Wednesday, 13 November 2013

Suspected 'Messiah' hacker charged in Singapore; 5 others rounded up for hitting govt sites

Summary: A man reportedly linked to Anonymous and a string of recent cyberattacks has been charged. 5 other suspects are in custody over the hacking of the official sites of Singapore's prime minister and president.

The man alleged to have hacked Singapore sites under the moniker "The Messiah" has been arrested by police, according to newsdaily Straits Times.
Singapore police arrested James Raj Arokiasamy, 35, who was charged in court on Tuesday for hacking the site of Ang Mo Kio Town Council.
Raj is accused of hacking the town council's site from a unit in Dorchester Apartment at Jalan Sri Hartamas in Kuala Lumpur, Malaysia, on October 28 at about 1.35pm, according to Channel NewsAsia. He had allegedly defaced the site with an image of a Guy Fawkes mask and a message signing off as "The Messiah".

He is also suspected of hacking the sites belonging to The Straits Times, People's Action Party Community Foundation and City Harvest Church's co-founder and musician Sun Ho, according to a police statement.
He faces up to three years in jail and a S$10,000 (US$8,011) fine for one charge under the Computer Misuse and Cybersecurity Act. Separately, Raj also has been accused of three prior drug charges, which could add up to 10 years in jail and a S$20,000 (US$16,022) fine on each count.
According to Today. the prosecution asked that Raj be remanded in the Institute of Mental Health (IMH) for a psychiatric evaluation after he told the court that he was taking medication for Attention Deficit Hyperactivity Disorder (ADHD), had borderline personality disorder, suffered from depression, suicidal tendencies and hallucinations.

Raj was arrested by Malaysian police on November 4, and brought back to Singapore and charged for drug related offences the next day. The court then granted a one-week remand for further investigation.

How PMO site was "hacked"
According to Trend Micro, the attack was a result of typical Cross Site Scripting (XSS) where the cybercriminal exploited the "search" function on the site, and injected content from external sources. The cybercriminal had redirected the URL to the criminal's intended image. Exploited URL was then broadcast across various social networking sites  implying that the PMO website has been defaced. With the exploited link referencing the official URL,  unsuspecting visitors were tricked into thinking that the exploited link was a real defaced-PMO website.

Other suspects rounded up for PMO, Istana attacks

Police also have in custody five suspects who are assisting in investigations into the hacking of Prime Minister's Office (PMO) and Istana websites, according to the Straits Times. It added three suspects in the incident related to the hacking of the PMO site were family members. The other two suspects in the incident involving the presidential Istana site were Facebook friends. The men were aged between 17 and 45, added the article.
The three hacking incidents currently appear to be unrelated, police said in its statement.
Last week, the PMO and Istana sites were defaced a day after Singapore Prime Minister Lee Hsien Loong pledged to "spare no effort" to "track down" hackers who targeted Singapore's IT infrastructure. He was responding to earlier threats by a hacker called "The Messiah", who claimed to be part of the Anonymous group and posted a YouTube video in protest of the Singapore government's online media licensing rule.

How To Teach Kids To Code Without Turning Them Into Crackers

In the digital age, teaching kids to write computer code seems like a winning idea. But could these lessons do as much harm as good? In just under a year, the UK will begin to find out. This former industrial powerhouse is aiming to resurrect the old-fashioned Victorian spirit of innovation by teaching every five-year-old the basics of computer coding. From next September, school kids can expect to spend at least 11 years developing their “capability, creativity and knowledge in computer science, digital media and information technology”, hopefully to the point where many of them will be able to go on and develop professional careers.
If you buy the government’s claims, this will be no Mickey Mouse course. First-graders will start with lessons on the function of an algorithm and then progress to writing a simple program within a year. By sixteen, they will understand Boolean logic and be familiar with at least two programming languages, which isn’t bad for a country that is famously reluctant to learn foreign tongues. The Telegraph, one of Britain’s most respected broadsheets, has called the curriculum a “quiet revolution”, whilst politicians are hoping the new curriculum will create a new generation of tech tycoons primed and ready to knock Silicon Valley off its gilded perch.
However, Carl Miller, research director at the Centre for the Analysis of Social Networking within the London-based think-tank Demos, isn’t sure the future is as rosy and straight-forward as Westminster is making out. “The course itself doesn’t seem to deal with the rights and wrongs of the use of these new skills,” he said. “These are all necessary skills for the digital workplace and we have a shortage of them in the UK at the moment. But they absolutely can be used both for right or wrong.  These skills – technical prowess, an analytical ability and digital creativity – are exactly the ones needed for hacking.”
His warning is chilling. It’s all very well teaching kids how to write computer programs to a high level, but what happens when they reach adolescence and start wanting to cause trouble? The curriculum itself aims to teach children how to “use technology safely, respectfully, responsibly and securely”, yet this relates to issues such as avoiding online predators or dealing with online bullying, Miller continued. It doesn’t deal with the rights and wrongs of online life, let alone why it’s probably not a good idea to infiltrate US military networks as did British hackers Gary McKinnon or Lauri Love. Left to their own devices, it isn’t difficult to imagine what sort of imaginative – and destructive – uses a disaffected 17-year-old will find for their new talents.
“These pupils are part of a society going through an incredibly tumultuous clash of online and offline norms,’’ Miller continued. “There’s no need to teach someone in woodwork not to hit someone over the head with a two-by-four, because the values of the real-life street are well understood and most people sign up to them.
“However, the reality is completely different on the digital street. Norms are in flux and if you spend too long in places like 4Chan,  you might start thinking there are no norms at all… The internet, especially since the explosion of social media, has become the new public space. We need to learn that we have responsibilities to other inhabitants of it.”
In the U.S., the risk of nurturing a new generation of super-skilled hackers is outweighed by the benefit of gaining more software engineers. America will have one million more software jobs than coders by 2020, according to research by not-for-profit group The charity found that just one in ten American schools offer computer programming classes, despite the fact that the number of jobs in the area is growing at twice the rate of the national average. Even though recognizes the need to follow the example countries like the UK or, more pertinently, China, where kids are also taught to code, the programming champion is clear that there needs to be a moral component to computer science.
“Anytime you teach anything, ethics should be part of it,” Hadi Partovi, co-founder and CEO of “The same is true about driving. Or writing. It just happens that computer programming is like a superpower, so the incidents of people doing bad things with it are more noticeable. However, in a world where healthcare, commerce, transportation, communication and entertainment are all run by computers, this is a foundational field to which every single student should have basic exposure.”
It’s hard enough teaching coding, let alone working out how to make sure kids don’t go rogue using their new skill. How might we able to make sure youngsters stay on track? One clue might come in an admission from Jake Davis, a hacktivist linked to the Lulzsec group, who recently told the BBC that the internet was “devoid of empathy”. Maybe encouraging techie folk to be a bit more touchy-feely might make sure they don’t use their new skills for nefarious purposes.
Roman Krznaric, author of the upcoming book How Should We Live: Great Ideas From The Past On Everyday Life and a founding faculty member at London’s School of Life, is obsessed with getting us all to think a bit more about other people’s well-being. His next book, Empathy: A Handbook for Revolution, will urge us humans to be a bit less indifferent to each other. His solution to making sure the next generation of digital natives don’t tear down the internet around our ears is simple: we need to teach them to care about someone other than themselves.
“Online culture destroys empathy and brings out our dark side,” he said. “It’s been shown that the more Facebook FB +0.88% interactions a person has, the more narcissistic they are. We need to be teaching empathy to kids and making them think about what it’s like to be another person. That is the beginning of morality.”
Krznaric even has an idea about how this might be achieved. He wants to see all elementary school pupils taught how to care about each other using a scheme called Roots of Empathy. This involves bringing a baby into classrooms and encouraging kids to talk about how it’s feeling, why it’s laughing or crying and what they can do to change its mood.
“This is the perfect fit for the demographic who will be taught coding in the UK,” he said. “It has amazing results, reducing bullying and even boosting academic achievement.”
I would care to bet few technology teachers have spent as much time thinking about online behavior as they have the finer points of C++. Even fewer have probably considered bringing a baby into the tech lab. But new problems require fresh thinking – something young minds are adept at. If we want to keep up with them, it’s time to keep an eye on how we teach kids and what they end up doing with their new skills after the school bell rings. Otherwise, it won’t just be windows that end up broken.

Micro-GPS trackers are good for parents, but a target for hackers

Micro-GPS trackers are good for parents, but a target for hackers »Play Video
SEATTLE -- The first three hours after a child goes missing are the most critical, according to the National Center for Missing and Exploited Children. Of the children found murdered, experts believe it usually happened in the first three hours after the abduction.

Several companies are now marketing portable, micro-GPS trackers to anxious parents who want to know where their kids are at all times. The devices are small -- no bigger than three inches long -- and use GPS satellites, WiFi and cellular networks to update its whereabouts.

But at least one expert says the devices are vulnerable to hackers.

Products such as AmberAlertGPS, eTrak and eZoom are targeting families with 2- to 10-year olds, pre-cell phone age children. But you don't need to have a kid to use them.

The devices can be used to track a cheating spouse, a wandering employee or an elderly grandparent with Alzheimer Disease. But it's worried parents who seem to be fueling the growth of these tracking devices.

In 2007, the founder of AmberAlertGPS, Russ Thornton, lost his 3-year-old son at an amusement park.

"As a father you're worst fear is losing a young child," Thornton said. 

He found his son after a frantic 45-minutes search. The incident prompted him to create AmberAlertGPS.

"I thought there has to be a way to give parents some piece of mind about there their children are," he said.

With AmberAlertGPS, parents can log into a website and see on a map where the device is located in real time.  Using a "breadcrumb" feature, a parent can track the path of the device over a period of several days.

Users can set up custom zone alerts. Should the device enter or exit an area of the parent's choosing, an immediate email or text message is send to the parent.

Speed limits could be set incase the person with the device gets in a vehicle.  If the device goes faster than a set speed, an immediate alert is set to the parents.

The same goes for registered sex offenders. If the device passes within 500 feet of a registered sex offender's address of record, parents can be alerted of the that too.

The AmberAlertGPS can also be used for communication. The child can press an SOS or panic button on the device, which places a cell phone call to a number registered to the account. That can be a parent's cell phone. Since the device has both a speaker and a microphone, the parent can have a conversation with the child.

But the parent can also call the device and listen in to what is happening to the child at any moment. The child or whoever is in possession of the device would never know the unit is now an eavesdropping device.

The only way they know if someone is listening is if the caller speaks up, because the device doesn't have a ring tone.  If the caller mutes their phone, the holder of the device would never know someone is evesdropping.

Security expert Don Bailey has been investigating vulnerabilities with micro-GPS devices and how they interact with the cellular networks.

"The devices themselves can be designed with a reasonable amount of security and the network itself has a reasonable amount of security but when you pair these two things together, sometimes security falls through the cracks," Bailey said.

Bailey is the CEO of Capitol Hill Consultants and is a well recognized computer-security consultant that has exposed vulnerabilities with internet connected cars.

"With a very small amount of equipment for only a couple thousand dollars, they absolutely can intercept transmissions from the device to the network," he said.

The devices have lots of protocols to deal with, and Bailey said cellular carriers need to spend more money to strength security to make transmissions more immune to hackers.

"Allot of these devices really won't be secure for quite some time," he said.

Thornton defends the security of AmberAlertGSP, saying the necessary SSL and related security protocols are built into the device.

"We feel confident we can keep the integrity of that data secure and we don't feel there's an issue using our device in any way," Thornton said.

David Cassels recently spent a weekend with an eTrak device in his coat jacket. ETrak is another company marketing a micro-GPS tracker to parents.  It offers similar features to the AmberAlertGPS, except it does not have two-way voice communications.

A father of three small kids, Cassels is typical parent who spends his weekend doing errands and taking his kids to soccer games and play dates. He's trying to decide if wants to track his kids.

"There's a feeling of security that if something were to happen, you would know where they are," he said.

But when asked about the possibility of someone intercepting the device's transmissions or stealing the user name and passwords, Cassels said the benefit may outweigh the risk.

"I think the purpose it serves is more valuable than the risk I might face of somebody get access to that information," he said. "You know that kids have their Facebook profiles and people have more an idea where they are based on that and it takes allot less effort than to access this data."

ETrak says it uses the best encryption available for its transmissions.

"The odds of it getting hacked are pretty low, said eTrak CEO John Harris.

Harris says eTrak operates the same way a cell phone or text message is transmitted.

"If the person has the ability to hack one's phone and get their information, they could potentially do the same with any other device around," he said. " Frankly, we are at the mercy of the network and their security devices."

Micro-GPS tracking units typically run between 100 and 200 dollars each and require a monthly subscription which run between $10 and $25 per month.

Hackers probe HTTPS weaknesses

HTTPS is vulnerable to attack, and we can expect the situation to worsen over time. In two to five years, serious compromises of the Web's underlying security structure could take place more frequently at the criminal level.
This doesn't mean that HTTPS is broken - it still provides strong protection against many online threats. But for individuals and corporations, the lesson here is that HTTPS shouldn't be solely relied upon.
E-commerce, online banking or simply logging securely into an online account - these things wouldn't be possible without HTTPS. The same can be said for new areas of growth like the cloud, mobile payments and Internet-connected devices.
And yet, while so much is riding on the Internet's ability to function securely and protect its users, not enough is being done to keep pace with a growing number of threats that could diminish the reliability of the cryptographic systems that make a secure Internet possible.
Not least of which is the Edward Snowden disclosure, reported back in September, which allegedly shows the U.S. National Security Agency has been able to influence the security standards used to protect HTTPS, and has been able to bypass it.
But the threat to HTTPS isn't just at the nation-state level. It's also filtering down to the average criminal.
One of these threats was recently the subject of a Department of Homeland Security alert. It's an attack that is able to bypass the encryption of an HTTPS website, such as your online bank, allowing a hacker to hijack a person's account in just 30 seconds. Three other attacks similar to this have come out in the past couple of years. There are also other attacks which take advantage of certain flaws in HTTPS to render it useless.
At the same time, hackers have also figured out how to spoof, or impersonate, legitimate websites by breaking into Certificate Authorities - the same companies that are supposed to be protecting the integrity of the Web. Lastly, new research is finding ways to crack one of the complex ciphers (known as the RSA algorithm) that form the very backbone of the Internet's security.
For the individual, it's important to take additional precautions to protect yourself. The most important of these is to start using a virtual private network (VPN) to add an additional layer of security on top of HTTPS. Since many VPNs use the same type of security that's vulnerable to these attacks, it's best to use a VPN that relies on IPsec.
Other steps to take include limiting what you do over WiFi - perform sensitive tasks like online banking only over an ethernet hardline. Additionally, consider buying a cheap netbook or Chromebook that is only used to do online banking and have a dedicated credit card for online purchases.
Enterprises should also re-assess their level of risk. Like consumers, corporations also rely on Web security - to protect their internal operations from attack. It's critical to implement defense-in-depth across all areas of their networks - even those inside the firewall. They should also require software vendors to run security upgrades that will patch against many of these threats.
Companies should also protect their websites against these attacks by implementing the DHS' six-point mitigation strategy (outlined in Vulnerability Note #987798).
It's also important to consider the next step for HTTPS. With researchers predicting that the RSA algorithm will be defeated in the next two to five years, it's time for the security industry to get serious about a replacement.
There is one available - its called Elliptic Curve Cryptography (ECC). The problem is that it's not widely used, and many Certificate Authorities don't accept it. Over the next few years, enterprises should pressure the security industry to start accepting viable alternatives to RSA - and they should start preparing their own organizations for the switch.

Intelligence agency seeks facial recognition upgrade

The U.S. intelligence community is pushing a leap forward in facial recognition software that will enable it to determine better the identity of people through a variety of photographs, video and other images.
Called Janus, the program run by the Intelligence Advanced Research Projects Agency (IARPA), "seeks to improve face recognition performance using representations developed from real-world video and images instead of from calibrated and constrained collections. During daily activities, people laugh, smile, frown, yawn and morph their faces into a broad variety of expressions. For each face, these expressions are formed from unique skeletal and musculature features that are similar through one's lifetime. Janus representations will exploit the full morphological dynamics of the face to enable better matching and faster retrieval."
Documents released by IARPA over the weekend show that the Janus program will start in April 2014 and run for four years. During that time, the agency hopes to "radically expand the range of conditions under which automated face recognition can establish identity."
A division of the Office of the Director of National Intelligence, IARPA was created in 2006 and modeled after DARPA, the Pentagon's agency that researches technology for future military uses. Another branch of the intelligence community, a venture capital firm run by the Central Intelligence Agency called In-Q-Tel, invests in companies that develop facial recognition software.
Civil liberties groups, such as the American Civil Liberties Union and the Electronic Privacy Information Center, have raised concerns about unchecked uses of facial recognition software.
Janus and IARPA's increased interest in facial recognition software raises significant privacy issues, said Jay Stanley, senior policy analyst with the ACLU's Speech, Privacy and Technology Project. Coupled with the rapidly increasing number of surveillance cameras around the country, facial recognition software "represents a quantum leap in the amount of surveillance taking place in public places."
For example, Stanley noted, authorities could randomly run facial recognition programs over surveillance video and determine the identities of people frequenting certain public places without any kind of oversight.

iPhones can be hacked while charging

ATLANTA — Apple's iPhone has won praise over its resistance to hackers, but university researchers have revealed you can still be vulnerable.
The risk comes when using public USB chargers, says Billy Lau, a Georgia Tech research scientists.
Lau and his team, at Georgia Tech's Security Information Center, made a malicious app look like Facebook and hid the malware code to get an initial security certificate.
After gaining Apple's initial approval for testing, the app was downloaded to an iPhone. Like Lau, hackers could now introduce the app to an iPhone through public USB chargers, disguised as a normal iPhone or iPad charger, connected to a hidden computer.
Lau says nothing will happen, as long as you don't unlock your password protected phone, while it's charging.
"If it's unlocked even for a second or less than a second, the attack commences," Lau pointed out.
When they unlocked the phone for the demonstration, the Trojan app went to work.
A minute later, he launched what looked like the Facebook app on the phone but it was their Trojan app that took over, allowing him remote control of the phone, seeing everything the user could see, passwords and all. He was able to remotely make a call from the phone and had the ability to eavesdrop on one.
"The possibilities are really endless. It can steal your banking credentials," Lau said.
The solution - don't unlock your phone while charging at a public charging station. Apple has also updated its software to warn you about plugging into unknown USB public charging stations, asking first, if you trust it.
Okay, you've plugged into a public USB charger before and want to be sure you're not compromised. What do you do?
"You go to settings, then you need to go into general and then you need to search for the profiles," Lau demonstrated.
If you see an unknown profile running on your phone you could have been hacked. If it's a company iPhone, you should check with your IT folks to see what profiles are legitimate.
Georgia Tech reached out to Apple to get this fixed. We should also point out, the researchers say their malicious app wouldn't survive Apple's full review process, in order to be available in its app store, even though it got initial testing approval.

Loyaltybuild: Hackers Steal Card Details

Computer user in shadow 

Hundreds of thousands of card details have been stolen from an Irish company and Interpol may have to be called in, experts warn. 

Hackers have stolen the full card details of at least 376,000 people in a cyberattack on Irish marketing company Loyaltybuild.
Phone numbers and addresses of more than a million people have also been taken.
Loyaltybuild runs reward schemes for companies across Europe, including one for the Irish supermarket chain SuperValu.
Some 70,000 SuperValu customers have had their full card details stolen, confirmed the Office of the Data Protection Commissioner (ODPC).
In a statement, it said: "The inspection team confirmed the extent of the breach in which the full card details of over 376,000 customers were taken of which over 70,000 were SuperValu Getaway customers and over 8,000 were AXA Leisure Break customers.
"The details of an additional 150,000 clients were potentially compromised.
"The inspection team also confirmed that name, address, phone number and email address of 1.12m clients were also taken."
GM generic trolley
Some 70,000 supermarket customers in Ireland have has their details stolen
The ODPC said early indications were that it was an "external criminal act".
Loyaltybuild said it had been the victim of a sophisticated criminal attack and that it was urgently investigating what had happened.
"We are working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers, who are of paramount importance to us," said the company.
"Unfortunately, the threat of cyberattacks is increasingly becoming a reality of doing business today and Loyaltybuild would like to sincerely apologise for any distress or inconvenience caused."
Loyaltybuild first raised concerns about a data security breach on October 25 and the problem was initially thought to be limited to customers in Ireland.
Axa flags
Axa says it will contact affected customers
Fraud squad officers and data protection inspectors have spent the day at the company's headquarters and data centre in Ennis, Co. Clare.
Follow-up inspections are planned and the company has been warned that customers, banks and credit card firms must be notified.
"The ODPC continues to warn customers to be vigilant in relation to their accounts and to report any suspicious transactions to their card company," said Ireland's data commissioner Billy Hawkes.
"Clients should also be vigilant in relation to suspicious communication of any kind which they receive."
Mr Hawkes also said that Interpol may have to be called in.
Loyaltybuild operates both the SuperValu Getaway Breaks and Axa Leisure Breaks programmes.
SuperValu is now contacting customers to tell them there is a "high risk" that an unauthorised third party accessed details of payment cards used to pay for Getaway Breaks between January 2011 and February 2012.
Axa also promised to contact affected customers and will advise them to get in touch with their banks to check transactions for any suspicious activity.

How Corporate America fights hackers


To defend themselves against hackers, some of America's largest corporations have adopted shadowy tactics usually reserved for government spies.

They go undercover, infiltrate secretive hacking groups and occasionally even build personal profiles of their attackers -- everything short of physically hunting them down themselves.
The old method of constructing defenses and waiting for a strike doesn't cut it anymore, according to security professionals who advise Fortune 500 firms. Cyberattacks have gotten far more effective, especially now that hackers are increasingly being funded by foreign governments.
In fact, experts said that key corporate executives -- whose email accounts usually carry the most prized information -- are no longer the target of choice for hackers. Instead, the bad guys now try to hack into accounts of secretaries, who are often just as knowledgeable as their bosses, or engineers who create valuable intellectual property.
"The more modern approach is: I want to know who's going to attack me, so I can tune my defenses in advance," said Ian Amit, service director at security consultant IOActive.

None of the security consultants who spoke to CNNMoney would identify their clients. But the consultants said the largest firms in banking, energy, technology and health care are the ones most likely to be engaging in espionage to keep hackers at bay.
The stakes in the United States are high, as hacking costs more than $100 billion a year. Foreign governments want to steal intellectual property, and well-organized cyber mafias seek credit cards.
So how exactly are companies fighting back? Some use what's referred to as "active defense." Amit said that involves maintaining a cybersecurity team to monitor clandestine chat forums or marketplaces where hackers plan their assault. This usually happens on the so-called deep web, where anonymity is paramount.
Sneaking in. The first step is infiltration, security experts say. To fit in, some corporate scouts are fluent in Arabic, Chinese or Russian. To gain the community's trust and prove themselves as worthy, some even stage hacks of their own company. A bank might create a few throwaway credit card accounts.
"You'll fake compromise a few credit cards and lose a couple of bucks. If that buys your way into a forum that gives you a heads up on intelligence on future fraud," Amit said.
Businesses may also prepare bait to lure in an outside attack. Some set up computer servers as targets to passively study the hacker's movements. Others ruin the digital files hackers are trying to loot as it leaves their system. Hackers stealing large amounts of data tend to compress files to move them faster, so corporate tech security will change a single byte in the compressed file, rendering it useless.
The scary reality of hacking infrastructure
Companies often team up with consultants for the heavy lifting. A team of operatives at anti-virus software maker Symantec (SYMC, Fortune 500) does that very kind of spy work.
Samir Kapuria, who leads Symantec's Security Intelligence Group, recalls an incident last year when a major manufacturer (he wouldn't name) created bogus blueprints of a valuable product and left it hidden in its servers. When the company later found it being traded in an underground community, it knew there was a leak somewhere in its computer system.
"For them, it was really telling," Kapuria said.
Hacking the hackers. As companies up the ante, some flirt with the idea of fighting back. Jeffery Stutzman is the CEO of Red Sky Alliance, which coordinates intelligence sharing among 30 of the world's largest conglomerates. His firm profiles attackers by keeping their pictures, phones numbers and other personal information on file.
At a recent security industry conference in New York City, he noted the building sentiment among some companies to commit a counterstrike.
"I'm all for the Second Amendment right in cyber," he said, referring to the right to bear arms. "You've got to be able to defend yourself."
That could mean hijacking an attacker's computer and making its hard drive overheat. Or wiping it blank. Or turning on their webcam and taking their picture.
Related story: How Silk Road was reborn
But industry experts say that type of offensive is rare, and admitting to it is taboo. Although tempting, the risks of getting caught are too high, said Craig Carpenter, a marketing executive at digital investigating firm AccessData.
Fighting back is time intensive and expensive. Because hackers occasionally hijack servers to launch an attack, fighting back might hurt an innocent third party. And if it's a state sponsored attack, as with some Chinese government hacking, an American firm might be striking back on a government-owned enterprise.
"Vigilantism in the cyber world is dangerous," Carpenter said. "You could find yourself in a situation of undeclared war. It's a really bad idea."
It would also draw the ire of the FBI, which is why the industry norm is to document attacks, track down hackers and hand over "prosecution files" to the FBI. It gives federal agents a significant head start and puts companies one step closer to eliminating the threat.
"As a commercial entity, it's very hard to take an operation down by yourself," IOActive's Amit said. "This is a law enforcement thing." To top of page

Back up now! Warning over new wave of Filecoder infections hitting U.S.

American PC users are being hit with a new wave of filecoder ransomware, which locks access to computers and demands $300 – with a ticking timer before files are locked forever.
The U.S. Computer Emergency Response Team (US-CERT) issued a warning of an “increasing number” of infections with Cryptolocker, detected by ESET as a variant on Win32/Filecoder.
“CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments,” the agency says.
The Trojan was detected in 2013 – and We Live Security reported a surge in infections this summer.
US-CERT says that users are being targeted via emails resembling UPS and FedEx tracking notices.
ESET Malware Researcher Robert Lipovsky says, “We’ve noted a significant increase in Filecoder activity over the past few summer months.”
Lipovsky’s report on We Live Security showed countries that were being targeted with the malware – delivered via drive-by downloads and email attachments, among other common infection methods. At the time, Russia, Spain and Italy were the site of most infections.
US-CERT’s warning shows that the threat remains active. “CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices,” the agency said.  “ In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.
“To decrypt files, you need the private key,” the Trojan warns users, “The single copy of the private key is on a secret server. The server will destroy the key after the time specified in this window. After that, nobody will be able to restore the files.”
PC Authority reported that on 1 November, a variant of the Trojan allowed users to recover “past deadline” by paying an even bigger sum – 10 bitcoins, or $3,000.
The malware affects Windows users running Windows 7, Vista and XP, according to US-CERT. The agency also warns that some users report paying the ransom, and not being given access to their files.
“Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key,” says US-CERT. “While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.”
The threat is not an empty one, Lipovsky says, “Unfortunately, in most cases, recovering the encrypted files without the encryption key is nearly impossible.”
With quick action, users can sometimes recover data – but the best defense is caution. A We Live Security guide to how to defend against ransomware is here. The most important advice is to back up data, according to Lipovsky.
“If they have backups, than the malware is merely a nuisance,” says ESET researcher Robert Lipovsky. “So, the importance of doing regular backups should be strongly reiterated.”
US-CERT suggests users immediately disconnect their systems from their wireless or wired network, and contact an IT professional, and advises against paying any ransom.

Massive ‘war game’ batters London’s banking system with simulated cyber onslaught

A ‘war game’ scenario on Tuesday tested thousands of banking staff across London’s investment banks against the ‘worst case scenario’ – a major cyber attack on stock exchanges.
The simulation – ‘Waking Shark II’ is one of the largest exercises of its kind ever organized in the world, according to a report by Reuters.
The simulated “attack” will test not only security staff and systems, but how executives communicate with other banks, the media and the authorities, as it unfolds on social media.
The exercise will also simulate other scenarios, such as how banks ensure the availability of cash from ATM machines. Staff at banks will work from their  own offices, but the “attacks” will be co-ordinated from a single “war room” with regulators, staff, and officials, according to sources.
The “game” is organized by the Bank of England, the Treasury and Britain’s Financial Conduct Authority and follows a similar exercise two years ago. All three authorities declined to comment, according to The Telegraph.
The first such simulation involved 3,500 people, and simulated “a concerted cyber attack upon the financial sector” targeting wholesale and retail payments, The Telegraph reports. The simulation follows repeated warnings in the UK and elsewhere that banks need to bolster their defenses.
In September, Scott Borg, chief of the U.S. Cyber Consequences Unit, said that he believed manipulation of the financial markets would be the next major target for cybercriminals, according to Computer World.

More than half of securities exchanges around the world faced cyber attacks last year, according to a paper released by the International Organization of Securities Commissions (IOSCO) and the World Federation of Exchanges (WFE) – as reported by We Live Security here.
“The number of high profile and critical ‘hits’ is also increasing,” says the IOSCO report. “The report warns that underestimation of the severity of this emerging risk may lay open securities markets to a black swan event.”
A survey of 46 exchanges around the world found that 53% had faced cyber attacks – mostly disruptive in nature, rather than financially motivated, and mostly consisting of malware or DDoS attacks. Nearly all – 89% – of those surveyed agreed that cybercrime should be considered a systemic risk.
The report says, “This suggests a shift in motive for cybercrime in securities markets, away from financial gain and towards more destabilizing aims. It also distinguishes cyber – crime in securities markets from traditional crimes against the financial sector e.g. fraud, theft.”
“While cybercrime in securities markets has not had systemic impacts so far, it is rapidly evolving in terms of actors, motives, complexity and frequency.”
The British Waking Shark tests follow a similar exercise conducted in 2011 – and mirror exercises conducted on Wall street, such as a simulated cyber attack with the Hollywood-esque title Quantum Dawn 2 bombarded the defenses of American banks on June 28 – in an exercise designed to test how Wall Street would endure a sustained cyber attack, as reported by We Live Security here.
Created by the trade organization Securities Industry and Financial Markets Association (SIFMA), the exercise was built to “test incident response, resolution and coordination processes for the financial services sector and the individual member firms to a street-wide cyber attack.”

More D-Link routers are vulnerable to attacks, researcher claims

More vulnerabilities have been discovered in a D-Link  router, leaving the device vulnerable to attacks via its web interface – only weeks after the discovery of a “backdoor” in other D-Link devices.
Security researcher Liad Mizrachi said he notified the company of the bugs on several occasions, but D-Link failed to respond, according to Threatpost. The D-Link 2760N – also known as the D-Link DSL-2760U-BN – is susceptible to several cross-site scripting bugs.
Details of Mizrachi’s findings can be found here.
The report follows the discovery of a  serious “backdoor” vulnerability in various D-Link models, reported by We Live Security here.
Craig Heffner, a security researcher, and former employee of the National Security Administration, claimed that the backdoor appears to have been placed deliberately – and could allow attackers access to unencrypted data, saying, “You can access the web interface without any authentication and view/change the device settings.
The code which could allow access was found on a Russian cybercrime forum, according to Heffner.
D-Link has since issued patches for affected routers, saying, “We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.”
D-Link is one of the largest manufacturers of networking equipment on Earth, sold under its own brand. The company describes itself as “the global leader in total products shipped for consumer networking connectivity.”
CNET spoke to Jacob Holcomb, who discovered widespread vulnerabilities in popular routers earlier this year, who said, “Code written for these devices continues to provide inadequate security for today’s digital society, and manufacturers should be held accountable for the implementation of code that intentionally circumvents security.”
In October, Heffner found vulnerabilities in routers from Tenda – which contain a hidden “backdoor” which could allow attackers to “take over” the router and send it commands, as reported by We Live Security here. The Chinese manufacturer also sells routers branded as Medialink, and the machines are available around the world.
Heffner says that he made “short work” of cracking the routers, and that all an attacker needs to do is send a “magic string” to execute commands.

Facebook helps out users who used same password on Adobe – by blocking them

Facebook users who used the same email and password on their Adobe and Facebook accounts have been offered a helping hand by Facebook itself in the wake of the recent massive breach at Adobe, which leaked private data for 38 million users – in the form of a block and forced password reset.
The social network now blocks such accounts, and asks additional questions before forcing a password reset, according to The Verge.
Brian Krebs of Krebs on Security reports that the social network has mined data leaked from the recent breach to secure user accounts. Data from the breach is already available online.
Users who employed the same combination of email and password across both accounts are automatically locked out of their Facebook accounts, and asked additional questions before being granted access. Users are then asked to create a new password, The Verge reports.
Users are greeted with a warning message headed, “Someone May Have Accessed Your Account,” according to Engadget’s report. The message  continues, ““Recently, there was a security incident on another website unrelated to Facebook. Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places. To secure your account, you’ll need to answer a few questions and change your password. For your protection, no one can see you on Facebook until you finish.”
Facebook did not confirm how many users were affected. The password information is available publicly on the internet via several password “dumps”.
“We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” said spokesman Jay Nancarrow, speaking to Brian Krebs. “When we find these situations, we present messages like the one in the screenshot to help affected people secure their accounts.”
Adobe has admitted around 38 million active users may have had IDs and encrypted passwords accessed by unknown attackers in a breach earlier this year.
Previously, it had been estimated that around three million users had data accessed. Others have speculated the number affected may be much larger.
ESET Researcher Stephen Cobb described the breach as “unprecedented” at the time, due to the fact that attackers also appeared to have accessed source code for Adobe’s Acrobat software.
Krebs says, “It also appears that the already massive source code leak at Adobe is broadening to include the company’s Photoshop family of graphical design products.” The company now admits that “numerous” products were affected by the breach.
Many of the 38 million passwords accessed in the breach were extremely simple – and a security researcher claims that 1.9 million of these are the simple “123456”, as reported by We Live Security here.
Half a million craftier customers chose “123456789”, according to a report by The Register, quoting researcher Jeremi Gosni, a self-styled “password security expert” who found the passwords in a dump online.
“Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3,” Edell wrote. The company’s ColdFusion web application platform may also have been accessed.
ESET researcher Stephen Cobb says, “Access to the source code could be a major asset for cybercriminals looking to target computing platforms such as Windows or mobile operating systems such as Android.”
“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” said Adobe spokeswoman Heather Edelll.
“We have completed e-mail notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident — regardless of whether those users are active or not.”
“Adobe’s security team recently discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products,”” the company says. “ We believe these attacks may be related. We are working diligently internally, as well as with external partners and law enforcement, to address the incident.”

Cyberattack on reward scheme company exposes credit card details for up to 376,000 European shoppers

Hackers have accessed full card details for at least 376,000 people in a cyberattack on a “reward scheme” company, Loyaltybuild – as well as phone numbers and addresses for more than a million others.
The company runs reward schemes including discounted holidays for supermarket chains across Europe, including the Irish chain SuperValu and insurance company AXA, according to Sky News.
The full scope of the attack only became apparent today, according to the Irish Times.
“Everything changed yesterday when Loyaltybuild contacted the Data Protection Commissioner  again to say financial details of more than 62,000 Supervalu customers and 8,000 Axa customers who had paid for breaks between January 2011 and February 2012 had been seriously compromised and could now be used by a third party to make purchases or – worse again – clone credit or debit cards,” wrote the paper’s Conor Pope.
Ireland’s Office of the Data Protection Commissioner confirmed that 70,000 Supervalu custommers had their full credit card details stolen in the breach, along with 376,000 others.
“The details of an additional 150,000 clients were potentially compromised,” the DPC said in its statement.
“The inspection team also confirmed that name, address, phone number and email address of 1.12m clients were also taken. The initial indications are that these breaches were an external criminal act.”
“The ODPC continues to warn customers to be vigilant in relation to their accounts and to report any suspicious transactions to their card company. Clients should also be vigilant in relation to suspicious communication of any kind which they receive.”
Loyaltybuild raised concerns about a breach on October 25, but the full extent of the attack has only emerged this week. The company described the breach as a “sophisticated criminal attack.”
“We are working around the clock with our security experts to get to the bottom of this and to further enhance our security in order to protect our valued customers, who are of paramount importance to us,” the company said in a statement.
“Unfortunately, the threat of cyberattacks is increasingly becoming a reality of doing business today and Loyaltybuild would like to sincerely apologise for any distress or inconvenience caused.”
ESET and We Live Security offer advice on what to do if you are affected by a major site breach here.

GCHQ remains tight lipped on Belgacom LinkedIn and Slashdot snooping

The UK Cabinet Office has moved to downplay concerns that it infected telecoms engineers' workstations with espionage-focused malware.
A Cabinet Office spokesperson told V3 that if such spying did occur it would have been within the law.
"All GCHQ's work is carried out in accordance with a strict legal and policy framework, which ensures that its activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the Interception and Intelligence Services commissioners and the Intelligence and Security Committee," read the statement.
Reports that the GCHQ was using bogus LinkedIn and Slashdot pages to mount a targeted attack, via the part-government owned Belgacom telecommunications company, broke earlier in the week via German news outlet Der Spiegel. The newspaper reported uncovering the campaign while examining documents leaked by ex-CIA employee Edward Snowden.
The documents reportedly showed that the GCHQ had used the bogus pages to install custom malware on a select number of key targets' machines. The malware reportedly granted the GCHQ access to router systems used to traffic data when people use their mobile phones abroad. Der Spiegel reported that the agency was using its access to launch a series of man-in-the-middle attacks against an unspecified number of smartphone users.
LinkedIn has also moved to downplay the significance of Der Spiegel's report. A spokesman told V3 that the company has never received data requests from the GCHQ and has not seen any suspicious activity on its systems.
The reports follow widespread questions about how intelligence agencies collect data. The heads of the GCHQ, the Security Service (MI5) and the Secret Intelligence Service (MI6) defended their online data collection campaigns as an essential part of the war on terrorism.

International Atomic Energy Agency hit by unknown malware attack

International Atomic Energy Agency (IAEA) systems have been infected with an unknown data-stealing malware.
IAEA director of public information Serge Gas confirmed to V3 that a number of computers connected to its systems had been infected with malware, but added that no data was affected or compromised.
"During [the] past months some computers operated by the IAEA have been infected by malware. Data from a number of Vienna International Centre visitors' USB drives is believed to have been compromised. The Secretariat does not believe that the USB devices themselves were infected or that they could spread the malware further. No data from the IAEA network has been affected," he said.
He added that the agency has already taken appropriate measures to ensure its systems don't fall victim to a second attack. "All necessary measures are being taken to address the situation. Protecting information is vital to the IAEA's work. The Agency continuously endeavours to achieve the highest possible level of protection of information," he said.
The news follows widespread reports that hackers are increasingly focusing their efforts on critical infrastructure areas, such as power. Security tycoon Eugene Kaspersky revealed earlier this year that the notorious Stuxnet malware had "badly" infected a nuclear power plant in Russia.
Stuxnet is very different to the malware used in the attack on the IAEA. Originally discovered targeting Iranian nuclear plants in 2010, it is unusual as it has a sabotage rather than espionage focus. Security experts have since warned that Stuxnet's a typical nature and behaviour makes it difficult to track, and that it is likely to have infected several more nuclear power plants around the world.
Attacks on critical infrastructure are a growing issue facing governments. The heads of GCHQ, the Security Service (MI5) and Secret Intelligence Service (MI6) argued that they need PRISM-level data-monitoring powers to defend critical infrastructure areas from the cyber threats, during a briefing with the Intelligence and Security Committee (ISC) earlier in November.

Microsoft Internet Explorer zero-day vulnerability hit with diskless watering hole attack

Microsoft Internet Explorer
Businesses using Microsoft Internet Explorer (IE) are being targeted with a new advanced zero-day attack that is able to dodge traditional detection methods, according to security firm FireEye.
The FireEye researchers reported uncovering the watering hole attack in a blog post, warning that it uses several atypical techniques to infect its victims' systems.
"Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy," read the post.
"The attackers loaded the payload used in this attack directly into memory without first writing to disk – a technique not typically used by advanced persistent threat (APT) actors. This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."
The attack loads malicious software directly into a computer's memory in a way that bypasses the hard drive, making it more difficult for companies to check using traditional forensic and scanning techniques to find out if their computers have been compromised.
"Through the FireEye Dynamic Threat Intelligence (DTI) cloud, we were able to retrieve the payload dropped in the attack. This payload has been identified as a variant of Trojan.APT.9002 (aka Hydraq/McRAT variant) and runs in memory only. It does not write itself to disk, leaving little to no artefacts that can be used to identify infected endpoints," explained the researchers.
Forensic analysis linked the watering hole attack to a domain used by the hackers behind the DeputyDog campaign. "We have identified relationships between the infrastructure used in this attack and that used in Operation DeputyDog," read the post.
DeputyDog is a hacking campaign discovered in May. It saw hackers target a separate vulnerability in Microsoft Internet Explorer to infect a number of organisations in Japan.
The IE vulnerability is one of many discovered in recent weeks. Prior to it researchers reported uncovering issues in a number of Microsoft products and services, including Windows Server, Lync and Office.
The vulnerabilities are being actively targeted by hackers and Microsoft has issued a temporary fix. Microsoft is expected to release full fixes for the vulnerabilities in its December Patch Tuesday.

Stuxnet: UK and US nuclear plants at risk as malware spreads outside Russia

Cooling towers at a nuclear power station
Security experts have warned the notorious Stuxnet malware has likely infected numerous power plants outside of Russia and Iran.
Experts from FireEye and F-Secure told V3 the nature of Stuxnet means it is likely many power plants have fallen victim to the malware, when asked about comments made by security expert Eugene Kaspersky claiming at least one Russian nuclear plant has already been infected.
"[The member of staff told us] their nuclear plant network, which was disconnected from the internet [...] was badly infected by Stuxnet," Kaspersky said during a speech at Press Club 2013.
Stuxnet is sabotage-focused malware that was originally caught targeting Windows systems in Iranian nuclear facilities in 2010. The malware is believed to originally have been designed to target only the Iranian nuclear industry, but subsequently managed to spread itself in unforeseen ways.
F-Secure security analyst Sean Sullivan told V3 Stuxnet's unpredictable nature means it has likely spread to other facilities outside of the plant mentioned by Kaspersky.
"It didn't spread via the internet. It spread outside of its target due to a bug and so it started traveling via USB. Given the community targeted, I would not be surprised if other countries had nuclear plants with infected PCs," he said.
Director of security strategy at FireEye, Jason Steer, mirrored Sullivan's sentiment, adding the insecure nature of most critical infrastructure systems would make them an ideal breeding ground for Stuxnet.
"Stuxnet has mostly spread by USB and CD rom using removable drive vulnerabilities in Windows to date and continues to spread using remote calls to talk to and infect other computers on the network," Steer told V3.
"Many of these control systems are not connected to the internet, because they are so old and delicate that they cannot withstand any serious probing and examination, and frankly are not designed to connect to the internet as they are so insecure. Getting a vulnerability to a network not connected is not so difficult anymore if it's important enough."
Steer added the atypical way Stuxnet spreads and behaves, means traditional defences are ill equipped to stop, or even accurately track the malware's movements.
"It's highly likely that other plants globally are infected and will continue to be infected as it's in the wild and we will see on a weekly basis businesses trying to figure out how to secure the risk of infected USB flash drives," he said.
"When a PC is infected, the malware does many clever things, including not showing all the things that are on the USB so it's impossible to know if the USB is to be trusted or not and, as we know, using AV signatures doesn't solve some of these issues either."
Critical infrastructure networks' poor security and their use of outdated Windows XP and SCADA systems - industrial control software designed to monitor and control processes in power plants and factories - have been an ongoing concern for industry and governments.
Prior to Kaspersky's claims, experts Bluecoat Systems and the Jericho forum argued at the London 2012 Cybergeddon conference that critical infrastructure providers opened themselves up to cyber attacks by prematurely moving key systems online.
The US Department of Defense (DoD) said the premature move online is doubly dangerous as Chinese hackers are skilled enough to mount Stuxnet-level cyber attacks on critical infrastructure.
The use of XP in power plants is set to become even more dangerous as Microsoft has confirmed it will officially cut support for the 12-year-old OS in less than a year. The lack of support means XP systems will no longer receive critical security updates from Microsoft.

Google blasted over YouTube virus links fiasco

YouTube logo
Google has been slammed for its handling of its updated YouTube video commenting system, and for giving malicious users free rein to post links to phishing sites and spam.
Content creators and one of YouTube's co-founders have rejected the changes, which require commenters to use a Google+ account in order to post comments.
When Google unveiled the changes last week, the firm said it wanted "comments you care about to rise to the top", but so far many of the site's most popular videos have been plagued with shortened URLs linking to spam, so-called "screamers" - websites which play loud noises to scare users - and phishing sites. Previously, YouTube's comments were mostly shown in chrononlogical order rather than through any sort of priory algorithm.
Previously, URLs were blocked entirely from comments, but with Google's latest change, any links can be posted. Furthermore, an increased character limit meant users were able to post scripts of entire Shakespeare plays without issue.
YouTube's latest comments changes have allowed ASCII art
Comments that receive many replies appear to rise to the top of the section, resulting in comments that receive many angry responses from users gaining as much priority as those which promote discussion.
Comments which provoke negative feedback and promoted to the top of the comments section
Sean Sullivan, security analyst at F-Secure, told V3 that while spammers and scammers are making hay while the sun shines, the long term benefits of doing so are limited due to the high cost in terms of time and effort in creating fake accounts.
He added: "Malware gangs that have infected computers, and thus have access to Google+ profiles will sell that access to the spammers. After too much spam or malware is pushed via the account, the Google+ profile will likely be suspended."
YouTube design changes have often caused uproar, but its latest update has gone further and looks to have damaged its relationship with its content producers, who share a chunk of their advertising revenue with Google. Businesses that host videos on YouTube in an attempt to increase their company's reach have been impacted too. Of F-Secure's YouTube channel, Sullivan said: "If the videos weren't embedded on our blog, I'd just delete the whole damn channel."
Many of the site's most prolific creators – most of whom make their living from producing content on the site – have completely disabled comments after becoming unable to deal with the deluge of inappropriate and unmanageable comments. They include the site's most popular channel, owned by Swede Felix "PewDiePie" Kjellberg (15 million subscribers) and Rocket Jump (6.6 million subscribers).
YouTube co-founder Jared Karim returned from eight years of silence on the site to post his first ever comment, which read: "Why the f*** do I need a Google+ account to comment on a video?" Karim founded the site alongside Chad Hurley and Steve Chen in 2005, and holds the honour of having uploaded YouTube's very first video. The site was bought by Google in 2006 for $1.65bn.
A petition to return YouTube's comments system to its previous form reached more than 89,000 votes on Monday. V3 contacted Google for comment on the matter, but had not received a reply at the time of publishing.