completed." Vines would not say whether Snowden had found a way to view and download the documents he took, without the NSA knowing.
In defending the NSA surveillance programs that Snowden revealed, Deputy Attorney General James Cole told Congress last month that the administration effectively monitors the activities of employees using them.
"This program goes under careful audit," Cole said. "Everything that is done under it is documented and reviewed before the decision is made and reviewed again after these decisions are made to make sure that nobody has done the things that you're concerned about happening."
The disclosure of Snowden's hacking prowess inside the NSA also could dramatically increase the perceived value of his knowledge to foreign governments, which would presumably be eager to learn any counter-detection techniques that could be exploited against U.S. government networks.
It also helps explain the recent seizure in Britain of digital files belonging to David Miranda, the partner of Guardian journalist Glenn Greenwald, in an effort to help quantify Snowden's leak of classified material to the Guardian newspaper. Authorities there stopped Miranda last weekend as he changed planes at Heathrow Airport while returning home to Brazil from Germany, where Miranda had met with Laura Poitras, a U.S. filmmaker who has worked with Greenwald on the NSA story.
Snowden, a former U.S. intelligence contractor, was employed by Booz Allen Hamilton in Hawaii before leaking classified documents to the Guardian and The Washington Post. As a system administrator, Snowden had the ability to move around data and had access to thumb drives that would have allowed him to transfer information to computers outside the NSA's secure system, Alexander has said.
In his job, Snowden purloined many files, including ones that detailed the U.S. government's programs to collect the metadata of phone calls of U.S. citizens and to copy Internet traffic as it enters and leaves the U.S., then route it to the NSA for analysis.
Officials have said Snowden had access to many documents but didn't know necessarily how the programs functioned. He dipped into compartmentalized files as systems administrator and took what he wanted. He managed to do so for months without getting caught. In May, he flew to Hong Kong and eventually made his way to Russia, where that government has granted him asylum.
NBC News reported Thursday that the NSA was "overwhelmed" in trying to figure out what Snowden had stolen and didn't know everything he had downloaded.
Insider threats have troubled the administration and Congress, particularly in the wake of Bradley Manning, a young soldier who decided to leak hundreds of thousands of sensitive documents in late 2009 and early 2010.
Congress had wanted to address the insider threat problem in the 2010 Intelligence Authorization Act, but the White House asked for the language to be removed because of concerns about successfully meeting a deadline. In the 2013 version, Congress included language urging the creation of an automated, insider-threat detection program.